
Software AG hit with ransomware: Crooks leak staffers' passports, want millions for stolen files

There's only one way to stop this, says counter-ransomware bod

Software AG has seemingly been hit by ransomware, with the German IT giant itself telling the Euro nation's stock market it had been “affected by a malware attack.”

In a notification to the German stock market published earlier this week, Software AG said: “The IT infrastructure of Software AG is affected by a malware attack since the evening of 3 October 2020.”

News of the “malware attack” has been slow to filter into the Anglosphere, though the German Press Agency newswire published a brief note that was syndicated on obscure investment websites yesterday evening. That report states “data from Software AG servers and employees' notebooks were downloaded.”

"While services to its customers, including its cloud-based services, remain unaffected, as a result, Software AG has shut down the internal systems in a controlled manner in accordance with the company's internal security regulations," the firm’s note to the stock market continued.

"The company is in the process of restoring its systems and data in order to resume orderly operation. However, helpdesk services and internal communication at Software AG are currently still being affected."

It added: “Software AG is not aware of any customer information being accessed by the malware attack.”

The Register has asked Software AG for comment. At the time of writing the company’s homepage refers visitors to “important customer information,” but only ‘fesses up to “technical issues with our online support system,” albeit with a link to the stock market note.

At least one customer seemed unaware of what was going on:

Screenshots of the attackers’ ransom webpage, seen by El Reg, show scans of staffers’ passports, internal billing notes, and what appears to be internal directories on a Windows-based system. Folder names suggest the contents could relate to Software AG customers in the US and Canada.

Brett Callow, a threat analyst with ransomware specialist firm Emsisoft, told The Register that the Clop ransomware variant, thought to have been used in this attack, is relatively new.

“Clop is a variant of CryptoMix and may be used by the group behind the Dridex banking trojan. Like REvil and NetWalker, it is primarily used to target enterprise networks, with known past victims including Prominent and ExecuPharm. Clop’s demands can run to the millions.”

Speaking in general about the murky world of ransomware, Callow added: “In 2018, the average ransom demand was $5k USD with most victims being small businesses. Today, the average demand is somewhere between $150k and $250k, with multi-million dollar demands increasingly the norm and victims including multinationals, governments and hospitals. As a result, the criminals are better resourced and more motivated than ever.”

Echoing an increasingly common demand, he concluded: “As we’ve said before, the only way to stop this escalation and to put a spoke in the wheel of this multi-billion industry, is to prohibit the payment of demands. If the revenue stream dries up, the attacks will dry up.”

We understand the ransom demand against Software AG runs into millions of dollars and will update this article if the company gives any more details. ®
