German logistics giant Hellmann Worldwide Logistics has issued a warning that data was stolen from the company when it was hit with a ransomware attack on December 9, 2021. It is not entirely clear what type of data was extracted, but the company says it is warning partners and customers to double check their communications with it, as a precaution. Criminals could use the leaked data to make social engineering attacks more believable, so Hellmann is asking people that do business with it to look out for fraudulent mails and calls.
...the forensic investigation has meanwhile confirmed that data was extracted from our servers before our systems were taken offline on December 9. We are currently investigating what type of data was extracted and will proactively provide further information as soon as possible. We are in regular contact with relevant government authorities.
Please note that the number of so-called fraudulent calls and mails has generally increased. Whilst communication with Hellmann staff via email and telephone remains safe (inbound and outbound), please make sure that you are actually communicating with a Hellmann employee and beware of fraudulent mails/ calls from suspicious sources, in particular regarding payment transfers, change bank account details or the like.
Hellmann is one of the largest international logistics providers. Founded in 1871, it handles 16 million shipments per year by air, sea, road, and rail, and is active in 173 countries.
On December 9 it became obvious that there were problems at Hellmann Worldwide Logistics.
By the time the firm's IT team responded, the threat actors had already exfiltrated sensitive files from the compromised servers. Many ransomware operators use the threat of leaking stolen data for extra leverage during the ransom negotiation stage. While companies can use backups to recover from data encryption without paying the ransom, they can't use them to contain leaks.
And indeed, when the negotiations between Hellmann and the threat actor fell apart, the RansomExx group published some 70 GB of stolen documents on its leak site. The data reportedly included business agreements, intra-company emails, and more.
Free to download
The stolen data can be downloaded by anyone, including other criminals, who may use it to add insider knowledge to business email compromise (BEC) attacks and phishing attempts, to give them more credibility.
While RansomExx is not one of the ransomware operators that you see in the news often, they do have a reputation for going after big targets. In the past the group has attacked Konica Minolta, Gigabyte, and the Lazio region in Italy (including its COVID-19 vaccination registration portal).
The RansomExx ransomware is a rebranded Defray777 ransomware, which has become a lot more active since June 2020. The ransomware itself is highly targeted. Each sample contains a hardcoded name of the victim organization.
The group uses different methods to gain entry into a target’s network. In earlier cases the threat actors established an initial foothold through common banking trojans such as IcedID or Trickbot. From there, they deployed the Vatet loader, the PyXie RAT, and Cobalt Strike, before executing the ransomware entirely in memory.
And, similar to other ransomware operations, RansomEXX has also been known to breach networks using vulnerabilities or stolen credentials.
In February, the group was found abusing vulnerabilities in the VMWare ESXi product, allowing them to take over virtual machines deployed in enterprise environments and encrypt their virtual hard drives. Malwarebytes blocks RansomExx as Malware.Ransom.Agent.Generic.
Stay safe, everyone!