Nefilim ransomware gang began publishing sensitive files leaked during the attack
Dussmann Group, one of the largest multi-service providers, has fallen victim to the Nefilim ransomware gang, which is now posting the company's sensitive information online via a purpose-built leak website. The incident is a direct consequence of a ransomware attack on the company's refrigeration subsidiary Dresdner Kühlanlagenbau GmbH (DKA), which employs 570 people.
Dussmann Group is an international service provider from Germany, headquartered in Berlin. It employs more than 64,000 people in 22 countries and generates billions of euros in revenue each year. The company offers facility management, building systems, childcare, retail, and other services.
According to the industry giant, the subsidiary had its services shut down for some time, although operations are now back to normal:
Operational processes in the business unit for refrigeration air-conditioning plant engineering are secure. DKA has already informed clients and employees about the cyber-attack and the data outflow. Due to ongoing investigations, we cannot say more at present.
In the meantime, Dussmann Group representatives said that DKA has informed clients and other related parties of the data breach, as well as the State Office of Criminal Investigation in Saxony. The company is also working closely with the relevant authorities and with forensic cybersecurity investigators.
It is currently unclear how the cybercriminals behind Nefilim managed to breach the Dresdner Kühlanlagenbau GmbH network, but the gang's previous attacks point to insufficiently protected Remote Desktop Protocol (RDP) connections as the initial access vector.
Sensitive information discovered on the Dark Web
The Dussmann Group incident first came to light on Tuesday, when @ransomleaks posted a screenshot of the data uploaded by the cybercriminals. The screenshot implied that the exposed information is only the first part of the leak, and it listed files such as filelist_archive33.txt, DUSSMANN_GROUP_Leak_archive33.7z, and DUSSMANN_GROUP_Leak_archive36.7z. Additionally, the dark web post revealed personal details of the company's executives, including phone numbers, email addresses, and mobile numbers.
Security researchers from Cyble have analyzed the data posted on the dark web by the Nefilim actors. The dump turned out to contain 15.7 GB of accounting documents, AutoCAD drawings, legal contracts, compulsory security mortgage documents, cooperation agreements, company settlement documents, images, and other sensitive files related to the refrigeration air-conditioning plant engineering firm Dresdner Kühlanlagenbau GmbH. The cybersecurity firm also said that, in total, 16,805 files were published by the cybercriminals.
Ransomware gangs steal sensitive data to increase the chance of victims paying ransom
A ransomware attack can be devastating to any company, especially if backups were not maintained or were encrypted along with the production data. In late 2019, cybercriminal gangs that apply big game hunting tactics against high-profile businesses and organizations came up with a new trick that can cripple a company even further. The Maze ransomware group started the trend of stealing sensitive information from attacked companies in order to threaten public exposure if no ransom is paid within a set time frame.
Nefilim is one of the ransomware gangs that attack high-profile companies with the intent to encrypt servers, steal sensitive data, and later post it online if the ransom demands are not met on time. The malware is a rebranded version of Nemty, which had suffered several setbacks during its 10 months of operation.
Nonetheless, the Nefilim ransomware gang now aims at the largest companies worldwide and is succeeding. Besides Dussmann Group, the actors have previously attacked such giants as Toll Group, Lion, Fisher & Paykel, Orange, and many others.