
Cyber Incident Victim: PDI Group

Date:

Mar 2021

Location:

United States of America

Summary

A US military contractor specializing in ground support equipment manufacturing suffered a ransomware attack by the Babuk Locker group, resulting in the theft and subsequent leak of over 700 GB of sensitive data, including proprietary schematics and customer purchase orders containing credit card details (some of them expired). The attackers employed a multi-stage extortion strategy, escalating from encryption to partial data publication to pressure the victim. The company declined to comment on the incident, and neither the US Department of Defense nor CISA would confirm whether the breach had been reported to customers. The incident reflects a broader pattern of ransomware groups targeting defense supply chains, with Babuk Locker emerging as a new threat actor focusing on high-value military contractors, paralleling other incidents involving critical infrastructure and weapons systems providers.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

On or around March 22, 2021, the Babuk Locker ransomware gang targeted the PDI Group, an Ohio-based military contractor specializing in ground support equipment for the US Air Force and global militaries. The attackers executed a multi-stage extortion scheme, beginning with encrypting PDI’s files and privately demanding payment for decryption keys. On March 23, Babuk Locker escalated to the second stage by creating a dedicated leak site entry for PDI, threatening to release over 700 GB of stolen data unless ransom demands were met. To substantiate their claims, the group published screenshots of internal documents, including schematics for military equipment such as aircraft engine trailers. These materials demonstrated unauthorized access to proprietary designs central to PDI’s business of supplying dollies, trolleys, and weapon transport platforms.

The incident advanced to its third stage the same day when Babuk Locker leaked a 120 MB archive labeled cc.zip, containing purchase orders for more than 350 past PDI customers. This cache included unencrypted credit card details, though most of the cards appeared to be expired. PDI’s spokesperson terminated the call when contacted by media about the breach, and neither the US Department of Defense nor CISA confirmed whether PDI had reported the incident to customers. The attack exposed sensitive customer financial data and proprietary military equipment designs, raising the risk of regulatory fines and legal action. Babuk Locker, a ransomware group active only since early 2021, identified PDI as its largest known target to date. The incident aligned with broader trends of ransomware gangs targeting defense contractors, including prior attacks on Electronic Warfare Associates, Dassault Falcon, Bombardier, Asco, Kopter, and Embraer. REvil ransomware affiliates had previously claimed access to critical military infrastructure, underscoring systemic vulnerabilities in the defense supply chain. PDI’s breach highlighted the operational shift among ransomware actors toward data theft and phased leaks to coerce payment, leveraging stolen information as collateral beyond encryption-based disruption.

Sources
Sources available to members
1 source