German giant Dussmann Group has become the latest company to fall victim to a ransomware-data breach attack, after hackers began posting stolen files to the dark web.
The facilities management multinational, which employs over 66,000 staff worldwide and makes billions of euros in sales annually, appears to have been struck by the Nefilim variant.
The group behind the ransomware began posting over 16,000 files to its dark web site as proof of its efforts, according to @ransomleaks. A screenshot shows the first part of the upload dated Monday with links to the archive, and reveals some personal contact details of the company’s executives.
Pioneered by groups such as Maze, this is a common tactic designed to persuade victim organizations that have backed up their data to pay the ransom, although the cyber-criminals’ claims about how much data they actually have in their possession aren’t necessarily to be trusted.
A statement issued by Dussmann revealed that the attack targeted its refrigeration subsidiary Dresdner Kühlanlagenbau, admitting that data “was encrypted and copied.”
“The servers were shut down as a precaution. The data protection authorities and the State Office of Criminal Investigation in Saxony have been informed and charges have been filed,” it continued.
“Operational processes in the business unit for refrigeration air-conditioning plant engineering are secure. DKA has already informed clients and employees about the cyber-attack and the data outflow. Due to ongoing investigations, we cannot say more at present.”
It’s unclear exactly how the firm’s security was breached, although Nefilim is a fairly new variant that shares many characteristics with the Nemty ransomware family. As such, it’s most likely to spread via RDP, according to Trend Micro.
Ransomware attackers have multiple tactics to target RDP, including exploiting vulnerabilities in the protocol, brute-forcing log-ins and purchasing breached RDP credentials online.
The risks are significantly higher today considering the number of remote workers using such tools to connect to office systems.