In a ransomware and data theft incident affecting Primed Halberstadt Medizintechnik (DE), the aurora threat actor exfiltrated multiple entire server volumes, including Daten (883 GB), EE (807 GB), WINDVSW1 (344 GB), and dmsscan (12 GB), covering employee home directories, production/process data, machine configurations, Apollo ERP and VBANK banking records, DATEV accounting, bank transfers, DMS exports, and scanned documents. The attackers also staged a database backup (spiel.zip.001–010, 100.6 GB) dated 2026-06-03, before the compromise. #Germany
Incident Details
- Victim: Primed Halberstadt Medizintechnik
- Sector: Healthcare
- Country: DE
- Actor: aurora
- Source: http://u6lieui2dakbctcjea2bz4r4q32r7t36nwljovqbv7mxs6o2smgxixid.onion/blog/primed-halberstadt-medizintechnik-b278bad0
- Discovered: 2026-06-30T19:51:25.102363+00:00
- Published: 2026-06-30T00:00:00+00:00
Information
- German manufacturer of medical devices, founded in 1946 and now part of the PE-backed PP Medtech group (Wiesmann & Co. KG).
- The exfiltration captured four entire server volumes.
- Daten (883 GB): file server with 289 employee home directories (547 GB), Czech subsidiary data (66 GB), production processes (162 GB), and machine configurations (81 GB).
- EE (807 GB): enterprise system containing Apollo ERP, VBANK banking data for 8 accounts, a complete database backup (100.6 GB, dated June 3), and product images.
- WINDVSW1 (344 GB): Windows server containing DATEV accounting data, including 115+ data directories with LODAS payroll, bank transfers, and DMS exports.
- dmsscan (12 GB): scanned documents from 51+ employee DMS mailboxes.
- A database backup (spiel.zip.001–010, 100.6 GB) was created on 2026-06-03.

Disclaimer: This post is based on public claims made by the ransomware group "aurora". I cannot confirm the accuracy of the information. However, I would be happy to share any official statement from the affected organization to provide clarification.