German Firms Breached: Sarcoma Ransomware Exfiltrates Massive Data

Sarcoma, an emerging double extortion group, has allegedly compromised the data of 4 German businesses across different sectors. The victims include F1-Generation, Pfullendorfer Tor-Systeme, IAD GmbH, and KWG.
While the targets do not appear related, they illustrate the opportunistic nature of ransomware gangs: it's not about the industry, it's about getting fast money. The details of the ransom demand are unknown at this time; however, the group's dark web leak site offers a glimpse into what was exfiltrated.

F1-Generation is a fashion and accessories retail business that also provides marketing and PR services. According to Sarcoma's leak site on Tor, the group exfiltrated a 520 GB archive and published a download link to its parent directory. The directory's contents indicate that the attackers compromised one of the company's SQL Server databases.
A brief examination of the 11 screenshots hosted by Sarcoma revealed several passports and identification cards, as well as internal company letters, employee contact information, and Bank/SEPA transfer confirmation documents with IBAN and beneficiary details.
Additionally, the F1-Generation website is no longer available.

Pfullendorfer Tor-Systeme is a German manufacturer of garage doors, courtyard gates, and related systems. The data exfiltrated by Sarcoma totals 643 GB and contains a wide variety of files, as well as Microsoft Exchange data.
An analysis of the proof-of-hack images the group shared on its Tor site reveals intellectual property such as technical schematics, along with confidential financial records, personal healthcare information for a family member, bank account details, confidential agreements, and legal negotiations. Overall, the leak also contains personal names and addresses, which fall under GDPR protection.
IAD GmbH is a consulting firm that provides training in skill development and operates multiple locations in Germany, including Erfurt, Jena, Leipzig, Marburg, and Nordhausen. The attackers claimed to have leaked a 43 GB archive containing an SQL database, Microsoft Exchange data, and a wide range of files, such as training and course schedules in Excel format, a letter of intent related to healthcare training, and an official cooperation agreement with a federal agency under the German Ordinance on Language Support for job-related German language courses.
The company's website, hosted on Microsoft Azure, appears to have been taken down.

KWG, also known as Kommunale Wohnungsgesellschaft mbH im Lausitzer Seenland, is based in Senftenberg, Germany, and operates as a municipal housing company that provides housing for different types of tenants, including students, families, and seniors.
The leak contains 989 GB of data, including a dumped SQL database and Microsoft Exchange data. Among the proof-of-hack screenshots is a travel invoice exposing sensitive personal information such as a full name, address, IBAN, and invoice reference, all of which fall under GDPR protection. Additional images show a maintenance contract, a German identification card, a work order, and a tenant confirmation letter, each containing further exposed personal information.
