Westermans International Hit by Cloak Ransomware: Data Compromised
Ransomware Attack on Westermans International by Cloak Group
Westermans International Ltd, a UK-based company specializing in the sale and rental of used and refurbished welding and cutting machinery, has recently fallen victim to a ransomware attack orchestrated by the Cloak ransomware group. The attack, which was claimed on July 19, has resulted in the unauthorized access and subsequent leaking of less than 100 GB of sensitive data.
Company Overview
Established in 1966, Westermans International operates from a 30,000 square foot facility in Groby, Leicester. The company is renowned for providing high-quality welding equipment and exceptional customer service. Their product offerings include automatic orbital tube, pipe, and tube-to-tubesheet welding systems, utilizing advanced technologies such as Gas Tungsten Arc Welding (GTAW). They serve various industries, including semiconductor manufacturing, food and dairy processing, biotechnology, pharmaceuticals, aerospace, shipbuilding, and power generation.
Westermans International not only sells machinery but also provides extensive aftercare support, ensuring that all equipment is serviced to high standards before delivery. The company has a strong export presence, delivering machinery worldwide and catering to diverse industrial sectors such as vessel fabrication, oil and gas, structural steel, and renewable energy.
Attack Overview
The ransomware attack on Westermans International has compromised sensitive information, posing significant risks to the company's operations and reputation. The breach has exposed weaknesses in the company's cybersecurity measures, the kind of weaknesses that make a business a target for threat actors such as the Cloak ransomware group.
About Cloak Ransomware Group
Cloak ransomware is a relatively new group that emerged between late 2022 and early 2023. The group is financially motivated and primarily targets small to medium-sized businesses in Europe, with a focus on sectors such as medical, real estate, construction, IT, food industry, and manufacturing. Cloak operates a data leak site where they sell and publish stolen data from victims, using double extortion tactics by encrypting files and threatening to leak stolen data.
Penetration and Extortion Tactics
Cloak likely purchases initial access from Initial Access Brokers (IABs) on underground marketplaces. They may also leverage compromised employee credentials obtained through info-stealers such as Lumma, Aurora, and Redline. The ransomware uses the infected machine's own resources to exfiltrate and encrypt data. Encrypted files are renamed with extensions from .crYptA through .crYptE. As of mid-2023, Cloak had accessed 23 databases of small to medium-sized businesses, with a high payment rate from victims.
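The renamed-file extensions described above are the one concrete artefact in this write-up that a defender can watch for. The following is an added example, not code from the original article or from Halcyon: it parses constructed file-rename events (the event format, hostnames, paths and threshold are all assumptions), flags new filenames carrying a .crYptA to .crYptE extension, and reports hosts where a burst of such renames occurs, since a single match may be noise but many renames on one host within seconds is the signal.

```python
import re
from collections import Counter

# Extension pattern reported for Cloak: .crYptA through .crYptE (case-sensitive as reported).
CLOAK_EXT = re.compile(r"\.crYpt[A-E]$")

# Constructed sample of file-rename events: "<timestamp> <host> <user> <old path> -> <new path>".
# The format, hosts, users and paths are assumptions for this example, not data from the article.
SAMPLE_EVENTS = """\
2024-07-19T08:01:02Z FS01 jsmith /share/quotes/q1.xlsx -> /share/quotes/q1.xlsx.crYptA
2024-07-19T08:01:03Z FS01 jsmith /share/quotes/q2.xlsx -> /share/quotes/q2.xlsx.crYptB
2024-07-19T08:01:03Z FS01 jsmith /share/hr/payroll.csv -> /share/hr/payroll.csv.crYptE
2024-07-19T08:01:05Z FS01 jsmith /share/hr/old.docx -> /share/hr/old_v2.docx
2024-07-19T08:02:10Z WS17 abrown /home/abrown/notes.txt -> /home/abrown/notes.txt.crYptA
2024-07-19T08:02:11Z WS17 abrown /home/abrown/report.pdf -> /home/abrown/report.pdf.cryptz
"""

# Non-greedy old-path group so the literal " -> " separator is found correctly.
EVENT_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+?) -> (.+)$")


def parse_events(text):
    """Yield (timestamp, host, user, old_path, new_path) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            yield m.groups()


def cloak_renames(text):
    """Return the events whose new filename ends in a Cloak-style extension."""
    return [ev for ev in parse_events(text) if CLOAK_EXT.search(ev[4])]


def hosts_over_threshold(text, threshold=3):
    """Count Cloak-style renames per host; return {host: count} for hosts at or above threshold."""
    counts = Counter(ev[1] for ev in cloak_renames(text))
    return {host: n for host, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for host, n in hosts_over_threshold(SAMPLE_EVENTS).items():
        print(f"ALERT: {n} Cloak-style renames on {host}")
```

In production the same logic would run over file-server audit or EDR rename telemetry with a time window added, and a hit should trigger isolation of the host rather than just a log line.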