Cyber Incident Victim: Fasana
Date: May 2025
Location: Germany
Summary
The paper napkin factory in Stotzheim suffered a cyberattack that caused its printers to output extortion notes and disabled all IT systems, halting production. This led to substantial revenue losses, prevented timely payment of May wages, and prompted an insolvency filing, while IT specialists restored limited functionality using isolated parallel systems. The attack, described as financially motivated with ransom notes delivered via the darknet, followed similar incidents affecting local municipalities, and the insolvency administrator noted ongoing efforts to secure a buyer and retain jobs.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |

| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On May 19, 2025, printers at the Fasana paper napkin factory in Stotzheim began outputting ransom notes, signaling a cyberattack that rendered all computing systems, laptops, and PCs inoperable. Employees reported that nothing could be processed and production ceased, except for orders already loaded in the machines that could still be completed. The attack caused immediate financial strain, with the company unable to execute orders valued at over 250,000 Euro on May 20 and experiencing negligible revenue for approximately two weeks, equating to a loss of about two million Euro. By June 1, Fasana filed for insolvency due to resulting payment incapacity, affecting the timely payment of May wages for its 240 employees. The insolvency administrator noted that the machines continued to run for one or two days after the attack before the plant effectively stopped, leaving only maintenance and cleaning tasks feasible.

In response, Fasana collected approximately 190 laptops and PCs, had them scanned, and reinstalled all programs, while IT specialists established digital parallel environments to restore communication and attempt to resume production. Three weeks after the incident, only a single computer was usable in the customer-service department, where ten staff members worked, and the IT system was described as running "reasonably stable", allowing at least basic work capability. The attack also disrupted production on Whit Monday because a required permit request to the district government (Bezirksregierung) remained stuck online and did not get through, forcing the factory to rely on analog communication such as notes written on doors with Edding markers. Cyber experts from the Bonn police were involved after Fasana filed a complaint against unknown perpetrators, and the incident was contextualized within a series of cyberattacks affecting Euskirchen, Schleiden, the district administration (Kreisverwaltung), and the November 2023 ransomware attack on Südwestfalen IT that incurred at least 2.8 million Euro in costs. Insolvency administrator Dr. Dirk Wegener stated that a creditor committee was being installed to facilitate the search for a buyer, with an eight-week window to find a successor due to the early wage payment issue, and that initial expressions of interest had been received.
