Cyber Incident Victim: Ehrmann SE

Date: Apr 2021

Location: Germany

Summary

Ehrmann SE, a German dairy multinational with international production and sales operations, experienced a cyberattack in which hackers demanded a multi-million dollar ransom. The company confirmed the incident but did not disclose the breach's scope or whether systems were encrypted. Law enforcement indicated the attackers attempted extortion, though the dairy refused payment and reported the incident to authorities. The attack raised questions about the threat actors' origins, given Ehrmann's Russian production facility and the typical avoidance of CIS targets by Russian-linked groups. The company provided no attribution or confirmation of the hackers' identity at the time of reporting.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

Ehrmann SE, a Germany-based multinational dairy company with production facilities in Russia and Brazil and sales offices across multiple countries, experienced a cyberattack around April 29, 2021. The company confirmed the incident to Augsburger Allgemeine but declined to disclose the scope of the breach or operational impacts. German police verified that unidentified threat actors demanded a ransom amounting to millions of dollars, though the exact figure remained unspecified following a translation correction from initial reports of a "million dollar sum." Ehrmann refused payment and notified law enforcement authorities. The attack’s technical details, including whether data exfiltration or system encryption occurred, were not publicly disclosed by the company.

The incident raised questions about the attackers’ origins due to Ehrmann’s operational presence in Russia, where many threat groups historically avoid targeting local entities. Media speculation centered on whether the perpetrators were non-Russian actors or Russian-aligned hackers who inadvertently compromised a Russia-linked organization. No group claimed responsibility, and Ehrmann did not provide attribution details despite external inquiries. Public reporting relied on police confirmation of the ransom demand and the company’s decision to involve authorities, with no further updates on containment measures, forensic findings, or long-term consequences such as data leaks or financial losses. The breach highlighted Ehrmann’s exposure to cyber threats but yielded minimal verifiable information about attacker methodologies or post-incident recovery actions.
