Software AG caught in double extortion ransomware hit

German software giant Software AG is racing to contain a major data leak resulting from a double extortion attack that saw its files encrypted and stolen by the operators of the Clop ransomware.

The firm first came under attack on 3 October and was forced to shut down its internal systems, taking its helpdesk and internal communications offline, although its core customer-facing services, including its cloud-based services, were unaffected.

At the time of writing, its online support system remained offline and customers were being asked to email a support address with details of their problem instead of using the standard interface.

Clop’s operators are understood to have demanded an exceptionally high ransom payment of $20m, but Software AG has refused to pay, so the gang has now begun to publish its confidential data on the dark web. Screenshots obtained by ZDNet show the leaked data to include scans of employees’ identification, including passport details, internal emails and financial information.

Such double extortion attacks are becoming increasingly common after first emerging about 12 months ago, because they give cyber criminals an additional means to apply pressure to their victims.

“On 5 October 2020, Software AG disclosed that it is affected by a malware attack,” said the company in a statement. “The malware is not fully contained yet, and Software AG’s systems remain being affected by the attack.

“Today, Software AG has obtained first evidence that data was downloaded from Software AG’s servers and employee notebooks. There are still no indications for services to the customers, including the cloud-based services, being disrupted. The company is refining its operations and internal processes continuously.

“Software AG is further investigating the incident and is doing everything in its power to contain the data leak and to resolve the ongoing disruption of its internal systems, in