ctipilot.ch

Foxconn confirms Nitrogen ransomware crippled North-American manufacturing sites — 8 TB/11M files claimed, ESXi decryptor mathematically broken

incident · incident:foxconn-nitrogen-2026

  • Coverage timeline: 2 appearances, first 2026-05-13 → last 2026-05-13
  • Briefs: 1 (1 distinct)
  • Sources cited: 4 (4 hosts)
  • Sections touched: 2 (action_items, active_threats)
  • Co-occurring entities: 1 (see Related entities below)

Story timeline

  1. 2026-05-13 · CTI Daily Brief — 2026-05-13
     active_threats: Foxconn confirmed 2026-05-12; Nitrogen leak-site claim of 8 TB; Coveware ESXi-encryptor bug noted as decryption-impossible.
  2. 2026-05-13 · CTI Daily Brief — 2026-05-13
     action_items: Action item referencing in-brief detail.

Where this entity is cited

  • active_threats (1)
  • action_items (1)

Source distribution

  • 9to5mac.com: 1 (25%)
  • coveware.com: 1 (25%)
  • therecord.media: 1 (25%)
  • theregister.com: 1 (25%)

Related entities

Items in briefs about Foxconn confirms Nitrogen ransomware crippled North-American manufacturing sites — 8 TB/11M files claimed, ESXi decryptor mathematically broken (1)

Foxconn confirms Nitrogen ransomware crippled North-American manufacturing sites; 8 TB / 11M files claimed

From CTI Daily Brief — 2026-05-13 · published 2026-05-13

Foxconn Technology Group confirmed on 2026-05-12 that several North-American factories — including Mount Pleasant (Wisconsin), Houston (Texas), and additional sites in Ohio, Virginia, Indiana and Mexico — suffered a cyberattack starting at approximately 07:00 ET on 2026-05-01, when the Mount Pleasant Wi-Fi failed and core infrastructure was disrupted by 11:00 ET; production halted for roughly a week before "affected factories are currently resuming normal production" (The Register, 2026-05-12; The Record, 2026-05-12). The Nitrogen ransomware crew — a Conti 2 leaked-builder derivative active since 2023 — listed Foxconn on its leak site on 2026-05-11 and claims 8 TB / 11 million files, alleging "confidential technical drawings and project documentation" for Apple, Nvidia, Intel, Google and Dell engagements (9to5Mac, 2026-05-12). None of the named third-party vendors has confirmed any compromise of their own systems; the 8 TB number is the attacker's claim, not a Foxconn-confirmed exfiltration volume.

Why it matters to us: Foxconn is the dominant EMS supplier for endpoints widely procured by Swiss / EU government and critical-infrastructure operators (Apple, Dell, Nvidia, Intel hardware). The operationally critical defender-side data point on Nitrogen is independent of the headline: a Coveware analysis (2026-02-02) documents a programming error in Nitrogen's ESXi encryptor — a QWORD variable overwrites four bytes of the Curve25519 public key during the ChaCha8 key exchange, producing a corrupted key that is mathematically irrecoverable even with the operator's private key. If Nitrogen encrypts an ESXi host in your estate, paying does not restore your VMs; backup integrity at the hypervisor layer (not just guest-level) is the only recovery path. Generic hypervisor-layer detection concepts apply: alert on vmkfstools / esxcli invocations from non-administrator sessions recorded in ESXi's /var/log/shell.log, and on unexpected vmx process terminations that precede mass-rename events. The cited sources do not document the specific initial-access TTP chain Nitrogen used at Foxconn; defenders should rely on standard hunting for the broader Conti-derivative cluster (Cobalt Strike beaconing, Rclone exfiltration) and let attribution-specific IOCs follow the in-flight forensics.
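The two shell.log detection concepts named above, worked into a small stand-alone parser and rule set. This is an added example written for this page, not code from the brief, Coveware or any cited source. It assumes the ESXi shell.log layout `<ISO timestamp> shell[<pid>]: [<user>]: <command>`; the log lines, the `svc-backup` account, the datastore paths and the approved-administrator set are all constructed placeholders, and the 60-second window and rename threshold are tuning assumptions rather than values from the page.

```python
"""Two defender-side signals for an ESXi host, run over /var/log/shell.log:

1) vmkfstools / esxcli invoked from a shell session whose user is not an
   approved administrator;
2) a forced VM process kill followed within a short window by a burst of
   rename (mv) commands against datastore files.

Log format assumed: "<ISO timestamp> shell[<pid>]: [<user>]: <command>".
All sample lines below are constructed, not taken from any real incident.
"""
import re
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+shell\[(?P<pid>\d+)\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.*)$"
)

# Assumed approved-administrator set; tune to the estate's actual admin accounts.
ADMIN_USERS = frozenset({"root"})
# Tools whose use from a non-admin session should raise an alert (from the brief).
PRIV_TOOLS = frozenset({"vmkfstools", "esxcli"})

# Constructed sample log: 'svc-backup' is a placeholder non-admin account.
SAMPLE_LOG = """\
2026-05-01T11:02:11Z shell[4123]: [root]: esxcli system version get
2026-05-01T11:03:40Z shell[4130]: [svc-backup]: esxcli vm process list
2026-05-01T11:03:52Z shell[4130]: [svc-backup]: esxcli vm process kill --type=force --world-id=2100
2026-05-01T11:03:55Z shell[4130]: [svc-backup]: esxcli vm process kill --type=force --world-id=2114
2026-05-01T11:04:02Z shell[4130]: [svc-backup]: mv /vmfs/volumes/ds1/web01/web01.vmdk /vmfs/volumes/ds1/web01/web01.vmdk.locked
2026-05-01T11:04:03Z shell[4130]: [svc-backup]: mv /vmfs/volumes/ds1/web01/web01-flat.vmdk /vmfs/volumes/ds1/web01/web01-flat.vmdk.locked
2026-05-01T11:04:04Z shell[4130]: [svc-backup]: mv /vmfs/volumes/ds1/db01/db01.vmdk /vmfs/volumes/ds1/db01/db01.vmdk.locked
2026-05-01T11:04:05Z shell[4130]: [svc-backup]: mv /vmfs/volumes/ds1/db01/db01-flat.vmdk /vmfs/volumes/ds1/db01/db01-flat.vmdk.locked
2026-05-01T11:04:09Z shell[4130]: [svc-backup]: vmkfstools -D /vmfs/volumes/ds1/db01/db01-flat.vmdk.locked
2026-05-01T11:10:00Z shell[4200]: [root]: vmkfstools -c 20G /vmfs/volumes/ds1/new/new.vmdk
"""


def parse_line(line):
    """Return a dict with ts (aware datetime), pid, user, cmd; None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def parse_log(text):
    """Parse a whole shell.log body, silently skipping lines that do not match."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def first_token(cmd):
    parts = cmd.split()
    return parts[0] if parts else ""


def nonadmin_priv_tool_alerts(events, admins=ADMIN_USERS):
    """Signal 1: privileged storage/host tooling run by a non-admin session."""
    return [
        (ev["ts"], ev["user"], ev["cmd"])
        for ev in events
        if first_token(ev["cmd"]) in PRIV_TOOLS and ev["user"] not in admins
    ]


def kill_then_mass_rename_alerts(events, window=timedelta(seconds=60), threshold=3):
    """Signal 2: a forced VM kill followed by >= threshold renames within the window.

    Returns one tuple per kill event that is followed by a rename burst:
    (kill timestamp, user, number of renames observed in the window).
    """
    kills = [ev for ev in events if ev["cmd"].startswith("esxcli vm process kill")]
    renames = [ev for ev in events if first_token(ev["cmd"]) == "mv"]
    alerts = []
    for k in kills:
        n = sum(1 for r in renames if k["ts"] <= r["ts"] <= k["ts"] + window)
        if n >= threshold:
            alerts.append((k["ts"], k["user"], n))
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in nonadmin_priv_tool_alerts(evs):
        print("NON-ADMIN PRIV TOOL:", *a)
    for a in kill_then_mass_rename_alerts(evs):
        print("KILL -> MASS RENAME:", *a)
```

On the constructed sample the first rule fires four times (three esxcli calls and one vmkfstools call from `svc-backup`) and stays quiet for both root sessions; the second rule fires once per forced kill, each followed by four renames inside the window. In practice the admin set would be fed from the host's actual role assignments, and the two signals would be joined on `pid` so that one shell session producing both is raised as a single high-severity event rather than several low ones.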