Software AG caught in double extortion ransomware hit

German software giant Software AG is racing to contain a major data leak resulting from a double extortion attack that saw its files encrypted and stolen by the operators of the Clop ransomware.

The firm first came under attack on 3 October, and was forced to shut down its internal systems, forcing its helpdesk and internal communications offline, although its core customer-facing services, including its cloud-based services, were unaffected.

At the time of writing, its online support system remained offline and customers were being asked to email a support address with details of their problem instead of using the standard interface.

Clop’s operators are understood to have demanded an exceptionally high ransom payment of $20m, but Software AG has refused to pay, so the gang has now begun to publish its confidential data on the dark web. Screenshots obtained by ZDNet show the leaked data to include scans of employees’ identification, including passport details, internal emails and financial information.

Such double extortion attacks are becoming increasingly common after first emerging about 12 months ago, because they give cyber criminals an additional means to apply pressure to their victims.

“On 5 October 2020, Software AG disclosed that it is affected by a malware attack,” said the company in a statement. “The malware is not fully contained yet, and Software AG’s systems remain being affected by the attack.

“Today, Software AG has obtained first evidence that data was downloaded from Software AG’s servers and employee notebooks. There are still no indications for services to the customers, including the cloud-based services, being disrupted. The company is refining its operations and internal processes continuously.

“Software AG is further investigating the incident and is doing everything in its power to contain the data leak and to resolve the ongoing disruption of its internal systems, in particular to restart its internal systems as soon as possible which had been shut down for security reasons.”

Gurucul founder and CEO Saryu Nayyar said: “Ransomware gangs are becoming bolder and more sophisticated, going after larger and more lucrative targets with their criminal attacks.

“This recent attack against Germany’s Software AG is one of the largest ransomware attacks, but it will certainly not be the last. Even with a complete security stack and a mature security operations team, organisations can still be vulnerable. The best we can do is keep our defences up to date, including behavioural analytics tools that can identify new attack vectors, and educate our users to reduce the attack surface.”

Nayyar added: “With little risk of punishment and potentially multimillion-dollar payoffs, these attacks will continue until the equation changes.”

Germany’s second-largest software company – after SAP – Software AG dates back to the late 1960s, and started life as a supplier of database software. It now bills itself as a supplier of digital transformation and internet of things software. It makes annual sales of around €900m and employs about 5,000 people.