Ransomhub, a recently emerged ransomware group, has launched a targeted attack on the Supervisory Control and Data Acquisition (SCADA) system of Matadero de Gijón, a Spanish bioenergy plant. This attack underscores the severe vulnerabilities present in Industrial Control Systems (ICS) and the urgent need for enhanced security measures to protect these critical infrastructures. Since 2022, cyberattacks on ICS have disrupted operations across various industries, emphasizing the critical nature of these systems.
Ransomhub claims to have gained unauthorized access to the plant’s SCADA system, controlling essential processes like the Digester and Heating systems. The group provided screenshots as proof of their infiltration, though the exact extent of the data breach remains unclear, with estimates ranging from 15 GB to 400 GB. Ransomhub, a Ransomware-as-a-Service (RaaS) operation, uses advanced cryptographic techniques, including asymmetric cryptography (x25519) and symmetric algorithms (aes256, chacha20, and xchacha20), to encrypt victim data rapidly.
The group has excluded attacks on CIS countries, Cuba, North Korea, and China, suggesting potential pro-Russian affiliations. Since their debut in February 2024, Ransomhub has claimed responsibility for 68 attacks, mainly targeting the IT and ITES sectors and organizations in the United States. They have been attempting to expand their reach by recruiting affiliates from other ransomware groups, though with limited success.
Security experts warn that Ransomhub’s use of stolen credentials from Initial Access Brokers to target SCADA systems with connected Virtual Network Computing (VNC) devices signals a growing interest in ICS environments among ransomware groups. This trend necessitates a critical reassessment of cybersecurity strategies to protect these vital infrastructures from future attacks. As ransomware groups continue to evolve, the threat to Operational Technology (OT) environments is expected to increase.
Reference:
