{ "id": "37f7fc84-6c65-490b-bb13-9b09f0b214ba", "created_at": "2026-04-06T00:14:00.568975Z", "updated_at": "2026-04-10T03:33:15.549882Z", "deleted_at": null, "sha1_hash": "06bcfa19805cbf8d4e44f4efb0c945546c1ca547", "title": "Trucking giant Forward Air reports ransomware data breach", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 2742839, "plain_text": "Trucking giant Forward Air reports ransomware data breach\r\nBy Lawrence Abrams\r\nPublished: 2021-09-29 · Archived: 2026-04-05 20:47:45 UTC\r\nTrucking giant Forward Air has disclosed a data breach after a ransomware attack that allowed threat actors to access\r\nemployees' personal information.\r\nIn December 2020, Forward Air suffered a ransomware attack by what was believed to be a new cybercrime gang known as\r\nHades. This attack caused Forward Air to shut down its network, which led to business disruption and the inability to release\r\nfreight for transport.\r\nAn SEC filing by Forward Air states that the company lost $7.5 million of less than load (LTL) freight revenue \"primarily\r\nbecause of the Company’s need to temporarily suspend its electronic data interfaces with its customers.\"\r\nhttps://www.bleepingcomputer.com/news/security/trucking-giant-forward-air-reports-ransomware-data-breach/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/trucking-giant-forward-air-reports-ransomware-data-breach/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nResearchers later revealed that this attack was likely conducted by members of the Evil Corp cybercrime gang, who\r\nroutinely perform attacks under different ransomware names, such as Hades, to evade US sanctions.\r\nAt the time, BleepingComputer was contacted by multiple Forward Air employees concerned that the attack exposed their\r\npersonal information.\r\nAs part of the attack, the threat actors created a Twitter account that they claimed would be used to leak data stolen from\r\nForward Air. However, no data was ever seen leaked by the threat actors.\r\nForward Air discloses a data breach\r\nFast forward almost a year, and Forward Air is now disclosing that current and the ransomware attack exposed former\r\nemployees' data.\r\n\"On December 15, 2020, Forward Air learned of suspicious activity occurring within certain company computer systems.\r\nForward Air immediately launched an investigation to determine the nature and scope of the incident,\" reads a data breach\r\nnotification sent to Forward Air employees.\r\n\"The investigation determined that certain Forward Air systems were accessible in November and early December 2020, and\r\nthat certain data, which may have included your personal information, was potentially viewed or taken by an unknown\r\nactor.\" \r\nThe information that the Evil Corp threat actors potentially accessed includes employees' names, addresses, date of births,\r\nSocial Security numbers, driver's license numbers, passport numbers, or bank account numbers.\r\nWhile Forward Air states that there is no indication that the data has been misused, they are offering affected people a free\r\none-year membership to the myTrueIdentity credit monitoring service.\r\nAs there is no way to determine if a threat actor has used stolen data, even if they promise not to after a ransom payment, all\r\naffected employees should assume that their data has been compromised.