LockBit Ransomware Strikes Westfälische Stahlgesellschaft

Incident Date: July 5, 2024

Overview

Victim: Westfälische Stahlgesellschaft

Attacker: Lockbit3

Location: Plettenberg, Germany

First Reported: July 5, 2024

Analysis of the LockBit Ransomware Attack on Westfälische Stahlgesellschaft

Company Profile: Westfälische Stahlgesellschaft

Westfälische Stahlgesellschaft mbH & Co Eisen- & Stahlhandel-KG, a prominent group of steel trading companies based in Germany, stands out in the steel industry due to its unique combination of production expertise and extensive trading capabilities. Operating across four sites in three locations—Plettenberg, Löhne (East Westphalia), and Stuhr-Brinkum (near Bremen)—the company is noted for its substantial stock of a wide variety of steel grades and configurations. The inclusion of the Plettenberg drawing mill allows the company to produce high-quality bar steel products, enhancing its market position in the steel production sector.

Attack Overview

On June 9, 2024, Westfälische Stahlgesellschaft became a target of the ransomware group LockBit. The attack led to significant disruptions within the company's IT systems, impacting both production operations and goods handling. Critical data including production data, accounting information, personal data of employees and clients, databases, and production models were reportedly exfiltrated. The company has publicly acknowledged the cyberattack and is actively working with cybersecurity experts to mitigate the damage and restore operations. The attackers have set a ransom deadline of July 10, 2024, and the full extent of the data breach and its implications are still under evaluation.

Ransomware Group: LockBit

LockBit is a sophisticated ransomware-as-a-service (RaaS) operation active since September 2019. Known for its high activity level, LockBit employs a modular ransomware framework that keeps its payload encrypted until execution, complicating malware analysis and detection efforts. The group uses a combination of RSA-2048 and AES-256 encryption algorithms to encrypt the files of its victims. LockBit is notorious for its "double extortion" tactic, where it not only encrypts the victim's data but also exfiltrates it and threatens to release it publicly if the ransom demands are not met. Payments are typically demanded in Bitcoin, and the group is known to exploit vulnerabilities in Remote Desktop Protocol (RDP) services and unsecured network shares to propagate within networks.

Vulnerabilities and System Penetration

The specific vulnerabilities exploited in the attack on Westfälische Stahlgesellschaft have not been disclosed. However, LockBit 3.0's known tactics suggest possible exploitation of inadequately secured network shares or RDP services. The steel industry, with its complex supply chains and extensive data flows, presents numerous attack vectors for cybercriminals. Companies like Westfälische Stahlgesellschaft, with significant digital and physical assets, must continuously evolve their cybersecurity strategies to address these vulnerabilities.
