This article is more than 1 year old

Wind turbine maker Vestas confirms recent security incident was ransomware

10 days after attack 'almost all systems' up and running, refuses to say if ransom was paid

Wind turbine maker Vestas says "almost all" of its IT systems are finally up and running 10 days after a security attack by criminals, confirming that it had indeed fallen victim to ransomware.

Alarm bells rang the weekend before last when the Danish organisation said it had identified a "cyber security incident" and closed off parts of its tech estate to "contain the issue."

Today the business - one of the largest worldwide to design, build, install and maintain wind turbines – said it has undertaken "extensive investigations, forensics, restoration activities and hardening of our IT systems and IT infrastructure."

Henrik Andersen, president and chief exec of the firm, said in a statement:

"We have been through some tough days since we discovered the cyber incident, and executive management and the board of directors are thus very pleased that the incident didn't impact wind turbine operations and almost all of our IT systems are running again."

Manufacturing, construction and services team were unaffected, Vestas said.

"There is still a lot of work ahead of us to and we must remain extremely diligent towards cyber threats. I would already now like to take this opportunity to thank our customers, employees and external partners for their understanding and extraordinary support in these challenging circumstances."

The deep probing of the incident continues, Vestas said, and there still remains no evidence that the break-in hit customer or supply chain operations, "which is supported by the forensics investigation carried out with the assistance of third-party experts," it said.

The security incident bore all the hallmarks of a ransomware attack, but Vestas last week refused to comment. Today it confirmed what The Register had previously suspected.

"The cyber incident, which our investigations indicate was ransomware, impacted Vestas' internal systems and resulted in data being compromised. The extent to which data has been compromised is still being investigated, but for now it appears that the data foremost relates to Vestas' internal matters."

We asked the company if it paid the ransom but a spokesperson said: "Due to the situation this is not something we are going to comment on." He also refused "at this point" to go into detail about how the digital break-in occurred.

According to research by Coveware pulbished in January, the average downtime caused by ransomware is 16.2 days and Bitcoin is the cryptocurrency favoured most by criminal gangs. The firm also found that ransomware is more lucrative than cocaine trafficking, that the average payment is just shy of $140,000 per attack and the most common strains are Conti V2, Mespinoza and Sodinokibi. ®

More about


Send us news

Other stories you might like