Major manufacturing company completely shut down its operations for weeks due to ransomware attack

Information security specialists reported a serious ransomware infection at automation company Pilz, based in Germany. For more than a week, the company’s operations have been disrupted due to infection with the dangerous encryption malware variant known as BitPaymer.

On its website, the company released a statement that says: “Pilz has been the victim of a cyberattack specifically targeting our systems; it has crippled operations in all our computer and server-based jobs, including the company’s communication networks.” For now, the company is working at a forced pace to meet its pre-established commitments while restoring all affected operations.

This Monday, October 21, marked one week since the infection was detected. Although the company has already managed to restore some of its functions (scheduled deliveries, among others), many of its systems remain paralyzed. “We have integrated an information security team to resolve some technical issues, identify the source of the attack, among other activities,” states one of the latest updates on the incident.

As mentioned by company officials, the full re-establishment of Pilz’s operations is expected to take a few more days.

Speaking to the specialized platform ZDNet, information security expert Maarten van Dantzig said that this is a typical attack linked to the hacker group known as BitPaymer. The expert claims that he discovered some samples of the malware used by this group on the VirusTotal platform, including the ransom note used during this incident, with custom details related to the German company.

Although the amount of ransom demanded from Pilz is unknown, Van Dantzig adds that operators of this ransomware variant have demanded ransoms of up to $1 million USD in cryptocurrency. Finally, the expert adds that the BitPaymer ransomware is usually delivered to victims using the Trojan known as Dridex.

Specialists from the International Institute of Cyber Security (IICS) add that this Trojan is delivered to unsuspecting Windows users via a document attached to an email. When the document is opened, Dridex is loaded onto the system, opening the door to other threats, as in the case of the affected company.