Saudi Aramco has suffered a massive ransomware attack: the attackers were able to steal 1 TB of data and have put it on sale on the darknet.
Saudi Aramco is one of the largest oil-producing companies in the world. The attackers have demanded a $50 million ransom. Aramco has told BleepingComputer that the data leak came through third-party contractors and that its operations have not been impacted.
Zero-day exploit was used to breach network
A threat actor group known as ZeroX is offering 1 TB of proprietary data belonging to Saudi Aramco for sale. ZeroX claims the data was stolen by hacking Aramco’s “network and its servers,” sometime in 2020.
As such, the files in the dump are as recent as 2020, with some dating back to 1993, according to the group.
To create traction among prospective buyers, a small sample set of Aramco’s blueprints and proprietary documents with redacted PII were first posted on a data breach marketplace forum in June this year.
The group says that the 1 TB dump includes documents pertaining to Saudi Aramco’s refineries located in multiple Saudi Arabian cities, including Yanbu, Jazan, Jeddah, Ras Tanura, Riyadh, and Dhahran.
The group also says that some of this data includes:
- Full information on 14,254 employees: name, photo, passport copy, email, phone number, residence permit (Iqama card) number, job title, ID numbers, family information, etc.
- Project specification for systems related to/including electrical/power, architectural, engineering, civil, construction management, environmental, machinery, vessels, telecom, etc.
- Internal analysis reports, agreements, letters, pricing sheets, etc.
- Network layout mapping out the IP addresses, SCADA points, Wi-Fi access points, IP cameras, and IoT devices.
- Location map and precise coordinates.
- List of Aramco’s clients, along with invoices and contracts.
Samples released by ZeroX on the leak site have personally identifiable information (PII) redacted, and a 1 GB sample alone costs US$2,000, paid as Monero (XMR).
The threat actor, however, did share a few recent unredacted documents with BleepingComputer for confirmation.
The price of the entire 1 TB dump is set at US$5 million, although the threat actors say the amount is negotiable.
A party requesting an exclusive, one-off sale (i.e. obtaining the complete 1 TB dump and demanding that it be wiped entirely from ZeroX’s end) is expected to pay a whopping US$50 million.
However, contrary to these reports, Saudi Aramco maintains that the data was leaked by third-party contractors and that there was no ransomware incident.