Foxconn confirms cyberattack tied to Nitrogen ransomware

Foxconn says some North American factories are resuming production after a cyberattack claimed by the Nitrogen ransomware group.

A major electronics manufacturer is working to get production back on track after a ransomware claim that has now been confirmed by Foxconn.

The company, which describes itself as operating a vast manufacturing footprint across North America, said some of its North American factories suffered a cyberattack. Foxconn made the confirmation after claims circulated earlier this week on a ransomware leak site operated by the Nitrogen group.

Foxconn’s response centers on continuity. In an emailed statement to confirm the reports, a company spokesperson said its cybersecurity team immediately activated a response mechanism and put multiple operational measures in place to keep production and deliveries moving. The affected factories, the spokesperson added, are currently resuming normal production.

The Nitrogen ransomware operation says it stole data before or during the intrusion, asserting the theft involved 8 TB of data and more than 11 million documents. On its leak site, the group also claims the materials include what it describes as confidential instructions, projects, and drawings tied to a range of major technology customers.

Among the customers Nitrogen says are represented in the stolen files are Apple, Intel, Google, Nvidia, and AMD, alongside other Foxconn clients. If those claims are accurate, it highlights how ransomware incidents can put not only operational systems at risk, but also sensitive product and engineering information in the spotlight.

Foxconn is not new to ransomware pressure. This is not the first time the company has faced claims from well-known cybercrime groups, including LockBit and DoppelPaymer, both of which have targeted different Foxconn entities and production locations in past years.

Earlier ransomware claims tied to the company include what LockBit said in January 2024 about an attack on Foxconn subsidiary Foxsemicon. LockBit also claimed a Foxconn production plant in Tijuana, Mexico, in late May 2022, underscoring how multiple regional operations can become separate targets depending on the attacker’s access and strategy.

In December 2020, the DoppelPaymer operation also claimed it hit Foxconn’s CTBG MX facility in Ciudad Juárez and demanded a $34 million ransom. That earlier claim described alleged theft of 100GB of data, encryption of up to 1,400 servers, and destruction of 20 to 30TB of backup data.

The Nitrogen operation itself has a history that suggests it has been refining its tooling over time. The threat actors behind the group first surfaced in 2023 with a malware loader using the same name that was used to deploy BlackCat/ALPHV ransomware.

Later, the group developed its own ransomware strain based on leaked Conti 2 builder code. However, security researchers have pointed out that a coding mistake in the ESXi-related malware caused files to be encrypted using the wrong public key, which they said would irreversibly corrupt them.

Even if the ransomware’s technical execution has had setbacks, the group has still maintained a steady presence. Researchers indicated that while Nitrogen ransomware is not among the most active operations, it has added dozens of victims to its leak site since 2024.

For manufacturers like Foxconn, incidents of this kind can carry broader implications beyond immediate downtime. When ransomware groups claim large volumes of documents and technical artifacts, it can raise the stakes for downstream customers who rely on secure design data, supplier instructions, and product drawings throughout development cycles.

The immediate question after Foxconn’s confirmation is how quickly the company can validate what was accessed and what was impacted, especially in the context of ongoing production. Foxconn says the affected factories are now resuming normal production, but the long-tail effects of data theft (such as compliance reviews, customer notification workflows, and internal audits) often extend well beyond the restoration of day-to-day operations.

Meanwhile, the Nitrogen group’s claimed focus on engineering file types aligns with a broader ransomware trend: attackers increasingly try to convert technical data exposure into leverage, even when the operational systems are brought back online.

As Foxconn works through the aftermath, the incident also serves as a reminder that ransomware campaigns continue to adapt. Nitrogen’s evolution—moving from use of existing payloads to attempting its own strain—shows how criminal groups iterate on tooling, even when earlier versions contain flaws.
