During the past few weeks, Holdmayr International AG has been suffering the consequences of a dramatic case of ransomware.
Holdmayr, a renowned logistics company from Austria, employs more than 2,000 workers and has an annual revenue of over €300 million. These figures also hint at the extraordinary volume of sensitive data the company holds, making it a valuable target for cyberattacks.
CLOP ransomware operators successfully attacked the logistics company a few months ago and, according to publicly disclosed information about the ongoing situation, negotiations between the operators and the company have progressively broken down, leading to new data leaks.
What We Know About the Leak
The CLOP ransomware operators behind this attack successfully breached Holdmayr International AG’s network months ago and started leaking the data around early June.
It has been publicly disclosed that the operators have leaked sensitive data progressively, splitting the information into multiple parts to coerce the victim into paying the ransom.
While the first part of the data leak was about 10 GB, subsequent parts have grown progressively larger: parts 3, 4, 5, and 6 are each well over 100 GB.
Worse still is the analyzed content of this data. The Cyber Research Team from the cybersecurity firm has identified scanned user IDs, full email conversations, and clients' personal information in the leak.
All this data is strictly confidential, and Holdmayr's inability to prevent the data leak puts the company in a devastating situation. The situation is ongoing, and the malicious party will likely continue to release massive amounts of sensitive data as long as the company refuses to pay the ransom.
What We Know about CLOP Ransomware
Discovered by MalwareHunterTeam, CLOP is Windows-based ransomware that is part of the CryptoMix family.
Using legitimate-looking signatures, CLOP ransomware tricks Microsoft Windows into treating it as trusted software, helping it bypass defenses. It then proceeds to stop Windows processes linked to anti-virus and anti-malware software. By altering Registry values, the malware disables critical layers of protection.
CLOP ransomware also targets other software that could be used to stop or counter the attack, such as terminals and IDEs.
At this point, the ransomware disables Windows features that focus on recovery, such as startup repair and shadow volume copies.
Only then does CLOP start encrypting files and deliver a ransom note to the victim with some details of the successful attack and the attackers' contact information, inviting the victim to get in touch and negotiate a payment.
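One way to spot the defense-disabling steps described above in endpoint telemetry, as an added example that is not the article's or any vendor's code: it classifies constructed Sysmon-style process-creation events against the behaviours CLOP is described as performing, and raises an alert only when a single parent process both tampers with security software and sabotages recovery. The article names the behaviours, not the commands; the command-line forms matched here are assumptions about how such actions commonly appear.

```python
import re
from collections import defaultdict

# Command-line patterns for the two defence-disabling behaviours described above
# (killing security software, sabotaging recovery). The article names the behaviours,
# not the commands; the forms below are assumptions about how they commonly appear.
STAGE_PATTERNS = {
    "defense_tampering": [
        re.compile(r"taskkill\b.*/IM\s+(msmpeng|avp|ekrn|bdagent)", re.I),
        re.compile(r'net\s+stop\s+"?(windefend|sense|wscsvc)', re.I),
        re.compile(r"reg(\.exe)?\s+add\b.*Windows Defender.*DisableAntiSpyware", re.I),
    ],
    "recovery_sabotage": [
        re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
        re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
        re.compile(r"bcdedit(\.exe)?\b.*recoveryenabled\s+no\b", re.I),
        re.compile(r"bcdedit(\.exe)?\b.*bootstatuspolicy\s+ignoreallfailures", re.I),
        re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    ],
}

# Constructed process-creation events (Sysmon Event ID 1 style), not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 500, "ppid": 412, "cmdline": "notepad.exe C:\\Users\\jdoe\\notes.txt"},
    {"pid": 1340, "ppid": 1337, "cmdline": "taskkill /F /IM MsMpEng.exe"},
    {"pid": 1342, "ppid": 1337, "cmdline": "vssadmin Delete Shadows /All /Quiet"},
    {"pid": 1345, "ppid": 1337, "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"pid": 2201, "ppid": 2200, "cmdline": "vssadmin list shadows"},  # benign admin use
    {"pid": 2203, "ppid": 2200, "cmdline": "wbadmin delete catalog -quiet"},
]

def classify(cmdline):
    """Return the behaviour stage a command line matches, or None."""
    for stage, patterns in STAGE_PATTERNS.items():
        if any(p.search(cmdline) for p in patterns):
            return stage
    return None

def detect_chains(events):
    """Flag parent PIDs whose children cover both stages: a process that kills
    security software *and* sabotages recovery is far more suspicious than either
    action alone (an admin may legitimately clean up old backup catalogs)."""
    stages_by_parent = defaultdict(set)
    for ev in events:
        stage = classify(ev["cmdline"])
        if stage:
            stages_by_parent[ev["ppid"]].add(stage)
    return {ppid: sorted(s) for ppid, s in stages_by_parent.items() if len(s) == 2}

if __name__ == "__main__":
    for ppid, stages in detect_chains(SAMPLE_EVENTS).items():
        print(f"ALERT: parent PID {ppid} spawned {' + '.join(stages)}")
```

Parent PID 2200 only touches the backup catalog and is not flagged, while 1337 triggers an alert; in production the same logic would run over Sysmon Event ID 1 or Security 4688 records rather than the constructed list.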
What We Could Learn
Holdmayr International AG is a sad example of how badly things can go when a cyberattack succeeds. Large companies are responsible for significant amounts of data, and breaches like this one can have dreadful consequences.
Right now, we don't know the details of how this CLOP ransomware attack succeeded, but it will probably turn out to be related to poor cybersecurity practices, as is usually the case.
Organizations, no matter their size, should implement high-standard cybersecurity practices that keep this type of threat at bay.
We should not stop at using secure mechanisms and software but go the extra mile by teaching our workers how to behave responsibly online, especially when operating devices within the business network.