Westermans International Hit by Cloak Ransomware: Data Compromised

Incident Date: August 21, 2024


Overview

Victim: Westermans International

Attacker: Cloak

Location: Leicester, United Kingdom

First Reported: August 21, 2024

Ransomware Attack on Westermans International by Cloak Group

Westermans International Ltd, a UK-based company specializing in the sale and rental of used and refurbished welding and cutting machinery, has recently fallen victim to a ransomware attack orchestrated by the Cloak ransomware group. The attack, which was claimed on July 19, has resulted in the unauthorized access and subsequent leaking of less than 100 GB of sensitive data.

Company Overview

Established in 1966, Westermans International operates from a 30,000 square foot facility in Groby, Leicester. The company is renowned for providing high-quality welding equipment and exceptional customer service. Their product offerings include automatic orbital tube, pipe, and tube-to-tubesheet welding systems, utilizing advanced technologies such as Gas Tungsten Arc Welding (GTAW). They serve various industries, including semiconductor manufacturing, food and dairy processing, biotechnology, pharmaceuticals, aerospace, shipbuilding, and power generation.

Westermans International not only sells machinery but also provides extensive aftercare support, ensuring that all equipment is serviced to high standards before delivery. The company has a strong export presence, delivering machinery worldwide and catering to diverse industrial sectors such as vessel fabrication, oil and gas, structural steel, and renewable energy.

Attack Overview

The ransomware attack on Westermans International has compromised sensitive information, posing significant risks to the company's operations and reputation. The breach has exposed weaknesses in the company's cybersecurity measures, the kind of gaps that make an organization a target for threat actors such as the Cloak ransomware group.

About Cloak Ransomware Group

Cloak ransomware is a relatively new group that emerged between late 2022 and early 2023. The group is financially motivated and primarily targets small to medium-sized businesses in Europe, with a focus on sectors such as medical, real estate, construction, IT, food industry, and manufacturing. Cloak operates a data leak site where they sell and publish stolen data from victims, using double extortion tactics by encrypting files and threatening to leak stolen data.

Penetration and Extortion Tactics

Cloak likely purchases initial access from Initial Access Brokers (IABs) on underground marketplaces. They may leverage compromised employee credentials obtained through info-stealers like Lumma, Aurora, and Redline. The ransomware uses the infected machine's own resources to exfiltrate and encrypt data. Encrypted files are renamed with extensions like .crYptA, .crYptB, up to .crYptE. As of mid-2023, Cloak had accessed 23 databases of small-medium businesses, with a high payment rate from victims.
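The renamed-file extensions above are the one host-side artifact a defender can check for directly. The following is an added example, not code from this site or from any vendor report: it scans a file listing for the exact mixed-case .crYptA to .crYptE suffixes and flags directories where renamed files dominate, so a single stray file does not raise an alert. The sample paths and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Cloak appends .crYptA ... .crYptE to encrypted files. Match the exact
# mixed-case suffix (case-sensitive) so ordinary "crypt" names are not flagged.
CLOAK_SUFFIX = re.compile(r"\.crYpt[A-E]$")


def find_cloak_renames(paths):
    """Return {directory: [renamed files]} for paths carrying a Cloak suffix."""
    hits = defaultdict(list)
    for p in paths:
        if CLOAK_SUFFIX.search(p):
            hits[str(PurePosixPath(p).parent)].append(p)
    return dict(hits)


def flag_directories(paths, min_ratio=0.5, min_files=3):
    """Flag directories where at least min_files files are renamed and those
    files make up at least min_ratio of the directory (assumed thresholds)."""
    total = defaultdict(int)
    for p in paths:
        total[str(PurePosixPath(p).parent)] += 1
    flagged = {}
    for d, files in find_cloak_renames(paths).items():
        ratio = len(files) / total[d]
        if len(files) >= min_files and ratio >= min_ratio:
            flagged[d] = {"renamed": len(files), "total": total[d],
                          "ratio": round(ratio, 2)}
    return flagged


# Constructed sample listing; not data from any real victim.
SAMPLE_PATHS = [
    "/srv/share/quotes/q-1001.pdf.crYptA",
    "/srv/share/quotes/q-1002.pdf.crYptB",
    "/srv/share/quotes/q-1003.xlsx.crYptE",
    "/srv/share/quotes/README.txt",
    "/srv/share/hr/handbook.docx",
    "/srv/share/hr/payroll.xlsx.crYptC",
    "/srv/share/hr/notes.crypta",  # lowercase suffix: not the Cloak pattern
]

if __name__ == "__main__":
    for d, info in flag_directories(SAMPLE_PATHS).items():
        print(f"{d}: {info['renamed']}/{info['total']} renamed ({info['ratio']:.0%})")
```

Feeding it a listing from a file server share (for example the output of a recursive directory walk) gives a quick triage view of which directories the encryption routine has already touched.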

Sources

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.