(An article about the subsequent return of Forward Air’s systems can be found here.)
Forward Air Corp. (NASDAQ:FWRD) was targeted by a ransomware attack last week and warned that it may defer or lose revenue as a result, the Tennessee-based trucking and logistics firm disclosed in a Securities and Exchange Commission filing Monday.
“Although the company is actively managing this incident, it has caused and may continue to cause a delay in parts of the company’s business and may result in a deferral or loss of revenue as well as incremental costs that may adversely impact the Company’s financial results,” Forward Air said in the filing.
Forward Air provided few details about the Tuesday attack, but noted that it impacted both operational and information technology systems. The company said that its terminals and facilities are all fully operational, but it is still actively responding to the attack.
“The company’s internal security teams, supplemented by leading cyber defense firms, took active steps to assess, contain and remediate this incident. Systems recovery efforts are in process and the Company currently estimates those efforts to be largely complete in the coming week,” Forward Air said.
The SEC filing provides the most detailed account from the company since the attack but still leaves many questions. Nonetheless, the disruptions at Forward Air and the delays to customers suggest the impacts were extensive.
The attack also underscores the vulnerability of the U.S. supply chain to cyberattacks that disrupt the movement of goods. Forward Air, in particular, has a large network of terminals that provide vital links to airlines’ cargo operations.
While Forward Air joins an increasingly long list of trucking and logistics providers targeted by ransomware attacks, few incidents have resulted in such extensive operational disruption.
‘Hades’ ransomware gang left note on Forward Air computers after attack
The attack appears to have been the work of a new ransomware gang called Hades. The group left a text file on Forward Air computers following the attack last Tuesday.
“By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise you cant get back your data (NEVER),” the message states.
The group did not name its ransom for restoring access, but instead provided a link to a site on the dark web and instructions for initiating contact.
Hades emerged only recently and has been involved in just a handful of known incidents. Reached on a secure messaging service by FreightWaves, Hades declined to comment on the Forward Air attack, stating “No info will be provided about FW.”
Brett Callow, a threat analyst at software firm Emsisoft, told FreightWaves that Hades resembles other gangs that have extorted companies around the world.
“There’s nothing unique about them, as far as we can tell,” Callow said.
Ransomware gangs have increasingly targeted transportation and logistics companies in recent months, most recently Cardinal Logistics. They encrypt data and attempt to steal it, then demand ransom payments in exchange for unlocking the data and promising not to post it.
Forward Air did not reveal any details about any sum demanded or whether the company decided not to pay. The extended outage of systems including its website suggests the company may not have paid.
It also did not address whether any data was stolen. Companies that have refused to pay the attackers often face extensive leaks of internal files in retaliation.
Forward Air previously said it had notified law enforcement about the attack. The FBI and Tennessee Bureau of Investigation have yet to confirm to FreightWaves whether the agencies are probing the attack.
The Greeneville, Tennessee-based company provides less-than-truckload and asset-light logistics services. Forward Air beat analysts’ expectations in third-quarter financial results, reporting almost $17 million in net income on $332 million of revenue.