German Automotive Supplier Gedia Ransomware Victim

[German]The automotive supplier Gedia has been infected with ransomware. As a result, the IT systems were shut down because the blackmailing Trojan also encrypted data.


The Gedia Automotive Group employs more than 4,300 people at eight production sites and produces pressed body parts and welded assemblies for the automotive industry. Gedia operates worldwide and has production plants in China, Mexico and Poland, among others.

Ransomware attack paralyses company

A few hours ago, German Sauerland-Kurier reported in this article that the automotive supplier Gedia in Attendorn had been the victim of a serious hacker attack. The company issued a press release on Thursday morning (unfortunately there is nothing about this on the company's website).

German site LokalPlus reported of a cyber attack on the headquarters of the Gedia Automotive Group in Attendorn-Ennest (Sauerland). The attack took place in the night from Monday to Tuesday, January 21, 2020. Gedia sales manager Markus Hammer is quoted by LokalPlus as saying that "the company's security systems would have noticed the attack very quickly". In view of the scale of the attack, those responsible quickly decided to shut down all IT systems and immediately called in external experts.

In Gedia's head quarter in Attendorn-Ennest (Germany), 300 to 350 employees were sent on 'forced vacation' as a result of the cyber attack. The supplier's production is to continue, however, according to LokalPlus.

Sodinokibi Ransomware involved?

Colleagues at Bleeping Computer reported in this article today, prior to the release of the Gedia press release, that Sodinokibi Ransomware was involved and the backers threatened to release Automotive Group data. According to Sergiu Gatlan, the Sodinokibi Group published a Microsoft Excel spreadsheet containing an AdRecon report with information about an Active Directory environment.


The sodin attackers appear to use open source tool AdRecon for the AD environment of each of their victims, as they have also released a similar table for a previous victim called Artech Information Systems. However, a request from Bleeping Computer to Gedia for confirmation of the attack remained unanswered (this is now obsolete with the above press release).

In a Russian hacker and malware forum, the people behind the attack write: "Now for the tasty. . They didn't get in touch. All computers on the network are encrypted. More than 50 GB of data was stolen, including drawings, data of employees and customers. All this is carefully prepared for implementation on the stock exchange of information. What they don't buy, we'll post it for free. 7 days before publication."

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *