RansomHouse group has allegedly breached IPCA Laboratories

Summary

RansomHouse group has allegedly breached IPCA Laboratories. The incident took place on 3 September 2022; the victim's listing is currently tagged as encrypted and has approximately 6000 views.

Category: Adversary Intelligence
Industry: Healthcare and Pharma
Country: Asia & Pacific
Source*: C2

Executive Summary

Threat
  • RansomHouse group has allegedly breached IPCA Laboratories.
  • The incident took place on 3 September 2022; the victim's listing is currently tagged as encrypted and has approximately 6000 views.

Impact
  • Phishing attacks against affected users.
  • Could equip malicious actors with details required to launch sophisticated ransomware attacks, exfiltrate data, and maintain persistence.

Mitigation
  • Implement a strong password policy and enable MFA across logins.
  • Check for anomalies in the endpoints.
  • Patch vulnerable and exploitable endpoints.

Analysis and Attribution

Information from the Post

  • On 3 September 2022, RansomHouse group published on their PR site advertising the data of IPCA Laboratories. IPCA Laboratories is an Indian pharmaceutical multinational headquartered in Mumbai founded in 1949.
  • A total of 0.5 TB of data was exfiltrated and the status of the victim is tagged as ‘encrypted’.
  • A sample was provided to substantiate their claims with sensitive information such as employee PII, client folders, audit documents, and doctor profiles.
  • Another file, titled ‘IT Services details’, was found to have been created on 01/29/2020 by Rajesh Nawale and last modified on 30 August 2022, indicating the likely infiltration date.

RansomHouse allegedly claims to have breached IPCA Laboratories

  • RansomHouse was first observed in early June 2022 and has targeted approximately 10 victims so far.
  • When they first emerged in May, they claimed to be mediators with no responsibility for attacking any entity; they were merely an extortion marketplace.
  • Discussions have also emerged hinting that RansomHouse is possibly a rebranding of Hive, since the two groups' user interfaces are identical.
  • One of the possible techniques to gain an initial foothold in an organization, as claimed by the group themselves, is compromising weak passwords.

Threat Actor Activity and Rating

Threat Actor Profiling

Active since: May 2022
Reputation: High, given that there are no complaints of the group being scammers.
Current Status: Active
History: Emerged as an extortion marketplace.
Rating: C2 (C: Fairly reliable; 2: Probably true.)

Appendix

Data sample shared by the RansomHouse group

Speculations around the motivation of RansomHouse and its correlation with Hive

More samples

Sample folder shared by the threat actor
