Arnold Clark cyber attack claimed by Play ransomware gang


A cyber attack that struck automotive supplier Arnold Clark before Christmas has been claimed as the work of the Play ransomware cartel

By

  • Alex Scroxton,
    Security Editor

Published: 25 Jan 2023 14:30

Glasgow-based Arnold Clark – one of the UK’s largest automotive supplier networks, which made a billionaire out of its founder – is facing a multimillion-pound ransom demand from the Play double extortion ransomware cartel following a cyber attack on its systems.

The attack on the organisation took place in the run-up to Christmas and saw employees resorting to pen and paper to record customer transactions after being locked out of their systems. It was also unable to complete handovers of new vehicles as a result.

In the wake of the attack, Arnold Clark disconnected its systems voluntarily after an external security consultant warned it of suspicious traffic on its network. It then carried out an extensive review of its IT estate in collaboration with its cyber partners. It said its priority had been to protect customer data, its own systems and its third-party partners, and that this had been achieved.

However, according to the Mail on Sunday, which was first to report the latest developments, an individual claiming affiliation with Play posted a 15GB tranche of customer data stolen in the incident to the dark web. The data is understood to include addresses, passport data and national insurance numbers. Predictably, they are threatening to release a much larger quantity of data if not paid off.

In a statement provided to Automotive Management magazine, Arnold Clark said its investigations were ongoing, and it was now trying to establish what data had been compromised as a priority, at which point it will contact affected customers. It has also been working with law enforcement, and the incident has been notified to the Information Commissioner’s Office (ICO) in accordance with its legal obligations. The organisation did not respond to a request for comment from Computer Weekly.

After springing to prominence in mid-2022 with a string of cyber attacks on organisations in Latin America, the Play ransomware cartel has become one of the more active and dangerous groups currently operating.

Most famously, it was behind the 2 December 2022 attack on Rackspace, which saw customers left out in the cold after the IT services provider was forced to shut down its Hosted Exchange business.

Rackspace later revealed the gang accessed the Personal Storage Tables (PSTs) of 27 of its customers, out of a total of 30,000, but said there was no evidence that the data was viewed, obtained, misused or disseminated in any way.

The gang was confirmed to have hit Rackspace by chaining a pair of vulnerabilities tracked as ProxyNotShell/OWASSRF in a server-side request forgery that allowed it to achieve remote code execution (RCE) through Outlook Web Access (OWA).

Prior to its enthusiastic take-up of OWASSRF, the group favoured compromised virtual private network (VPN) accounts, as well as domain and local accounts, and exposed remote desktop protocol (RDP) servers, to gain initial access. It also exploited disclosed vulnerabilities in Fortinet’s FortiOS operating system.

Play draws its name from the .play extension it appends to encrypted files, and has been observed exhibiting broadly similar behaviour to the Hive and Nokoyawa operations, according to intelligence gleaned by researchers at Trend Micro, who suggested they may be run by the same people. There also exists the possibility of a link to the Quantum ransomware, itself thought to be a splinter group of Conti.

Whether or not Arnold Clark fell victim to the same attack chain is unconfirmed.





Copyright for syndicated content belongs to the linked source: Computer Weekly – https://www.computerweekly.com/news/252529566/Arnold-Clark-cyber-attack-claimed-by-Play-ransomware-gang
