Hoerbiger Holding AG Hit by Akira Ransomware: 50GB Data Stolen
Ransomware Attack on Hoerbiger Holding AG by Akira Group
Hoerbiger Holding AG, a global technology company headquartered in Zug, Switzerland, has recently been targeted by the Akira ransomware group. The attack, which occurred on July 29, 2024, resulted in the exfiltration of over 50 gigabytes of sensitive data and caused significant disruptions to the company's operations.
About Hoerbiger Holding AG
Founded in 1895, Hoerbiger Holding AG specializes in performance-critical components and systems across various industries. The company operates in 43 countries with 127 production and service locations, employing approximately 6,174 individuals worldwide. Hoerbiger's business is structured into five main operating units: Compression, Automotive, Rotary, Engine, and Safety. The company is recognized for its innovation and commitment to sustainability, particularly in the fields of gas compression technologies, automotive components, and explosion protection solutions.
Attack Overview
The ransomware attack led to a partial failure of Hoerbiger's global IT systems, causing temporary disruptions in production at several locations. Forensic analysis revealed that the unauthorized access and encryption of data occurred on two of the 800 affected servers. Despite the breach, Hoerbiger's core systems for processing personal and business data, such as Microsoft 365 and its ERP, CRM, and HR systems, remained unaffected as they are managed by external service providers. The company has not disclosed whether a ransom was paid but has successfully restored its production facilities and is actively working on enhancing its IT infrastructure.
About the Akira Ransomware Group
Akira is a rapidly growing ransomware family that first emerged in March 2023. The group targets small to medium-sized businesses across various sectors, including manufacturing, technology, and telecommunications. Akira is believed to be affiliated with the now-defunct Conti ransomware gang, with which it shares code similarities. The group employs double extortion tactics, stealing data before encrypting systems and demanding a ransom for both decryption and data deletion. Akira's ransom demands typically range from $200,000 to over $4 million.
Penetration and Impact
Akira's tactics include unauthorized access to VPNs, credential theft, and lateral movement to deploy the ransomware. They have been observed using tools like RClone, FileZilla, and WinSCP for data exfiltration. In some cases, Akira has deployed a previously unreported backdoor. The attack on Hoerbiger highlights the vulnerabilities that even well-established companies face, particularly in managing and securing their extensive IT infrastructure.