Crown Equipment Corporation victim of a Ransomware attack (2024)

[German]It seems that what I suspected a week ago has been confirmed: the forklift manufacturer Crown Equipment Corporation has suffered a cyber attack. Ransomware has shut down their production and administration worldwide. In the USA, employees are up in arms because nobody knows anything and the manufacturer is not paying wages.

What was previously known

Crown Equipment Corporation is the world's fifth largest manufacturer of forklift trucks, industrial trucks and high-rack conveyors. The headquarters of the US company is located in New Bremen, Ohio, United States. There is probably also a plant in Germany, and a reader drew my attention to the fact that there are probably massive IT problems there. The staff had been sent home and the management was not forthcoming about the reason for the IT problems.

I did a quick search and found that the Crown website (crown[.]com) is also unavailable. Which then quickly became clear:

• Since Monday, June 10, 2024, production has stopped worldwide at all of the forklift manufacturer's locations, i.e. not only in Roding (Germany), but also at the location in New Bremen, USA. The company's switchboard is dead, so the manufacturer cannot be reached by phone.
• My sources reported that all IT systems have been shut down and therefore there is no access to spare parts catalogs or other IT services. The few employees who are still working are trying to muddle through with paper and pencil.
• There has been no official statement from the manufacturer's management as to what has happened. On the Internet at reddit.com and also on my blog, comments are accumulating from US employees who, on the one hand, are left in the dark as to what has happened. On the other hand, workers who are employed on an hourly basis have probably not been paid for the lost shifts since June 10, 2024 – which is causing financial hardship for some families.

The previous information about the case may be read on my June 13, 2024 blog post Crown Equipment victim of a cyber attack? – sites and production down. However, it was unconfirmed what exactly had happened – I guessed a ransomware attack – and there were rumors that someone had opened a phishing email and triggered a malicious program.

I had also internal messages indicating, that IT had started to restrict access to their internal IT solution 360 (probably based on the Microsoft Cloud and Office 365). Only company devices can now access SharePoint, the Office applications or OneDrive. A source told me that they had heard from a friend of a friend who knows someone who used to work at the plant that the problems were due to a "coding bug". This had sent the Crown 360 solution downhill – but I take that information not as reliable. A request I made to Crown on their Facebook page has been unanswered for a week.

Sources confirm ransomware infection

A source who does not work directly for Crown Equipment in New Bremen, but has contacts with the staff, just told me that Crown management has officially informed the staff that they have been the victim of a ransomware attack. In another message, this source wrote that the attack was "from the inside" – an employee granted an unauthorized person access to the system.

In this reddit.com post, someone wrote a week ago that, according to their information, someone had received a call from a hacker posing as an IT employee. Together they installed a fake VPN program on the Crown employee's computer and the hacker or hackers gained access to everything. They created a privileged account on the network that gave them access to all systems. The network went down on Sunday, June 9, 2024, and has not been restored since.

Whether this is true or the attack was done via phishing (where malware was installed or where access data for a VPN access was tapped) is not yet known to me. A German user on Twitter noticed that all of Crown's VPN accesses had disappeared, indicating that they had been isolated and disconnected from the Internet.

My source also told me that the attackers carried out a successful ransomware attack. Rumors that the attack was detected and the system was automatically shut down as a result have not been confirmed. Ransomware seems to have wreaked havoc in the IT system and encrypted everything. I came across information on reddit.com about a ransom demand of 25 million US dollars – but this is unconfirmed.

A second source who works at Crown Equipment only told me days ago that there were IT problems at Crown. The phones are all dead and computers and IT are not working. The source is responsible for issuing parts for service orders and can no longer access the storage locations where these parts are stored. The company has no overview of the stock and the storage locations, but is completely digitalized in all processes. Even spare parts catalogs are only available digitally via the Crown Cloud. Everything is there.

This source also confirmed that there are probably also payment problems for wages. People are supposed to take vacation or forgo pay for missed shifts. All communication between Crown and employees is via voice mail or telephone. During a phone call last Tuesday (June 11), the source was told at the end of the conversation that she was unemployed – but there was probably no major mass layoff. In the USA, anyone who registers as unemployed will probably only receive unemployment benefits after a week's waiting period.

This source also stated that IT had started to reset all passwords for online access. The restart of operations was announced for Monday, June 18, 2024 and then the employees who were to receive wage payments were supposed to receive manually issued paychecks. My current status is that the restart has now been postponed to June 24, 2024 (i.e. next week Monday).

As of June 18, 2024, this source has also confirmed that the workforce was informed that the company's IT had been hacked by internationally active cyber criminals. The FBI is now involved in the case. IT is currently trying to get the systems up and running again by the 24th of this month. I am not personally aware of any public statement from Crown management to date.