New Ransomware Group Leaks Data Belonging to an Important US Military Contractor
A large entity that supplies military equipment to the US Air Force and militaries across the globe might have fallen victim to a ransomware attack.
PDI Group is an Ohio-based company that manufactures various types of ground support equipment for military needs, such as dollies, trolleys, and platforms for transporting weapons, engines, and aircraft parts during servicing operations.
The attacker, Babuk Ransomware, is quite new to this landscape, having been discovered in 2021. It has attacked at least five big enterprises and operates according to the modus operandi known as the big-game hunting strategy.
The criminal group behind the Babuk Locker ransomware created a page on their website under the PDI company name. On this page, they are threatening to leak more than 700 GB of data they claim to have stolen from PDI’s internal network unless the company meets their ransom demands.
It is known that attackers usually leak proof of the breach in order to convince the victim that they really have important data in their possession. The Babuk Locker attackers posted a few screenshots containing several internal documents that they claim to have stolen from PDI’s internal network. The data included schematics, with one appearing to describe one of PDI’s aircraft engine trailers.
This stolen data is leveraged to put additional pressure on companies that may be able to restore from backups but do not want to have proprietary and customer data leaked online.
Recently, the PDI Group incident entered the third stage of the extortion scheme, with the attacker group publishing a 120 MB archive file that contained purchase orders for more than 350 of PDI’s past customers.
The leaked files were provided in an archive labeled cc.zip, which also contained clear-text, full credit card details of some of the company’s past customers. On the bright side, the vast majority of the card numbers appear to belong to cards that have long since expired.
For the time being, the attack has not been officially communicated to PDI’s customers, with the Department of Defense and the Cybersecurity and Infrastructure Security Agency deferring to the PDI Group in regard to the incident.
Let’s remember that earlier this month, the public spokesperson for the REvil ransomware group said their operators often gain access to military-related targets:
I know at the very least that several affiliates have access to a ballistic missile launch system, one to a US Navy cruiser, a third to a nuclear power plant, and a fourth to a weapons factory.