Ransomware Hits Roberts Environmental Control: Abyss Group Attack
Roberts Environmental Control, a well-established mechanical contractor based in Illinois, has recently been listed as a victim of a ransomware attack claimed by the cybercriminal group known as Abyss. The claim has raised concerns about the security measures in place and the potential impact on the company's operations and sensitive information.
About Roberts Environmental Control
Roberts Environmental Control, originally founded in 1949 as Roberts Refrigeration, is a mechanical contracting firm specializing in the installation and service of complex mechanical systems. The company was incorporated under its current name in 1973 by James and Robert Wasniewski. Over the years, the company has expanded its services to include pipe fitting, sheet metal work, and temperature control, establishing itself as a full-service provider in the HVAC industry. With a workforce of approximately 55 employees and a revenue exceeding $10 million, Roberts Environmental Control is a notable player in the HVAC market.
Attack Overview
The ransomware attack on Roberts Environmental Control was claimed by the Abyss group via their dark web leak site. The attackers managed to infiltrate the company's systems and exfiltrate a substantial amount of data, totaling 240GB in its uncompressed form. This breach underscores the growing threat of ransomware attacks and highlights the critical need for enhanced cybersecurity defenses.
About Abyss Ransomware Group
The Abyss ransomware group is a multi-extortion operation that emerged in March 2023, primarily targeting VMware ESXi environments. The group runs a Tor-based leak site where it lists victims and publishes exfiltrated data if the victims fail to comply with its demands. Abyss Locker ransomware campaigns have targeted various industries, including finance, manufacturing, information technology, and healthcare, with a primary focus on the United States.
Penetration and Distinguishing Features
Initial access for Abyss Locker infections varies; affiliated threat actors have been observed brute-forcing SSH against exposed servers with weak SSH configurations to gain entry. The Linux payloads are derived from the Babuk codebase and behave similarly. The ransomware has a standard command-line interface that requires the operator to supply the target path to encrypt, so the actor must already have a shell on the host before encryption begins. Encrypted files are given the ".crypt" extension, and every folder containing encrypted files also receives an Abyss Locker ransom note with the ".README_TO_RESTORE" extension.
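The two observables above, repeated SSH password failures preceding a success and the ".crypt" / ".README_TO_RESTORE" file markers, are what a responder would hunt for first. The following is an added example written for this page, not code from Halcyon or from the Abyss Locker payload: it counts failed SSH logins per source address over constructed sshd log lines and walks a constructed directory tree for the encryption markers. The log lines, hostnames, IP addresses, the datastore layout and the ransom note basename "WhatHappened" are all assumptions made for the demo; only the two extensions come from the page.

```python
import os
import re
import tempfile
from collections import Counter, defaultdict

# Constructed sshd log lines (assumed format of a Linux auth.log; not real telemetry).
SAMPLE_AUTH_LOG = """\
Jan 12 03:14:01 esxi01 sshd[2231]: Failed password for root from 203.0.113.45 port 51122 ssh2
Jan 12 03:14:03 esxi01 sshd[2231]: Failed password for root from 203.0.113.45 port 51124 ssh2
Jan 12 03:14:05 esxi01 sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51126 ssh2
Jan 12 03:14:07 esxi01 sshd[2231]: Failed password for root from 203.0.113.45 port 51128 ssh2
Jan 12 03:14:09 esxi01 sshd[2231]: Failed password for root from 203.0.113.45 port 51130 ssh2
Jan 12 03:14:11 esxi01 sshd[2231]: Failed password for root from 203.0.113.45 port 51132 ssh2
Jan 12 03:14:13 esxi01 sshd[2231]: Accepted password for root from 203.0.113.45 port 51134 ssh2
Jan 12 08:02:44 esxi01 sshd[2419]: Failed password for ops from 198.51.100.7 port 40012 ssh2
Jan 12 08:02:50 esxi01 sshd[2419]: Accepted publickey for ops from 198.51.100.7 port 40014 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
ACCEPTED_RE = re.compile(r"Accepted password for (\S+) from (\d+\.\d+\.\d+\.\d+)")


def find_ssh_bruteforce(lines, threshold=5):
    """Return {src_ip: (failed_count, [users accepted by password])} for every
    source that produced at least `threshold` password failures. A non-empty
    user list means the guessing succeeded, which is the case to escalate."""
    failed = Counter()
    accepted = defaultdict(set)
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failed[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted[m.group(2)].add(m.group(1))
    return {ip: (n, sorted(accepted.get(ip, ()))) for ip, n in failed.items() if n >= threshold}


# File markers reported for Abyss Locker on the page.
ENCRYPTED_EXT = ".crypt"
NOTE_EXT = ".README_TO_RESTORE"


def scan_for_abyss_artifacts(root):
    """Walk `root` and return sorted lists of encrypted files and ransom notes."""
    encrypted, notes = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_EXT):
                encrypted.append(path)
            elif name.endswith(NOTE_EXT):
                notes.append(path)
    return {"encrypted": sorted(encrypted), "notes": sorted(notes)}


def build_sample_tree():
    """Create a temporary tree that mimics a partially encrypted datastore.
    Entirely constructed for the demo; the layout and names are assumptions."""
    root = tempfile.mkdtemp(prefix="abyss_demo_")
    hit = os.path.join(root, "datastore1", "vm01")
    os.makedirs(hit)
    for name in ("vm01.vmdk" + ENCRYPTED_EXT, "vm01.vmx" + ENCRYPTED_EXT):
        with open(os.path.join(hit, name), "wb"):
            pass
    with open(os.path.join(hit, "WhatHappened" + NOTE_EXT), "w") as f:
        f.write("constructed ransom note placeholder\n")
    clean = os.path.join(root, "datastore1", "vm02")
    os.makedirs(clean)
    with open(os.path.join(clean, "vm02.vmdk"), "wb"):
        pass
    return root


if __name__ == "__main__":
    for ip, (count, users) in find_ssh_bruteforce(SAMPLE_AUTH_LOG.splitlines()).items():
        print(f"SSH brute force from {ip}: {count} failures, accepted as {users or 'nobody'}")
    result = scan_for_abyss_artifacts(build_sample_tree())
    print(f"{len(result['encrypted'])} encrypted file(s), {len(result['notes'])} ransom note(s)")
```

The threshold of five failures is a starting point, not a tuned value; on a real host, pair the count with a time window and exclude sources that only authenticate by public key, as the second address in the sample does. The file scan is intentionally extension-only because that is all the page attributes to the payload; treat a match as a trigger to isolate the host and preserve the datastore, not as proof of encryption on its own.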