Norway-based silicon materials manufacturer REC Silicon has disclosed a ransomware attack on its systems. The attack halted the company’s business systems for a brief time, according to a stock exchange disclosure. Cybercriminal group RansomExx had listed REC Silicon as a target on December 11, days after the company announced its EGM date.
The company claimed minimal data loss and said that all of its intellectual property was safe. However, it did not disclose the amount of data lost, the date and duration of the attack, or whether the company has received a ransom demand.
“The company’s virtual server environment suffered a ransomware attack that caused business systems to stop functioning for a brief period of time,” said the announcement.
“Although all REC systems have been recovered, regretfully, the threat actor did exfiltrate a limited amount of data that does not appear to include any significant intellectual property of the company,” it added.
The dark web researchers commissioned by The Cyber Express could not detect the company’s data posted for sale or distribution on any of the known dark web marketplaces or Telegram groups.
Shareholder tussle
The attack disclosure comes at a time when the company board is battling with its second-largest investor Lodbrok Capital, which has been questioning the role of South Korea’s Hanwha Group – the company’s largest shareholder – over the company’s operations and board.
Lodbrok successfully pressed the board to announce an emergency general meeting, to be conducted on 22 December – just two months after the previous EGM – with the intention of initiating a change in the company board.
Emsisoft Threat Analyst Brett Callow tweeted on December 11 that the RansomExx group had listed the company as a target.
RansomExx lists REC Silicon days before the company’s EGM. #ransomware https://t.co/ky5pC8KhwP pic.twitter.com/UU2CR4qh0b
— Brett Callow (@BrettCallow) December 11, 2022
The company went through a series of high-profile board and executive changes over the past six months, including a host of new directors and a CEO.
RansomExx: mode of operation
RansomExx, earlier known as Defray777, was found to be linked to the cybercriminal group Gold Dupont. Several research reports pinpointed the goal as financial gain. The malware used included RansomExx or Defray777, Cobalt Strike, Metasploit, and Vatet Loader.
Although active since 2018, the group rose to notoriety in 2020 after successive attacks on high-profile targets, including government agencies. Researchers confirmed the name RansomExx after the string “ransom.exx” was discovered in its binary. That year, the group opened its leak site, both to name and shame reluctant victims into paying and to sell stolen data.
“Like other groups, the one running RansomEXX appears to have no qualms about publishing data stolen from its targets. It has also published information stolen from government agencies — a recent case was an attack on a Scottish mental health charity in March 2022, where they published 12GB worth of data that included the personal information and even credit card details of the charity’s volunteers,” noted a Trend Micro threat advisory.
IBM researchers last month found a new variant of the ransomware, which was rewritten in the Rust programming language.