RansomHub Ransomware Hits Thornton Inc., Exfiltrates 100 GB of Data
RansomHub Ransomware Attack on Thornton Inc.
Thornton Construction Company, Inc., commonly known as Thornton Inc., has recently fallen victim to a ransomware attack orchestrated by the RansomHub group. The attackers claim to have exfiltrated 100 GB of sensitive data from the company, which is a prominent player in the construction and engineering sectors.
About Thornton Inc.
Established in 1998 by Thomas Thornton and headquartered in Miami, Florida, Thornton Inc. specializes in construction management and general contracting services. The company employs between 101 and 250 individuals and reports an annual revenue of approximately $33.9 million. Thornton Inc. is known for its commitment to quality, safety, and client satisfaction, boasting a high rate of repeat customers. The firm operates across various sectors, including commercial, industrial, and institutional buildings, and emphasizes rigorous safety protocols and a strong corporate culture.
Attack Overview
The ransomware attack on Thornton Inc. was claimed by RansomHub via their dark web leak site. The group asserts that they have exfiltrated 100 GB of data, which could potentially include sensitive project details, financial records, and personal information of employees and clients. The attack highlights the vulnerabilities in Thornton Inc.'s cybersecurity measures, despite their strong operational protocols in other areas.
About RansomHub
RansomHub is a Ransomware-as-a-Service (RaaS) group that emerged in February 2024. The group is known for its aggressive affiliate model and double extortion tactics, which involve encrypting victims' data and exfiltrating sensitive information to increase ransom demands. RansomHub has quickly gained notoriety for its speed and efficiency, targeting high-value sectors such as healthcare, financial services, and government.
Penetration Methods
RansomHub affiliates typically use phishing campaigns, vulnerability exploitation, and password spraying to gain initial access to their targets. In the case of Thornton Inc., it is likely that the attackers exploited unpatched systems or used social engineering techniques to infiltrate the company's network. Once inside, they would have conducted network reconnaissance, escalated privileges, and exfiltrated data before deploying the ransomware to encrypt files.
RansomHub's Distinguishing Features
RansomHub sets itself apart with its use of intermittent encryption, which encrypts files in chunks to minimize encryption time while maintaining impact. The group employs Curve25519 elliptic curve encryption for generating unique keys per victim and uses a modular architecture that allows affiliates to update ransomware strains quickly to avoid detection. These features, combined with their ruthless operational tactics, make RansomHub a formidable threat in the cybersecurity landscape.
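Because intermittent encryption leaves untouched chunks between encrypted ones, a file's average entropy can stay below the thresholds many detectors use, while a per-block entropy profile shows the pattern. The following is an added defender-side example, not code from the original article or from any vendor; the block size, the entropy threshold, the run count and the sample data are assumptions chosen for illustration, not RansomHub parameters.

```python
from __future__ import annotations
import hashlib
import math

BLOCK = 4096   # analysis block size in bytes (assumption for this example)
HIGH = 7.5     # bits/byte at or above which a block looks encrypted or compressed

def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of one block in bits per byte (0.0 to 8.0)."""
    counts = [0] * 256
    for byte in block:
        counts[byte] += 1
    total = len(block)
    return -sum(c / total * math.log2(c / total) for c in counts if c)

def high_entropy_map(data: bytes) -> list[bool]:
    """One flag per full block; a short tail is skipped because a small
    sample cannot reach high entropy and would skew the result."""
    return [shannon_entropy(data[i:i + BLOCK]) >= HIGH
            for i in range(0, len(data) - BLOCK + 1, BLOCK)]

def classify(data: bytes, min_runs: int = 3) -> str:
    flags = high_entropy_map(data)
    if not any(flags):
        return "plain"
    if all(flags):
        return "uniform-high"   # fully encrypted, or simply compressed media
    # Several separate high-entropy runs between low-entropy blocks is the
    # pattern chunked encryption leaves; one run is more often an embedded
    # image or archive, so it is reported as "mixed" instead.
    runs = sum(1 for i, f in enumerate(flags) if f and (i == 0 or not flags[i - 1]))
    return "intermittent-suspect" if runs >= min_runs else "mixed"

def pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic stand-in for ciphertext: SHA-256 over a counter."""
    chunks = (hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(chunks)[:n]

def make_samples() -> dict[str, bytes]:
    """Constructed sample files; nothing here comes from a real incident."""
    line = b"2024-01-01 project=sample-tower item=rebar qty=120 cost=4500.00\n"
    plain = (line * (16 * BLOCK // len(line) + 1))[:16 * BLOCK]
    partial = bytearray(plain)
    for off in range(0, len(partial), 4 * BLOCK):   # overwrite 1 block in every 4
        partial[off:off + BLOCK] = pseudo_random(BLOCK, off.to_bytes(4, "big"))
    return {"plain": plain, "partial": bytes(partial),
            "full": pseudo_random(16 * BLOCK, b"full")}

if __name__ == "__main__":
    for name, blob in make_samples().items():
        print(f"{name:8s} -> {classify(blob)}")
```

A heuristic like this yields false positives on container formats that mix compressed and uncompressed sections, so it is best used as one signal alongside file-rename and write-rate telemetry.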