News on the ransomware attack on Ludwigshafen supplier

New information about the attack by the Clop ransomware group on Ludwigshafen's energy supplier, Technische Werke Ludwigshafen (TWL), has become public. Customer data was stolen in the ransomware attack and has now been published.


The attack on the energy supplier Technische Werke Ludwigshafen (TWL) already took place on April 20, 2020. I disclosed some details in my blog post Clop Ransomware attack at Technische Werke Ludwigshafen and revealed that it was a ransomware attack by the Clop group and that they had published captured data. At that time TWL had not yet provided any information about this.

Background information: TWL supplies around 100,000 households in Ludwigshafen and throughout Germany with energy and water. So in my eyes it's a smaller energy supplier.

The energy supplier was blackmailed

In a statement (German), TWL now says that 'Due to forensic investigations, security work and investigations by law enforcement authorities, the company was required not to disclose details of the security incident until 11 May 2020'. Now more details have been published.

On April 20, TWL discovered a cyber attack. The utility company writes that criminals were observed stealing data from its systems. Measures were immediately taken to stop further data theft.

The statement continues: Unfortunately, more than 500 GB of data was successfully stolen. In the meantime, the company has learned that the criminals gained their first access in mid-February via an infected e-mail attachment that was not recognized by the technical defense systems.

After the discovery of the attack, TWL, according to its own statements, immediately contacted the responsible criminal investigation department, the Cybercrime Department of the State Criminal Police Office (LKA) of Rheinland-Pfalz and the Federal Office for Information Security (BSI). Investigations have begun and are still ongoing.


The responsible state data protection authority was informed of the incident. An external IT security company was commissioned with the forensic investigation and with defending against the incident. Encryption of the systems and access to the process control system were successfully prevented. The supply of the city of Ludwigshafen was and is therefore not at risk.

The bad and the ugly: Attackers active for weeks

The worse truth behind the incident is that the attackers were able to stay in the TWL network undetected for months. TWL wrote: In the following weeks, the criminals managed to spread undetected in the network of TWL despite numerous security measures.

On 30 April 2020, the hacker group then contacted TWL and tried to extort a ransom in the double-digit million euro range. They threatened to publish the stolen data. As I have already reported, the stolen data includes customer information (name, e-mail, bank accounts, etc.).

The management of Technische Werke Ludwigshafen (TWL) did not comply with the blackmailers' demand, 'because they don't do business with criminals' and they saw the risk that the data would be passed on anyway. The consequences were of course foreseeable.

Since May 11, 2020, the company's customers have been contacted by the criminals by e-mail, accusing TWL of lack of cooperation and misconduct in order to exert further pressure on the company. At the same time, the criminals have started to publish the stolen data on the Darknet.

The data published in the Darknet currently includes personal data such as name, first name and address, the e-mail address or telephone number, if it is stored at TWL, details of the chosen tariff and, if TWL has been granted a direct debit authorization, the bank account details. The company currently assumes that all its customers and business partners are affected.

TWL draws its customers' attention to the fact that there is a risk that criminals could use the data captured by the attack for further crimes. This includes, for example:

  • Identity theft
  • Phishing
  • Sending viruses and Trojans by e-mail

Customers should now take the following precautions to protect themselves against consequential damage.

  • Check bank accounts regularly and contact their bank immediately in the event of unusual account movements,
  • Change passwords used in communication with TWL, e.g. when accessing the customer portal,
  • Delete suspicious e-mails from unknown senders immediately. Under no circumstances should links or file attachments in such mails be opened.

All persons concerned are currently being informed personally and individually by the company by letter or e-mail.
