[German]Strange story that's going around right now. In German factories of car maker Mercedes Benz (Daimler AG) production computers are supposed to be infected with WannaCry ransomware. Also vendor Festo is claimed to be infected with WannaCry.
First of all, I must say, that the story isn't officially confirmed (from the companies – but I have my own sources). German news site heise.de has published yesterday the article Daimler: WannaCry hat offenbar neue Opfer gefunden (translation means Daimler: WannaCry found new victims).
First reports – after reader tips
The editorial team at heise refers to reports from different readers that production at Daimler sites is affected. According to these sources, a WannaCry infection is believed to have taken place in Mercedes-Benz plants such as Bremen, Hamburg and Untertürkheim.
Unpatched Windows XP systems are involved?
How can this happens at end of September 2017? It is reported that industrial robots, using Windows XP for control, were no longer functional. So it seems, that unpatched Windows XP systems was involved into this case. Manufacturer Festo is also said to have been affected by the WannaCry Trojan horse.
Note: I'm aware, that Windows XP, Windows 8.x and Windows 10 are probably not vulnerable for WannaCry. But maybe there are Windows 7 machines involved – or it's a modified version of this trojan. And it is known, that WannaCry infections forces Windows XP systems into a blue screen – so reports, that industry robots controlled by Windows XP makes a lot of sense. Windows XP isn't the source to spread a WannaCry infection, but will be affected too.
Not confirmed by speakers of Daimler and Festo …
The editorial team at heise has reached out to Daimler and Festo for a statement. A speaker from Festo states that no attacks are known. A speaker from Daimler/Mercedes Benz explained that production is running – but no statement has been made about WannaCry infection.
The WannaCry Trojan has led to a number of failures in the automotive industry. At Renault, the initial infection in May 2017 led to production stoppages, and Honda was also affected by something like this. And Korean electronic producer LG was still a victim of WannaCry in South Korea in August 2017.
Remark: I've covered the production stops in the car manufacturing industry within my German blog in several blog posts. Links may be found within my German article.
… but my source confirmed it also
Update: An reliable source (that will stay anonymous) has told me today (September 30, 2017) that the German Daimler plant in Rastatt is/was also affected. My source spoke of a 'quite upset mood' within the IT department.
Update 2: Another source (that will stay anonymous) has send me the following details – I've translated it to English.
… but the production IT of Daimler in Kölleda (motor factury) and Kamenz (LiIon battery factory) almost breathed a sigh of relief yesterday at 9h, after [Mercedes Benz production IT at] Untertürkheim reported more than 1500 cases.
This infections affects massively virtual machines from plant suppliers, personal measuring computers and systems in 24/7 operation.
Update 3: I've reached out to Daimler Press department and received the following statement from a speaker:
Our production is running. Please understand that we do not comment on IT security issues.
Update 4: I found a German Tweet – which makes a lot sense, if we know the context.
Auf Dads Arbeit wird das sogar für die Steuerung von Industrierobotern benutzt. Gestern wurde es von WannaCry befallen.
— Relaxo (@Flusslied) 30. September 2017
A raw translation says: 'On some computers at my parents workplaces, Windows XP is still in use. That's digitalisation in Germany. In dad's company they are using still Windows XP to control industry robots. Yesterday they had a WannaCry infection.'
So, independent from what speakers of Mercedes Benz/Daimler told us, the incident seems real.
Petya ransomware is back – using WannaCry vulnerabilties
Ransomware WannaCry infected worldwide thousands of Windows systems
WannaCry & Co.: EternalBlue Vulnerability Checker and Crysis Ransomware Decryptor
Cookies helps to fund this blog: Cookie settings