Software AG hit with ransomware: Crooks leak staffers' passports, want millions for stolen files

There's only one way to stop this, says counter-ransomware bod

Software AG has seemingly been hit by ransomware, with the German IT giant itself telling the Euro nation's stock market it had been “affected by a malware attack.”

In a notification to the German stock market published earlier this week, Software AG said: “The IT infrastructure of Software AG is affected by a malware attack since the evening of 3 October 2020.”

News of the “malware attack” has been slow to filter into the Anglosphere, though the German Press Agency newswire published a brief note that was syndicated on obscure investment websites yesterday evening. That report states “data from Software AG servers and employees' notebooks were downloaded.”

"While services to its customers, including its cloud-based services, remain unaffected, as a result, Software AG has shut down the internal systems in a controlled manner in accordance with the company's internal security regulations," the firm’s note to the stock market continued.

"The company is in the process of restoring its systems and data in order to resume orderly operation. However, helpdesk services and internal communication at Software AG are currently still being affected."

It added: “Software AG is not aware of any customer information being accessed by the malware attack.”

The Register has asked Software AG for comment. At the time of writing the company’s homepage refers visitors to “important customer information,” but only ‘fesses up to “technical issues with our online support system,” albeit with a link to the stock market note.

At least one customer seemed unaware of what was going on:

Screenshots of the attackers’ ransom webpage, seen by El Reg, show scans of staffers’ passports, internal billing notes, and what appears to be internal directories on a Windows-based system. Folder names suggest the contents could relate to Software AG customers in the US and Canada.

Brett Callow, a threat analyst with ransomware specialist firm Emsisoft, told The Register that the Clop ransomware variant, thought to have been used in this attack, is relatively new.

"Clop is a variant of CryptoMix and may be used by the group behind the Dridex banking trojan. Like REvil and NetWalker, it is primarily used to target enterprise networks, with known past victims including Prominent and ExecuPharm. Clop’s demands can run to the millions.”

Speaking in general about the murky world of ransomware, Callow added: “In 2018, the average ransom demand was $5k USD with most victims being small businesses. Today, the average demand is somewhere between $150k and $250k, with multi-million dollar demands increasingly the norm and victims including multinationals, governments and hospitals. As a result, the criminals are better resourced and more motivated than ever.”

Echoing an increasingly common demand, he concluded: “As we’ve said before, the only way to stop this escalation and to put a spoke in the wheel of this multi-billion industry, is to prohibit the payment of demands. If the revenue stream dries up, the attacks will dry up.”

We understand the ransom demand against Software AG runs into millions of dollars and will update this article if the company gives any more details. ®
