Black Basta Ransomware Compromises Wielton S.A., Steals 650GB Data

Incident Date: Jun 17, 2024

Attack Overview

Victim: Wielton S.A.
Industry: Manufacturing
Location: Poland
Attacker: Black Basta
First reported: June 17, 2024

Analysis of the Black Basta Ransomware Attack on Wielton S.A.

Company Profile: Wielton S.A.

Wielton S.A., a leading European manufacturer based in Poland, specializes in the production of trailers, semi-trailers, and truck bodies. With a workforce of approximately 3,450 employees and a revenue of around 2.92 billion PLN, Wielton stands as one of the top five manufacturers in Europe and top ten globally in the transport solutions sector. The company's extensive product range and its strategic acquisitions have significantly broadened its market presence, making it a notable player in the transportation, construction, agriculture, and distribution sectors.

Details of the Ransomware Attack

The Black Basta group, known for its targeted ransomware attacks, recently compromised Wielton S.A., resulting in the theft of approximately 650GB of sensitive data. This data includes corporate information, financial records, project details, and technical drawings, stored across multiple server folders. The breach has raised serious concerns about the company's data security and operational integrity.

Profile of the Black Basta Group

Emerging in early 2022, Black Basta is believed to be an offshoot of the defunct Conti group. The group is notorious for its double extortion tactics, involving data encryption and threats to leak stolen data if ransoms are not paid. Black Basta's operations are characterized by the use of sophisticated tools such as QakBot and Mimikatz for lateral movement and credential harvesting, and Cobalt Strike Beacons for maintaining control over compromised systems.

Potential Vulnerabilities and System Penetration

Wielton S.A.'s extensive digital infrastructure, necessary for its large-scale manufacturing operations, may have presented multiple attack vectors for Black Basta. The group likely exploited weaknesses in the company's network, possibly through spear-phishing or outdated systems, to gain initial access. After gaining access, they would have moved laterally across the network, harvesting credentials and escalating privileges in order to deploy their ransomware and exfiltrate data.
