The RansomHub ransomware gang was behind a recent cyberattack on oil and gas services giant Halliburton, disrupting the company’s IT systems and business processes.
The attack caused widespread disruption, with BleepingComputer told of customers being unable to create invoices or purchase orders because necessary systems were down.
The company provides a range of services to oil and gas companies, including well construction, drilling, hydraulic fracturing (fracking), and IT software and services. The company has close relationships with its customers due to the wide range of services it offers.
When BleepingComputer reached out to Halliburton about these allegations, the company said it had no further comment.
“We will not comment on anything beyond what is contained in the file. All subsequent notifications will be in the form of a Form 8-K,” Halliburton told BleepingComputer.
However, in an August 26 email sent to suppliers and shared with BleepingComputer, Halliburton provided additional information, saying the company had taken its systems offline for protection and was working with Mandiant to investigate the incident.
Analysis of the sample showed it to be a newer version than previously analyzed, as it included a new command line argument, “-cmd string,” that runs a command on the device before encrypting files.
Ransomware operation RansomHub launched in February 2024 and claimed to be an extortion and data theft group that sold stolen files to the highest bidder.
However, shortly after, it was discovered that the operation also used a ransomware encryptor in a double extortion attack. Attackers penetrated networks, stole data, and encrypted files.
The encrypted files and the threat of leaking the stolen data were used to blackmail companies into paying the ransom.
Since the beginning of the year, RansomHub has been responsible for a number of high-profile attacks against US non-profit credit union Patelco, drugstore chain Rite Aid, auction house Christie’s, and US telecommunications provider Frontier Communications, among others.
A data leak site from the ransomware operation was also used to leak data stolen from Change Healthcare after the closure of the BlackCat and ALPHV ransomware operations.
Following BlackCat’s closure, it is believed that some of its partners migrated to RansomHub, enabling them to quickly escalate attacks with the help of experienced ransomware threat actors.
