Cyber Incident Victim: Möbelstadt Sommerlad
Date: Apr 2021
Location: Germany
Summary
A German furniture retailer experienced a ransomware attack by DarkSide threat actors, resulting in encrypted servers and deleted backups. The company replaced approximately 400 hard drives and temporarily suspended operations before resuming services. While the full extent of data compromise remained unconfirmed, customers were advised to change passwords due to potential unauthorized access. DarkSide affiliates retained decryption keys and exfiltrated data, enabling continued extortion efforts despite the group’s public leak site being offline. The incident highlighted risks of persistent data exposure even after initial remediation.
Description
On April 30, 2021, Möbelstadt Sommerlad, a German furniture retailer, experienced a ransomware attack by the DarkSide threat actor group. The attackers encrypted all company servers and deleted backups despite existing IT security measures, rendering systems inoperable. Managing director Frank Sommerlad confirmed the incident publicly, noting the attack occurred overnight and forced the temporary closure of the business. The company estimated it needed to replace approximately 400 computer hard drives to restore operations, with plans to reopen physical stores by the following Friday. In an email to customers, Sommerlad acknowledged uncertainty regarding potential data exfiltration but advised precautionary password changes. The attackers issued a ransom demand, though payment status remained undisclosed. DarkSide’s involvement was explicitly identified in the company’s communications, linking the incident to the same group responsible for the Colonial Pipeline attack around the same timeframe.

The attack coincided with DarkSide’s operational disruptions following law enforcement scrutiny of their Colonial Pipeline operations, preventing verification of Sommerlad’s potential listing on the group’s leak site. DarkSide typically delayed publishing victim data to allow negotiation time, suggesting Sommerlad might not have been publicly listed before the group’s infrastructure became inaccessible. However, DarkSide affiliates retained access to exfiltrated data and decryption keys for unpaid victims, enabling continued extortion attempts independent of the main group’s infrastructure. Möbelstadt Sommerlad’s website displayed a notice requesting customer patience during recovery efforts, though no detailed technical remediation steps were disclosed beyond hardware replacement. The company did not confirm whether its data appeared on a still-active DarkSide-associated server identified by third-party researchers, leaving residual risks of data misuse by criminal affiliates unresolved in public reporting.
