RansomHub Ransomware Hits Turkish Beverage Giant Aroma Bursa
RansomHub Ransomware Attack on Aroma Bursa Meyve
Aroma Bursa Meyve Suları ve Gıda Sanayi A.Ş., a leading Turkish beverage manufacturer, has fallen victim to a ransomware attack by the notorious RansomHub group. The attackers claim to have exfiltrated 500 GB of sensitive data, including SQL Server databases such as TIGER_DB, AXATA_WM, and PAPERWORK_TEST.
About Aroma Bursa Meyve
Established in 1968 in the Gürsu district of Bursa, Aroma specializes in producing fruit juices, natural spring water, and carbonated beverages. The company operates a 75,000 m² facility and has significantly expanded its fruit processing capacity from 20,000 tons to 125,000 tons annually since the Duruk Group's acquisition in 1991. Aroma is known for pioneering several innovations in the Turkish beverage market, including the introduction of 100% fruit juice and multivitamin mixed fruit juice.
Attack Overview
The ransomware attack on Aroma Bursa Meyve was executed by RansomHub, a Ransomware-as-a-Service (RaaS) group that emerged in February 2024. The group is known for its aggressive affiliate model and double extortion tactics: affiliates exfiltrate sensitive data before encrypting the victim's systems, then use the threat of publishing that data on the group's leak site to increase pressure to pay. The data claimed in this case includes several SQL Server databases, which, if genuine, would expose both business records and the backend of the company's operational systems.
RansomHub's Modus Operandi
RansomHub distinguishes itself through its speed and efficiency, targeting large enterprises with valuable data. Affiliates gain initial access through a combination of phishing campaigns, exploitation of known vulnerabilities in internet-facing systems, and password spraying against exposed logon services. Once inside, they use Mimikatz to harvest credentials and escalate privileges, and PsExec to move laterally by launching commands and services on remote hosts. Data is staged and exfiltrated with tools such as WinSCP and Rclone before the files are encrypted; the encryptor uses Curve25519 elliptic-curve cryptography, so the per-victim key material cannot be recovered from the binary alone.
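Three of the behaviours listed above leave recognisable traces in Windows event logs: password spraying shows up as many logon failures (Event ID 4625) from one source against many different accounts, PsExec installs a service named PSEXESVC on the target host (Event ID 7045), and Rclone exfiltration appears as a process creation (Event ID 4688) whose command line pairs a copy/sync/move subcommand with a `remote:path` argument. The following detection logic is an added example, not code from the original article or from Halcyon; the event records, host names, field names and thresholds are constructed for illustration and are not taken from the Aroma Bursa incident.

```python
"""Added example: simple detections for RansomHub-style tradecraft over
constructed Windows event log records (simplified JSON shape, not a real export).
Thresholds, host names and field names are assumptions for illustration."""
import json
import ntpath
import re
from collections import defaultdict

# Constructed sample events. Times are seconds since an arbitrary epoch.
SAMPLE_EVENTS = (
    # Password spray: one source IP, six different accounts, one failure each, within a minute
    [{"EventID": 4625, "Host": "DC01", "IpAddress": "10.0.0.77",
      "TargetUserName": u, "Time": 1000 + 10 * i}
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    # A user mistyping their own password three times: one account, should NOT be flagged
    + [{"EventID": 4625, "Host": "DC01", "IpAddress": "10.0.0.5",
        "TargetUserName": "alice", "Time": t} for t in (1000, 1005, 1010)]
    + [
        # PsExec service installation on a file server (the service name is PsExec's default)
        {"EventID": 7045, "Host": "FILESRV01", "ServiceName": "PSEXESVC",
         "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "Time": 1500},
        # Benign service install for contrast
        {"EventID": 7045, "Host": "FILESRV01", "ServiceName": "Spooler",
         "ImagePath": "C:\\Windows\\System32\\spoolsv.exe", "Time": 1510},
        # Rclone copying a share to a configured remote (bucket name is constructed)
        {"EventID": 4688, "Host": "FILESRV01",
         "NewProcessName": "C:\\Users\\Public\\rclone.exe",
         "CommandLine": "rclone.exe copy D:\\Shares\\Finance loot:bucket --transfers 32",
         "Time": 1600},
        # Benign process creation for contrast
        {"EventID": 4688, "Host": "WS-22",
         "NewProcessName": "C:\\Windows\\System32\\notepad.exe",
         "CommandLine": "notepad.exe", "Time": 1610},
    ]
)


def detect_password_spray(events, window_seconds=600, min_accounts=5):
    """Return {source_ip: max_distinct_accounts} for sources whose 4625 failures
    hit at least min_accounts distinct accounts inside any sliding window."""
    by_ip = defaultdict(list)
    for e in events:
        if e.get("EventID") == 4625:
            by_ip[e["IpAddress"]].append((e["Time"], e["TargetUserName"]))
    hits = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        in_window = defaultdict(int)  # account -> failures currently inside the window
        left = 0
        for t, user in attempts:
            in_window[user] += 1
            # Slide the left edge forward until every attempt is within window_seconds of t
            while attempts[left][0] < t - window_seconds:
                old_user = attempts[left][1]
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
                left += 1
            if len(in_window) >= min_accounts:
                hits[ip] = max(hits.get(ip, 0), len(in_window))
    return hits


def detect_psexec_service(events):
    """Return [(host, service_name)] for 7045 events that install PsExec's service."""
    hits = []
    for e in events:
        if e.get("EventID") != 7045:
            continue
        name = e.get("ServiceName", "")
        path = e.get("ImagePath", "")
        if name.upper() == "PSEXESVC" or path.upper().endswith("PSEXESVC.EXE"):
            hits.append((e["Host"], name))
    return hits


# An rclone remote looks like "name:path"; require 2+ chars before the colon so that
# Windows drive letters such as "D:\Shares" do not match.
REMOTE_ARG = re.compile(r"(^|\s)[A-Za-z0-9_-]{2,}:\S*")


def detect_rclone_exfil(events):
    """Return [(host, command_line)] for 4688 events where rclone copies data to a remote.
    Caveat: matching on the image name misses a renamed binary; a production rule
    would also key on the PE's original file name or a file hash."""
    hits = []
    for e in events:
        if e.get("EventID") != 4688:
            continue
        exe = ntpath.basename(e.get("NewProcessName", "")).lower()
        cmd = e.get("CommandLine", "")
        args = cmd.split()
        if exe == "rclone.exe" and any(v in args for v in ("copy", "sync", "move")) \
                and REMOTE_ARG.search(cmd):
            hits.append((e["Host"], cmd))
    return hits


def run_all(events):
    """Run every detection and return the findings keyed by technique."""
    return {
        "password_spray": detect_password_spray(events),
        "psexec_service": detect_psexec_service(events),
        "rclone_exfil": detect_rclone_exfil(events),
    }


if __name__ == "__main__":
    print(json.dumps(run_all(SAMPLE_EVENTS), indent=2))
```

The spray detector keys on distinct accounts per source rather than raw failure counts, which is what separates a spray from a single user locked out of their own account; the window and account thresholds should be tuned against the environment's normal 4625 volume. None of these rules is a substitute for blocking the initial access paths the article names (exposed logon services without MFA, unpatched edge devices), but they give a defender a chance to catch an affiliate between initial access and encryption.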
Potential Vulnerabilities
Aroma Bursa Meyve's reliance on SQL Server databases and integrated manufacturing systems may have made it an attractive target for RansomHub; the specific entry point has not been disclosed. Because RansomHub affiliates routinely exploit known, unpatched vulnerabilities in internet-facing systems and spray passwords against exposed logon services, the practical lessons are the usual ones: patch edge devices and remote-access services promptly, require multi-factor authentication on every remote logon, restrict direct network access to database servers, keep offline and tested backups, and monitor for the credential theft, PsExec and bulk-transfer activity that precedes encryption.