# Trucking giant Forward Air hit by new Hades ransomware gang **[bleepingcomputer.com/news/security/trucking-giant-forward-air-hit-by-new-hades-ransomware-gang/](https://www.bleepingcomputer.com/news/security/trucking-giant-forward-air-hit-by-new-hades-ransomware-gang/)** Lawrence Abrams By [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/) December 21, 2020 04:23 PM 0 Trucking and freight logistics company Forward Air has suffered a ransomware attack by a new ransomware gang that has impacted the company's business operations. Forward Air is a leading trucking and air freight logistics company based out of Tennessee, USA. The company generated $1.4 billion in revenue for 2019 and employs over 4,300 people. Last week, FreightWaves [reported that Forward Air suffered a cyberattack that forced them](https://www.freightwaves.com/news/news-alert-forward-air-suffering-significant-it-outage) to take their systems offline to prevent the attack's spread. Forward Air later confirmed this attack in a statement to BleepingComputer. "On December 15, Forward Air detected an IT security incident that impacted the functionality of certain computer systems. Per our information security protocols, we immediately took our systems offline, notified law enforcement and engaged several third ----- party experts to assist us in conducting an internal investigation. Our IT team is working diligently to restore the affected systems and services and bring them back online as soon as possible," Forward Air shared in a statement to BleepingComputer. According to FreightWaves, the attack has led to business disruption as the paperwork required to release freight from customs was stored on the shutdown systems and is not available. At this time, Forward Air's website is down and just displays a message about the "IT security incident" and that the site is down while they restore affected systems. **Forwardair.com outage** Source: BleepingComputer If you have first-hand information about this or other unreported cyberattacks, you can [confidentially contact us on Signal at +16469613731 or on Wire at @lawrenceabrams-bc.](http://10.10.0.46/tel:+16469613731) ## New Hades ransomware operation is responsible. Sources have told BleepingComputer today that Forward Air suffered a cyberattack by a new ransomware operation known as Hades. _Update 12/21/20 6:37 PM EST: After we published our story, Forward Air filed a Form 8-K_ with the Securities and Exchange Commission disclosing that they suffered a ransomware attack. "On December 15, 2020, Forward Air Corporation (the “Company”) detected a ransomware incident impacting its operational and information technology systems, which has caused service delays for many of its customers. Promptly upon its detection of the incident, the ----- Company initiated response protocols, launched an investigation and engaged the services of cybersecurity and forensics professionals. The Company has also engaged with the [appropriate law enforcement authorities," the Form 8-K states.](https://docoh.com/filing/912728/0000912728-20-000183/FWRD-8K) The Hades ransomware gang behind this attack began operating about a week ago in human-operated attacks against the enterprise. When encrypting a victim, it will create a ransom note named 'HOW-TO-DECRYPT [extension].txt' that resembles notes used by the REvil ransomware group, as can be seen below. **Hades ransom note** Source: BleepingComputer Enclosed in the ransom notes is a Tor site URL that is unique to each victim. This URL brings you to a Tor site containing information about the attack and a Tox messenger address that victims can use to contact the attackers, which is the same for all victims. ----- **Hades Tor site** Source: BleepingComputer When we reached out via Tox to the ransomware actors, they were unwilling to provide any information about their attacks. They did, though, share a Twitter account whose name indicates they will use it to leak files stolen during attacks. It is not known how much money is demanded to recover files, and a sample of the ransomware has not been found. ### Related Articles: [Windows 11 KB5014019 breaks Trend Micro ransomware protection](https://www.bleepingcomputer.com/news/security/windows-11-kb5014019-breaks-trend-micro-ransomware-protection/) [Industrial Spy data extortion market gets into the ransomware game](https://www.bleepingcomputer.com/news/security/industrial-spy-data-extortion-market-gets-into-the-ransomware-game/) [New ‘Cheers’ Linux ransomware targets VMware ESXi servers](https://www.bleepingcomputer.com/news/security/new-cheers-linux-ransomware-targets-vmware-esxi-servers/) [SpiceJet airline passengers stranded after ransomware attack](https://www.bleepingcomputer.com/news/security/spicejet-airline-passengers-stranded-after-ransomware-attack/) [US Senate: Govt’s ransomware fight hindered by limited reporting](https://www.bleepingcomputer.com/news/security/us-senate-govt-s-ransomware-fight-hindered-by-limited-reporting/) [Forward Air](https://www.bleepingcomputer.com/tag/forward-air/) [Hades](https://www.bleepingcomputer.com/tag/hades/) [Ransomware](https://www.bleepingcomputer.com/tag/ransomware/) [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/) ----- Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence s area of expertise includes Windows, malware removal, and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies. [Previous Article](https://www.bleepingcomputer.com/news/security/exmo-cryptocurrency-exchange-hacked-loses-5-percent-of-total-assets/) [Next Article](https://www.bleepingcomputer.com/news/security/solarwinds-victims-revealed-after-cracking-the-sunburst-malware-dga/) Post a Comment [Community Rules](https://www.bleepingcomputer.com/posting-guidelines/) You need to login in order to post a comment [Not a member yet? Register Now](https://www.bleepingcomputer.com/forums/index.php?app=core&module=global§ion=register) ### You may also like: -----