Cyber Incident Victim: Wonderbox
Date: Jan 2021
Location: France
Summary
Wonderbox experienced a ransomware attack attributed to the Darkside group, which compromised systems but resulted in limited data theft confined to a single workstation. The attackers claimed to have exfiltrated 30GB of data, though the company asserted no server-side or customer data was compromised, characterizing the volume as insignificant relative to its operations. After unsuccessful attempts to decrypt files using a Bitdefender tool, the organization restored affected systems from backups. Darkside, active since late 2020, targets both Windows and Linux environments and has impacted numerous entities, including several French organizations prior to this incident.
Description
On January 30, 2021, Wonderbox experienced a ransomware attack attributed to the Darkside group, with the incident commencing in the evening. The company's IT teams detected the intrusion and confirmed the deployment of ransomware, which encrypted systems and resulted in data theft limited to a single workstation. According to Wonderbox Chief Information Officer Mickaël Lenoir, attackers exfiltrated approximately 30GB of data from this endpoint, though no server infrastructure or customer information was compromised. Initial remediation efforts focused on utilizing Bitdefender's decryption tool released in mid-January 2021, but these attempts proved unsuccessful against the Darkside ransomware variant. By January 31, Wonderbox shifted to restoring affected systems from available backups as its primary recovery strategy. The organization maintained that the operational impact remained contained due to the localized nature of the data theft and the integrity of backup repositories.

Darkside ransomware, first observed in August 2020, targeted both Windows and Linux systems and had compromised at least 31 organizations by early 2021, including ECS Group and OMV System France. Security analysts estimated the group's actual victim count could approach 90 based on their operational success rates, which paralleled prominent ransomware families like NetWalker and Sodinokibi. Wonderbox joined multiple French entities affected by ransomware attacks during early 2021, alongside SVI Assurances, the municipality of Houilles, Clinique de l'Anjou, Vienne departmental administration, vehicle rental firm Ucar, and the city of Angers. The company characterized the 30GB data theft as insignificant relative to its total data assets while emphasizing the absence of customer data exposure. Restoration efforts proceeded without public disclosure of additional technical details regarding compromised systems or downtime duration.
