Qiulong Ransomware Group Strikes Brazilian Infrastructure Giant Concisa

Incident Date: Jun 24, 2024

Attack Overview

Victim: Concisa Obras de Infraestrutura
Industry: Construction
Location: Brazil
Attacker: Qiulong
First reported: June 24, 2024

Qiulong Ransomware Group Targets Concisa Obras de Infraestrutura

Overview of the Attack

Concisa Obras de Infraestrutura, a prominent Brazilian company specializing in infrastructure construction and engineering services, has recently fallen victim to a ransomware attack orchestrated by the Qiulong ransomware group. The attack was publicly claimed by Qiulong on their dark web leak site, marking a significant disruption for the company known for its high-quality services in both public and private sectors.

About Concisa Obras de Infraestrutura

Concisa Obras de Infraestrutura, based in Chapecó, Santa Catarina, has been a key player in the Brazilian infrastructure sector for over two decades. The company engages in a wide range of activities, including the construction of roads, bridges, tunnels, and other transportation infrastructure. They also work on water supply and sewage systems, ensuring that communities have access to essential utilities. Additionally, Concisa is involved in the development of residential and commercial buildings, providing comprehensive solutions from planning and design to execution and maintenance.

What sets Concisa apart in the industry is their commitment to sustainability and environmental responsibility. They employ advanced engineering techniques and state-of-the-art technology to ensure the durability and efficiency of their projects. Their team of skilled professionals, including engineers, architects, and project managers, collaborates closely with clients to deliver customized solutions that adhere to strict quality standards and regulatory requirements.

Details of the Ransomware Attack

The Qiulong ransomware group, known for its targeted attacks primarily in Latin America, has claimed responsibility for the attack on Concisa. The group is notorious for its sophisticated tactics, techniques, and procedures (TTPs), which include leveraging known valid accounts, exposed Remote Desktop Protocol (RDP) servers, and vulnerabilities in FortiOS to gain initial access to networks. Once inside, they utilize tools like AdFind to gather Active Directory information and distribute executables within internal networks through methods such as Group Policy Objects, scheduled tasks, PsExec, or wmic.

Qiulong employs a unique encryption strategy, appending the ".play" extension to encrypted files. They practice double extortion, threatening to exfiltrate and publish sensitive data on dark web forums. Notably, they use intermittent encryption, which encrypts chunks of files to avoid detection. Recently, Qiulong has adopted a Ransomware-as-a-Service (RaaS) model, making their tools more accessible to other threat actors. This shift has resulted in a surge of new victims across various industries.
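The TTPs listed above (AdFind for directory reconnaissance, PsExec/wmic/scheduled tasks for spreading the payload, and the ".play" extension on encrypted files) are all observable on the endpoint. The following is an added defender-side triage example, not code from the original report or from Halcyon: it runs simple detection rules over constructed process-creation and file-write events, with hostnames, usernames, paths and timestamps that are made up for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample process-creation events (hypothetical, not incident data):
# "<timestamp> <host> <user> <command line>"
PROCESS_EVENTS = [
    "2024-06-24T02:11:03 WS01 corp\\jsmith cmd.exe /c dir",
    "2024-06-24T02:14:20 WS01 corp\\jsmith AdFind.exe -f objectcategory=computer -csv",
    "2024-06-24T02:20:41 WS01 corp\\svc_backup PsExec.exe \\\\SRV02 -s -d cmd.exe /c update.bat",
    "2024-06-24T02:25:09 SRV02 corp\\svc_backup wmic.exe /node:SRV03 process call create update.exe",
    "2024-06-24T02:27:30 SRV02 corp\\svc_backup schtasks.exe /create /s SRV04 /tn upd /tr update.exe",
    "2024-06-24T02:30:55 SRV03 corp\\svc_backup explorer.exe",
]

# Constructed sample file-write events: "<timestamp> <host> <path>"
FILE_EVENTS = [
    "2024-06-24T03:01:10 SRV03 C:\\Shares\\projects\\bridge_a1.dwg.play",
    "2024-06-24T03:01:11 SRV03 C:\\Shares\\projects\\contract.pdf.play",
    "2024-06-24T03:01:12 SRV03 C:\\Shares\\projects\\readme.txt",
    "2024-06-24T03:05:00 WS01 C:\\Users\\jsmith\\notes.txt.play",
]

# One rule per technique named in the report; each regex matches the launched
# image and the arguments that make the use remote/lateral, case-insensitively.
RULES = {
    "ad_recon_adfind": re.compile(r"\badfind(\.exe)?\b", re.I),
    "lateral_psexec": re.compile(r"\bpsexec(64)?(\.exe)?\s+\\\\", re.I),
    "lateral_wmic_remote": re.compile(r"\bwmic(\.exe)?\s+/node:", re.I),
    "lateral_schtasks_remote": re.compile(r"\bschtasks(\.exe)?\s+/create\s+/s\s", re.I),
}

def triage_process_events(events: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, host, user, rule) for every event that matches a rule."""
    hits = []
    for line in events:
        ts, host, user, cmd = line.split(" ", 3)
        for name, pattern in RULES.items():
            if pattern.search(cmd):
                hits.append((ts, host, user, name))
    return hits

def hosts_with_encrypted_files(events: List[str], ext: str = ".play",
                               threshold: int = 2) -> Dict[str, int]:
    """Count files per host that gained the ransomware extension; keep hosts at or over threshold."""
    counts: Dict[str, int] = {}
    for line in events:
        _, host, path = line.split(" ", 2)
        if path.lower().endswith(ext):
            counts[host] = counts.get(host, 0) + 1
    return {h: n for h, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for hit in triage_process_events(PROCESS_EVENTS):
        print("ALERT", *hit)
    print("hosts with mass .play writes:", hosts_with_encrypted_files(FILE_EVENTS))
```

In a real deployment the same rules would be fed from Sysmon or EDR process and file telemetry rather than from inline strings; the per-host file-extension count is the cheap signal that distinguishes mass encryption from a single renamed file.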

Potential Vulnerabilities

Concisa Obras de Infraestrutura's extensive use of advanced engineering techniques and state-of-the-art technology, while beneficial for its projects, also widens its attack surface. The company's reliance on digital systems for project management, client collaboration, and operational efficiency could have provided multiple entry points for the Qiulong ransomware group. Exposed RDP servers, unpatched software vulnerabilities, and potentially insufficient network segmentation are the common weaknesses threat actors exploit to penetrate such systems.
