BlackBasta Ransomware Hits Lambertz: 800 GB of Sensitive Data Stolen

Incident Date: June 30, 2024

Aachen, Germany

First Reported: June 30, 2024

BlackBasta Ransomware Attack on Lambertz: A Detailed Analysis

Overview of Lambertz

Lambertz, officially known as Aachener Printen- und Schokoladenfabrik Henry Lambertz GmbH & Co. KG, is a renowned German company specializing in the production of traditional German baked goods. Founded in 1688, Lambertz has a long-standing history and has grown to become one of the leading manufacturers in the European confectionery market. The company is headquartered in Aachen, Germany, and operates several production facilities across the country.

Lambertz's product range includes gingerbread (Lebkuchen), Printen (a type of gingerbread specific to the Aachen region), Dominosteine (layered gingerbread cubes coated in chocolate), and various types of cookies and biscuits. The company places a strong emphasis on maintaining traditional recipes while also innovating to meet contemporary tastes and dietary preferences, including offering organic and gluten-free options.

With a significant international presence, Lambertz exports its products to numerous countries around the world. The company has built a reputation for quality and tradition, which has helped it to establish a loyal customer base both in Germany and abroad.

Details of the Ransomware Attack

Lambertz recently fell victim to a ransomware attack orchestrated by the BlackBasta ransomware group. The hackers reportedly stole 800 GB of sensitive data, which includes personal information of employees, financial accounting records, human resources details, and other confidential information. The attack was disclosed on BlackBasta's dark web leak site, where the group threatened to publish the stolen data if their ransom demands were not met.

About BlackBasta Ransomware Group

BlackBasta is a ransomware operator and Ransomware-as-a-Service (RaaS) criminal enterprise that emerged in early 2022. The group is believed to have connections to the defunct Conti threat actor group due to similarities in their approach to malware development, leak sites, and communications for negotiation, payment, and data recovery.

Penetration of Lambertz's Systems

While the exact method of penetration in the Lambertz attack has not been disclosed, BlackBasta typically employs several strategies to gain initial access to target networks. These include spear-phishing campaigns, exploiting vulnerabilities, and using tools like QakBot and Mimikatz for lateral movement and credential harvesting. Once inside a network, the group uses tools like Cobalt Strike Beacons and SystemBC to maintain control over compromised systems.

Before encrypting files, BlackBasta takes steps to maximize its leverage, including disabling security tools, deleting shadow copies, and exfiltrating sensitive data. The group’s ability to evade detection and employ sophisticated encryption methods makes it a formidable threat to organizations like Lambertz.
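
The pre-encryption steps described above leave traces in process-creation logs. The following is an added example, not part of the original report: it flags hosts where shadow copy deletion appears and raises the severity when security tool tampering occurs on the same host within 30 minutes. The log format, host names, command-line patterns and the `parse` and `detect` functions are assumptions constructed for illustration, not indicators from the Lambertz incident.

```python
import re
from datetime import datetime, timedelta

# Widely documented Windows command lines for the two behaviours; these
# patterns are assumptions for illustration, not indicators from the report.
PATTERNS = {
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows"
        r"|\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "security_tool_tampering": re.compile(
        r"Set-MpPreference\s+.*-DisableRealtimeMonitoring\s+(\$true|1)"
        r"|\bsc(\.exe)?\s+(stop|config)\s+WinDefend", re.I),
}

# Constructed sample: timestamp <TAB> host <TAB> process command line.
SAMPLE_LOG = "\n".join([
    "2024-01-15T02:10:05\tFS01\tpowershell.exe Set-MpPreference -DisableRealtimeMonitoring $true",
    "2024-01-15T02:12:40\tFS01\tvssadmin.exe delete shadows /all /quiet",
    "2024-01-15T02:15:00\tWS07\tvssadmin.exe list shadows",
    "2024-01-15T09:00:00\tBK02\twmic shadowcopy delete",
    "2024-01-14T08:00:00\tWS09\tsc stop WinDefend",
    "2024-01-15T08:30:00\tWS09\tvssadmin delete shadows /for=C: /oldest",
])

def parse(log_text):
    """Yield (timestamp, host, behaviours) for lines matching any pattern."""
    for line in filter(None, log_text.splitlines()):
        ts, host, cmd = line.split("\t", 2)
        found = {name for name, rx in PATTERNS.items() if rx.search(cmd)}
        if found:
            yield datetime.fromisoformat(ts), host, found

def detect(log_text, window=timedelta(minutes=30)):
    """Map host -> 'high' (tampering and deletion within window) or 'medium'."""
    seen = {}
    for ts, host, found in parse(log_text):
        for behaviour in found:
            seen.setdefault(host, {}).setdefault(behaviour, []).append(ts)
    alerts = {}
    for host, by_type in seen.items():
        deletions = by_type.get("shadow_copy_deletion", [])
        tampering = by_type.get("security_tool_tampering", [])
        if deletions:  # deletion alone is 'medium'; pairing escalates it
            paired = any(abs(d - t) <= window for d in deletions for t in tampering)
            alerts[host] = "high" if paired else "medium"
    return alerts

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Read-only queries such as `vssadmin list shadows` are deliberately not matched, and the correlation window is a tuning parameter rather than a fixed threshold.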

Impact on Lambertz

The ransomware attack on Lambertz has significant implications for the company. The theft of 800 GB of sensitive data could lead to severe financial losses, legal repercussions, and damage to the company's reputation. The attack also highlights the vulnerabilities in Lambertz's cybersecurity measures and underscores the need for robust security protocols to protect against such threats.

