German logistics giant Hellmann has warned its customers and partners to be on the lookout for fraudulent calls and mail after the company was hit with a ransomware attack two weeks ago.
In an update about the cyberattack that initially forced them to remove all connections to their central data center, the company said business operations are back up and running but the “number of so-called fraudulent calls and mails has generally increased.”
“The forensic investigation has meanwhile confirmed that data was extracted from our servers before our systems were taken offline on December 9. We are currently investigating what type of data was extracted and will proactively provide further information as soon as possible. We are in regular contact with relevant government authorities,” Hellmann said.
“Whilst communication with Hellmann staff via email and telephone remains safe (inbound and outbound), please make sure that you are actually communicating with a Hellmann employee and beware of fraudulent mails/calls from suspicious sources, in particular regarding payment transfers, change bank account details or the like.”
When news of the attack first broke on December 9, the company said the shutdown was having a “material impact” on their business operations.
The German company operates in 173 countries, running logistics for a range of air and sea freights as well as rail and road transportation services. Air Cargo News, which first reported the attack, said the company had a revenue of nearly $3 billion last year.
BleepingComputer reported last week that ransomware group RansomEXX has claimed responsibility for the attack. After negotiations with Hellmann fell apart, the group published 70.64 GB of stolen documents on their leak site that included business agreements, intra-company emails, and more, the outlet explained. They added that the leaks explained the increase in scam calls.
In February, the criminal group that deploys the RansomExx ransomware was caught abusing vulnerabilities in the VMWare ESXi product allowing them to take over virtual machines deployed in enterprise environments and encrypt their virtual hard drives.
They were also identified by the FBI in November as one of the ransomware groups that use “significant financial events” as leverage during their attacks.
“Ransomware groups are using events like mergers and acquisitions to target companies and force them into paying ransoms,” the FBI said.
“A November 2020 technical analysis of Pyxie RAT, a remote access trojan that often precedes Defray777/RansomEXX ransomware infections, identified several keyword searches on a victim’s network indicating an interest in the victim’s current and near-future stock share price. These keywords included 10-q, 10-sb, n-csr, nasdaq, marketwired, and newswire.”