German Engineering Firm HVB Ingenieurgesellschaft Hit by Cloak Ransomware

Incident Date: Aug 21, 2024

Attack Overview

Victim: HVB Ingenieurgesellschaft
Industry: Business Services
Location: Germany
Attacker: Cloak
First reported: August 21, 2024

Ransomware Attack on HVB Ingenieurgesellschaft by Cloak

HVB Ingenieurgesellschaft mbH, a well-established German engineering firm, has recently fallen victim to a ransomware attack orchestrated by the notorious Cloak ransomware group. The attack, discovered on August 22, 2024, resulted in a significant data breach, compromising 138GB of sensitive information.

About HVB Ingenieurgesellschaft

Founded in 1993, HVB Ingenieurgesellschaft mbH is a prominent player in the engineering sector, specializing in structural engineering and project management. Headquartered in Wandlitz, Germany, the firm also operates offices in Berlin, Dresden, Leipzig, and Spangenberg. With a workforce of approximately 30 employees, HVB Ingenieurgesellschaft is known for its comprehensive planning and consulting services, emphasizing flexibility and high-quality service delivery.

The company stands out in its industry due to its tailored solutions and holistic approach to project management, ensuring all aspects of a project are coordinated among stakeholders. This commitment to quality and customer satisfaction has been a cornerstone of its operations for over 30 years.

Vulnerabilities and Attack Overview

Despite its strong reputation, HVB Ingenieurgesellschaft's relatively small size and specialized focus made it a target for threat actors like the Cloak ransomware group. The attack leveraged compromised employee credentials, likely obtained through info-stealers such as Lumma, Aurora, and Redline. The ransomware used the infected machine's own resources to exfiltrate and encrypt data, leading to the significant breach.

The attack underscores the growing threat that ransomware poses to critical infrastructure and highlights the need for enhanced cybersecurity measures, especially for small to medium-sized enterprises (SMEs) in specialized sectors.

About Cloak Ransomware Group

Cloak ransomware is a relatively new but highly active group that emerged between late 2022 and early 2023. The group is financially motivated and primarily targets sectors such as medical, real estate, construction, IT, food industry, and manufacturing, with a particular focus on Europe. Cloak operates a data leak site where they sell and publish stolen data from victims, employing double extortion tactics to maximize their financial gain.

The group distinguishes itself by purchasing initial access from Initial Access Brokers (IABs) on underground marketplaces and using sophisticated methods to exfiltrate and encrypt data. As of mid-2023, Cloak had accessed 23 databases of small to medium-sized businesses, with a high ransom payment rate of 91-96%.
