Clop Ransomware attack at Technische Werke Ludwigshafen

The power/energy supplier of Ludwigshafen, Technische Werke Ludwigshafen (TWL), was the victim of a ransomware attack last week. Now the Clop Ransomware Group, which is responsible for the attack, has published captured customer data.

First information about a cyber attack

Last week I already mentioned this in a short note in the blog post Sicherheitsmeldungen 5. Mai 2020. But it only said that hackers had access to the business and customer data of the utility Technische Werke Ludwigshafen (TWL). In this heise article, referring to the utility, it was reported that unknown persons had had access to customer data such as names, addresses and account details.

The municipal power supplier had informed the authorities and ordered additional support from a cybersecurity company. The company did not want to disclose the time of the attack or the amount of data copied, citing ongoing investigations.

The TWL statement

In an undated statement Technische Werke Ludwigshafen (TWL) writes that despite massive security measures taken in the past, the company has become the target of a successful hacker attack. 

Nevertheless, a still unknown group of hackers has succeeded in penetrating the network of the energy supplier Technische Werke Ludwigshafen AG, TWL. Immediately after noticing the attack, TWL initiated countermeasures. Among other things, servers on which suspicious activities were recorded were immediately shut down.

The security of supply for the citizens of Ludwigshafen and the company's customers was and is guaranteed. The company immediately informed the responsible investigating authorities and called in a cyber security company. The investigations are ongoing. Due to the ongoing investigations by the responsible authorities, no further details were given about the course and extent of the hacker attack.

Data has been stolen

Due to the immediately initiated countermeasures, the theft of data could be interrupted but not completely prevented, says the TWL statement. The hackers succeeded in capturing customer data such as names, addresses and account details as well as business data.

For this reason, the company asks its customers to check their accounts regularly and to contact their bank in case of unusual account movements. Passwords used in communication with TWL, for example when accessing the customer portal, should be changed.

Clop Ransomware group leaks stolen data

However, I have received the following information from a security researcher via my Twitter channels. According to this information, the Clop Ransomware group successfully attacked the Ludwigshafen utility company. The name of the ransomware comes from the file name extension .CLOP, which is used for encrypted files. Trend Micro has information about the CLOP ransomware, so it seems that the malware droppers are known.

This has become known because the Ransomware Group has published more than 30,000 records with sensitive customer data. Among them are the names and e-mail addresses of the customers, their tariffs and the billing account numbers. Obviously the group behind the ransomware has switched to mirroring the files on their own servers before encrypting them. I conclude from the publication of the data that TWL did not respond to the blackmail and did not pay a ransom.
