De: Darkside threat actors attempted to extort Möbelstadt Sommerlad

Malfunction Notice -- German
Sommerlad Notice - English

Möbelstadt Sommerlad is a retail furniture store in Germany. This week, its managing director, Frank Sommerlad, disclosed that they had been the victim of a ransomware attack and extortion attempt. Marc Schäfer reports Sommerlad’s statement (machine translation):

“We got away with it with a black eye,” says Frank Sommerlad, managing director of the R. Sommerlad GmbH & Co. KG furniture store. “We will have to replace up to 400 hard drives on our computers, but we can open again on Friday in the Schiffenberger Tal.”

On the night of April 30th, the furniture store was attacked by professional hackers with a so-called ransomware attack. Despite the existing protection of the IT, all of the company’s servers were encrypted and backups deleted, the Möbelstadt writes in an email to its customers.

As of yesterday’s report, the firm did not yet know whether data has been leaked, but they encouraged their customers to change any passwords.

According to the rest of their statement, it was DarkSide threat actors who were responsible for the attack and ransom demand.


Because DarkSide’s leak site has been down since shortly after their attack on Colonial Pipeline, it is not possible to check whether Sommerlad had even been listed on their leak site, but there is a strong likelihood that it was never listed if the attack was on April 30. Unlike some other threat actors, DarkSide generally gave their pressure techniques and attempts at negotiation more time before listing targets on their site — and even then, they were very slow/reluctant to start dumping data.

But that doesn’t mean that they didn’t exfiltrate a lot of data that may still be in criminals’ hands. While some of their servers were reportedly taken down by hosts, learned today at at least one server was still live with victim data on it.  Whether Sommerlad was one of the victims whose data is on that server is unknown to  But in their notice to affiliates, DarkSide told the affiliates that they were providing them with the decryption keys for the victims who had not yet paid, and that the affiliates were then free to do what they wanted — meaning that they could contact the victims directly and continue to try to extort them?

As of today, a notice on the furniture store’s web site asks customers for their understanding.

Reporting by Chum1ng0 and Dissent.

About the author: chum1ng0

Comments are closed.