
Arnold Clark cyber attack claimed by Play ransomware gang – ComputerWeekly.com

Glasgow-based Arnold Clark – one of the UK’s largest car dealer networks, which made a billionaire out of its founder – is facing a multimillion-pound ransom demand from the Play double extortion ransomware cartel following a cyber attack on its systems.
The attack on the organisation took place in the run-up to Christmas and saw staff resorting to pen and paper to record customer transactions after being locked out of their systems. The company was also unable to complete handovers of new vehicles as a result.
In the wake of the attack, Arnold Clark disconnected its systems voluntarily after an external security consultant warned it of suspicious traffic on its network. It then conducted an extensive review of its IT estate in collaboration with its cyber partners. It said its priority had been to protect customer data, its own systems and its third-party partners, and that this had been achieved.
However, according to the Mail on Sunday, which was first to report the latest developments, an individual claiming association with Play posted a 15GB tranche of customer data stolen in the incident to the dark web. The data is understood to include addresses, passport data and national insurance numbers. Predictably, they are threatening to release a much larger amount of data if not paid off.
In a statement provided to Automotive Management magazine, Arnold Clark said its investigations were ongoing, and it was now trying to establish what data had been compromised as a priority, at which point it will contact affected customers. It has also been working with law enforcement, and the incident has been notified to the Information Commissioner’s Office (ICO) in accordance with its legal obligations. The organisation did not respond to a request for comment from Computer Weekly.
After springing to prominence in mid-2022 with a string of cyber attacks on organisations in Latin America, the Play ransomware cartel has become one of the more active and dangerous groups currently operating.
Most famously, it was behind the 2 December 2022 attack on Rackspace, which saw customers left out in the cold after the IT services supplier was forced to shut down its Hosted Exchange business.
Rackspace later revealed the gang accessed the Personal Storage Tables (PSTs) of 27 of its customers, out of a total of 30,000, but said there was no evidence that the data was viewed, obtained, misused or disseminated in any way.
The gang was confirmed to have hit Rackspace by chaining a pair of vulnerabilities tracked as ProxyNotShell/OWASSRF in a server-side request forgery that allowed it to achieve remote code execution (RCE) through Outlook Web Access (OWA).
Prior to its enthusiastic take-up of OWASSRF, the group favoured compromised virtual private network (VPN) accounts, as well as domain and local accounts, and exposed remote desktop protocol (RDP) servers, to gain initial access. It also exploited disclosed vulnerabilities in Fortinet’s FortiOS operating system.
Play draws its name from the .play extension it appends to encrypted files, and has been observed exhibiting broadly similar behaviour to the Hive and Nokoyawa operations, according to intelligence gleaned by researchers at Trend Micro, who suggested they may be run by the same people. There is also the possibility of a link to the Quantum ransomware, itself thought to be a splinter group of Conti.
Whether or not Arnold Clark fell victim to the same attack chain is unconfirmed.
