Hoerbiger Holding AG Hit by Akira Ransomware: 50GB Data Stolen

Incident Date: August 21, 2024

Overview

Victim: Hoerbiger Holding AG

Attacker: Akira

Location: Zug, Switzerland

First Reported: August 21, 2024

Ransomware Attack on Hoerbiger Holding AG by Akira Group

Hoerbiger Holding AG, a global technology company headquartered in Zug, Switzerland, has recently been targeted by the Akira ransomware group. The attack, which occurred on July 29, 2024, resulted in the exfiltration of over 50 gigabytes of sensitive data and caused significant disruptions to the company's operations.

About Hoerbiger Holding AG

Founded in 1895, Hoerbiger Holding AG specializes in performance-critical components and systems across various industries. The company operates in 43 countries with 127 production and service locations, employing approximately 6,174 individuals worldwide. Hoerbiger's business is structured into five main operating units: Compression, Automotive, Rotary, Engine, and Safety. The company is recognized for its innovation and commitment to sustainability, particularly in the fields of gas compression technologies, automotive components, and explosion protection solutions.

Attack Overview

The ransomware attack led to a partial failure of Hoerbiger's global IT systems, causing temporary disruptions in production at several locations. Forensic analysis revealed that the unauthorized access and encryption of data occurred on two of the 800 affected servers. Despite the breach, Hoerbiger's core systems for processing personal and business data, such as Microsoft 365 and its ERP, CRM, and HR systems, remained unaffected as they are managed by external service providers. The company has not disclosed whether a ransom was paid but has successfully restored its production facilities and is actively working on enhancing its IT infrastructure.

About the Akira Ransomware Group

Akira is a rapidly growing ransomware family that first emerged in March 2023. The group targets small to medium-sized businesses across various sectors, including manufacturing, technology, and telecommunications. Akira is believed to be affiliated with the now-defunct Conti ransomware gang, with which it shares code similarities. The group employs double extortion tactics, stealing data before encrypting systems and demanding a ransom for both decryption and data deletion. Akira's ransom demands typically range from $200,000 to over $4 million.

Penetration and Impact

Akira's tactics include unauthorized access to VPNs, credential theft, and lateral movement to deploy the ransomware. They have been observed using tools like RClone, FileZilla, and WinSCP for data exfiltration. In some cases, Akira has deployed a previously unreported backdoor. The attack on Hoerbiger highlights the vulnerabilities that even well-established companies face, particularly in managing and securing their extensive IT infrastructure.
