Halliburton reportedly sent emails to suppliers with indicators of compromise confirming a ransomware attack.

The August 21 cyberattack on the US oilfield services contractor Halliburton is now feared to be a ransomware attack, according to an email reportedly sent to the company’s suppliers.

BleepingComputer accessed a copy of the email and reported that it had been able to confirm one of the indicators of compromise (IOCs) shared within the email “to be a RansomHub ransomware encryptor.”

Halliburton is one of the biggest oil service companies globally, responsible for most of the world’s largest fracking operations.

RansomHub encryptor found

Analysis of the IOCs shared in the email, which included filenames and IP addresses, reportedly revealed a Windows executable named maintenance.exe, the file confirmed to be a RansomHub encryptor. The connection had already been made in several social media rumors, but no evidence had yet been presented.

Emails sent to Halliburton by CSO for comment did not elicit a response at the time of publishing this article.

“We are reaching out to update you about a cybersecurity issue affecting Halliburton,” said the email to suppliers. “As soon as we learned of the issue, we activated our cybersecurity response plan and took steps to address it, including (1) proactively taking certain systems offline to help protect them, (2) engaging the support of leading external advisors, including Mandiant, and (3) notifying law enforcement.”

Incidentally, the FBI and CISA have released a joint advisory on the RansomHub ransomware variant, calling it a formidable service model attracting high-profile affiliates from other prominent variants such as LockBit and ALPHV.
“Since its inception in February 2024, RansomHub has encrypted and exfiltrated data from at least 210 victims representing the water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications critical infrastructure sectors,” CISA added in the advisory.

Halliburton sent into shutdown

The cyberattack pushed Halliburton to shut down a few of its systems while it investigated the incident, according to the company’s SEC filing. The generation of invoices and purchase orders was temporarily affected, but a workaround has since been made available, according to the email.

“On August 21, 2024, Halliburton Company became aware that an unauthorized third party gained access to certain of its systems,” the oilfield services giant said in the filing. “The Company’s response efforts included proactively taking certain systems offline to help protect them and notifying law enforcement.”

Additionally, the company launched an internal investigation with the “support of external advisors to assess and remediate the unauthorized activity,” the filing added.