Ransomware victim disclosure
Kochs GmbH
Claimed by Aurora · listed 12 days ago
Status timeline
- Listed: Jun 22, 2026
- Data leaked: date unknown
At a glance
- Group: Aurora
- Status: Data leaked
- Country: Germany
- Sector: Manufacturing
- Listed on leak site: Jun 22, 2026
About the victim
AI dossier — public-source company profile

Kochs GmbH is a family-owned German manufacturer specializing in windows, doors, and aluminium façade systems. Headquartered in Herzogenrath, North Rhine-Westphalia, the company operates across Germany, the Netherlands, and Hungary with approximately 240 employees.
- Industry: Building Materials & Façade Systems Manufacturing
- Address: Herzogenrath, Nordrhein-Westfalen, Germany
- Employees: 240
Attack summary
Severity: critical — Confirmed exfiltration of GDPR special category health data (Art. 9), large-scale PII (payroll, tax IDs, social insurance numbers, medical records), privileged communications, and critical infrastructure credentials (Active Directory, VPN, SSL/TLS keys) enabling domain impersonation and further compromise.

The Aurora group claims to have exfiltrated 22 GB of payroll databases with employee personal and financial data, DATEV records, Active Directory credentials, proprietary ERP and CRM source code with hardcoded credentials, SSL/TLS private keys, VPN configuration files, medical imaging of a Managing Director, employee disciplinary and identity documents, and complete financial records spanning 2024.
Data the group says was taken
AI dossier — extracted from the leak post
- Payroll database backups (MSSQL, 2016–2023)
- DATEV payroll records (through May 2026)
- Active Directory passwords (plaintext)
- Proprietary application source code (WinPro ERP, Apertum CRM, MES)
- Hardcoded database credentials
- SSL/TLS private keys (2021–2026)
- VPN pre-shared keys (LANCOM gateway)
- Managing Director's medical imaging (MRI/X-ray)
- Employee disciplinary records
- Driver's license scans
- Attorney-client privileged litigation files
- Financial records (2024 annual accounts, P&L, balance sheets)
- General ledger and cost accounting
What the group claims
[manufacturer] *** — a family-owned German manufacturer of windows, doors, and aluminium façade systems headquartered in Herzogenrath, Nordrhein-Westfalen, with ~240 employees across Germany, the Netherlands, and Hungary. The exposed material includes: 22 GB of payroll database backups (7 MSSQL .bak files, 2016–2023) — every employee's salary, bank IBAN, tax class, social insurance number, pension contributions, and wage garnishments. 2.3 GB of DATEV payroll records (through May 2026) — individual named salary documents, garnishment data, company car records for all three entities. 7 Active Directory passwords in plaintext batch scripts — including both Managing Directors, with one MD's credentials spanning three separate AD domains. 28+ proprietary application source code repositories — WinPro ERP, Apertum CRM, MES integrations, production viewers, time-tracking, and rack-management systems. Each one hardcodes its database credentials. SSL/TLS private keys for kochs.de (2021–2026) — enabling domain impersonation and man-in-the-middle attacks. 77 VPN pre-shared keys from the LANCOM gateway configuration — the complete remote-access roster since 2018. Managing Director's MRI and X-ray scans — brain and spine medical imaging, GDPR Art. 9 special category health data. 16 named employee disciplinary records, 11 driver's license scans, attorney-client privileged litigation files from two active employment lawsuits. Complete financial records — 2024 annual accounts, P&L, balance sheets, SFirm banking database, Syska ProFI general ledger, cost accounting through December 2024.
Sources
Indexed 12 days ago. This page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.

