Ransomware gang LockBit 3.0 has posted data supposedly belonging to global power product manufacturer Phihong on its dark web blog. This latest claim of an attack comes hours after LockBit posted all the data it says it stole during a recent attack on Royal Mail.

Phihong data posted to LockBit victim blog. (Photo by Michael Vi/Shutterstock)

Phihong, based in Taiwan, has been given a deadline of February 19 to pay up, or it will see its data posted online in full, LockBit said. The company makes power supplies and chargers for electronic equipment and electric vehicles (EVs), which it supplies to clients around the world. Last year it announced a major deal to supply EV chargers to Shell.

LockBit is a Ransomware-as-a-Service gang that emerged in 2020. It is known for its ability to encrypt the files of its victims as well as their backups, optimising the likelihood of the ransom being paid. The gang offers three different types of malware to its clients: LockBit, LockBit Black and now LockBit Green.

According to the US DoJ, the gang has made at least $100m in ransom demands and has “extracted tens of millions in payments” since 2020.

The NHS is among the group’s most high-profile victims, with the gang having struck the 111 non-emergency service last summer, gathering the data of approximately 16 institutions. Hospital staff were reduced to using pen and paper to triage patients at the time of the attack, in the absence of digital systems.

Phihong ransomware attack: LockBit claims responsibility

LockBit claims to have personally identifiable information for Phihong employees and customers. “After working with this company, we have a large amount of critical company data in our hands,” the gang’s blog states. “Such as contracts and agreements with customers, sales data, project documentation of manufactured products, financial documents, as well as a large amount of databases.” 

The cost to destroy all information is just under $500,000, as is the cost to download any important data during the negotiations. The company has the option of extending the deadline at a cost of $1,000, according to the blog.

Tech Monitor has contacted Phihong Technology about the alleged attack, but has not received a response at the time of publication.

The blog reiterates the clear deadline, printed in bold and in red, by stating, “All data will be published to the public, and all databases are sold on the black market.”

Royal Mail cyberattack

Meanwhile, LockBit announced today that it has published all the files stolen in an attack on Royal Mail. However, researchers like John Fitzpatrick, CTO at security company Jumpsec, have cast doubt on the veracity of these claims.

Royal Mail is still suffering from the fallout from the attack, according to its update page, with international parcel delivery still being disrupted. Last month the company’s international package dispatch service ground to a halt after the attack.

If LockBit’s update is correct, the data, currently unspecified, is now for sale on dark web forums and could be used by cybercriminals for identity theft and to carry out phishing attacks.

The Royal Mail attack is particularly significant due to the target and the type of data it holds, argues Terry Greer-King, vice president for the EMEA region at security company SonicWall. “Due to the magnitude of this critical infrastructure, not only is vital service not working but sensitive personal information is at stake: people’s home addresses, full names and postal codes are at risk of going public,” Greer-King says.

“This attack is another example of how relentless cybercriminals are in their search for profit and the importance of keeping our critical infrastructure safe in this evolving threat landscape.”
