Cyber Incident Victim: Dresdner Kühlanlagenbau GmbH

Date: Jul 2020

Location: Germany

Summary

A subsidiary of Dussmann Group, Dresdner Kühlanlagenbau GmbH (DKA), suffered a ransomware attack by the Nefilim operation, resulting in data encryption and theft of approximately 200GB of archives. The attackers leaked 14GB of stolen files containing sensitive documents such as accounting records, AutoCAD drawings, and corporate communications. The breach prompted the organization to shut down servers as a precautionary measure and notify data protection authorities and law enforcement. While the exact attack vector remains undetermined, initial analysis ruled out vulnerable VPN gateways, with speculation pointing to exposed remote desktop services or phishing as potential entry points. The incident impacted four domains within the subsidiary's infrastructure.


Description

On or around July 28, 2020, the Nefilim ransomware operation attacked Dresdner Kühlanlagenbau GmbH (DKA), a refrigeration specialist subsidiary of German multi-service provider Dussmann Group. The attackers encrypted data across four domains and exfiltrated approximately 200GB of archived files from DKA’s network. Following the encryption and data theft, Nefilim operators published two archives containing 14GB of stolen files on their data leak site as leverage to pressure payment. The published data included Word documents, images, accounting records, and technical AutoCAD drawings. DKA, which employs 570 people, proactively shut down its servers as a containment measure upon discovering the breach. The company notified Saxony’s data protection authorities and State Office of Criminal Investigation, with charges filed against the perpetrators.

The incident caused significant operational disruption through forced server shutdowns and compromised sensitive corporate data. Nefilim’s data leak contained proprietary technical documents and financial records, amplifying reputational and compliance risks. Dussmann Group’s corporate communications head, Michaela Mehls, publicly confirmed the subsidiary’s breach, data encryption, and theft while emphasizing law enforcement engagement. Forensic analysis by cybersecurity firm Bad Packets found no evidence of compromised VPN gateways or devices on DKA’s network. While the exact initial access vector remained unconfirmed, industry data suggested exposed Remote Desktop Protocol (RDP) servers or phishing as probable entry points given their prevalence in similar attacks. The attackers’ focus on data exfiltration prior to encryption aligned with Nefilim’s double-extortion tactics, threatening further leaks to coerce ransom payments. DKA’s containment response prioritized infrastructure isolation and regulatory compliance through mandatory breach notifications.
