The Knauf Group has disclosed that it was the victim of a cyberattack that interfered with its business operations and compelled its worldwide IT team to shut down its IT systems in order to contain the situation.

On the evening of June 29, a cyberattack occurred, and as of the time of writing, Knauf is still engaged in forensic investigation, incident response, and remediation.

We are now putting a lot of effort into planning a safe recovery as well as minimising the impact on our partners and customers.

Knauf apologises for any inconvenience or delays that may result in our delivery operations in a brief message that was posted on the company’s home page.

Emails discovered by BleepingComputer cautioned that while mobile phones and Microsoft Teams were still functional for communication, email services had been shut down as part of the reaction to the attack.

Knauf, a multinational manufacturer of building and construction materials with headquarters in Germany, currently controls around 81 percent of the global wallboard industry.

The company owns USG Corporation and Knauf Insulation in addition to operating 150 production facilities across a number of nations.

Notably, Knauf Insulation has also announced the cyberattack on their website, meaning that organisation has also been affected.

Black Basta claimed responsibility

The prolonged duration, effect, and difficulties in recovering the IT systems hint to a ransomware outbreak even though Knauf’s announcements do not specifically describe the type of intrusion they experienced.

In fact, the Black Basta ransomware gang claimed credit for the attack in a statement posted on their extortion website on July 16, 2022, citing Knauf as a victim.

 Knauf listed on the Black Basta extortion portal
Knauf listed on the Black Basta extortion portal

Over 350 visitors have accessed 20 percent of the material the ransomware gang reportedly exfiltrated during the attack on Knauf.

 Black Basta leaked 20% of the stolen files
Black Basta leaked 20% of the stolen files

Email communication samples, user credentials, employee contact information, production papers, and ID scans have all been accessed by Bleeping Computer.

Not all of the files have yet been released online, which suggests that the threat actors still hold out hope for a successful negotiation and a ransom payment.

The Black Basta rise

In April 2022, the Black Basta ransomware group started its RaaS operation. With a number of high-profile victims, it soon rose to prominence in the double-extortion market.

Many professionals in the sector believed that Black Basta was a rebranded version of Conti because of the early demonstration of knowledge and capability and the similarity in the negotiation style.

By June 2022, Black Basta and the Qbot (QuakBot) operators had developed a payload delivery partnership that was also utilised to drop Cobalt Strike and facilitate lateral network movement.

The developers of the latest ransomware strain also produced a Linux variant that specifically targeted VMware ESXi virtual machines running on Linux-based servers.