One of the year’s most prominent ransom gangs has set its sights on Australian engineering and construction companies, hitting three targets in less than a fortnight.

First observed in February 2022, RansomHub is a ransomware threat actor which rose in notoriety after claiming an attack at global auction house Christie’s in May this year.

Since then, the gang has posted nearly 90 additional victims to its dark web leak site – and most recently appears to have set its sights on Australian firms.

On 1 August, RansomHub added a leak listing for Perth-based engineering company McDowall Affleck, threatening to leak 470GB of stolen data.

“On July 24th, the company McDowall Affleck was attacked,” wrote RansomHub.

“The company's network was encrypted, and confidential data was extracted.”

The gang claimed to have stolen blueprints and project documents, insurance information, tender and contract details, the personal information of employees and “much more”.

“The company's director, Stephen Connell, was personally notified several times with details about the incident and was informed that if he did not pay us, all the data would be published on our blog,” threatened RansomHub.

McDowall Affleck later confirmed to Cyber Daily it had “experienced a cyber incident”, and had notified both Western Australian police and the Australian Cyber Security Centre as it investigates RansomHub’s claims.

The gang’s dark web site currently displays a 4-day countdown timer for McDowall Affleck.

RansomHub went on to claim two more Aussie victims late last week: Victorian engineering firm Kempe Engineering and Tasmanian construction outfit Hudson Civil Products.

The listing for Hudson Civil is notably scant, claiming the theft of some 112GB of data and pointing to a ransom timer with 2 days remaining at the time of writing.

On the listing for Kempe Engineering, however, RansomHub advertised fully 4 terabytes of data and provided alleged samples to back up its claims.

These samples include an ANZ ‘payment and cash’ management request form, a purported life insurance statement belonging to a senior employee, and an alleged list of nearly 100 Kempe employees (alongside personal details such as phone numbers, home addresses, email addresses and dates of birth).

As the name suggests, RansomHub works by threatening to either dump or sell stolen data unless a ransom is paid – using an affiliate model where the gang itself collects 10 per cent of extorted profits while criminal “affiliates” carry out its ransomware attacks for the bulk of the payout.

At the time of writing, the group claims its listings for Kempe Engineering, Hudson Civil and McDowall Affleck have collectively attracted nearly 8,000 visitors to its leak site.

Why Aussie engineering?

While it is by no means unusual for a threat actor to target high-value industries such as engineering and construction, RansomHub’s latest Aussie streak signals a marked shift in the gang’s behaviour.

By comparison, recent attacks at ticketing vendors Ticketmaster and Ticketek were largely suspected of sharing a common thread via third-party vendor Snowflake, which eventually revealed that many of its customers were victims of a widespread threat campaign.

Neither McDowall Affleck, Kempe Engineering nor Hudson Civil responded when asked by Information Age whether RansomHub’s alleged attacks are legitimate, or if they occurred through a third-party vendor.

RansomHub is believed to be an international operation with either an affinity or affiliation with communist states.

According to its site, the group does not allow “CIS, Cuba, North Korea and China to be targeted”, and has largely targeted a mix of victims in the US, Brazil, Indonesia, Vietnam, New Zealand and, more recently, Australia.

The gang has also repeatedly victimised critical sector organisations – particularly in healthcare, government and water distribution.

Given Kempe, Hudson and McDowall have all serviced clients in critical infrastructure, RansomHub’s alleged attacks could be related to wider criminal goals for Australian critical infrastructure organisations.

Other Australian victims claimed by RansomHub include Sydney jewellery company Pierre Diamonds and design firm Intoto – the latter of which saw the gang publish alleged client data for the likes of KFC, Event Cinemas, and Vodafone.