Georgia Wire Manufacturer Struck by RansomwareSouthwire Says It's Bringing Systems Back Online
A large Atlanta-area manufacturer of wire and cable says it has brought some systems back online after what appears to be a ransomware infection.
See Also: A Toolkit for CISOs
Southwire Co., based in Carrollton, Georgia, tweeted on Thursday that "we are doing all we can to minimize and resolve this disruption."
The company has $6 billion in annual revenue and more than 8,000 employees worldwide. It produces wire for electrical lines, homes, data centers and for a variety of other uses.
Southwire's network was affected by a cyber security incident on Monday. We are doing all we can to minimize and resolve this disruption.— Southwire (@Southwire) December 11, 2019
To keep our valued partners and customers up to date on this incident, we have created a temporary website at https://t.co/PVUbXI4P5q. pic.twitter.com/TGfgOHFXcg
The company hasn't described the incident, but comments and an image posted by Reddit users claiming to be employees point to a ransomware attack. And Bleeping Computer reports that those behind the Maze ransomware are claiming responsibility.
Bleeping Computer also reports the Maze gang says it has demanded a ransom of 850 bitcoins, worth about $6.1 million, from Southwire, and threatened to release data it has exfiltrated from the company's systems if it doesn't pay.
An image of the ransomware note was posted by an employee on Reddit who claimed to work at Southwire's plant in Rancho Cucamonga, California.
"We have also downloaded a lot of data from your network, so in case of not paying this data will be released," it warns. "If you don't believe we have any data, you can contact us and ask a proof. Also you can Google 'Allied Universal Maze Ransomware.'"
In November, the Maze gang leaked 700MB of data from Allied Universal, a California-based security services firm. The group told Bleeping Computer at that time it had stolen 5 GB and planned to send the rest to Wikileaks if the company didn't pay 300 bitcoins (see: Ransomware Attackers Leak Stolen Data).
The Maze ransomware, sometimes referred to as "ChaCha," reportedly also recently infected the city of Pensacola, Florida (see: City of Pensacola Recovering From Ransomware Attack).
Experts have warned that ransomware operators could potentially ramp up the pressure on victims by stealing data first before encrypting the data and threatening to release it. Unfortunately, that forecast is coming to fruition.
Southwire did not immediately reply to a request for comment, but the company has released some limited information.
In a letter on Wednesday, Southwire President and CEO Rich Stinson said the incident started on Monday. The company quarantined its network and began an investigation with a cyber security partner, he said.
"As early as Tuesday morning, we began bringing key business systems back online, prioritizing manufacturing and logistics functions that enable us to make and ship quality products to our customers," Stinson wrote. "I'm happy to share that we've seen major improvements at many of our plants and customer service centers in the last 24 hours. Our employees are returning to work, product is moving across our scales and functionality is improving."
Whether Southwire negotiated a ransom or recovered under its own power is unknown, says Bret Callow of Emsisoft, a New Zealand security vendor that develops tools to counteract ransomware.
"A complete recovery could hint at payment, but they only claim to have brought 'key systems' back online," Callow says. "That could potentially be doable, depending on how many of those 'key systems' there were."
One person who identified as an employee wrote on Reddit Wednesday. "I went into the offices yesterday afternoon," Sooze16 wrote. "Everyone was headed home - no computers. Looks like their site is still down. The IT guy that was there told me that the plant called him at 5AM asking how to shut the servers down. Bad time of year not to be shipping."
On the same thread, Bo_And_Arrow wrote on Wednesday: "We are semi-functional as of 7AM this morning."
A person identifying as a production employee wrote that it was possible to produce standard stock tags but "no new production orders can be produced or raw material billed to orders. Basically if it's already been produced, we can chop it down and package it to be sent but nothing other than that."