Cyber Incident Victim: Wilken Software Group
Date: Oct 2022
Location: Germany
Summary
A ransomware attack targeted Wilken Software Group, prompting the organization to proactively shut down internal systems and disable its customer portal as a security measure, severing all internet-based communication channels including email. Initial assessments indicated only internal infrastructure was compromised, with no anomalies detected in customer environments hosted within the company's TÜV-certified data center, which activated emergency protocols. The incident response involved collaboration with external cybersecurity specialists and coordination with national law enforcement and federal IT security agencies. Precautionary shutdowns extended to other company locations while ongoing analysis continued, with status updates provided via the corporate website due to disrupted communication capabilities.
Description
On October 12, 2022, the Wilken Software Group, an Ulm-based software company, experienced a ransomware attack that forced an immediate shutdown of its internal systems and customer portal. The company disconnected all internet-based communication channels, including email, rendering it temporarily unreachable through standard methods. Preliminary investigations indicated the compromise was confined to Wilken’s internal infrastructure, with no observable anomalies in customer environments hosted at the company’s TÜV-certified data center operated by Wilken Data Service GmbH. As a precautionary measure, Wilken extended the shutdown to other company locations, including Greven, to prevent potential lateral movement of the attack. The data center activated its emergency response plan, and external specialists in IT security and ransomware were engaged to assist with containment and forensic analysis. CEO Dominik Schwärzel publicly acknowledged the incident, emphasizing that the full scope of the attack remained unclear but expressing cautious optimism that customer systems had not been breached.

Wilken filed a criminal complaint with the Ulm police following the attack and initiated collaboration with relevant state authorities and Germany’s Federal Office for Information Security (BSI). With standard communication channels disabled, the company directed stakeholders to its website, wilken.de, for ongoing updates regarding system availability and the status of the cyber investigation. The incident disrupted Wilken’s operational capabilities, particularly its internal administrative functions, though customer-facing services hosted in the isolated data center environment appeared unaffected. No ransomware group claimed public responsibility for the attack, and the company did not disclose technical specifics of the intrusion, data exfiltration attempts, or ransom demands. The response prioritized system isolation, external expertise, and regulatory compliance through law enforcement engagement, reflecting a containment-focused strategy amid ongoing impact assessments.
