RansomHub Ransomware Hits Illinois-Based PHD Services
RansomHub Ransomware Attack on PHD Services
PHD Services, a comprehensive facility services provider based in Illinois, has recently fallen victim to a ransomware attack orchestrated by the cybercriminal group RansomHub. Established in 1962, PHD Services specializes in professional cleaning, facility support, grounds maintenance, and supply chain solutions. As a women-owned and operated business, the company has grown from a local enterprise to a regional leader, serving clients across the United States.
Company Profile
PHD Services employs over 400 people and has built a reputation for reliability and quality over its six decades of operation. The company offers a wide array of support services tailored to the specific needs of their clients, including routine janitorial work, specialized cleaning, facility management, and grounds maintenance. Their supply chain solutions help streamline operations for clients, making them a preferred partner in the facility services industry.
Attack Overview
The ransomware attack on PHD Services has potentially compromised sensitive client data and disrupted the company's ability to provide critical support. The attack poses significant risks to both the organization's operations and the satisfaction of its clientele. The exact details of the data exfiltrated and the ransom demanded have not been disclosed, but the impact on the company's operations is evident.
RansomHub: The Ransomware Group
RansomHub, a Ransomware-as-a-Service (RaaS) group, emerged in February 2024 and quickly established itself as a formidable player in the ransomware landscape. Known for its speed and efficiency, RansomHub employs a double extortion strategy, encrypting victims' data and exfiltrating sensitive information to increase leverage in ransom demands. The group targets high-value sectors such as healthcare, financial services, and government.
Penetration and Methodology
RansomHub affiliates primarily use phishing campaigns, vulnerability exploitation, and password spraying to gain initial access. They are known to exploit unpatched systems such as Citrix ADC and FortiOS. Once inside, they conduct multi-phase attacks involving network reconnaissance, privilege escalation, and data exfiltration before encrypting files. The ransomware uses Curve25519 elliptic-curve cryptography and intermittent encryption techniques to minimize encryption time while maintaining impact.
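As an added defender-side illustration (not code from the original article or from Halcyon), the following minimal detector flags the password-spraying pattern named above: a single source that fails against many distinct accounts with only one or two attempts each, which is what separates a spray from a brute force against one account. The log format, addresses and user names are constructed for the example.

```python
from collections import defaultdict
import re

# Constructed sample authentication log lines (not from the original page).
SAMPLE_LOG = """\
2024-06-01T08:00:01Z src=203.0.113.7 user=alice result=FAIL
2024-06-01T08:00:03Z src=203.0.113.7 user=bob result=FAIL
2024-06-01T08:00:05Z src=203.0.113.7 user=carol result=FAIL
2024-06-01T08:00:07Z src=203.0.113.7 user=dave result=FAIL
2024-06-01T08:00:09Z src=203.0.113.7 user=erin result=FAIL
2024-06-01T08:00:11Z src=203.0.113.7 user=frank result=SUCCESS
2024-06-01T08:01:00Z src=198.51.100.9 user=alice result=FAIL
2024-06-01T08:01:02Z src=198.51.100.9 user=alice result=FAIL
2024-06-01T08:01:04Z src=198.51.100.9 user=alice result=SUCCESS
"""

LINE_RE = re.compile(r"src=(\S+) user=(\S+) result=(\S+)")

def detect_spray(log_text, min_users=5, max_per_user=2):
    """Return {src: {"users": n, "successes": [...]}} for every source that
    failed against at least min_users distinct accounts with at most
    max_per_user failures per account (the spray profile), together with any
    accounts that source later logged into successfully."""
    fails = defaultdict(lambda: defaultdict(int))   # src -> user -> fail count
    successes = defaultdict(list)                   # src -> [users]
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ignore lines that are not auth events
        src, user, result = m.groups()
        if result == "FAIL":
            fails[src][user] += 1
        elif result == "SUCCESS":
            successes[src].append(user)
    hits = {}
    for src, per_user in fails.items():
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            hits[src] = {"users": len(per_user), "successes": successes[src]}
    return hits

if __name__ == "__main__":
    # 203.0.113.7 sprays five accounts and then succeeds on "frank";
    # 198.51.100.9 retries one account, which is not a spray.
    print(detect_spray(SAMPLE_LOG))
```

A success following a spray from the same source is the alert to act on first, since it indicates a working credential rather than just noise.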
Vulnerabilities and Impact
PHD Services' extensive operations and reliance on digital systems for managing client data and service delivery made them a prime target for RansomHub. The attack has highlighted the vulnerabilities in their cybersecurity infrastructure, emphasizing the need for enhanced security measures to protect against sophisticated ransomware threats.