
Cyber Incident Victim: Hensoldt

Date: Dec 2021

Location: United Kingdom

Summary

A multinational defense contractor experienced a ransomware attack compromising systems at its UK subsidiary, attributed to the Lorenz ransomware gang. The attackers exfiltrated data and published most stolen files as password-protected archives, threatening to release decryption keys unless ransom demands were met. Lorenz typically monetizes attacks by extorting payments, selling stolen data to other threat actors, and auctioning network access. The gang's tactics include incremental pressure through partial leaks followed by full exposure of archived data. A subsequent decryptor tool became available to recover certain file types affected by this ransomware variant.


Description

On or around December 17, 2021, the Lorenz ransomware gang compromised systems belonging to the UK subsidiary of Hensoldt, a multinational defense contractor headquartered in Germany. The attackers claimed to have stolen an undisclosed quantity of files during the intrusion. Hensoldt, which develops sensor solutions for military applications including radar systems for M1 Abrams tanks, avionics, and laser rangefinders for US Armed Forces platforms, confirmed the incident on January 12, 2022, following inquiries from BleepingComputer. A company spokesperson, Head of Public Relations Lothar Belz, acknowledged that "a small number of mobile devices in our UK subsidiary" had been affected but declined to provide further details, citing standard operational security protocols for such incidents. The Lorenz group established a dedicated leak page for Hensoldt on their data extortion site on December 17, 2021, and subsequently published approximately 95% of the stolen data as password-protected RAR archives through this portal.

The ransomware operators employed a double-extortion strategy, threatening to release archive passwords if ransom demands remained unmet, which would enable public access to sensitive files. Lorenz maintained its characteristic operational pattern of selling stolen data to third-party threat actors while also offering access to compromised networks. By January 2022, the gang had not disclosed either the ransom amount demanded from Hensoldt or whether negotiations occurred. Hensoldt implemented containment measures limited to the affected UK subsidiary's mobile devices, though the company did not publicly specify remediation actions beyond confirming the compromise's scope. The defense contractor continued normal operations, announcing a contract on January 12, 2022, to supply digital optronics equipment for German-Norwegian submarines. Security researchers noted that victims could potentially recover certain file types encrypted by Lorenz, including Office documents and PDFs, using a free decryptor released by Dutch firm Tesorion in June 2021—six months prior to the Hensoldt intrusion. No data recovery efforts or financial impacts were formally disclosed by the company following the attack.
