How was the Attack Carried Out?
Gedia has more than 4,300 employees working at eight different production sites worldwide. Their production plants are located in Germany, China, Mexico, Poland, Hungary, India, Spain and in the US. The attack was carried out on Gedia’s German headquarters in Attendorn-Ennes, Sauerland, on the night of the 20th of January. It is not yet known who the attackers were. However, from initial analyses, security experts believe that the attack originated from Eastern Europe. Security experts believe that the company’s systems were breached, and malware introduced, using the open-source ADRecon tool. This tool gathers information about an Active Directory (AD) and generates a report that provides a picture of the current state of the AD environment. The tool is normally used by security professionals and system administrators. Furthermore, experts believe that Gedia’s systems were encrypted using Sodinokibi ransomware. However, before encrypting Gedia’s systems, the hacking group stole a Microsoft Excel spreadsheet containing over 50GB of data from the company’s AD.
Consequences of Ransomware Attack on Gedia
Fortunately, the company’s security systems picked up the attack very quickly. However, the extent of the attack was such that the company was forced to shut down its headquarters’ IT systems. This was done to prevent the complete failure of Gedia’s IT infrastructure. Nonetheless, Gedia said today that this shutdown is likely to have far-reaching consequences for the entire Gedia group of companies, because all locations are connected to the central IT infrastructure in Attendorn-Ennes and are dependent on it. Although the system shutdown has led to staff working in central administration being sent home on forced vacation, Markus Hammer, Gedia’s sales manager, emphasized that production would continue. He said: “An emergency plan ensures production, material supply and the processing of customer deliveries. The critical systems are running.” Nevertheless, according to Markus Hammer, it will take weeks or months for all functional processes to be completely restored.
Attackers Threaten to Sell Gedia Data Online
The hacking group reported that they had stolen Gedia data related to technical drawings, as well as employee and customer data. They also threatened to sell this information on online data exchange forums if Gedia does not pay the demanded sum in cryptocurrency in time. The hacking group wrote today on a Russian hacking forum: “Now for the tasty, gedia.com. They didn’t get in touch. All computers on the network are encrypted. More than 50 GB of data was stolen, including drawings, data of employees and customers. All this is carefully prepared for implementation on the stock exchange of information. What they don’t buy, we’ll post it for free. 7 days before publication.” It is not known whether Gedia intends to pay the ransom, but the company says that it intends to put the systems back into operation when required.