German Engineering Firm HVB Ingenieurgesellschaft Hit by Cloak Ransomware

Incident Date: August 21, 2024

Overview

Victim: HVB Ingenieurgesellschaft

Attacker: Cloak

Location: Berlin, Germany

First Reported: August 21, 2024

Ransomware Attack on HVB Ingenieurgesellschaft by Cloak

HVB Ingenieurgesellschaft mbH, a well-established German engineering firm, has recently fallen victim to a ransomware attack orchestrated by the notorious Cloak ransomware group. The attack, discovered on August 22, 2024, resulted in a significant data breach, compromising 138GB of sensitive information.

About HVB Ingenieurgesellschaft

Founded in 1993, HVB Ingenieurgesellschaft mbH is a prominent player in the engineering sector, specializing in structural engineering and project management. Headquartered in Wandlitz, Germany, the firm also operates offices in Berlin, Dresden, Leipzig, and Spangenberg. With a workforce of approximately 30 employees, HVB Ingenieurgesellschaft is known for its comprehensive planning and consulting services, emphasizing flexibility and high-quality service delivery.

The company stands out in its industry due to its tailored solutions and holistic approach to project management, ensuring all aspects of a project are coordinated among stakeholders. This commitment to quality and customer satisfaction has been a cornerstone of its operations for over 30 years.

Vulnerabilities and Attack Overview

Despite its strong reputation, HVB Ingenieurgesellschaft's relatively small size and specialized focus made it a target for threat actors like the Cloak ransomware group. The attack leveraged compromised employee credentials, likely obtained through info-stealers such as Lumma, Aurora, and Redline. The ransomware used the infected machine's own resources to exfiltrate and encrypt data, leading to the significant breach.

The attack underscores the growing ransomware threat to critical infrastructure and highlights the need for enhanced cybersecurity measures, especially for small to medium-sized enterprises (SMEs) in specialized sectors.

About Cloak Ransomware Group

Cloak ransomware is a relatively new but highly active group that emerged between late 2022 and early 2023. The group is financially motivated and primarily targets sectors such as medical, real estate, construction, IT, food industry, and manufacturing, with a particular focus on Europe. Cloak operates a data leak site where they sell and publish stolen data from victims, employing double extortion tactics to maximize their financial gain.

The group distinguishes itself by purchasing initial access from Initial Access Brokers (IABs) on underground marketplaces and using sophisticated methods to exfiltrate and encrypt data. As of mid-2023, Cloak had accessed 23 databases of small and medium-sized businesses, with a high ransom payment rate of 91-96%.
