Yamaha Motor’s subsidiary in the Philippines, Yamaha Motor Philippines, Inc. (YMPH), fell victim to a ransomware attack in late October. The breach was detected on October 25, prompting the motorcycle manufacturer to engage external security experts for a thorough investigation.
Scope and Impact:
The unauthorized access targeted a server managed by YMPH, leading to a ransomware infection and partial leakage of employee personal information. Yamaha Motor, in collaboration with its IT Center and external internet security experts, swiftly formed a countermeasures team to mitigate the breach’s impact and prevent further damage.
Isolation and Attribution:
Yamaha clarified that the breach was confined to a single server at Yamaha Motor Philippines, leaving the headquarters and other subsidiaries within the Yamaha Motor group unaffected. While the company has not officially attributed the attack, the INC Ransom gang has claimed responsibility, boasting that it has leaked data stolen from Yamaha Motor Philippines’ network.
Modus Operandi of INC Ransom:
INC Ransom, which emerged in August 2023, employs double extortion tactics across sectors such as healthcare, education, and government. The threat actors gain initial access through spearphishing emails and, notably, by exploiting the Citrix NetScaler vulnerability CVE-2023-3519. Once inside the network, they harvest sensitive files for ransom leverage before deploying ransomware payloads to encrypt systems.
Public Disclosure and Ultimatum:
INC Ransom’s modus operandi involves adding victims to its dark web leak site and issuing a 72-hour ultimatum for negotiations. Failure to comply results in public disclosure on the gang’s leak blog. The leaked data, approximately 37GB in this instance, includes employee ID information, backup files, and corporate and sales data.
Response and Negotiation:
Yamaha Motor is actively cooperating with Philippine authorities to assess the full impact of the attack. INC Ransom typically provides assurances to those complying with ransom demands, offering assistance in decrypting files and sharing details about the initial attack method, network security guidance, evidence of data destruction, and a purported guarantee against future attacks.