\r\nThis means that they should monitor their credit reports, bank statements, and be on the lookout for targeted phishing\r\nattacks. \r\nhttps://www.bleepingcomputer.com/news/security/trucking-giant-forward-air-reports-ransomware-data-breach/\r\nPage 3 of 4\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/trucking-giant-forward-air-reports-ransomware-data-breach/\r\nhttps://www.bleepingcomputer.com/news/security/trucking-giant-forward-air-reports-ransomware-data-breach/\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://www.bleepingcomputer.com/news/security/trucking-giant-forward-air-reports-ransomware-data-breach/" ], "report_names": [ "trucking-giant-forward-air-reports-ransomware-data-breach" ], "threat_actors": [ { "id": "8670f370-1865-4264-9a1b-0dfe7617c329", "created_at": "2022-10-25T16:07:23.69953Z", "updated_at": "2026-04-10T02:00:04.716126Z", "deleted_at": null, "main_name": "Hades", "aliases": [ "Operation TrickyMouse" ], "source_name": "ETDA:Hades", "tools": [ "Brave Prince", "Gold Dragon", "GoldDragon", "Lovexxx", "Olympic Destroyer", "Running RAT", "RunningRAT", "SOURGRAPE", "running_rat" ], "source_id": "ETDA", "reports": null }, { "id": "50068c14-343c-4491-b568-df41dd59551c", "created_at": "2022-10-25T15:50:23.253218Z", "updated_at": "2026-04-10T02:00:05.234464Z", "deleted_at": null, "main_name": "Indrik Spider", "aliases": [ "Indrik Spider", "Evil Corp", "Manatee Tempest", "DEV-0243", "UNC2165" ], "source_name": "MITRE:Indrik Spider", "tools": [ "Mimikatz", "PsExec", "Dridex", "WastedLocker", "BitPaymer", "Cobalt Strike" ], "source_id": "MITRE", "reports": null }, { "id": "b296f34c-c424-41da-98bf-90312a5df8ef", "created_at": "2024-06-19T02:03:08.027585Z", "updated_at": "2026-04-10T02:00:03.621193Z", "deleted_at": null, "main_name": "GOLD DRAKE", "aliases": [ "Evil Corp", "Indrik Spider ", "Manatee Tempest " ], "source_name": "Secureworks:GOLD DRAKE", "tools": [ "BitPaymer", "Cobalt Strike", "Covenant", "Donut", "Dridex", "Hades", "Koadic", "LockBit", "Macaw Locker", "Mimikatz", "Payload.Bin", "Phoenix CryptoLocker", "PowerShell Empire", "PowerSploit", "SocGholish", "WastedLocker" ], "source_id": "Secureworks", "reports": null }, { "id": "9806f226-935f-48eb-b138-6616c9bb9d69", "created_at": "2022-10-25T16:07:23.73153Z", "updated_at": "2026-04-10T02:00:04.729977Z", "deleted_at": null, "main_name": "Indrik Spider", "aliases": [ "Blue Lelantos", "DEV-0243", "Evil Corp", "G0119", "Gold Drake", "Gold Winter", "Manatee Tempest", "Mustard Tempest", "UNC2165" ], "source_name": "ETDA:Indrik Spider", "tools": [ "Advanced Port Scanner", "Agentemis", "Babuk", "Babuk Locker", "Babyk", "BitPaymer", "Bugat", "Bugat v5", "Cobalt Strike", "CobaltStrike", "Cridex", "Dridex", "EmPyre", "EmpireProject", "FAKEUPDATES", "FakeUpdate", "Feodo", "FriedEx", "Hades", "IEncrypt", "LINK_MSIEXEC", "MEGAsync", "Macaw Locker", "Metasploit", "Mimikatz", "PayloadBIN", "Phoenix Locker", "PowerShell Empire", "PowerSploit", "PsExec", "QNAP-Worm", "Raspberry Robin", "RaspberryRobin", "SocGholish", "Vasa Locker", "WastedLoader", "WastedLocker", "cobeacon", "wp_encrypt" ], "source_id": "ETDA", "reports": null }, { "id": "6c4f98b3-fe14-42d6-beaa-866395455e52", "created_at": "2023-01-06T13:46:39.169554Z", "updated_at": "2026-04-10T02:00:03.23458Z", "deleted_at": null, "main_name": "Evil Corp", "aliases": [ "GOLD DRAKE" ], "source_name": "MISPGALAXY:Evil Corp", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434440, "ts_updated_at": 1775791995, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/06bcfa19805cbf8d4e44f4efb0c945546c1ca547.pdf", "text": "https://archive.orkl.eu/06bcfa19805cbf8d4e44f4efb0c945546c1ca547.txt", "img": "https://archive.orkl.eu/06bcfa19805cbf8d4e44f4efb0c945546c1ca547.jpg" } }