{
	"id": "a81c9265-43bd-4461-8200-80e6648e296b",
	"created_at": "2026-04-06T00:06:09.084743Z",
	"updated_at": "2026-04-10T13:12:31.465393Z",
	"deleted_at": null,
	"sha1_hash": "eeb6e5dd73a53883376c5d6600e45c31c2138ad0",
	"title": "Major German manufacturer still down a week after getting hit by ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 495906,
	"plain_text": "Major German manufacturer still down a week after getting hit by\r\nransomware\r\nWritten by Catalin Cimpanu, Contributor, Oct. 21, 2019 at 12:15 p.m. PT\r\nArchived: 2026-04-05 18:53:37 UTC\r\nImage: Pilz\r\nPilz, one of the world's largest producers of automation tools, has been down for more than a week after suffering\r\na ransomware infection.\r\n\"Since Sunday, October 13, 2019, all servers and PC workstations, including the company's communication, have\r\nbeen affected worldwide,\" the Germany-based company wrote on its website.\r\n\"As a precaution, the company has removed all computer systems from the network and blocked access to the\r\ncorporate network.\"\r\nAll the company's locations across 76 countries were impacted and were disconnected from the main network,\r\nunable to file orders and check customer statuses.\r\nIt took Pilz staff three days to regain access to its email service, and another three days to restore email service for\r\nits international locations. Access to the product orders and delivery system was restored only today.\r\nProduction capabilities weren't impacted, but with the company unable to check orders, production has been hampered and is running at a slower\r\nrate.\r\nBlame BitPaymer\r\nhttps://www.zdnet.com/article/major-german-manufacturer-still-down-a-week-after-getting-hit-by-ransomware/\r\nPage 1 of 3\n\nThe German company -- known for its automation relays, controllers, and sensors -- is the latest in a long line of\r\nBitPaymer victims, Maarten van Dantzig, Lead Intelligence Analyst at Fox-IT, told ZDNet today.\r\nVan Dantzig was able to tie the Pilz infection to BitPaymer after he found and analyzed a BitPaymer sample\r\nuploaded on VirusTotal. 
The sample contained a ransom note with Pilz-related contact details, customized for the\r\ncompany's network.\r\nBitPaymer is a ransomware strain that appeared in the summer of 2017 and has been tied to several high-profile\r\nincidents at Scottish hospitals, the PGA, two Alaskan towns (Matanuska-Susitna and Valdez), Arizona Beverages,\r\nin attacks leveraging an iTunes zero-day, and, most recently, at French TV station M6.\r\nBut BitPaymer is not your regular ransomware strain. BitPaymer's authors engage in what's called \"big game\r\nhunting,\" a term coined by CrowdStrike that describes the act of going only after high-value targets -- in the\r\nhopes of extracting a large ransom payment, instead of extorting home consumers for meager profits.\r\nBitPaymer's Dridex partnership\r\nDuring the past two years, BitPaymer has been distributed exclusively via the Dridex botnet, van Dantzig told\r\nZDNet.\r\nAn ESET report from January 2018 claimed the ransomware was the work of the Dridex authors themselves.\r\nCurrently, most experts believe the Dridex gang spends their time sending email spam that infects users with the\r\nDridex trojan, compiles a list of victims, and then deploys BitPaymer on the networks of large companies, in the\r\nhopes of extracting huge ransoms after encrypting their files.\r\nHistorically, this tactic has been pretty lucrative, and BitPaymer has been tied to ransomware demands going as\r\nhigh as $1 million, Van Dantzig told ZDNet today in a phone call.\r\nThis cybercrime model of botnet-ransomware partnership is extremely popular these days. 
A similar \"working\r\nrelationship\" also exists between the operators of the Emotet and TrickBot botnets and the Ryuk ransomware\r\ngang.\r\nA surge in activity since April this year\r\nYou can easily see BitPaymer's modus operandi in the chart below, which shows submissions to ID-Ransomware,\r\nan online service sponsored by the MalwareHunterTeam and Emsisoft where ransomware victims can upload\r\nsamples and detect the type of ransomware they've been infected with.\r\nBitPaymer submissions to ID-Ransomware in the last 12 months\r\nSource: ID-Ransomware (supplied)\r\nMost ID-Ransomware activity charts are smooth, as there are daily submissions from victims who get infected\r\nafter opening emails or installing ransomware-infected files.\r\nHowever, for BitPaymer, this is different. The spikes show occasional infections as the ransomware is deployed on\r\na handful of carefully selected targets, rather than spammed out in every direction. This pattern is specific to \"big-game hunting\" ransomware operations.\r\nVan Dantzig says companies must understand that once they recover from a BitPaymer infection, their job is not\r\ndone. System administrators must also remove the Dridex trojan from infected hosts, otherwise they'll be\r\nreinfected.\r\nIn fact, van Dantzig has seen this happen in the past.\r\nPilz was not immediately available for comment at the time of publishing.\r\nSource: https://www.zdnet.com/article/major-german-manufacturer-still-down-a-week-after-getting-hit-by-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zdnet.com/article/major-german-manufacturer-still-down-a-week-after-getting-hit-by-ransomware/"
	],
	"report_names": [
		"major-german-manufacturer-still-down-a-week-after-getting-hit-by-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775433969,
	"ts_updated_at": 1775826751,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eeb6e5dd73a53883376c5d6600e45c31c2138ad0.pdf",
		"text": "https://archive.orkl.eu/eeb6e5dd73a53883376c5d6600e45c31c2138ad0.txt",
		"img": "https://archive.orkl.eu/eeb6e5dd73a53883376c5d6600e45c31c2138ad0.jpg"
	}
}