LockBit Ransomware Hits Nichols Fleet Equipment: Data Release Threatened
Incident Date:
August 12, 2024
Overview
Title
LockBit Ransomware Hits Nichols Fleet Equipment: Data Release Threatened
Victim
Nichols Fleet Equipment
Attacker
Lockbit3
Location
First Reported
August 12, 2024
LockBit Ransomware Attack on Nichols Fleet Equipment
Nichols Fleet Equipment (NFE), a prominent manufacturer of customized service trucks and fleet equipment based in Chattanooga, Tennessee, has fallen victim to a ransomware attack orchestrated by the notorious LockBit group. The attack was publicly claimed on LockBit's dark web leak site, with the attackers threatening to release the company's data on August 15, 2023.
About Nichols Fleet Equipment
Founded in 1991 by David Nichols Sr., Nichols Fleet Equipment has established itself as a key player in the service truck and fleet equipment industry. The company specializes in designing and manufacturing service trucks tailored to meet the specific needs of their clients. Their product range includes service truck bodies, cranes, and various equipment solutions. NFE is recognized as an IMT "Diamond Authority Dealer," which allows them to offer competitive pricing on top-tier service truck bodies and cranes.
With a strong emphasis on customization, NFE ensures that each truck is built to the unique specifications of their customers. This includes options for lighter-duty solutions, fuel and lube systems, and specialized equipment like air compressors and integrated welding systems. The company also provides comprehensive parts and service support, with a dedicated team of experienced technicians committed to maintaining the functionality and longevity of the trucks they produce.
Attack Overview
The ransomware attack on Nichols Fleet Equipment was executed by LockBit, a highly sophisticated ransomware-as-a-service (RaaS) group. LockBit is known for its modular ransomware that encrypts its payload until execution, making it difficult to detect and analyze. The group employs "double extortion" tactics, exfiltrating sensitive data and threatening to release it publicly if the ransom is not paid.
LockBit typically exploits vulnerabilities in Remote Desktop Protocol (RDP) services and unsecured network shares to spread quickly across a network. The ransomware uses a combination of RSA-2048 and AES-256 encryption algorithms to encrypt victims' files. Indicators of Compromise (IOCs) for LockBit include the creation of a mutual exclusion object (Mutex) when executed, the use of a unique icon, and changes to the victim's computer wallpaper.
Potential Vulnerabilities
Nichols Fleet Equipment, like many companies in the manufacturing sector, may have been targeted due to potential vulnerabilities in their network security. The use of RDP services and unsecured network shares could have provided an entry point for the attackers. Additionally, the company's reliance on customized and specialized equipment solutions may have made them an attractive target for ransomware groups seeking to disrupt operations and demand a ransom.
About LockBit
LockBit has been active since September 2019 and has become the most active ransomware group, responsible for over one-third of all ransomware attacks in the latter half of 2022 and the first quarter of 2023. The group distinguishes itself through its sophisticated encryption methods and its ability to spread quickly across networks. LockBit demands payment in Bitcoin, typically ranging from several thousand to several hundred thousand dollars.
Recent Ransomware Attacks
The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.
The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.