Internal Documents Published After Stadler Refuses $6MM Ransom

Written by David Burroughs, News & Features Writer, International Railway Journal

Internal documents stolen during a cyber-attack on Stadler’s headquarters have been published online after the manufacturer refused to give in to ransom demands.

Stadler announced the attack on May 7, and said the hackers subsequently demanded a $6 million ransom, to be paid in Bitcoin.

“Stadler is not and was at no time willing to make payments to the blackmailers and has not entered into the negotiations,” the company told IRJ. “As a result, the perpetrators published internal documents of Stadler in order to harm Stadler and its employees.

“These are confidential documents and data, which were stolen from Stadler by means of criminal machinations. The use and distribution of these documents and data is illegal, supports the criminal perpetrators and promotes the steady increase in further cyber-attacks on companies of all kinds.”

Stadler says it has filed charges at its headquarters in Switzerland, and has also contacted the data protection authorities in all countries where it has subsidiaries.

Brett Callow, a Canada-based threat analyst with New Zealand-based cybersecurity firm Emsisoft, told IRJ that around 4GB of information had been published so far, along with a list of files the hackers had accessed and could potentially have extracted.

Callow says the attack appeared to be from a group called Nefilim, which has previously targeted other corporations such as Austrian logistics group Toll.

“This is simply a warning shot to Stadler; should it not pay, whatever other data Nefilim obtained will be published,” Callow says. “In previous cases, the group has published data in as many as seven installments in order to gradually ramp up the pressure.”

Callow says the information already shared is likely to be only a small percentage of the total amount stolen.

“Ransomware groups used to simply encrypt their victims’ data but, since the tail end of last year, they’ve been stealing it too,” he says. “They then use the threat of publishing the stolen data as additional leverage to extort payment. This means that ransomware incidents are effectively data breaches and represent a risk to both the target company and its customers and business partners.

“Companies in this situation are without a good option: they’ve been breached and their data is in the possession of cybercriminals. Should they not pay the ransom, their data will be published. Should they pay it, they’ll simply receive a ‘pinky promise’ from a bad faith actor that the data will be destroyed and not misused.”
