Rheinmetall victim of a cyber attack by the Babuk2 group?

Has the defense contractor Rheinmetall fallen victim to a ransomware attack? At least the Babuk2 ransomware group claims to have carried out a successful attack on the company. However, I currently have very little information, as the Babuk2 website is currently not accessible. And the group spread a lot of fake news.

Babuk2 claims an attack

It was a quick question on Facebook posted by a reader in a private message: "Did you notice that Rheinmetall had another cyber attack?" Of course I hadn't, and then it was time for beauty sleep, gardening and a walk. You don't treat yourself to anything else …

[Screenshot: Rheinmetall Babuk2 attack]

The information from the screenshot above was added later. However, it remains unclear which division of the technology company, which is active in the automotive and defense sectors and offers components, systems and services for the security and civilian industry, is affected. During a search at around 7:30 pm, I came across the following tweet with the same information on X.

[Tweet screenshot: Rheinmetall victim of Babuk ransomware]

In a tweet, VenariX announces that the Babuk group claims to have successfully compromised the IT systems of Rheinmetall AG.

Babuk claims to have extracted 750 GB of data and gained access to email credentials. The group allegedly provided a sample from Rheinmetall Defense containing 1400 files. The samples were said to include military contracts, emails, business transactions, product images, etc. However, the Babuk pages do not appear to be accessible at present.

VenariX writes: "It is still unclear whether data has been leaked or whether material losses have been incurred as a result of the incident."

This is the third suspected case

Rheinmetall has already been the victim of successful cyber attacks. In September 2019, I reported in the article "Cyber attacks at Rheinmetall and Airbus contractors" that the Düsseldorf-based armaments company Rheinmetall had fallen victim to a cyber or hacker attack. The attack disrupted the company's production at plants in Brazil, Mexico and the USA.

The defense contractor Rheinmetall and its subsidiaries were also affected by a cyber attack in April 2023. The attack became public on Friday, April 14, 2023, although few details were made public. According to my information, the Blackbasta ransomware group was behind this attack. At the time, the attack only affected the Group's civilian business.

At the time, this was the second attack within a few months in 2023. Before that, the Russian group Killnet attempted an attack. I reported on this in the blog post "Cyber attack on Rheinmetall Group (April 2023) – civil branches affected".

Who is Babuk2?

The Babuk (Babyk) ransomware group was first detected as active in January 2021. According to this source, it primarily targeted large companies and government agencies in Europe and North America. The group has attacked companies in the transportation sector, governments, healthcare organizations, industrial equipment suppliers and more.

Babuk used the Ransomware-as-a-Service (RaaS) model and a double extortion strategy (file encryption plus data theft). The group favored targets with strong payment capabilities and attacked Windows, ESXi and NAS devices.

At the end of April 2021, Babuk announced the cessation of its activities and disclosed part of its source code under pressure from US law enforcement authorities. However, this announcement was soon deleted, and in May 2021 the group announced that it would turn to data theft and extortion and set up a platform for data leaks and data trading. The turmoil surrounding Babuk can be read about on the linked pages.

The hacker group Babuk2 (Babuk Locker 2.0), also known as Bjorka or SkyWave, has been publishing leaked data from various companies and organizations on its dark web page since January 2025 and demanding a ransom from victims.

According to investigations, Babuk2 is not a continuation of the original Babuk ransomware group. Rather, it is an independent hacker group called Bjorka, which has adopted Babuk's name and attack templates.

One problem is that much of the data allegedly harvested comes from previous leaks by other ransomware groups (the original Babuk, RansomHub, Sodinokibi and KillSec). Babuk2's operating model has sparked widespread controversy because it sells databases on BreachForums and Telegram.

Babuk2 announced its return in January 2025 and opened a data leak site on the dark web to send blackmail messages to victims. However, several security researchers, analysts and media outlets have questioned the authenticity of the claims (see also). Therefore, the above message should be treated with caution; it could well be old data.

Who is Rheinmetall?

Rheinmetall AG is a listed German defense contractor and automotive supplier headquartered in Düsseldorf, Germany, which posted sales of €6.255 billion in 2019. Founded back in 1889, the company had around 25,500 employees in 2022 and has seen steep economic growth in the military sector since the beginning of 2023, due to the Ukraine war. The company was admitted to Germany's leading DAX index on March 20, 2023, having previously been a founding member of the MDAX since 1996 and listed in that index without interruption since then.

Similar articles:
Cyber attacks at Rheinmetall and Airbus contractors
Cyber attack on Rheinmetall Group (April 2023) – civil branches affected
