Bicycle manufacturer Woom: IT breach by cyber gang INC Ransom

Two weeks ago, there was an IT breach at children's bike manufacturer Woom. The cyber gang INC Ransom is threatening to publish data.

The popular bicycle manufacturer Woom, which specializes in the production and distribution of children's bicycles, experienced a cyberattack about two weeks ago. The ransomware gang INC Ransom has now claimed responsibility for the incident and is extorting the company.

On the darknet site of INC Ransom, the gang threatens to publish the data stolen from Woom.

(Image: heise medien)

Visible in the data snapshots on INC Ransom's darknet site are documents from various departments, including accounting and finance. Many dealer customer names appear in the PDF filenames, indicating that business contacts are affected. Domain and access information also seems to be included – INC Ransom states that this is an “AD Dump,” meaning data extracted from Woom's Active Directory.

In a press release, the Austrian manufacturer states: “Together with an international team of experts from the Cyberschutz agency, woom immediately analyzed, contained, and successfully addressed the incident. Due to the swift reaction and coordinated approach, all systems were restored quickly and completely. There are indications that some customer information may be affected, but no sensitive data.” The actual cyberattack took place on Friday, November 7, 2025. It was a large-scale cyberattack.

In response to an inquiry from heise online, the company clarified that the attackers gained access through “a previously unknown firewall vulnerability”, that is, a zero-day exploit. Recently, several firewalls from renowned providers have been targeted by cybercriminals, as security vulnerabilities in them allow for network compromise, for example in WatchGuard's Firebox, Fortinet's FortiWeb, or Cisco firewalls.

When asked what data was copied, the company stated: “Data from customers, employees, and dealers were affected by the encryption. Our experts currently assume that the attackers do not have access to the data.”

Apparently, there was initial contact between Woom and INC Ransom.

(Image: heise medien)

A screenshot on the darknet leak site suggests that INC Ransom has contacted Woom to initiate ransom negotiations. However, after a request for data samples, Woom apparently broke off contact.

Such cyberattacks are apparently happening daily now. At the end of last week, for example, the cyber gang cl0p added several well-known companies to the list on its darknet leak site, including Broadcom, Canon, Mazda (plus Mazda USA), and the tire manufacturer Michelin.

(dmk)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.