Decipher File · August 21, 2024 disclosure with multi-week recovery
Halliburton Ransomware (Aug 2024): RansomHub Hit US Oilfield Services Giant
Halliburton, the second-largest oilfield services company in the world, disclosed a ransomware attack on August 21, 2024 via SEC Form 8-K. Public reporting and CISA's August 29, 2024 joint advisory on RansomHub activity attributed the attack to RansomHub. Halliburton's August 22 and August 28, 2024 8-K filings confirmed unauthorized access, system shutdowns including billing and customer-facing platforms, and ongoing forensic response with law enforcement. The company's Q3 2024 10-Q recorded a $35 million pre-tax impact and a roughly 2 cents per share earnings hit. The incident raised oil and gas sector concerns about ransomware against upstream service providers tied to global production logistics.
Incident summary
Halliburton, the world's second-largest oilfield services company, disclosed a cybersecurity event on August 21, 2024. Per the company's SEC Form 8-K filed August 22, 2024, an unauthorized third party gained access to Halliburton systems, prompting the company to shut down certain IT systems and engage outside cyber advisors and law enforcement. The August 28, 2024 8-K amendment confirmed that the actor had also exfiltrated data prior to deploying ransomware. Halliburton's Q3 2024 Form 10-Q, filed in late October 2024, recorded an approximately $35 million pre-tax impact and stated that the event reduced earnings by about 2 cents per diluted share for the quarter.
Public reporting from Reuters on August 28, 2024 and Bloomberg on August 23, 2024 attributed the intrusion to RansomHub, a ransomware-as-a-service group active since early 2024 and the subject of CISA joint advisory AA24-242A issued August 29, 2024. The CISA advisory documented RansomHub as a successor operation that absorbed affiliates from ALPHV and LockBit following their respective disruptions. The Halliburton intrusion was one of the largest publicly disclosed RansomHub victim engagements in the calendar year.
Operational disruption included billing systems and customer-facing platforms used by exploration and production customers. Halliburton stated in its August 28 8-K that operations on customer well sites were not directly affected, but back-office and invoicing functions ran in degraded mode for weeks. The $35 million pre-tax impact captured remediation costs, lost revenue from delayed billing, and incident response expense. The company did not publicly disclose whether a ransom was paid.
Attack technique
Per CISA advisory AA24-242A on RansomHub TTPs, the affiliate playbook combines initial access via valid accounts (T1078), exploitation of public-facing applications (T1190) where unpatched edge infrastructure is available, and post-compromise exfiltration to attacker-controlled cloud storage (T1567.002) before deploying file encryption (T1486). RansomHub affiliates frequently obtain initial access through credential broker purchases on Russian-language forums and through phishing campaigns targeting privileged users. The Halliburton initial access vector has not been publicly confirmed, but the August 28 8-K language is consistent with valid-credential entry rather than a software supply chain compromise.
Post-compromise, RansomHub affiliates typically establish persistence using legitimate remote access tools including AnyDesk, ConnectWise ScreenConnect, and Atera, all of which are commonly present in enterprise environments and produce low-fidelity EDR signals. Affiliates then run reconnaissance with built-in Windows commands and Active Directory tools, identify high-value file shares, and exfiltrate data to Mega.io or similar cloud storage. Encryption is deployed last, often during off-hours, using a RansomHub binary that disables volume shadow copies and backup catalogs to inhibit recovery (T1490).
The 8-K language indicates that Halliburton detected the intrusion and proactively shut down affected systems before domain-wide encryption was complete. That timing matters analytically. RansomHub affiliates often spend days to weeks inside a target network before the encryption event, and detection during that dwell window can substantially reduce the encryption footprint and the actor's negotiating position. Halliburton's stated multi-week recovery timeline is consistent with partial encryption plus a full network rebuild from clean baselines.
Impact and consequences
The direct financial impact disclosed in Halliburton's Q3 2024 10-Q was approximately $35 million pre-tax, with earnings reduced by about 2 cents per diluted share for the quarter. That figure captures remediation expense, lost revenue from billing system downtime, and the cost of forensic and recovery work. The figure does not include any ransom payment, which Halliburton did not confirm or deny in public filings. The relative size of the impact, against Halliburton's roughly $5.5 billion quarterly revenue, illustrates that even a single ransomware event at a Fortune 200 industrial company produces a measurable but not existential financial outcome.
The sector-level impact is the strategic story. Halliburton provides drilling, completion, and production services across roughly 70 countries. The August 2024 intrusion landed during a period of heightened US Department of Energy and CISA focus on oil and gas sector cyber resilience, following the Colonial Pipeline incident in 2021 and the subsequent TSA security directives on pipeline operators. Halliburton's intrusion extended that focus from pipelines to upstream services. The CISA RansomHub advisory issued one week after the Halliburton disclosure cited the energy sector as a particular focus of RansomHub affiliate targeting.
Customer-side impact extended beyond Halliburton's own balance sheet. Major exploration and production customers including ExxonMobil, Chevron, and ConocoPhillips relied on Halliburton's billing and operations platforms for downstream reconciliation. Weeks of degraded billing functionality produced reconciliation backlog at customer accounts payable teams. No public customer disclosed a material impact, but the operational friction at the customer side was widely reported in industry press through September 2024.
Regulatory consequence followed. The SEC's July 2023 cybersecurity disclosure rule, which took effect December 2023, requires public companies to disclose material cybersecurity incidents on Form 8-K within four business days of materiality determination. Halliburton's August 22, 2024 8-K, filed roughly 24 hours after the August 21 detection, became one of the early reference disclosures under the new rule. The two-step disclosure pattern, initial 8-K followed by an amendment with additional detail, set a market precedent that other large public companies followed in subsequent incidents.
Indicators of Compromise
Specific artifacts defenders should hunt for. Cross-reference these against your existing detection rules before acting on them.
- Unscheduled shutdown of Halliburton corporate IT systems on August 21, 2024 per the 8-K disclosure timeline
- Customer-facing billing portal outages during the August 21 to August 28, 2024 window confirmed in Halliburton statements
- Network traffic patterns consistent with RansomHub TTPs documented in CISA advisory AA24-242A issued August 29, 2024
- Use of valid administrative credentials for initial domain pivoting, consistent with the RansomHub affiliate playbook
- Exfiltration of corporate data to cloud storage prior to encryption, consistent with double-extortion ransomware operations
- Disabling of volume shadow copies and backup catalogs across affected hosts to inhibit recovery
Lessons for defenders
Detection during dwell time, not perfect prevention, is the realistic defensive posture against RansomHub-class affiliates. Halliburton's August 21 detection and proactive shutdown sequence, before full domain-wide encryption, materially reduced the encryption footprint and recovery time. Build detection capability that fires on the pre-encryption indicators: anomalous AnyDesk or ScreenConnect sessions on production servers, mass file enumeration from non-admin workstations, and outbound traffic to Mega.io or similar cloud storage from server-class hosts. Reference CISA advisory AA24-242A for the specific RansomHub indicator set.
Backup integrity is the recovery control. RansomHub binaries disable volume shadow copies and backup catalogs (T1490) as standard practice. Online backups accessible from compromised domain credentials are within the actor's reach. Offline, immutable, or air-gapped backup copies with independent authentication are the only backup tier reliably available after a full domain compromise. The Halliburton multi-week recovery timeline indicates partial reliance on offline backup tiers, which is the realistic enterprise pattern.
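As an added example (not code from the Decipher File, Halliburton, or CISA) of the pre-encryption detection logic the two preceding paragraphs describe, the Python below runs over constructed sample events and flags the three indicators named there: remote-access tools on server-class hosts, bulk uploads to Mega.io-style storage from servers, and shadow-copy or backup-catalog deletion (T1490). The event format, the host-name prefixes, the 100 MiB threshold and the mega.nz domain are assumptions.

```python
import re
from typing import Iterable

# Constructed assumptions (not from the page): server-class hosts carry these
# name prefixes, and events arrive as pipe-delimited lines of two shapes:
#   proc|<host>|<image name>|<command line>
#   net|<host>|<destination domain>|<bytes sent>
SERVER_PREFIXES = ("srv-", "dc-", "fs-")
RAT_IMAGES = {"anydesk.exe", "screenconnect.clientservice.exe", "ateraagent.exe"}
EXFIL_DOMAINS = ("mega.io", "mega.nz")          # mega.nz is an assumed second domain
BULK_UPLOAD_BYTES = 100 * 1024 * 1024            # assumed threshold: 100 MiB per flow
T1490_PATTERNS = [                                # shadow-copy / backup-catalog deletion
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]

def is_server(host: str) -> bool:
    return host.lower().startswith(SERVER_PREFIXES)

def domain_matches(dst: str) -> bool:
    d = dst.lower()
    return any(d == dom or d.endswith("." + dom) for dom in EXFIL_DOMAINS)

def detect(lines: Iterable[str]) -> list[tuple[str, str, str]]:
    """Return (host, rule, evidence) for each event matching a pre-encryption indicator."""
    hits = []
    for line in lines:
        parts = line.rstrip("\n").split("|", 3)
        if len(parts) < 4:
            continue                                # malformed event: skip, do not crash
        kind, host, a, b = parts
        if kind == "proc":
            if any(p.search(b) for p in T1490_PATTERNS):
                hits.append((host, "T1490 backup inhibition", b))
            elif a.lower() in RAT_IMAGES and is_server(host):
                hits.append((host, "remote access tool on server", a))
        elif kind == "net" and is_server(host) and domain_matches(a):
            if b.isdigit() and int(b) >= BULK_UPLOAD_BYTES:
                hits.append((host, "bulk upload to cloud storage from server", f"{a} {b} bytes"))
    return hits

SAMPLE_LOG = [  # constructed sample events
    "proc|srv-erp02|anydesk.exe|C:\\ProgramData\\AnyDesk\\anydesk.exe --service",
    "proc|ws-finance07|anydesk.exe|anydesk.exe",           # workstation: expected, not flagged
    "net|srv-fs01|gfs208n.userstorage.mega.io|524288000",  # 500 MB leaving a file server
    "net|ws-sales03|mega.io|2048",                          # small flow from a workstation
    "proc|srv-fs01|cmd.exe|cmd.exe /c vssadmin.exe delete shadows /all /quiet",
    "garbage line without fields",
]

if __name__ == "__main__":
    for host, rule, evidence in detect(SAMPLE_LOG):
        print(f"{host}: {rule} <- {evidence}")
```

Running the block prints three hits for the sample: the AnyDesk service on srv-erp02, the 500 MB upload from srv-fs01, and the shadow-copy deletion on srv-fs01; the workstation events and the malformed line are ignored.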
SEC 8-K cybersecurity disclosure cadence is now a board-level operational requirement, not a legal afterthought. The four-business-day clock starts at materiality determination, and the materiality assessment process needs to be pre-defined before an incident. Halliburton's 24-hour turnaround from detection to initial 8-K was achievable because the company had a pre-built materiality assessment process. Build that process now, document it, and exercise it in tabletop drills. The first 8-K an organization files under an active incident is not the time to discover that the process does not exist.
Sector-level coordination is increasingly the operational reality. CISA's RansomHub advisory was issued one week after the Halliburton disclosure and incorporated indicators from multiple oilfield services and energy sector victims. Participate in sector-specific information sharing through the Oil and Natural Gas ISAC, the Electricity ISAC, or the relevant sector ISAC for your industry. The sector-level intelligence that flows through ISACs is faster and more actionable than waiting for CISA advisories, which lag the active campaign by weeks.
Frequently asked questions
When did the Halliburton ransomware attack happen?
Halliburton detected the cybersecurity intrusion on August 21, 2024 and filed an initial SEC Form 8-K disclosure on August 22, 2024. A follow-up 8-K on August 28, 2024 confirmed that the actor had exfiltrated data prior to deploying ransomware. Halliburton's Q3 2024 Form 10-Q recorded a roughly $35 million pre-tax financial impact from the incident.
Who was behind the Halliburton ransomware attack?
Public reporting from Reuters and Bloomberg in late August 2024 attributed the intrusion to RansomHub, a ransomware-as-a-service group active since early 2024. CISA joint advisory AA24-242A, issued August 29, 2024, documented RansomHub TTPs and the affiliate model that absorbed operators from ALPHV and LockBit following their respective disruptions. Halliburton has not publicly confirmed the named actor in its SEC filings.
How much did the Halliburton cyberattack cost?
Halliburton's Q3 2024 Form 10-Q recorded an approximately $35 million pre-tax financial impact from the August event, reducing diluted earnings by about 2 cents per share for the quarter. That figure captures remediation cost, lost revenue from billing system downtime, and forensic and recovery work. The 10-Q does not separately confirm or deny a ransom payment.
What systems were affected at Halliburton?
Per Halliburton's August 28, 2024 SEC 8-K and follow-up public statements, the company shut down certain corporate IT systems including billing and customer-facing platforms. Operations on customer well sites were not directly affected per the company's statement, but back-office and invoicing functions ran in degraded mode for weeks during the recovery period. The exact list of affected systems has not been publicly disclosed.
How did Halliburton respond to the ransomware attack?
Halliburton proactively shut down affected systems on August 21, 2024 upon detection, engaged outside cyber advisors including incident response firms, notified law enforcement, and filed an initial SEC 8-K within roughly 24 hours of detection. The two-step 8-K disclosure pattern, initial filing followed by a follow-up amendment with more detail, set a market precedent that other public companies followed in subsequent incidents under the SEC's July 2023 cybersecurity disclosure rule.
What can other organizations learn from the Halliburton incident?
Detection during dwell time, not perfect prevention, is the realistic defense against RansomHub-class affiliates. Halliburton's pre-encryption detection materially reduced the encryption footprint and recovery time. Offline, immutable backup tiers are the only reliable recovery path after a full domain compromise because RansomHub binaries disable online backup catalogs. SEC 8-K cybersecurity disclosure cadence is a board-level operational requirement, and pre-defined materiality assessment processes need to exist before the first incident.
Sources
- Halliburton SEC Form 8-K (August 22, 2024) · Initial disclosure of unauthorized activity on certain Halliburton systems
- Halliburton SEC Form 8-K Amendment (August 28, 2024) · Follow-up disclosure naming ransomware and data exfiltration
- CISA Joint Advisory AA24-242A: RansomHub Ransomware (August 29, 2024) · Federal advisory on RansomHub TTPs and mitigations relevant to the Halliburton incident
- Halliburton Form 10-Q for Q3 2024 · Financial disclosure recording a $35 million pre-tax impact from the August event
- Reuters: Halliburton ransomware attack disrupted business · August 28, 2024 reporting on the scope of disruption and ongoing remediation
- Bloomberg: Halliburton Cyberattack Linked to RansomHub Group · Attribution reporting from Bloomberg on the RansomHub link
DecipherU is not affiliated with, endorsed by, or sponsored by any company listed in this directory. Information compiled from publicly available sources for educational purposes.