Software AG targeted by double extortion ransomware attack, LogRhythm comments
October 2020 by LogRhythm
German software giant Software AG has been hit with a major data leak stemming from a ransomware attack in which its files were encrypted and stolen by the operators of the Clop cybercriminal gang. After Software AG was targeted and refused to be extorted, troves of employee details and financial information were leaked onto the dark web.
Andrew Hollister, head of LogRhythm Labs, comments below:
"Ransomware attacks are really hitting the headlines at the moment, with no sign of slowing as attackers look for new ways to leverage the chaos they can cause. Double extortion ransomware attacks, such as this incident with Software AG, are extremely concerning as they serve the dual purpose of making ransomware more damaging for victims and more lucrative for criminals.
“Ransomware groups are diversifying their approach by taking copies of data before performing the encryption, as we’re seeing in this case. This gives them a couple of options, each of which we have seen playing out in the wild. First, it proves to the victim – and, indeed, the public – that this isn’t a bluff and they really have breached the organisation. It also makes possible a second layer of extortion with the threat of a public data leak if payment isn’t made. What’s particularly concerning is that, even if an organisation decides to restore the information from its own backup rather than pay the ransom, that data is still valuable and the threat of leakage is not diminished. Who knows where it could end up, or when. On the other hand, if a ransom is paid and the cybercriminals assure the victim that they’ve upheld their side of the bargain and deleted the information, there’s nothing to say that the same data won’t be reused for another extortion attempt later down the line.
“This sort of attack really is becoming the cybersecurity scourge of our time, and whilst there is no silver bullet, organisations should review their approach to patching, maintain up-to-date backups, and implement continuous monitoring for detection and response. An appropriately configured security monitoring solution that has full visibility into the environment could provide the opportunity to respond to an intrusion before it turns into a damaging data breach. Organisations should also ensure that they have appropriate staff training, since many of these attacks can start with a phishing email.”