Full Report
Cybercriminals are extorting the German humanitarian aid group Welthungerhilfe (WHH) for 20 bitcoin. The charity said it will not pay.
Analysis Summary
# Incident Report: Ransomware Attack on German Charity (Welthungerhilfe)
## Executive Summary
Deutsche Welthungerhilfe (WHH), a major German charity focused on sustainable food supplies, was targeted by a Ransomware-as-a-Service (RaaS) group that listed the organization on its darknet leak site, demanding 20 Bitcoin (approx. $2.1 million). The criminals claim to have stolen data; whether systems were also encrypted is unknown. WHH immediately shut down affected systems, engaged external experts, and refused to pay the ransom. Its operational work in project countries continues unchanged.
## Incident Details
- Discovery Date: On or before July 2nd, 2025 (the date the RaaS group listed the charity on its leak site)
- Incident Date: Undisclosed (Date of initial compromise/exfiltration)
- Affected Organization: Deutsche Welthungerhilfe (WHH)
- Sector: Non-Profit / Humanitarian Aid
- Geography: Germany (Headquarters/Victim jurisdiction)
## Timeline of Events
### Initial Access
- Date/Time: Initial compromise/exfiltration date is **Undisclosed**.
- Vector: **Undisclosed**; the compromise is attributed to a Ransomware-as-a-Service (RaaS) group.
- Details: The RaaS group listed WHH on its darknet leak site, indicating data theft.
### Lateral Movement
- **Not explicitly detailed** in the public report.
### Data Exfiltration/Impact
- **Data Theft:** The attackers are attempting to extort the charity, threatening to sell the stolen data unless they are paid 20 BTC (~$2.1 million).
- **Encryption Status:** It is **not clear** whether WHH's computer networks have also been encrypted at the time of the report.
### Detection & Response
- **Detection:** The incident became publicly known when the RaaS group listed WHH on its leak site.
- **Response actions taken:**
1. Affected systems were immediately shut down.
2. External IT experts specialized in such cases were engaged.
3. Security was strengthened with additional technical protective measures.
4. Relevant data protection authority was informed.
5. Data protection officer was consulted.
6. Police authorities were involved.
## Attack Methodology
- Initial Access: **Undisclosed**, but involved an actor associated with a known RaaS group.
- Persistence: **Unknown**.
- Privilege Escalation: **Unknown**.
- Defense Evasion: **Unknown**.
- Credential Access: **Unknown**.
- Discovery: **Unknown**.
- Lateral Movement: **Unknown**.
- Collection: **Data collection performed** prior to listing (implied to facilitate extortion).
- Exfiltration: **Data exfiltrated** (implied by extortion attempt).
- Impact: **Extortion attempt** leveraging publicized data theft.
## Impact Assessment
- Financial: Extortion demand of **20 Bitcoin (approx. $2.1 million)**, though the charity refused to pay.
- Data Breach: **Unknown type and volume** of data stolen, listed for sale on the darknet.
- Operational: The charity **continued its work** in project countries unchanged, indicating that core humanitarian operations were not critically disabled, likely because affected systems were shut down immediately or because field operations are resilient to a headquarters outage.
- Reputational: Potential negative impact due to the public listing, though WHH focused communication on continuing aid efforts.
## Indicators of Compromise
- **Network indicators:** None provided.
- **File indicators:** None provided.
- **Behavioral indicators:** Attribution to a RaaS group known for targeting healthcare and non-profit entities.
## Response Actions
- **Containment measures:** Immediate shutdown of affected systems.
- **Eradication steps:** Engagement of external, specialized IT experts.
- **Recovery actions:** Strengthening security with additional technical protective measures.
## Lessons Learned
- The organization has a clear policy against paying ransoms, focusing instead on technical remediation and legal/regulatory reporting.
- The data protection authority and the police were notified immediately and are cooperating with the organization.
- The operational continuity plan appears effective, as mission-critical project work was maintained despite the incident.
- The RaaS group responsible has a history of targeting humanitarian and healthcare entities (citing prior attacks on Lurie Children’s Hospital and Prospect Medical Holdings).
## Recommendations
- Conduct a detailed forensic analysis to determine the initial point of entry and the full scope of data compromised.
- Review and enhance multi-factor authentication, network segmentation, and monitoring to prevent future similar breaches by established RaaS groups.
- Increase proactive threat hunting specifically looking for TTPs associated with the RaaS group that targeted WHH.