Halliburton Cyberattack: RansomHub Ransomware Impacts 210+ Victims, Disrupts Oil Services – Key Insights and Response Details

Continue reading
The RansomHub ransomware gang has been identified as the attackers behind the recent cyberattack on Halliburton, a leading oil and gas services giant.
This attack, which occurred on August 21, 2024, has significantly disrupted Halliburton's IT systems and business operations, impacting the company's ability to generate invoices, process purchase orders, and maintain overall business continuity.
Halliburton disclosed the breach in an SEC filing last Friday, acknowledging that an unauthorized party gained access to certain systems.
This breach has caused widespread operational disruption, with customers reporting an inability to perform essential business functions due to the system outages.
The company stated in the SEC filing: _"On August 21, 2024, Halliburton Company (the 'Company') became aware that an unauthorized third party gained access to certain of its systems."_
Halliburton quickly activated its quick action response plan, involving both internal and external cybersecurity experts to assess and mitigate the unauthorized activity.
Despite the significant impact of the attack, Halliburton has provided limited details to its customers, leaving many in the oil and gas industry uncertain about the potential risks to their own systems. This lack of transparency has led some customers to disconnect from Halliburton's services as a precautionary measure.
Several companies affected by the attack are working with the Oil and Natural Gas Information Sharing and Analysis Center (ONG-ISAC), which coordinates physical and cybersecurity threat responses for the oil and gas sector. These companies are seeking technical information to assess whether they, too, have been breached.
Rumors of RansomHub's involvement in the Halliburton attack had actively circulated for days before the company confirmed the connection.
Discussions on platforms such as Reddit and TheLayoff hinted at RansomHub's involvement, and a partial ransom note was even published on the latter site.
However, when attempting to contact Halliburton for confirmation, the company declined to provide additional comments, stating, _"We are not commenting beyond what was included in our filing. Any subsequent communications will be in the form of an 8-K."_
In an email dated August 26, 2024, sent to suppliers, Halliburton furnishes further details.
The company mentioned taking certain systems offline to protect them and confirmed that it is working with cybersecurity firm Mandiant to investigate the incident.
Halliburton also assured stakeholders that its email systems remain operational, as they are hosted on Microsoft Azure infrastructure.
Meanwhile, RansomHub has already been in surfacing with because of there new adoption to EDRKillShifter.
To assist customers, the email included a list of Indicators of Compromise (IOCs) related to the attack, such as file names and IP addresses.
One notable IOC was a Windows executable named `maintenance.exe`, identified as a RansomHub ransomware encryptor.
Further analysis revealed that this encryptor appears to be a newer version, featuring a command-line argument `-cmd string` that executes a command on the device before file encryption.
RansomHub, which launched in February 2024, initially claimed to be a data theft and extortion group, selling stolen files to the highest bidder.
However, it quickly became evident that RansomHub also employed ransomware encryptors in its double-extortion attacks. In these attacks, the threat actors breach networks, steal data, and then encrypt the files.
The combination of encrypted files and the threat of leaking stolen data is used to coerce victims into paying a ransom.
Symantec's analysis of the RansomHub encryptors indicated that they are based on the Knight ransomware encryptors, formerly known as Cyclops. Interestingly, the Knight operation claimed to have sold its source code in February 2024, coinciding with RansomHub's emergence.
This has led many cybersecurity researchers to believe that RansomHub is a rebranded version of the Knight ransomware operation.
On the same day as Halliburton's disclosure, the FBI released an advisory on RansomHub, detailing the threat actor's tactics and warning that the group has breached at least 210 victims since its inception.
The timing of the advisory suggests a coordinated effort to address the growing threat posed by RansomHub, especially in the wake of the Halliburton attack.
RansomHub has been responsible for several high-profile attacks in 2024, including those on Patelco Credit Union, Rite Aid, Christie's auction house, and Frontier Communications.
The group also used its data leak site to publish stolen data from Change Healthcare after the shutdown of the BlackCat and ALPHV ransomware operations which includes victims like Prudential, VFCorporation, Creos, BamdiNemco and more.
It is believed that after BlackCat's demise, some of its affiliates joined RansomHub, bolstering its capabilities and allowing it to escalate its attacks.

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation