Continental AG LockBit ransomware (Germany, 2022)
LockBit operators infiltrated parts of German auto-parts giant Continental AG's IT systems in August 2022. Containment was initially declared, but in November the group put 40 terabytes of stolen Continental data on its dark-web leak site, offered for sale or destruction for $50 million.
- Victim: Continental AG
In August 2022, the German automotive-parts giant Continental AG, one of the largest tier-1 suppliers in the global auto industry, was breached by LockBit ransomware operators. The initial response declared the intrusion contained. The November leak proved otherwise: LockBit listed approximately 40 terabytes of stolen Continental data on its dark-web leak site, with a public price tag of $50 million.
What happened
Attackers infiltrated parts of Continental's IT systems in early August 2022. Continental detected the activity and stated that it had "averted" the intrusion. Then, in September, LockBit operators contacted Continental, claimed responsibility for the August event, demanded a ransom, and threatened to publish the data.
On 4 November 2022, LockBit's public countdown clock for the Continental data expired. Continental publicly confirmed on 7 November that the criminals had stolen "a significant amount" of data, reversing the August containment claim. Days later, LockBit listed approximately 40 TB of Continental data on its leak site, offering it "for sale or destruction" for $50 million.
The scale alone (40 terabytes) placed this among the largest single-victim data thefts publicly disclosed by a ransomware operation at the time. Germany's BKA (Federal Criminal Police Office) and the FBI joined the investigation.
Impact
- Significant amount of internal Continental data, claimed at ~40 TB, stolen.
- $50 million demand placed on the leak site.
- Containment narrative collapsed three months after initial detection.
- Triggered renewed attention to LockBit's industrial-target operations in Germany.
Why it matters
The Continental case is a cautionary example of the difference between detecting attackers and removing them: early containment claims do not necessarily reflect what attackers have already exfiltrated, and ransomware operations often delay extortion specifically to maximise leverage. The 40 TB scale of the theft also previewed what LockBit would later inflict on Boeing and ICBC.
Timeline
- Attackers infiltrate parts of Continental's IT systems; Continental detects the intrusion in early August and reports having averted it.
- LockBit operators contact Continental, claim responsibility for the August intrusion, demand a ransom, and threaten to publish the stolen data.
- LockBit's countdown clock for Continental data expires at 15:45:36 UTC.
- Continental publicly confirms cybercriminals stole 'a significant amount' of data, reversing the August claim of full containment.
- LockBit lists approximately 40 TB of Continental data on its dark-web leak site, offered 'for sale or destruction' at $50 million. Germany's FBI counterpart (BKA) joins the investigation.
Sources
- bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/lockbit-ransomware-claims-attack-on-continental-automotive-giant/
- securityaffairs.co: https://securityaffairs.co/wordpress/138062/cyber-crime/lockbit-gang-claims-continental-hack.html
- bankinfosecurity.com: https://www.bankinfosecurity.com/lockbit-claims-attack-on-german-auto-parts-giant-continental-a-20418
- techmonitor.ai: https://www.techmonitor.ai/technology/cybersecurity/continental-cyberattack-ransomware-lockbit-fbi