The Nefilim ransomware group has breached Whirlpool's corporate network, stealing data from the home appliance giant and encrypting a large number of devices. The attackers are already leaking samples of the stolen data on their dedicated leak site, turning up the extortion pressure on the victim. The first documents posted there include medical information requests, employee background checks, benefit details, accommodation requests, and various other "secondary" files.
According to a BleepingComputer report citing sources familiar with the attack, the intrusion took place during the first weekend of December, which is consistent with the timing of the leaks. Whirlpool has since fully restored its systems and has now acknowledged the ransomware incident. In its statement, the company says the malware was detected and contained immediately, so production was not affected. It also gave assurances that no customer information was exposed or compromised, so by its account only Whirlpool employees are affected.
Whirlpool is a lucrative target for attackers: it is a Fortune 500 company with over 92,000 employees and annual revenue of more than $21 billion. However, dealing a significant blow to its production lines is unlikely, since the company operates nine separate manufacturing facilities across the United States. This is why threat actors going after such targets rely on data theft and extortion more than on encryption and lockout.
Nefilim is not among the most active ransomware groups, but it is known for going after big targets. In May 2020, Nefilim compromised the Toll Group's systems, causing disruption at the transportation and logistics company that lasted for weeks. Later, in October 2020, Nefilim hit Luxottica, the world's largest eyewear manufacturer. The stolen data appeared online a month later, exposing almost 830,000 patients in the United States.
As for Whirlpool, the company's own security track record is not spotless either. Almost a year ago, we reported on a customer database left exposed online, allowing anyone with a web browser and the right URL to access 28.1 million records from 48,000 home appliance devices. Worse, the records came from hourly device scans that sent back each appliance's SAID (Smart Appliance ID), model number, attributes, and the customer's email address.