ENGlobal has been hit by a ransomware attack, taking its IT systems offline since November 25
# Incident Report: Ransomware Outage at ENGlobal Corporation
## Executive Summary
ENGlobal Corporation, a US contractor specializing in engineering and automation for the energy sector and government, suffered a ransomware attack discovered on November 25, 2024. The incident led to the encryption of data files and the isolation of portions of their IT systems, causing disruption to operations. Response efforts involved external cybersecurity experts and internal investigations, though the timeline for full system restoration remains undetermined.
## Incident Details
- Discovery Date: November 25, 2024
- Incident Date: Prior to November 25, 2024
- Affected Organization: ENGlobal Corporation
- Sector: Engineering & Automation Services (Energy Sector Contractor, US Government Supplier)
- Geography: Houston, US
## Timeline of Events
### Initial Access
- Date/Time: Unknown (Prior to Nov 25, 2024)
- Vector: Unspecified initial compromise leading to unauthorized access.
- Details: Threat actor illegally accessed the company’s IT system.
### Lateral Movement
- Details: Attackers were able to access and encrypt some of the company's data files, implying successful internal reconnaissance and movement, though specifics are undisclosed.
### Data Exfiltration/Impact
- Details: Data files were encrypted. It is currently undetermined if sensitive data was exfiltrated, but the primary impact was operational disruption due to system downtime.
### Detection & Response
- Date/Time: November 25, 2024 (discovery date publicly disclosed December 3, 2024)
- Details: ENGlobal took portions of its IT systems offline to mitigate the impact. They engaged external cybersecurity experts and launched an internal investigation.
## Attack Methodology
- Initial Access: Unauthorized access; the mechanism has not been disclosed. Phishing and exploitation of public-facing services are common entry vectors for this class of incident, but neither has been confirmed here.
- Persistence: Undisclosed.
- Privilege Escalation: Undisclosed.
- Defense Evasion: Undisclosed; the successful encryption of data files implies that existing controls were evaded or insufficient.
- Credential Access: Undisclosed.
- Discovery: Undisclosed.
- Lateral Movement: Implied; encrypting data files across the network required movement beyond the initial point of access, though no details are disclosed.
- Collection: Undisclosed; encryption of data files is confirmed, but no information on staging or collection of data is available.
- Exfiltration: Unknown whether data was exfiltrated prior to encryption.
- Impact: Encryption of internal data files, causing significant operational disruption.
## Impact Assessment
- Financial: Unclear; the company has yet to determine if the incident will significantly affect financial performance.
- Data Breach: Undisclosed type or volume of data compromised by encryption; data exfiltration status is unknown.
- Operational: Significant disruption; the company is operating with limited access to IT systems, focusing only on essential business functions. Full restoration timeline is unknown.
- Reputational: Disclosed via regulatory filing (SEC 8-K), indicating public awareness of the operational disruption.
## Indicators of Compromise
- Network indicators: None disclosed.
- File indicators: Files were encrypted (Specific ransomware strain/file hashes not disclosed).
- Behavioral indicators: Unauthorized access to and encryption of IT system data files.
## Response Actions
- Containment measures: Promptly took portions of IT systems offline.
- Eradication steps: Engaged external cybersecurity experts; launched an internal investigation.
- Recovery actions: Initiated remediation efforts; working diligently to restore full access to IT systems.
## Lessons Learned
- Key takeaways: Critical infrastructure contractors serving the DoD and DOE remain high-value targets for ransomware actors. Operational continuity planning is crucial when core IT systems are unavailable.
- What could have been done better: Faster determination of whether data was exfiltrated; as of the public disclosure, the exfiltration status remained unknown.
## Recommendations
- Prevention measures for similar incidents: Implement robust, tested offline backups. Enhance employee training to mitigate initial access vectors (e.g., phishing). Ensure software is regularly updated across the infrastructure. Implement strong, multilayered data encryption strategies.