
Halliburton Cyberattack Linked To RansomHub

In a recent Form 8-K filing with the U.S. Securities and Exchange Commission (SEC), oil and gas services giant Halliburton disclosed that it had suffered a cyberattack that disrupted the company's IT systems and business operations. According to the filing, the company became aware of the unauthorized access on August 21, 2024.


The filing goes on to say,

When the Company learned of the issue, the Company activated its cybersecurity response plan and launched an investigation internally with the support of external advisors to assess and remediate the unauthorized activity.

Beyond the filing, the company has been notably quiet about the incident. This has inevitably created a disconnect between Halliburton and its customers, and the lack of detail has left several prominent media outlets asking how extensive the compromise is and whether customer or third-party data was exposed.

According to Bleeping Computer, some companies are working with ONG-ISAC, the Oil and Natural Gas Information Sharing and Analysis Center, to obtain technical details about the attack. ONG-ISAC is an industry body that acts as a central point of coordination and communication for both physical and cybersecurity threats against the oil and gas sector, and the shared indicators would help these companies determine whether they were breached as well.

Whenever a major company is breached, an oil and gas giant like Halliburton included, rumors quickly circulate that the victim suffered a ransomware attack. In this case the rumors began on Reddit, where a user in r/TheLayoff posted a partial RansomHub ransom note allegedly taken from the attack.

Bleeping Computer reached out to Halliburton for comment and was initially told,

We are not commenting beyond what was included in our filing. Any subsequent communications will be in the form of an 8-K.

Bleeping Computer subsequently obtained an email that Halliburton had sent to its suppliers. The email stated the following,

We are reaching out to update you about a cybersecurity issue affecting Halliburton…As soon as we learned of the issue, we activated our cybersecurity response plan and took steps to address it, including (1) proactively taking certain systems offline to help protect them, (2) engaging the support of leading external advisors, including Mandiant, and (3) notifying law enforcement.

The email notes that Halliburton's email systems continue to operate because they are hosted on Microsoft Azure infrastructure. Of most interest to security researchers, the email also contained a list of indicators of compromise (IOCs), including file names and IP addresses associated with the attack, that customers can use to hunt for similar activity on their own networks.

One such IOC is a Windows executable named maintenance.exe. Bleeping Computer reports that the executable is a sample of the RansomHub encryptor, which encrypts files so their owners can no longer access the data. An IOC list of this kind only helps if it is actually swept against the estate, and a file name is the weakest indicator in it, since an affiliate can simply rename the binary; file hashes and the network indicators should be checked alongside it.
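The kind of sweep a customer would run against a vendor-supplied IOC list, as an added example that is not code from the article, from Halliburton or from Bleeping Computer. Only the file name maintenance.exe comes from the article; the SHA-256 value, the IP ranges (RFC 5737 documentation addresses), the file paths and the firewall log lines are all constructed placeholders and must be replaced with the real indicators before use:

```python
"""IOC sweep over host file listings and firewall logs.

Added example; not from the PCrisk article or Halliburton's supplier notice.
Only "maintenance.exe" is taken from the article. Every other indicator below
is a CONSTRUCTED placeholder so the sweep can be exercised offline.
"""
import hashlib
import ipaddress
import re
from pathlib import PureWindowsPath
from typing import Iterable

# --- Constructed IOC set, in the shape a vendor notice usually provides ----
IOC_FILENAMES = {"maintenance.exe"}                       # from the article
IOC_SHA256 = {hashlib.sha256(b"constructed sample payload").hexdigest()}  # placeholder
IOC_NETWORKS = [ipaddress.ip_network(n)                   # placeholders (RFC 5737)
                for n in ("203.0.113.0/24", "198.51.100.7/32")]

_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def filename_hits(paths: Iterable[str]) -> list[str]:
    """Paths whose basename matches an IOC file name.

    Case-insensitive, because NTFS is, and PureWindowsPath so that both
    '\\' and '/' separators from mixed tooling are split correctly."""
    return [p for p in paths if PureWindowsPath(p).name.lower() in IOC_FILENAMES]


def hash_hits(files: dict[str, bytes]) -> list[str]:
    """Paths whose SHA-256 matches an IOC hash.

    Catches a renamed copy of the encryptor that a file-name check misses."""
    return [p for p, data in files.items()
            if hashlib.sha256(data).hexdigest() in IOC_SHA256]


def ip_hits(log_lines: Iterable[str]) -> list[tuple[str, str]]:
    """(ip, line) for every IPv4 address in the log that falls inside an IOC
    network. Invalid octets that the regex lets through (e.g. 999.1.1.1) are
    skipped rather than crashing the sweep."""
    hits = []
    for line in log_lines:
        for raw in _IP_RE.findall(line):
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                continue
            if any(ip in net for net in IOC_NETWORKS):
                hits.append((raw, line))
    return hits


# --- Constructed sample input ---------------------------------------------
SAMPLE_PATHS = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Users\Public\MAINTENANCE.EXE",
    r"C:\ProgramData\maintenance.exe",
]
SAMPLE_FILES = {                          # path -> file contents
    r"C:\ProgramData\updater.bin": b"constructed sample payload",  # renamed copy
    r"C:\ProgramData\readme.txt": b"benign text",
}
SAMPLE_FW_LOG = [
    "2024-08-21T03:14:07Z allow src=10.0.5.12 dst=203.0.113.45 dport=443",
    "2024-08-21T03:14:09Z allow src=10.0.5.12 dst=192.0.2.10 dport=443",
    "2024-08-21T03:15:30Z deny  src=10.0.7.8  dst=198.51.100.7 dport=22",
]


def sweep() -> dict:
    """Run all three checks over the constructed sample data."""
    return {
        "filename": filename_hits(SAMPLE_PATHS),
        "hash": hash_hits(SAMPLE_FILES),
        "ip": ip_hits(SAMPLE_FW_LOG),
    }


if __name__ == "__main__":
    for kind, hits in sweep().items():
        print(f"{kind}: {hits}")
```

Run against real data, the file listing would come from an EDR query or a recursive directory walk, the file contents from the suspicious paths only, and the log lines from the firewall or proxy export; the three functions stay the same.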

RansomHub's 210 Scalps

The last time we covered RansomHub in this publication was when security researchers identified a link between RansomHub and the now-defunct Knight ransomware operation. Knight may be gone, but the people behind RansomHub, both its affiliates and its administrators, have clearly been busy.

According to the Federal Bureau of Investigation (FBI), the operation has breached the networks of more than 200 corporations and other organizations since it emerged in February 2024.

Some of the ransomware gang's biggest scalps include breaching American not-for-profit credit union Patelco, the Rite Aid drugstore chain, Christie's auction house, U.S. telecom provider Frontier Communications, and possibly oil services giant Halliburton.

Frontier Communications later warned more than 750,000 customers that their personal information was exposed in the breach, which is also believed to be the work of RansomHub and its affiliates.

The FBI summarized RansomHub operations as follows,

...RansomHub has encrypted and exfiltrated data from at least 210 victims representing the water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications critical infrastructure sectors.

Known tactics of the gang include,

The affiliates leverage a double-extortion model by encrypting systems and exfiltrating data to extort victims. It should be noted that data exfiltration methods are dependent on the affiliate conducting the network compromise. The ransom note dropped during encryption does not generally include an initial ransom demand or payment instructions. Instead, the note provides victims with a client ID and instructs them to contact the ransomware group via a unique .onion URL (reachable through the Tor browser). The ransom note typically gives victims between three and 90 days to pay the ransom (depending on the affiliate) before the ransomware group publishes their data on the RansomHub Tor data leak site.

It should also be noted that RansomHub affiliates use a variety of methods to gain initial access to a victim's IT infrastructure.

These include phishing emails, exploitation of known vulnerabilities in internet-facing systems, and password spraying, which the FBI notes is aimed at accounts whose credentials were exposed in previous data breaches. This is a healthy reminder to change passwords as soon as you learn that your information may have been compromised, never to reuse a password across services, and to enforce multi-factor authentication on every externally reachable login, since that is the control that stops a successful spray from turning into a foothold.
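Password spraying has a recognisable shape in authentication logs: one source, many accounts, only a handful of failures per account. The detector below, an added example and not code from the article or the FBI advisory, runs that logic over constructed log lines in a simplified "timestamp result user source-ip" format standing in for Windows event 4625 or VPN authentication records; the window size and thresholds are assumptions to be tuned against your own baseline:

```python
"""Password-spray detector over authentication logs.

Added example; not from the PCrisk article or the FBI advisory. The log
format and every log line below are CONSTRUCTED for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Tuning knobs (assumptions; adjust to your environment's baseline).
WINDOW = timedelta(minutes=10)
MIN_DISTINCT_USERS = 5      # a spray touches many accounts ...
MAX_ATTEMPTS_PER_USER = 3   # ... but tries each only a few times


def parse(line: str):
    """Constructed format: '<iso-timestamp> <FAIL|OK> <user> <source-ip>'."""
    ts, result, user, src = line.split()
    return datetime.fromisoformat(ts), result, user.lower(), src


def detect_spray(lines) -> dict[str, list[str]]:
    """Return {source_ip: sorted usernames} for every source that, inside
    any WINDOW-long sliding window, fails logons against at least
    MIN_DISTINCT_USERS accounts with no more than MAX_ATTEMPTS_PER_USER
    failures on any one of them.

    A single account hammered hundreds of times is brute force, not a
    spray; it is deliberately excluded here so the two get separate alerts."""
    events = sorted(parse(line) for line in lines)
    failures_by_src: dict[str, list] = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            failures_by_src[src].append((ts, user))

    alerts: dict[str, set[str]] = {}
    for src, fails in failures_by_src.items():
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits within WINDOW.
            while fails[end][0] - fails[start][0] > WINDOW:
                start += 1
            per_user: dict[str, int] = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            if (len(per_user) >= MIN_DISTINCT_USERS
                    and max(per_user.values()) <= MAX_ATTEMPTS_PER_USER):
                alerts.setdefault(src, set()).update(per_user)
    return {src: sorted(users) for src, users in alerts.items()}


def compromised_accounts(lines, alerts) -> list[str]:
    """Accounts that logged in successfully from a source already flagged as
    spraying: the first thing an incident responder wants to know."""
    return sorted({user for _, result, user, src in map(parse, lines)
                   if result == "OK" and src in alerts})


# --- Constructed sample log -----------------------------------------------
SAMPLE_AUTH_LOG = [
    # Spray from 203.0.113.9: six accounts, one or two tries each, 4 minutes.
    "2024-08-20T22:00:01 FAIL alice 203.0.113.9",
    "2024-08-20T22:00:31 FAIL bob 203.0.113.9",
    "2024-08-20T22:01:02 FAIL carol 203.0.113.9",
    "2024-08-20T22:01:33 FAIL dave 203.0.113.9",
    "2024-08-20T22:02:04 FAIL erin 203.0.113.9",
    "2024-08-20T22:02:35 FAIL Frank 203.0.113.9",
    "2024-08-20T22:03:06 FAIL alice 203.0.113.9",
    "2024-08-20T22:03:40 OK frank 203.0.113.9",   # spray landed: reused password
    # Brute force against one account from 198.51.100.20: not a spray.
    *[f"2024-08-20T22:05:{sec:02d} FAIL admin 198.51.100.20"
      for sec in range(0, 50, 5)],
    # An ordinary typo from an internal client.
    "2024-08-20T22:07:00 FAIL grace 10.0.5.12",
    "2024-08-20T22:07:20 OK grace 10.0.5.12",
]


if __name__ == "__main__":
    found = detect_spray(SAMPLE_AUTH_LOG)
    print("spraying sources:", found)
    print("successful logons from those sources:",
          compromised_accounts(SAMPLE_AUTH_LOG, found))
```

The brute-force source is intentionally not reported by detect_spray; a separate rule keyed on failures per account should catch it, and a source that trips both is the one to block first.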

The joint #StopRansomware advisory on RansomHub published by the FBI together with CISA, MS-ISAC and HHS includes a list of indicators of compromise, MITRE ATT&CK mappings of the affiliates' techniques, and a wealth of other information useful to those tasked with defending IT infrastructure. For anyone defending against RansomHub and similar ransomware operations, it should be treated as required reading.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience in the field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
