LockBit Ransomware Hits Nichols Fleet Equipment: Data Release Threatened

Incident Date: August 12, 2024

Overview

Victim: Nichols Fleet Equipment
Attacker: Lockbit3
Location: Chattanooga, USA; Tennessee, USA
First Reported: August 12, 2024

LockBit Ransomware Attack on Nichols Fleet Equipment

Nichols Fleet Equipment (NFE), a prominent manufacturer of customized service trucks and fleet equipment based in Chattanooga, Tennessee, has fallen victim to a ransomware attack orchestrated by the notorious LockBit group. The attack was publicly claimed on LockBit's dark web leak site, with the attackers threatening to release the company's data on August 15, 2023.

About Nichols Fleet Equipment

Founded in 1991 by David Nichols Sr., Nichols Fleet Equipment has established itself as a key player in the service truck and fleet equipment industry. The company specializes in designing and manufacturing service trucks tailored to meet the specific needs of their clients. Their product range includes service truck bodies, cranes, and various equipment solutions. NFE is recognized as an IMT "Diamond Authority Dealer," which allows them to offer competitive pricing on top-tier service truck bodies and cranes.

With a strong emphasis on customization, NFE ensures that each truck is built to the unique specifications of their customers. This includes options for lighter-duty solutions, fuel and lube systems, and specialized equipment like air compressors and integrated welding systems. The company also provides comprehensive parts and service support, with a dedicated team of experienced technicians committed to maintaining the functionality and longevity of the trucks they produce.

Attack Overview

The ransomware attack on Nichols Fleet Equipment was executed by LockBit, a highly sophisticated ransomware-as-a-service (RaaS) group. LockBit is known for modular ransomware that keeps its payload encrypted until execution, which makes it difficult to detect and analyze. The group employs "double extortion" tactics: it exfiltrates sensitive data and threatens to release it publicly if the ransom is not paid.

LockBit typically exploits vulnerabilities in Remote Desktop Protocol (RDP) services and unsecured network shares to spread quickly across a network. The ransomware uses a combination of RSA-2048 and AES-256 encryption algorithms to encrypt victims' files. Indicators of Compromise (IOCs) for LockBit include the creation of a mutual exclusion object (Mutex) when executed, the use of a unique icon, and changes to the victim's computer wallpaper.

Potential Vulnerabilities

Nichols Fleet Equipment, like many companies in the manufacturing sector, may have been targeted due to potential vulnerabilities in their network security. The use of RDP services and unsecured network shares could have provided an entry point for the attackers. Additionally, the company's reliance on customized and specialized equipment solutions may have made them an attractive target for ransomware groups seeking to disrupt operations and demand a ransom.

About LockBit

LockBit has been active since September 2019 and has become the most active ransomware group, responsible for over one-third of all ransomware attacks in the latter half of 2022 and the first quarter of 2023. The group distinguishes itself through its sophisticated encryption methods and its ability to spread quickly across networks. LockBit demands payment in Bitcoin, typically ranging from several thousand to several hundred thousand dollars.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing near real-time tracking of ransomware attacks, groups and their victims. Given threat actors' lucrative success so far, ransomware attacks have become the most ubiquitous and the most financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.