The US trucking and freight logistics company Forward Air has been targeted in a ransomware attack by a new ransomware group called Hades that has impacted the company's operational and information technology systems and caused shipping delays for customers.
In a Securities and Exchange Commission filing the company said that the incident took place on December 15, 2020, but did not say who was behind the attack or what ransom the attackers demanded to restore access.
“On December 15, 2020, Forward Air Corporation detected a ransomware incident impacting its operational and information technology systems, which has caused service delays for many of its customers. Promptly upon its detection of the incident, the Company initiated response protocols, launched an investigation and engaged the services of cybersecurity and forensics professionals. The Company has also engaged with the appropriate law enforcement authorities,” Forward Air said.
“Although the company is actively managing this incident, it has caused and may continue to cause a delay in parts of the company’s business and may result in a deferral or loss of revenue as well as incremental costs that may adversely impact the Company’s financial results,” the trucking giant added.
A text file left on Forward Air computers by the hackers suggests that the attack is the work of the Hades ransomware crew, a relatively new player on the ransomware scene. The ransomware note did not name a ransom for restoring access, but instead contained a link to a site on the dark web and instructions for initiating contact with the group.
According to security researchers, the Hades ransomware gang resembles other groups that have extorted companies around the world.
Once it has infected a system, the ransomware drops a ransom note named 'HOW-TO-DECRYPT-[extension].txt', similar to the notes used by the REvil ransomware group. The ransom note includes a URL unique to each victim, which leads to a Tor site containing information about the attack and a Tox messenger address for contacting the attackers.
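The two indicators the article gives (the note filename pattern and the per-victim Tor URL plus Tox address inside it) are the kind of thing an incident responder turns into a quick triage check. The script below is an added example written for this page, not code from Forward Air, the researchers, or the Hades group. It assumes the note filename follows the pattern quoted above, that the Tor link is a standard .onion hostname, and that the Tox address is a 76-character hex Tox ID (the public Tox ID format, which the article itself does not describe); the sample note it scans is constructed, not a real Hades note.

```python
"""Find Hades-style ransom notes on disk and pull out the contact indicators.

Detection heuristic from the article: the note is named
HOW-TO-DECRYPT-<extension>.txt and contains a per-victim Tor (.onion) URL
plus a Tox messenger address. Everything else here is an assumption.
"""
import os
import re
from typing import Dict, List, Optional

# Filename pattern described in the article; the bracketed part is the
# extension the ransomware appended to the encrypted files.
NOTE_NAME_RE = re.compile(r"^HOW-TO-DECRYPT-([A-Za-z0-9]+)\.txt$")

# Onion hostnames: 16-char v2 or 56-char v3 base32 labels (assumption: the
# note links to an ordinary Tor hidden service).
ONION_RE = re.compile(r"\b[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion\b", re.IGNORECASE)

# Tox IDs are 76 hex characters (public key + nospam + checksum); assumption
# based on the public Tox ID format, not on anything in the article.
TOX_ID_RE = re.compile(r"\b[0-9A-Fa-f]{76}\b")


def note_extension(filename: str) -> Optional[str]:
    """Return the extension token if the filename matches the ransom-note pattern."""
    m = NOTE_NAME_RE.match(os.path.basename(filename))
    return m.group(1) if m else None


def extract_indicators(text: str) -> Dict[str, List[str]]:
    """Pull .onion hosts and Tox IDs out of a note body (deduplicated, in order)."""
    onions = list(dict.fromkeys(h.lower() for h in ONION_RE.findall(text)))
    tox_ids = list(dict.fromkeys(t.upper() for t in TOX_ID_RE.findall(text)))
    return {"onion_hosts": onions, "tox_ids": tox_ids}


def scan_files(files: Dict[str, str]) -> List[Dict[str, object]]:
    """Check an in-memory {path: contents} map; one hit per matching note."""
    hits: List[Dict[str, object]] = []
    for path, contents in files.items():
        ext = note_extension(path)
        if ext is None:
            continue
        hit: Dict[str, object] = {"path": path, "encrypted_extension": ext}
        hit.update(extract_indicators(contents))
        hits.append(hit)
    return hits


def scan_directory(root: str) -> List[Dict[str, object]]:
    """Walk a directory tree and apply the same checks to files on disk."""
    found: Dict[str, str] = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if note_extension(name) is None:
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    found[full] = fh.read(65536)  # notes are small; cap the read
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
    return scan_files(found)


# Constructed sample (not a real Hades note): made-up onion host and Tox ID
# in the right shape, plus an unrelated file that must not match.
SAMPLE_ONION = "hadesexample" + "a" * 44          # 56 base32 chars, v3 shape
SAMPLE_TOX = ("0123456789ABCDEF" * 4) + "0123456789AB"  # 76 hex chars
SAMPLE_FILES = {
    "C:/Users/victim/Desktop/HOW-TO-DECRYPT-ab12cd.txt": (
        "Your files have been encrypted.\n"
        f"Visit http://{SAMPLE_ONION}.onion/victim/ab12cd for instructions.\n"
        f"Tox: {SAMPLE_TOX}\n"
    ),
    "C:/Users/victim/Desktop/notes.txt": "weekly status\n",
}

if __name__ == "__main__":
    for hit in scan_files(SAMPLE_FILES):
        print(hit)
```

`scan_directory` is the on-disk entry point for a live host; `scan_files` takes the same data in memory so the matching logic can be exercised against captured notes without touching the filesystem. The extracted onion host and Tox ID are the values worth recording as indicators, since the article notes the URL is unique per victim.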