ASEC Blog publishes Ransom & Dark Web Issues Week 3, December 2024 Korean Semiconductor PCB Specialist Company: Exposed to DLS Due to Underground Ransomware Attack 5.9TB of Data from the Thai Ministry of Finance Leaked on BreachForums ThreeAM Claims Responsibility for Ransomware Attack on the U.S. Subsidiary of a Japanese Water […]
Analysis Summary
# Incident Report: December 2024 Ransomware and Data Leak Incidents (Week 3 Summary)
## Executive Summary
This report summarizes several significant cyber incidents reported in the third week of December 2024, primarily involving ransomware attacks and subsequent data exposure on the dark web. Key events include a data leak affecting the Thai Ministry of Finance via BreachForums, a ransomware attack on Kurita America Inc. claimed by ThreeAM, and a ransomware attack exposing sensitive data from a South Korean semiconductor PCB specialist. The incidents highlight continued threats involving data exfiltration preceding or alongside encryption.
## Incident Details
- **Discovery Date:** Week of December 19, 2024 (Publication Date of Summary)
- **Incident Date:** Various dates around December 2024
- **Affected Organizations:** Thai Ministry of Finance; Kurita America Inc. (KAI); a South Korean semiconductor PCB specialist company (unnamed)
- **Sector:** Government (Finance), Manufacturing/Water Treatment Solutions, Semiconductor/Electronics
- **Geography:** Thailand, United States (Subsidiary location), South Korea
## Timeline of Events
### Initial Access
- **Date/Time:** Undisclosed, occurring prior to discovery/publication.
- **Vector:** Ransomware attack (KAI and the Korean company); compromise followed by a data dump on BreachForums (Thai MoF).
- **Details:**
* Thai Ministry of Finance data (5.9 TB) was leaked on BreachForums, suggesting a successful compromise leading to data theft.
* Kurita America Inc. (KAI) suffered a ransomware attack claimed by the ThreeAM group, resulting in the encryption of multiple servers.
* A South Korean semiconductor PCB specialist company was listed on a data leak site (DLS) following an underground ransomware attack.
### Lateral Movement
- **Details:** The specific vectors for lateral movement are not detailed in the summary; however, the encryption of "multiple servers" at KAI implies successful network traversal following initial compromise.
### Data Exfiltration/Impact
- **Details:**
* Thai MoF: 5.9 TB of data leaked.
* Korean PCB Specialist: Exposure on a Data Leak Site (DLS).
* KAI: Ransomware encryption applied to multiple servers.
### Detection & Response
- **Details:** The incidents were brought to light through reporting by ASEC/AhnLab, indicating external discovery or public disclosure by threat actors (e.g., via BreachForums or DLS). Specific organizational response actions are not detailed in this summary, other than the confirmation of the attacks.
## Attack Methodology (Inferred from Nature of Attacks)
- **Initial Access:** Likely phishing, external service exploitation, or exploiting known vulnerabilities (standard ransomware entry points).
- **Persistence:** Not specified, but required for data exfiltration pre-encryption.
- **Privilege Escalation:** Not specified.
- **Defense Evasion:** Not specified.
- **Credential Access:** Not specified.
- **Discovery:** Required to identify valuable data sets (5.9 TB for Thai MoF).
- **Lateral Movement:** Involved in encrypting multiple servers at KAI.
- **Collection:** Demonstrated by the exfiltration of 5.9 TB of data from the Thai Ministry of Finance.
- **Exfiltration:** Explicitly occurred in the Thai MoF breach and heavily implied in the others (DLS listing).
- **Impact:** Data encryption (KAI, Korean company) and data publication (Thai MoF).
## Impact Assessment
- **Financial:** Not quantifiable based on the article, but ransomware demands and remediation costs are significant.
- **Data Breach:** Significant volume (5.9 TB) from the Thai MoF; sensitive corporate and technical data likely involved in the semiconductor and water treatment cases.
- **Operational:** The encryption of multiple servers at KAI indicates immediate operational disruption.
- **Reputational:** High impact due to public listing on BreachForums and potential disclosure of state data (Thai MoF).
## Indicators of Compromise
*Specific IOCs are not extracted or detailed in this summary as the report focuses on aggregated threat intelligence trends, requiring subscription to AhnLab TIP for specifics.*
## Response Actions
- **Containment measures:** Not specified in the summary.
- **Eradication steps:** Not specified in the summary.
- **Recovery actions:** Not specified in the summary.
## Lessons Learned
- **Key takeaways:** Data extortion (exfiltration followed by DLS listing) remains a primary tactic, used alongside or ahead of encryption for maximum leverage. Government and critical infrastructure sectors (such as water treatment services) remain primary targets.
- **What could have been done better:** The successful exfiltration of 5.9 TB from the Thai MoF suggests potential gaps in data governance, access controls, or monitoring.
## Recommendations
- Implement robust **Data Loss Prevention (DLP)** controls, especially for high-volume data repositories.
- Maintain strong **network segmentation** to limit the scope of lateral movement during ransomware events.
- Continuously monitor underground forums like BreachForums for organizational data exposure.
- Ensure patching and vulnerability management processes are prioritized, particularly for externally facing services used as initial access points.
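The monitoring gap behind a multi-terabyte exfiltration is usually that nobody compares a host's outbound volume against its own history. The check below is an added example written for this summary, not code from ASEC/AhnLab or any of the affected organizations; it assumes a constructed NetFlow-style record format (day, source host, destination IP, bytes out) and constructed internal address ranges, and flags any host whose daily egress to external addresses jumps far above its median.

```python
"""Flag hosts whose daily egress to external addresses far exceeds their own
baseline. Added, self-contained example with constructed data; not ASEC code."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed: the organization's internal ranges (assumption for this example).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Constructed flow records: (day, src_host, dst_ip, bytes_out). Days 1-3 are
# ordinary traffic; on day 4 "fileserver-02" pushes 900 GB to one external
# address, the shape a bulk exfiltration leaves in flow logs.
SAMPLE_FLOWS = [
    ("2024-12-01", "fileserver-02", "10.0.5.20", 2_000_000_000),
    ("2024-12-01", "fileserver-02", "203.0.113.10", 150_000_000),
    ("2024-12-02", "fileserver-02", "203.0.113.10", 120_000_000),
    ("2024-12-03", "fileserver-02", "203.0.113.10", 180_000_000),
    ("2024-12-04", "fileserver-02", "198.51.100.77", 900_000_000_000),
    ("2024-12-01", "workstation-17", "203.0.113.10", 50_000_000),
    ("2024-12-02", "workstation-17", "203.0.113.10", 60_000_000),
    ("2024-12-03", "workstation-17", "203.0.113.10", 55_000_000),
    ("2024-12-04", "workstation-17", "203.0.113.10", 70_000_000),
]

def daily_external_egress(flows):
    """Sum bytes per host per day, counting only flows that leave INTERNAL_NETS."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, dst, nbytes in flows:
        if any(ip_address(dst) in net for net in INTERNAL_NETS):
            continue  # internal transfers are not exfiltration
        totals[host][day] += nbytes
    return totals

def egress_anomalies(flows, ratio=10.0, min_bytes=10_000_000_000):
    """Return (host, day, bytes, baseline) tuples where a day's external egress
    exceeds `ratio` times the host's median egress over earlier days AND an
    absolute floor `min_bytes`; the floor keeps low-traffic hosts from alerting."""
    alerts = []
    for host, per_day in daily_external_egress(flows).items():
        days = sorted(per_day)
        for day in days:
            history = [per_day[d] for d in days if d < day]
            if not history:
                continue  # no baseline yet for this host
            baseline = sorted(history)[len(history) // 2]
            if per_day[day] >= min_bytes and per_day[day] > ratio * baseline:
                alerts.append((host, day, per_day[day], baseline))
    return alerts

if __name__ == "__main__":
    for host, day, nbytes, base in egress_anomalies(SAMPLE_FLOWS):
        print(f"{day} {host}: {nbytes/1e9:.0f} GB out (baseline {base/1e6:.0f} MB)")
```

Feed it real flow exports in the same tuple shape and tune `ratio` and `min_bytes` to the environment; the per-host median baseline is what lets a repository server with large normal traffic still stand out when it suddenly sends hundreds of gigabytes outward.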