Hellmann Worldwide is warning customers of an increase in fraudulent calls and emails regarding payment transfers and bank account changes after a recent ransomware attack.
The attack took place on December 9 and forced the logistics company to shut down its systems to contain the spread of the virus.
However, by the time the company’s IT team responded, the actors had already exfiltrated sensitive files from the compromised servers to be used as leverage during the negotiation phase of the ransom payment.
Through an update on its site, Hellmann Worldwide admits that the ensuing forensic investigation confirmed a data breach, but is still investigating what was stolen.
In the meantime, the company has received several reports from clients targeted by actors exploiting the stolen data.
As the company warns in the latest update:
“Please note that the number of so-called fraudulent calls and emails has generally increased. While communication with Hellmann staff by email and telephone remains secure (inbound and outbound), make sure that you are actually communicating with a Hellmann employee and beware of fraudulent mail / calls from suspicious sources, especially concerning payment transfers, modification of bank details, etc.”
Hellmann Worldwide is an international logistics company with a turnover of 2.53 billion euros ($2.85 billion), 263 offices in 56 countries, and 10,601 employees, and it handles 16 million shipments per year.
Its partner network is even larger, encompassing an additional 20,500 agents in 489 offices, so the opportunities for crooks and business email compromise (BEC) phishing actors are virtually endless.
RansomEXX claims responsibility
Bleeping Computer has discovered that the actor responsible for the ransomware attack on Hellmann Worldwide is RansomEXX, a resurgent threat group.
The actors published all the stolen data on their leak portal, totaling 70.64 GB of documents, IDs, correspondence, agreements, orders, etc.
The publication of these files is an indication that negotiations for the payment of a ransom have been concluded without success.
In addition, the fact that all of this sensitive data is available for download to anyone is directly linked to the increase in fraudulent calls and emails reported by Hellmann Worldwide.
Some notable ransomware incidents attributed to RansomEXX this year include attacks against:
In September of this year, cybersecurity company Profero released a working decryptor for RansomEXX infections, which can help victims of specific strains targeting Linux.