RansomHouse group has allegedly breached IPCA Laboratories

RansomHouse group has allegedly breached IPCA Laboratories. The incident took place on 3 September 2022, and the listing's current status is 'under encryption', with approximately 6000 views.
Updated on April 19, 2023
Published on November 14, 2022
Category: Adversary Intelligence
Industry: Healthcare and Pharma
Country: Asia & Pacific
Source*: C2

Executive Summary

Threat
  • RansomHouse group has allegedly breached IPCA Laboratories.
  • The incident took place on 3 September 2022, and the current status is under encryption with approximately 6000 views.

Impact
  • Phishing attacks against affected users.
  • Could equip malicious actors with details required to launch sophisticated ransomware attacks, exfiltrate data, and maintain persistence.

Mitigation
  • Implement a strong password policy and enable MFA across logins.
  • Check for anomalies in the endpoints.
  • Patch vulnerable and exploitable endpoints.

Analysis and Attribution

Information from the Post

  • On 3 September 2022, the RansomHouse group published a post on their PR site advertising the data of IPCA Laboratories. IPCA Laboratories is an Indian pharmaceutical multinational headquartered in Mumbai and founded in 1949.
  • A total of 0.5 TB of data was exfiltrated, and the victim's status is tagged as ‘encrypted’.
  • A sample was provided to substantiate their claims with sensitive information such as employee PII, client folders, audit documents, and doctor profiles.
  • Another file, titled ‘IT Services details’, was found to have been created on 01/29/2020 by Rajesh Nawale and last modified on 30 August 2022, indicating the likely infiltration date.
Figure: RansomHouse allegedly claims to have breached IPCA Laboratories
  • RansomHouse was first observed in early June 2022 and has targeted approximately 10 victims so far.
  • During their early inception in May, they claimed to be mediators who bore no responsibility for attacking any entity; they were merely an extortion marketplace.
  • Discussions have even emerged hinting that RansomHouse is possibly a rebranding of Hive, because their user interfaces are identical.
  • One of the possible techniques to gain an initial foothold in an organization, as claimed by the group themselves, is compromising weak passwords.

Threat Actor Activity and Rating

Threat Actor Profiling
Active since: May 2022
Reputation: High, given that there are no complaints of the group being scammers.
Current Status: Active
History: Emerged as an extortion marketplace.
Rating: C2 (C: Fairly reliable; 2: Probably true.)

Appendix

Figure: Data sample shared by the RansomHouse group
Figure: Speculations around the motivation of RansomHouse and correlation with Hive
More samples
Figure: Sample folder shared by the threat actor
