Cyber Incident Victim: Sandhills Global
Date: Sep 2021
Location: United States of America
Summary
Sandhills Global experienced a ransomware attack attributed to the Conti group, disrupting its operations and causing widespread outages across its hosted machinery marketplace platforms and internal systems. The incident forced the company to proactively shut down its IT infrastructure to contain the threat, resulting in inaccessible websites, non-functional phone lines, and Cloudflare connectivity errors for users. Conti, known for data theft prior to encryption in similar attacks, likely employed extortion tactics, though specific ransom demands and confirmed data exfiltration remained unverified. The organization engaged cybersecurity experts to investigate and restore services while acknowledging operational delays in customer communications during recovery efforts.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around October 1, 2021, Sandhills Global experienced a ransomware attack that severely disrupted its operations and online services. The attack, attributed to the Conti ransomware gang, prompted the company to proactively shut down all IT systems in the early morning hours of October 1 to contain the threat’s spread. This immediate containment action resulted in the unavailability of Sandhills Global’s primary website and all hosted industry publications, including Truck Paper, TractorHouse, AuctionTime, Machinery Trader, ForestryTrader, HiBid, RentalYard, Motorsports Universe, CraneTrader, MarketBook, RV Universe, Oil Field Trader, Aircraft, LiveStockMarket, Controller, and Aircraft.com. Users attempting to access these platforms encountered Cloudflare Origin DNS errors, indicating a loss of connectivity to Sandhills’ servers. The company’s phone systems also became non-operational, further hampering communication channels. Sandhills Global, a prominent U.S.-based provider of trade publications and online marketplaces for industries such as agriculture, transportation, heavy machinery, and aviation, confirmed the ransomware incident in an email to customers, stating it had retained cybersecurity experts to assist with the investigation and restoration efforts. The company emphasized its focus on protecting data and information while working to remediate the attack, though it acknowledged delays in responding to inquiries.

The incident caused significant operational paralysis, halting marketplace activities where dealers typically list new and used machinery for sale. Conti’s involvement aligned with its established pattern of stealing data prior to encryption to pressure victims with double extortion tactics, though Sandhills did not publicly confirm whether data exfiltration occurred or disclose any ransom demands. Conti had previously targeted high-profile entities like Ireland’s Health Service Executive and Advantech, often demanding multi-million-dollar ransoms. Sandhills’ response prioritized system isolation to prevent further compromise, collaboration with external cybersecurity professionals, and incremental recovery efforts. The company issued a public apology for the disruption, expressing regret for the inconvenience while committing to provide updates as restoration progressed. No specific timeline for full operational restoration was disclosed, and Sandhills did not respond to media inquiries regarding technical details of the attack or its long-term mitigation strategies at the time of reporting.
