Ransomware: TWL refuses to pay ransom – attackers leak customer data

Authorities, public institutions and companies worldwide are struggling with the consequences of ransomware infections. Those who (must) deal aggressively with the subject in the face of obvious damage often use the vague paraphrase "hacker attack" before gradually disclosing further details.

In the case of the Technische Werke Ludwigshafen (TWL), a hacker attack, reported by heise online at the beginning of last week, officially became a ransomware incident in which confidential customer data was stolen. The company had refused to pay the ransom – a sum in the double-digit million range; thereupon the ransomware gang published all data records in the Darknet.

"The company currently assumes that all of its customers and business partners are affected," says a recent statement. These would now be "personally and individually informed" by TWL by letter or email. According to its own information, TWL supplies around 100,000 households in Ludwigshafen and throughout Germany with energy and drinking water.

According to its own statements, on April 20, 2020, TWL discovered that data had been actively stolen from the systems; this was immediately prevented. However, it later turned out that the criminals had their first access in mid-February via an infected email attachment that "was not recognized by the technical defense systems". Apparently, this was not a classic "hacker attack", but rather a malicious code infection (often initiated by email) as a gateway.

A total of more than 500 GB of data had been stolen, including, according to the current state of investigation, "personal data such as surname, first name and address, the email address or telephone number, if it is stored with TWL, information on the chosen tariff and, if TWL was given a direct debit authorization have been the bank details ". On April 30, the ransomware gang contacted the company and started extortion.

At first glance, it is unusual that the ransomware gang apparently did not blackmail TWL with encrypted data, because the company said it had been able to prevent encryption. Rather, the gang made direct contact with corporate customers to make the incident public and thus put pressure on TWL. "Since May 11, 2020, the company's customers have been emailed to criminals accusing these TWL of lacking cooperation and misconduct (…)." Given the refusal to pay, the extortioners had finally released the data.

In fact, such "public shaming" strategies have not been unusual for a long time. Security experts repeatedly emphasize that infection with ransomware should always be viewed as a data leak and should be treated as such. They generally advise against payment, which, as TWL rightly notes, further fuels criminal activities and, on the other hand, "experience has shown that it does not stop data dissemination on the Internet".

An Israeli IT security company called "Under the Breach" already had last Monday Tied to published TWL data via Twitter. Unlike TWL, the tweet mentions a specific ransomware called "Clop" that has infected the TWL network.

Screenshots of a Darknet post in the Under the Breach tweet are intended to underpin the authenticity of the information. In it, the blackmailers name the number of 500 GB of data (which corresponds to the information from TWL). The leak also contained 18,471 email addresses and a total of 36,411 customer records in an Excel spreadsheet.

Don't miss any news! With our daily newsletter you will receive all heise online news from the past 24 hours every morning.

  • Subscribe to the newsletter now

When asked about the tweet and the included reference to "Clop", a TWL spokeswoman told heise Security only about the information from the press release. On the website of Under the Breach there is no further information and explanations for the "clop" suspicion. It is therefore unclear whether this is just speculation.

(Picture: Under the Breach via Twitter)

TWL has informed the responsible police and data protection authorities about the incident. The investigation is ongoing. Given the risk of misuse of the leaked data, data subjects should Safety instructions from TWL follow:

For this reason, TWL asks its customers

– regularly check your accounts and contact your bank immediately in the event of unusual account movements,
– change passwords that are used in communication with TWL, e.g. when accessing the customer portal,
– delete suspicious emails from unknown senders immediately. Under no circumstances should links or file attachments be opened in such emails.


. (tagsToTranslate) data theft (t) data protection (t) hacking (t) leak (t) Ludwigshafen (t) ransomware (t) TWL (t) Technische Werke Ludwigshafen