[BreachExchange] A Volkswagen Dealership Has Been Hit by “Conti” Ransomware

Destry Winant destry at riskbasedsecurity.com
Fri Aug 28 10:36:43 EDT 2020


https://www.technadu.com/volkswagen-group-hit-conti-ransomware/184319/

The Conti ransomware group is showing its teeth right away, by
compromising a Volkswagen dealership.

The actors targeted a franchise in Salzkotten, so the entity and the
incident fall under the GDPR.

The leaked details include invoices that reveal the customer names,
addresses, and products bought.

According to multiple sources, including French media and Cyble, a
German dealership belonging to the Volkswagen Group has fallen victim
to the “Conti” ransomware group. The actors stole data in the process
and are now publishing it on their dedicated leaks portal. The data
includes thousands of invoices that come from workshop services and
the sale of spare parts.

In total, there are 8,325 invoices in PDF form, exposing details that
could be used in scamming or phishing attacks against the clients.
Also, these invoices could help BEC actors targeting VW.

Volkswagen is a German car manufacturer which also happens to be among
the most successful in the world based on sales numbers. They sell
over 10 million cars every year, and they were the highest-selling
marque in the world between 2016 and 2017, surpassing other giants in
the field like Toyota, Ford, General Motors, and Hyundai.

This event places the firm in GDPR trouble, as the leaked invoices
contain client names, postal addresses, the products they purchased,
etc. Having to cover the payment of GDPR fines couldn’t come at a
worse time, as all automakers are going through a rough period of
dramatically dropping sales.

Of course, Conti doesn’t care about the timing or the 304,000 people
employed by Volkswagen. They want a piece of that massive $282.9
billion yearly revenue, and they have probably been extorting the
company for a while now. However, having published even a small sample
of the stolen documents means they burnt the GDPR card, as the Germans
will now have to go through investigations by the data protection
authorities anyway.

Conti is the Ryuk group’s successor, and they operate as a private
“ransomware as a service” (RaaS). They only recently launched a leak
site and flooded it with data from previously undisclosed ransomware
infections.

According to the researcher Vitali Kremez, Conti has been mostly
joined by experienced and capable hackers who were promised a generous
cut from the ransomware payment. Thus, we see a spike in the Conti
infections, and the compromise of VW Group’s systems is just an
indicative example of what’s about to come.

The Volkswagen Group hasn’t made any announcements on the incident.
Still, according to Cyble, the part of the firm that has been targeted
and compromised is a franchise in Salzkotten, Germany. Thus, the leak
comes from authorized workshops in that area.

If you live there and you’ve taken your car for a service at a VW
service point, you’d better start taking precautions against scammers
and phishing actors.

We have received the following statement from a representative of the
VW Group in relation to the above story:

“A dealership in Germany has reported a hacker attack on its data.
There was no unauthorized attempt to access Volkswagen’s own IT
systems. The dealership concerned has already taken extensive measures
to secure its systems. Volkswagen offered the dealership support with
the investigation and analysis.”

