Now on Demand: Zero Trust Strategies Summit - Access All Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Ransomware

US Government Issues Advisory on Ransomware Group Blamed for Halliburton Cyberattack

The RansomHub ransomware group, which has made at least 210 victims, is believed to be behind the attack on oil giant Halliburton. 

Halliburton ransomware

The RansomHub ransomware group is believed to be behind the attack on oil giant Halliburton, and the US government has issued an advisory focusing on the cybercrime gang.

Halliburton, considered the world’s second largest oil service company, revealed on August 21 in an SEC filing that an unauthorized third party had gained access to some of its systems.

While no technical details were made public, the incident response steps described by the company suggested that it may have been targeted in a ransomware attack. 

Since the incident came to light, there have been several unconfirmed reports that RansomHub is behind the Halliburton incident, including from reputable ransomware researcher Dominic Alvieri

On Reddit, a few anonymous individuals mentioned RansomHub being behind the attack, with one claiming that data was stolen and that the cybercriminals had been demanding a $45 million ransom.

Bleeping Computer also reported on Thursday that RansomHub is behind the Halliburton attack, based on some indicators of compromise (IoCs).

RansomHub’s leak website does not mention Halliburton at the time of writing, which suggests that — if they are indeed behind the attack — the cybercriminals are still in negotiations with the company.

Halliburton has not made public any information beyond its initial statement and SEC filing. SecurityWeek has reached out to the company for confirmation that it was targeted by the RansomHub ransomware group and will update this article if the company responds.

Advertisement. Scroll to continue reading.

The cybersecurity agency CISA, the FBI, the HHS and the Multi-State Information Sharing and Analysis Center (MS-ISAC) on Thursday published a joint advisory detailing RansomHub attacks.

The advisory describes the tactics, techniques and procedures (TTPs) used in RansomHub attacks and shares IoCs that can be used to detect and prevent intrusions. 

According to the government agencies, the RansomHub operation has encrypted and exfiltrated data from at least 210 victims since its inception in February 2024. 

RansomHub’s Tor-based leak website currently lists 180 victims, but the US government is likely aware of additional victims. 

The government advisory mentions that RansomHub victims are from various critical infrastructure sectors, including water, IT, government services and facilities, healthcare, emergency services, financial services, food and agriculture, commercial facilities, critical manufacturing, communications, and transportation. 

The advisory, however, does not mention victims in the energy sector, which includes oil companies. This indicates that the timing of the advisory may not be related to the Halliburton attack.

Related: American Radio Relay League Paid $1 Million to Ransomware Gang

Related: Ransomware Gang Leaks Data Allegedly Stolen From Microchip Technology

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Former Darktrace CEO Poppy Gustafsson has joined the UK government as Minister for Investment.

Nupur Goyal has joined cloud identity security and management solutions provider Saviynt as VP of Product Marketing.

Threat intelligence firm Intel 471 has appointed Mark Huebeler as its COO and CFO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.