Global building supply manufacturer Knauf is still battling the fallout from a cyberattack it suffered three weeks ago, it has been revealed. To isolate the attack, Knauf’s IT team shut down all operations across its business, some of which are still down with temporary workarounds in place. Ransomware gang Black Basta has claimed responsibility for the attack, and has leaked information purporting to be from the company on the dark web.
Based in Germany, the Knauf Group employs over 30,000 people globally and says it has an 81% share of the worldwide wallboard market. It supplies materials to UK customers, and has two factories in Britain, in Kent and Lincolnshire.
How the Knauf cyberattack unfolded
The cyberattack on Knauf took place on June 29 and, according to a statement recently posted on the building company’s website, it is still working to become fully operational again.
“We are currently working heavily to mitigate the impact to our customers and partners – as well as to plan a safe recovery. However, we apologize for any inconvenience or delays in our delivery processes that may occur,” the statement says. Temporary workarounds for customers are being released onto the company’s cyber attack updates page.
Has Knauf been the victim of a ransomware attack?
Though the company has not been specific about the type of cyberattack it is currently handling, ransomware gang Black Basta has taken responsibility, and posted Knauf’s details to its ransomware blog along with what it says is 20% of the files lifted from the company.
The low percentage of files posted on the dark web hints that the ransom negotiations could be ongoing. The documents uploaded appear to be examples of health insurance information, as well as user credentials, employee contact information, product documents and ID scans.
Pictures of Black Basta’s dark web blog displaying Knauf’s information have been posted on Twitter.
Black Basta continues its rise to prominence
Black Basta is a ransomware group, thought to be based in Russia, that operates mainly using double extortion tactics. This means it lifts the data of victim companies before encrypting it, leaving the companies to pay both for the decryption key and to prevent sensitive information from being released online.
It was first spotted in action in February, and since then has hit almost 50 victims across the manufacturing, construction, transportation, telecom, pharmaceutical, plumbing, and heating sectors. It has been closely linked to prolific ransomware gang Conti, which shut down its operations earlier this year.
In April, Black Basta posted its intentions to buy and monetise corporate network access for a share in the profits. The post, written in Russian, specified that it was looking for organizations based in the United States, Canada, United Kingdom, Australia, and New Zealand, according to a report from security company Cybereason.