Clop ransomware encrypts 1,000 Symrise computers

Symrise was forced to stop its production after a ransomware attack

Fragrance maker Symrise attack: Clop ransomware encrypts 1,000 computers and steals 500GB of corporate data

Flavor and fragrance producer Symrise was hit by a ransomware attack last week. According to sources, cybercriminals managed to break into the company's network, encrypt more than 500GB of data on almost 1,000 computers.^[1] While initially, the source of malware was unknown, the cybercriminal gang behind Clop ransomware^[2] has claimed responsibility for the attack.

Symrise is one of the leading fragrance makers globally, established in 2003 in Holzminden, Germany. It employs more than 10,000 people worldwide with average yearly sales of 3.4 billion euros. The company produces flavorings for such industry giants as Coca-Cola, Nestle, Danone, Henkel, and many others.

According to German news outlet Handelsblatt that first reported on the case (after being alerted by security researcher chum1ng0), the company had to hold all the production while the attack is being contained by the internal IT teams:^[3]

As a result of the attack, large parts of the company departments such as production facilities had to temporarily stop production in order to be able to analyze the effects of the virus as best as possible.

Employees messaged via WhatsApp

While Symrise had to completely shut down many of its production lines, The employees were informed about the situation on Sunday, December 12, and production has been on a standstill since then. Overall the company is said to be very limited in its production, and the workforce is communicated via social media WhatsApp or directly via the phone. As stated by Handelsblatt, internal communication was also heavily restricted due to the cybersecurity incident.

After stopping production and containing the attack, Symrise immediately contacted the relevant authorities and State Criminal Police Office in Germany.

Cyberattack has also affected the company's stock prices, which fell by 2.3% since the attack occurred. It is also unknown whether Symrise will agree to pay the ransom to save sensitive information from being displayed publicly by the ransomware gang.

Clop ransomware authors threaten to publish all data online if demands are not met

When the incident was first reported by German news outlets, there were no details provided on who could be behind the attack. During last week, some security researchers managed to get a hold of a ransom note that was found on the company's network,^[4] and it soon became evident that Clop actors are the ones responsible.

In the ransom note, the attackers refer to the company as “HELLO DEAR SYMRISE” and then proceed with several lines of information that was allegedly stolen from the compromised network. A warning is also issued, which claims that if Symrise would not cooperate, the perpetrators would publish all the sensitive information of a specially crafted website for everybody to see.

The initial attack vector, according to cybercriminals themselves, was a targeted phishing email.^[1] Malicious actors also provided some solid proof that they actually hold files hostage and posted some passport scans, emails, accounting documents, and some other data.

Clop ransomware is just one of many strains that use the double extortion technique. Initially “invented” by now shut down ransomware Maze,^[5] many high-profile actors adapted the scheme, essentially making the illegal money extortion much more effective. Previous victims of the strain include the Maastricht University, ExecuPharm, and other high-profile targets.