
Cyber Incident Victim: Crowe Foederer

Date:

Mar 2022

Location:

Netherlands

Summary

A ransomware attack targeted the organization, detected overnight, prompting immediate isolation of all internal systems from external networks to contain the incident and safeguard stakeholders. While unrelated phishing emails circulated under the victim's name, the cyberattack investigation focused on restoring affected systems and assessing breach circumstances. No evidence indicated data exfiltration by the attacker at the time of reporting. Updates were promised as more information became available, with direct communication planned for impacted parties if warranted by findings. Urgent inquiries were directed to a specified contact number during recovery efforts.


Description

On the night of March 9 to 10, 2022, Crowe Foederer detected a ransomware attack targeting its systems. The organization immediately initiated security protocols by disconnecting and isolating all internal systems from external networks to contain the attack's spread and protect stakeholders including clients, suppliers, partners, and employees. This isolation aimed to prevent further unauthorized access and limit potential data compromise. Two days later, on March 11, the firm issued a public advisory regarding phishing emails circulating under its name, initially suspected to be linked to the ongoing incident. The advisory urged recipients not to open attachments or links and to forward the messages to a designated cybersecurity email address. Subsequent investigation confirmed these phishing attempts were unrelated to the ransomware event.

Crowe Foederer prioritized system restoration while conducting forensic analysis to determine the attack's origin, methods, and scope. As of March 14, their investigation had not identified evidence of data exfiltration by the threat actor. The organization committed to providing further updates as the inquiry progressed and pledged direct communication to affected parties if business-specific impacts emerged. Clients with urgent concerns were directed to a dedicated phone line. Operational recovery efforts continued alongside the security review, with no public disclosure of technical specifics regarding compromised systems or ransomware variants. The dual incidents prompted coordinated response measures balancing containment, stakeholder protection, and transparency within the constraints of an active investigation.
