Cyber Incident Victim: Forward Air
Date: Dec 2020
Location: United States of America
Summary
Forward Air suffered a ransomware attack attributed to the Hades group; the resulting system shutdowns disrupted operations, including the customs documentation needed to release freight. The company notified law enforcement and engaged third-party experts to investigate and restore services. The newly emerged Hades gang used REvil-style ransom notes that directed each victim to a unique Tor site and a Tox messenger address for negotiations.
Description
On December 15, 2020, Forward Air, a Tennessee-based trucking and air-freight logistics company with $1.4 billion in 2019 revenue and more than 4,300 employees, detected an IT security incident affecting certain computer systems. Following its information security protocols, the company immediately took systems offline to contain the spread. It notified law enforcement and engaged several third-party experts to support an internal investigation. The IT team prioritized restoring affected systems and services; meanwhile the company's public website remained offline, showing only a generic message about the incident and the restoration effort. The operational impact became visible when customs-related paperwork required to release freight became inaccessible because of the shutdowns, directly impeding core logistics functions. FreightWaves first reported the cyberattack; Forward Air then confirmed the incident in a statement to BleepingComputer but did not initially disclose that ransomware was involved.

The attack was attributed to Hades, a newly observed ransomware operation that had been conducting human-operated attacks on enterprises for roughly a week before it hit Forward Air. Hades dropped ransom notes named "HOW-TO-DECRYPT-[extension].txt", the same naming format REvil uses; a shared note template is by itself weak evidence of shared operators. Each note carried a unique Tor site URL leading to an attacker-controlled page with details of the breach, plus a Tox messenger ID for negotiations. BleepingComputer tried to reach the operators via the Tox address but received no substantive information. The encryption of systems and the resulting operational paralysis show the attack's severity, though Forward Air never publicly confirmed whether a ransom was demanded or paid. Business continuity problems persisted throughout restoration, particularly for freight-release processes that depended on the inaccessible documentation.
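As an added example, not code from the original page or from any party named in it: a small Python triage script that flags file-creation events whose name matches the HOW-TO-DECRYPT-[extension].txt note pattern described above and pulls the Tor hostname and Tox ID out of the note body, so the indicators can be fed into blocking and hunting. The file-event records and the note text are constructed for the example; treating the extension token as alphanumeric and the event-record field names (host, path, content) are assumptions.

```python
import re
from dataclasses import dataclass, field

# Note filename pattern reported for Hades on this page: HOW-TO-DECRYPT-<extension>.txt.
# Assumption for this example: the extension token is alphanumeric.
NOTE_NAME_RE = re.compile(r"^HOW-TO-DECRYPT-[A-Za-z0-9]+\.txt$", re.IGNORECASE)

# Tor hidden-service hostnames: 56 base32 chars (v3) or 16 (v2) followed by ".onion".
ONION_RE = re.compile(r"\b(?:[a-z2-7]{56}|[a-z2-7]{16})\.onion\b", re.IGNORECASE)

# A Tox ID is 76 hex characters (32-byte public key, 4-byte nospam, 2-byte checksum).
TOX_RE = re.compile(r"\b[0-9A-Fa-f]{76}\b")


@dataclass
class NoteHit:
    host: str
    path: str
    onion_urls: list = field(default_factory=list)
    tox_ids: list = field(default_factory=list)


def basename(path):
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def is_ransom_note_name(filename):
    """True when the filename follows the HOW-TO-DECRYPT-<extension>.txt pattern."""
    return bool(NOTE_NAME_RE.match(filename))


def extract_iocs(text):
    """Pull Tor hostnames and Tox IDs out of note text, de-duplicated, order preserved."""
    onions = list(dict.fromkeys(m.group(0).lower() for m in ONION_RE.finditer(text)))
    tox = list(dict.fromkeys(m.group(0).upper() for m in TOX_RE.finditer(text)))
    return {"onion": onions, "tox": tox}


def scan_events(events):
    """Return a NoteHit for every file event whose name looks like a ransom note."""
    hits = []
    for ev in events:
        if not is_ransom_note_name(basename(ev["path"])):
            continue
        iocs = extract_iocs(ev.get("content", ""))
        hits.append(NoteHit(ev["host"], ev["path"], iocs["onion"], iocs["tox"]))
    return hits


def hosts_with_notes(hits):
    """Count notes per host; notes appearing on many hosts at once is the real signal."""
    counts = {}
    for h in hits:
        counts[h.host] = counts.get(h.host, 0) + 1
    return counts


# Constructed sample indicators (not real infrastructure): a 56-char v3 onion and a 76-hex Tox ID.
FAKE_ONION = "abcdefghijklmnopqrstuvwxyz234567" + "abcdefghijklmnopqrstuvwx" + ".onion"
FAKE_TOX = ("0123456789ABCDEF" * 4) + "0123456789AB"

# Constructed note body mimicking the structure described on the page (Tor page + Tox contact).
SAMPLE_NOTE = (
    "YOUR NETWORK HAS BEEN ENCRYPTED\n"
    "Details of the breach: http://" + FAKE_ONION + "/\n"
    "Contact us via Tox: " + FAKE_TOX + "\n"
)

# Constructed file-creation events, as an EDR or file-audit pipeline might emit them.
SAMPLE_EVENTS = [
    {"host": "fs01", "path": r"C:\Shares\Customs\HOW-TO-DECRYPT-k8s2x.txt", "content": SAMPLE_NOTE},
    {"host": "fs01", "path": r"C:\Shares\Customs\invoice-2020-12.pdf", "content": ""},
    {"host": "ws17", "path": r"C:\Users\Public\how-to-decrypt-k8s2x.TXT", "content": SAMPLE_NOTE},
    {"host": "nfs02", "path": "/srv/nfs/HOW-TO-DECRYPT.txt", "content": "no extension token"},
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit.host, hit.path, hit.onion_urls, hit.tox_ids)
    print(hosts_with_notes(scan_events(SAMPLE_EVENTS)))
```

The filename match is case-insensitive because Windows file systems are, and the extension token is required so that generic "HOW-TO-DECRYPT.txt" names from other families do not collapse into the same rule. The extracted .onion hostname and Tox ID are the values to pivot on across hosts and to hand to the incident responders and law enforcement, since each victim gets a unique Tor page.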
