Cyber Incident Victim: Southwire Company, LLC
Date: Dec 2019
Location: United States of America
Summary
A leading wire and cable manufacturer suffered a Maze ransomware attack causing companywide disruption, including halted manufacturing and shipping operations. The attackers demanded 850 Bitcoin (approximately $6 million) and claimed to have exfiltrated data, threatening publication unless paid. The victim immediately shut down its entire network to contain the incident, later restoring critical systems to resume production and delivery. While prioritizing employee safety and customer commitments, the organization engaged law enforcement and continued investigating the attack, which impacted its extensive workforce and multibillion-dollar operations.
Description
On or around December 11, 2019, Southwire Company, LLC experienced a ransomware attack attributed to the Maze Ransomware group. The attack began during the early hours of Monday, December 9, 2019, affecting computing systems companywide and prompting immediate containment measures. Southwire's IT staff shut down the entire network to self-quarantine infected systems, causing significant operational disruptions that impaired manufacturing capabilities and product shipments. The ransomware operators demanded 850 Bitcoin (approximately $6 million at the time) and claimed to have exfiltrated company data, threatening to publish it unless paid. This contradicted earlier rumors of a $9 million ransom demand circulating on Reddit, which the attackers explicitly refuted in communications with BleepingComputer while providing proof of stolen Southwire data. Maze operators, previously linked to TA2101 threat actors through malspam campaigns impersonating government agencies, had recently targeted other organizations including the City of Pensacola and Allied Universal with similar tactics.

Southwire prioritized restoring critical manufacturing and shipping systems within one day of the attack, though its public website remained offline as of December 12, 2019. Jason Pollard, Vice President of Talent Acquisition and Communications, confirmed the company was evaluating all investigative avenues, including potential engagement with law enforcement, but did not disclose whether the ransom was paid. The incident impacted Southwire's 7,500 employees and operations across multiple facilities, including its Rancho Cucamonga plant, where an employee shared the ransom note. With $6.1 billion in 2018 revenue and a ranking among America's largest private companies, the disruption threatened both production timelines and potential exposure of sensitive corporate data. The company maintained public focus on employee safety, product quality, and customer commitments throughout the response while working to fully restore systems and resume normal operations.
