Westermans International Hit by Cloak Ransomware: Data Compromised

Incident Date: Aug 21, 2024

Attack Overview

VICTIM: Westermans International
INDUSTRY: Manufacturing
LOCATION: United Kingdom
ATTACKER: Cloak
FIRST REPORTED: August 21, 2024

Ransomware Attack on Westermans International by Cloak Group

Westermans International Ltd, a UK-based company specializing in the sale and rental of used and refurbished welding and cutting machinery, has recently fallen victim to a ransomware attack orchestrated by the Cloak ransomware group. The attack, which was claimed on July 19, has resulted in the unauthorized access and subsequent leaking of less than 100 GB of sensitive data.

Company Overview

Established in 1966, Westermans International operates from a 30,000 square foot facility in Groby, Leicester. The company is renowned for providing high-quality welding equipment and exceptional customer service. Their product offerings include automatic orbital tube, pipe, and tube-to-tubesheet welding systems, utilizing advanced technologies such as Gas Tungsten Arc Welding (GTAW). They serve various industries, including semiconductor manufacturing, food and dairy processing, biotechnology, pharmaceuticals, aerospace, shipbuilding, and power generation.

Westermans International not only sells machinery but also provides extensive aftercare support, ensuring that all equipment is serviced to high standards before delivery. The company has a strong export presence, delivering machinery worldwide and catering to diverse industrial sectors such as vessel fabrication, oil and gas, structural steel, and renewable energy.

Attack Overview

The ransomware attack on Westermans International has compromised sensitive information, posing significant risks to the company's operations and reputation. The breach points to weaknesses in the company's cybersecurity posture that made it a target for threat actors such as the Cloak ransomware group.

About Cloak Ransomware Group

Cloak ransomware is a relatively new group that emerged between late 2022 and early 2023. The group is financially motivated and primarily targets small to medium-sized businesses in Europe, with a focus on sectors such as medical, real estate, construction, IT, food industry, and manufacturing. Cloak operates a data leak site where they sell and publish stolen data from victims, using double extortion tactics by encrypting files and threatening to leak stolen data.

Penetration and Extortion Tactics

Cloak likely purchases initial access from Initial Access Brokers (IABs) on underground marketplaces. They may leverage compromised employee credentials obtained through info-stealers such as Lumma, Aurora, and Redline. The ransomware uses the infected machine's own resources to exfiltrate and encrypt data. Encrypted files are renamed with extensions ranging from .crYptA and .crYptB up to .crYptE. As of mid-2023, Cloak had accessed 23 databases belonging to small and medium-sized businesses, with a high payment rate from victims.
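The renamed-file extensions described above are a practical host-side indicator: a defender can watch file-write telemetry for the .crYptA to .crYptE suffixes and alert when many such renames land in a short window, which is the signature of mass encryption in progress. The following is an added example written for this page, not code from Halcyon or from any Cloak sample analysis. It assumes a constructed, tab-separated "timestamp<TAB>path" event format standing in for whatever file-audit or EDR feed an environment actually has; the sample events, paths and the 5-renames-per-60-seconds threshold are all constructed for illustration.

```python
import ntpath
import re
from collections import Counter
from datetime import datetime, timedelta

# Cloak renames encrypted files with the suffixes .crYptA through .crYptE
# (the extensions named in the report above). The match is case-sensitive
# on purpose: the odd capitalisation is part of the indicator.
CLOAK_EXT_RE = re.compile(r"\.crYpt[A-E]$")

# Constructed sample file-write events (not real telemetry). Format assumed:
# ISO-8601 timestamp, a tab, then the full Windows path that was written.
SAMPLE_EVENTS = """\
2024-08-21T09:14:02\tC:\\Shares\\Finance\\invoices_2023.xlsx
2024-08-21T09:14:05\tC:\\Shares\\Finance\\invoices_2023.xlsx.crYptA
2024-08-21T09:14:06\tC:\\Shares\\Finance\\budget.docx.crYptB
2024-08-21T09:14:07\tC:\\Shares\\HR\\contracts.pdf.crYptC
2024-08-21T09:14:08\tC:\\Shares\\HR\\payroll.csv.crYptD
2024-08-21T09:14:09\tC:\\Users\\jdoe\\notes.txt.crYptE
2024-08-21T10:30:00\tC:\\Users\\jdoe\\report.docx
2024-08-21T11:00:00\tC:\\Temp\\scratch.txt.crYptA
"""


def parse_events(text):
    """Parse 'timestamp<TAB>path' lines into (datetime, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, path = line.split("\t", 1)
        events.append((datetime.fromisoformat(ts), path))
    return events


def is_cloak_extension(path):
    """True if the file name carries one of the Cloak encryption suffixes."""
    return CLOAK_EXT_RE.search(path) is not None


def count_by_directory(events):
    """Count Cloak-renamed files per directory, to show where encryption landed."""
    counts = Counter()
    for _, path in events:
        if is_cloak_extension(path):
            counts[ntpath.dirname(path)] += 1
    return dict(counts)


def find_cloak_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Alert on runs of >= `threshold` Cloak renames inside any `window`.

    Single matches are reported by count_by_directory; a burst is the signal
    that bulk encryption is under way and is worth an immediate response.
    Returns a list of dicts: {"start": datetime, "count": int, "paths": [...]}.
    """
    hits = sorted((ts, p) for ts, p in events if is_cloak_extension(p))
    alerts = []
    i = 0
    while i < len(hits):
        start = hits[i][0]
        j = i
        # Advance j to the first hit that falls outside the window from `start`.
        while j < len(hits) and hits[j][0] - start <= window:
            j += 1
        if j - i >= threshold:
            alerts.append({"start": start, "count": j - i,
                           "paths": [p for _, p in hits[i:j]]})
            i = j  # do not re-report the same renames in overlapping windows
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    print("renamed files per directory:", count_by_directory(evts))
    for alert in find_cloak_bursts(evts):
        print(f"ALERT {alert['start'].isoformat()}: {alert['count']} Cloak renames")
        for p in alert["paths"]:
            print("   ", p)
```

On the constructed sample, the six renamed files are attributed to their directories, and the five renames between 09:14:05 and 09:14:09 trigger one burst alert while the isolated 11:00 rename does not. In a real deployment the parser would be replaced by the file-audit or EDR source in use, and the threshold tuned against the environment's normal rename rate.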
