Abyss Ransomware Strikes Tolsa Minerals in Major Cyber Attack
Abyss Ransomware Group Targets Tolsa Minerals in Major Data Breach
Tolsa S.A., a leading Spanish company in the minerals and mining sector, has fallen victim to a significant ransomware attack orchestrated by the Abyss ransomware group. The attack has resulted in the exfiltration of 5.1 terabytes of uncompressed data, with the company's website currently offline. The ransom deadline set by the attackers is October 3, 2024.
About Tolsa S.A.
Founded in 1957, Tolsa S.A. is a prominent player in the global minerals market, specializing in the extraction, treatment, and commercialization of clay-based additives. With a presence in over 95 countries and generating approximately $439.5 million in revenue, Tolsa is recognized for its commitment to innovation and sustainability. The company employs around 700 professionals and is headquartered in Madrid, Spain. Tolsa's products are integral to various industries, including paints, coatings, construction, and civil engineering, where they enhance product durability and application properties.
Attack Overview
The Abyss ransomware group, known for its multi-extortion tactics, has claimed responsibility for the attack on Tolsa. The group has a history of targeting VMware ESXi environments and has been active since March 2023. The attack on Tolsa is part of a broader campaign by Abyss, which has previously targeted industries such as finance, manufacturing, and healthcare. The group's operations are characterized by their use of a TOR-based website to list victims and exfiltrated data.
Vulnerabilities and Penetration
Tolsa's global operations and reliance on digital infrastructure may have made it susceptible to cyber threats. The Abyss group is known for exploiting weak SSH configurations through brute force attacks, which could have been a potential entry point into Tolsa's systems. The ransomware's payloads, derived from the Babuk codebase, are designed to encrypt files and demand ransom for their release. The attack underscores the importance of effective cybersecurity measures, particularly for companies with extensive digital operations.
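A defender can hunt for the SSH brute-force entry vector mentioned above in sshd authentication logs. The sketch below is an added example, not part of the original article or of any vendor tooling. The log lines are constructed, and the function name `find_bruteforce`, its threshold and its output fields are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not from the incident); IPs are documentation ranges.
SAMPLE_LOG = """\
Oct  1 02:14:01 host1 sshd[1001]: Failed password for root from 203.0.113.7 port 40112 ssh2
Oct  1 02:14:03 host1 sshd[1002]: Failed password for root from 203.0.113.7 port 40114 ssh2
Oct  1 02:14:05 host1 sshd[1003]: Failed password for invalid user admin from 203.0.113.7 port 40116 ssh2
Oct  1 02:14:07 host1 sshd[1004]: Failed password for root from 203.0.113.7 port 40118 ssh2
Oct  1 02:14:09 host1 sshd[1005]: Failed password for root from 203.0.113.7 port 40120 ssh2
Oct  1 02:14:11 host1 sshd[1006]: Accepted password for root from 203.0.113.7 port 40122 ssh2
Oct  1 08:30:00 host1 sshd[1100]: Failed password for ops from 198.51.100.20 port 51000 ssh2
Oct  1 08:30:09 host1 sshd[1101]: Accepted password for ops from 198.51.100.20 port 51002 ssh2
Oct  1 09:00:00 host1 sshd[1200]: Accepted publickey for deploy from 192.0.2.50 port 52000 ssh2
"""

# Matches OpenSSH password-auth results; public-key logins are deliberately ignored.
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_bruteforce(log_text, threshold=5):
    """Return {ip: {"failures": n, "accepted_after": [users]}} for noisy sources.

    An IP is reported once it reaches `threshold` failed password attempts.
    "accepted_after" lists accounts that logged in by password from that IP
    after the threshold was reached, i.e. a guess that probably succeeded.
    """
    failures = defaultdict(int)
    accepted = defaultdict(list)
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failures[ip] += 1
        elif failures[ip] >= threshold:
            accepted[ip].append(user)
    return {ip: {"failures": n, "accepted_after": list(accepted[ip])}
            for ip, n in failures.items() if n >= threshold}

if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

Any non-empty `accepted_after` list deserves immediate triage. Disabling password authentication in favour of keys and limiting which networks can reach SSH removes the vector this check looks for.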
About the Abyss Ransomware Group
The Abyss ransomware group distinguishes itself through its focus on VMware ESXi environments and its multi-extortion approach. The group has rapidly evolved into a significant threat, targeting both Windows and Linux systems. Their operations are marked by a sophisticated command line interface and the use of the ".crypt" extension for encrypted files. The group's ability to adapt and target diverse industries highlights the growing complexity of ransomware threats in the digital age.