Cyber Incident Victim: GWG Wohnungsbaugesellschaft

Date: Nov 2020

Location: Germany

Summary

A ransomware attack targeted the GWG housing association, compromising much of the organization's IT infrastructure and data. The incident rendered critical systems inoperable, with attackers encrypting primary data and backup servers to inhibit recovery efforts. Hackers demanded payment in exchange for decryption keys, though the association's response regarding ransom negotiations remains undisclosed. Operational disruptions impacted services, though specific details on data exfiltration or customer impact were not publicly confirmed. The attack highlighted vulnerabilities in backup resilience against sophisticated threats.

Description

On November 19, 2020, the Munich-based GWG Wohnungsbaugesellschaft (GWG housing association) publicly disclosed it had fallen victim to a ransomware attack. The incident was first detected the previous day, indicating operational disruptions began on or around November 18. Attackers successfully encrypted a significant portion of GWG's IT infrastructure, including primary systems and stored organizational data. The ransomware operators also compromised backup servers and secondary data repositories during the attack, eliminating conventional restoration options. This tactical approach prevented GWG from recovering encrypted files through standard backup procedures. The threat actors issued a ransom demand, explicitly conditioning data decryption on payment. No specific ransom amount or cryptocurrency type was disclosed in public reports. GWG did not immediately confirm whether critical tenant management systems or financial records were among the encrypted assets, though the broad reference to "much of the company’s IT systems" suggested wide-ranging effects.

The encryption of both production systems and backup infrastructure created severe operational paralysis, though GWG did not detail immediate service interruptions to tenants. The attack's success in compromising backups indicated either persistent network access prior to deployment or exploitation of backup system vulnerabilities. No data exfiltration claims were publicly asserted by the attackers or confirmed by GWG, so the incident's known impact was primarily on availability rather than confidentiality. The housing association did not release technical specifics regarding the ransomware variant used or initial attack vectors such as phishing or exposed remote access points. Public reporting did not document GWG's incident response timeline, including whether external cybersecurity firms were engaged or law enforcement notified. The organization's post-attack communications remained limited to confirming the encryption event and ransom demand without disclosing payment decisions or data recovery progress.
