RansomHouse group has allegedly breached IPCA Laboratories
| Category | Industry | Country | Source* |
| --- | --- | --- | --- |
| Adversary Intelligence | Healthcare and Pharma | Asia & Pacific | C2 |
Executive Summary
THREAT
- RansomHouse group has allegedly breached IPCA Laboratories.
- The incident took place on 3 September 2022; the victim is currently listed with the status 'encrypted', and the post has approximately 6000 views.
IMPACT
- Phishing attacks against affected users.
- Could equip malicious actors with the details required to launch sophisticated ransomware attacks, exfiltrate data, and maintain persistence.
MITIGATION
- Implement a strong password policy and enable MFA across logins.
- Check for anomalies on endpoints.
- Patch vulnerable and exploitable endpoints.
Analysis and Attribution
Information from the Post
- On 3 September 2022, the RansomHouse group published a post on their PR site advertising the data of IPCA Laboratories. IPCA Laboratories is an Indian pharmaceutical multinational headquartered in Mumbai and founded in 1949.
- A total of 0.5 TB of data was exfiltrated, and the status of the victim is tagged as ‘encrypted’.
- A sample containing sensitive information, such as employee PII, client folders, audit documents, and doctor profiles, was provided to substantiate the claim.
- Another file, titled ‘IT Services details’, was found to have been created on 01/29/2020 by Rajesh Nawale and last modified on 30 August 2022, indicating the likely infiltration date.
Figure: RansomHouse allegedly claims to have breached IPCA Laboratories
- RansomHouse was first observed in early June 2022 and has targeted approximately 10 victims so far.
- When they first appeared in May, they claimed to be mediators with no responsibility for attacking any entity; they presented themselves merely as an extortion marketplace.
- Discussions have even emerged hinting that RansomHouse is possibly a rebranding of Hive, because the two groups' user interfaces are identical.
- One initial-access technique the group itself claims to use is compromising weak passwords.
Threat Actor Activity and Rating
| Threat Actor Profiling | |
| --- | --- |
| Active since | May 2022 |
| Reputation | High, given that there are no complaints of the group being scammers. |
| Current Status | Active |
| History | Emerged as an extortion marketplace. |
| Rating | C2 (C: Fairly reliable; 2: Probably true.) |
Appendix
Figure: Data sample shared by the RansomHouse group
Figure: Speculations around the motivation of RansomHouse and its correlation with Hive
More samples
Figure: Sample folder shared by the threat actor