RansomHouse group has allegedly breached IPCA Laboratories
| Category | Industry | Country | Source* |
|---|---|---|---|
| Adversary Intelligence | Healthcare and Pharma | Asia & Pacific | C2 |
Executive Summary
Threat
- RansomHouse group has allegedly breached IPCA Laboratories.
- The incident took place on 3 September 2022. The victim's current status is listed as "encrypted", and the post has approximately 6000 views.
Impact
- Phishing attacks against affected users.
- The leaked data could equip malicious actors with the details required to launch sophisticated ransomware attacks, exfiltrate data, and maintain persistence.
Mitigation
- Implement a strong password policy and enable MFA across logins.
- Check for anomalies in the endpoints.
- Patch vulnerable and exploitable endpoints.
Analysis and Attribution
Information from the Post
- On 3 September 2022, the RansomHouse group published a post on their PR site advertising the data of IPCA Laboratories. IPCA Laboratories is an Indian pharmaceutical multinational headquartered in Mumbai and founded in 1949.
- A total of 0.5 TB of data was exfiltrated and the status of the victim is tagged as ‘encrypted’.
- A sample was provided to substantiate their claims, containing sensitive information such as employee PII, client folders, audit documents, and doctor profiles.
- Another file, titled ‘IT Services details’, was created on 01/29/2020 by Rajesh Nawale and was last modified on 30 August 2022, indicating the likely infiltration date.
[Figure: RansomHouse allegedly claims to have breached IPCA Laboratories]
- RansomHouse was first observed in early June 2022 and has targeted approximately 10 victims so far.
- When they first appeared in May, they claimed to be mediators with no responsibility for attacking any entity, presenting themselves merely as an extortion marketplace.
- Discussions have even emerged hinting that RansomHouse is possibly a rebranding of Hive, because the user interfaces of the two groups are identical.
- One of the possible techniques used to gain an initial foothold in an organization, as claimed by the group themselves, is compromising weak passwords.
Threat Actor Activity and Rating
| Threat Actor Profiling | |
|---|---|
| Active since | May 2022 |
| Reputation | High, given that there are no complaints of the group being scammers. |
| Current Status | Active |
| History | Emerged as an extortion marketplace. |
| Rating | C2 (C: Fairly reliable; 2: Probably true.) |
Appendix
[Figure: Data sample shared by the RansomHouse group]
[Figure: Speculations around the motivation of RansomHouse and its correlation with Hive]
More samples
[Figure: Sample folder shared by the threat actor]