Porsche South Africa’s headquarters in Johannesburg suffered a disruptive ransomware attack over the weekend, taking down several of the company’s systems and at least some backups.
MyBroadband understands the attackers used a relatively new ransomware strain called Faust to encrypt the company’s files and lock it out of corporate systems.
Security researchers have reported that Faust is derived from the Phobos ransomware family.
This malware family is typically deployed through compromised Remote Desktop Protocol (RDP) access, with attackers logging in remotely and launching the ransomware by hand.
But according to PCRisk.com, the first to identify Faust in November, the variant is spread through downloads from malicious websites or torrents, online scams, attachments in spam emails, activation tools for pirated software, and fake updates.
Like other ransomware, it encrypts potentially critical data, making it unusable until decrypted with tools for which the victim must pay the attackers a specified amount in cryptocurrency.
Aside from encrypting the data, Faust modifies file names by adding a unique ID for the victim, an email address belonging to the attacker, and a .faust extension.
It then generates a pop-up window displaying the ransom demand, which is stored in a text file.
The ransom note states that the victim’s files have been encrypted and that they must pay a certain amount in Bitcoin to get the tools needed to decrypt their files.
The victim is also warned that renaming the encrypted files or using third-party tools to decrypt them could lead to permanent data loss.
PCRisk.com said the amount payable would depend on how fast a victim contacted the malicious actors.
Victims are also allowed to decrypt five files with certain specifications at no charge, as an apparent illustration that the decryption tools work as promised.
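The renaming scheme described above is the quickest way for a responder to scope an incident of this kind: the victim ID and attacker address are embedded in every encrypted file name, and the original name can be recovered from it without touching the file. The following script, added here as an illustration and not taken from the article, PCRisk.com or any real incident, parses a file listing for that pattern. The bracketed `.id[...].[email]` layout and the sample file names are assumptions made for the example; the article only states that the ID, the e-mail address and the `.faust` extension are appended. Because the ransom note warns that renaming encrypted files can cause permanent loss, the script reports and never renames.

```python
import re
from collections import Counter

# Constructed sample directory listing for this example (not taken from the
# article or any real incident). The bracketed ".id[...].[email]" layout is
# an assumption about how a Phobos-derived strain writes its tag; the
# article only states that the name gains a victim ID, an attacker e-mail
# address and a .faust extension.
SAMPLE_LISTING = [
    "finance/Q3_financing_contracts.xlsx.id[7A1B2C3D-2911].[contact@example.invalid].faust",
    "crm/service_plan_customers.csv.id[7A1B2C3D-2911].[contact@example.invalid].faust",
    "marketing/showroom.jpg.id[7A1B2C3D-2911].[contact@example.invalid].faust",
    "finance/budget_2023.xlsx",          # untouched file
    "crm/notes.docx",                    # untouched file
    "archive/oldproject.faust",          # .faust alone, no ID or e-mail: not a match
    "crm/invoice.pdf.id[7A1B2C3D-2911].[contact@example.invalid].faust.bak",  # stray copy: not a match
]

# Assumed tag layout: <original>.id[<victim id>].[<attacker e-mail>].faust
FAUST_NAME = re.compile(
    r"^(?P<original>.+?)"                                   # pre-encryption path and name
    r"\.id\[(?P<victim_id>[0-9A-Za-z]+-[0-9A-Za-z]+)\]"     # per-victim ID
    r"\.\[(?P<email>[^\[\]\s@]+@[^\[\]\s@]+)\]"             # attacker contact address
    r"\.faust$"                                             # appended extension
)


def parse_faust_name(name: str):
    """Return the components of a Faust-style file name, or None if it does not match."""
    m = FAUST_NAME.match(name)
    return m.groupdict() if m else None


def triage_listing(names):
    """Scope the encryption from a file listing without modifying any file.

    Returns the number of encrypted files, the distinct victim IDs and attacker
    addresses seen (one incident normally shows one of each; more than one
    suggests several affiliates or a second encryption run), the original
    extensions that were hit, and the recovered original names so that backups
    can be matched against them. Nothing is renamed on disk: the ransom note
    warns that renaming can cause permanent loss, so this is report-only.
    """
    hits = [(n, parse_faust_name(n)) for n in names]
    hits = [(n, p) for n, p in hits if p]

    ext_counts = Counter()
    for _, p in hits:
        base = p["original"].rsplit("/", 1)[-1]
        ext = base.rsplit(".", 1)[1].lower() if "." in base else ""
        ext_counts[ext] += 1

    return {
        "encrypted_count": len(hits),
        "victim_ids": sorted({p["victim_id"] for _, p in hits}),
        "attacker_emails": sorted({p["email"] for _, p in hits}),
        "extensions": dict(ext_counts),
        "original_names": [p["original"] for _, p in hits],
    }


if __name__ == "__main__":
    report = triage_listing(SAMPLE_LISTING)
    print(f"encrypted files: {report['encrypted_count']}")
    print(f"victim IDs:      {report['victim_ids']}")
    print(f"attacker e-mail: {report['attacker_emails']}")
    print(f"hit extensions:  {report['extensions']}")
    for name in report["original_names"]:
        print(f"  restore from backup: {name}")
```

On a live host the listing would come from a file-system walk of the affected shares; the victim ID and e-mail are the values to hand to the incident record, and the recovered original names are what the restore job needs. If the strain you are facing lays out the tag differently, only `FAUST_NAME` needs to change.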
No free decryptor for Faust is currently known, so the files cannot be recovered without the attackers' involvement. Free decryption tools are often available for older ransomware strains; No More Ransom maintains a list of them.
Even where no decryptor exists, paying the ransom does not guarantee that the attackers will hand over working decryption tools.
Typically, companies with solid contingency measures in place would be able to purge the infected machines, fix the security hole the attackers used to get in, and restore systems from backups.
Porsche South Africa says “no comment”
MyBroadband contacted Porsche South Africa for further details about the incident, but it declined to comment — neither confirming nor denying the attack.
When we pressed the company on its responsibility to report any incidents in which customer data might have been exposed, a spokesperson said that “all protocols would be observed”.
It was unclear what the attackers demanded from the company or whether it had paid a ransom to regain access to its system.
It was also unknown whether the attackers had compromised or stolen sensitive operational or customer data for further use.
Vehicle dealerships often deal with people’s personal identifiable information, as it is often required for car financing and service or maintenance plans.
However, Paraflare’s Digital Forensics and Incident Response team has found that Phobos ransomware operators were not known for exfiltrating data to be used in double-extortion style attacks.
In such “double-extortion” cases, attackers threaten to publish the data they have stolen, typically on the dark web but also on clearweb platforms like Telegram, where other malicious actors can pick it up and reuse it.
Paraflare also found that Phobos-affiliated attackers generally operated with greater autonomy, had lower ransom amount demands, and were less professional than operators using other ransomware families.
Porsche Japan suffered a cyberattack in February 2018 that led to customers’ data being leaked to hackers.
In that incident, details like customer names, home addresses, contact numbers, annual salaries, and owned cars were exfiltrated.