
Yamaha Motor Philippines Hit by Ransomware Attack: Investigation, Countermeasures, and Perpetrators Revealed

Ransomware Attack on Yamaha Motor Philippines

In November 2023, Yamaha Motor Philippines, a subsidiary of Yamaha Motor, fell victim to a ransomware attack. A third party accessed one of its servers without authorization and deployed ransomware on it. As a result, a partial leakage of employees' personal information was confirmed. The organization clarified that the unauthorized access was limited to a single server and did not impact the headquarters or other subsidiaries within the Yamaha Motor group.

Detailed Circumstances of the Ransomware Attack

Yamaha reported that threat actors had breached one of its servers, leading to the observed attack. While Yamaha had not linked the attack to a particular operation, the INC RANSOM gang took credit for it and allegedly leaked what it claims is data stolen from Yamaha Motor Philippines' network. The extent of the data breach is not definitively known at this time, and investigations are ongoing.

Impact on Yamaha and Employees

The breach violated the privacy of numerous Yamaha Motor Philippines employees, since the ransomware attack resulted in a confirmed leak of their personal information. The stolen data was subsequently leaked online by the perpetrators. Yamaha is currently working on damage control and reassessing its security measures to prevent similar incidents in the future.

Investigation and Countermeasures

Upon discovering the unauthorized access and ransomware attack on one of its servers, Yamaha Motor Philippines (YMPH) responded swiftly by setting up a countermeasures team. This team, involving both the IT center at Yamaha Motor headquarters in Japan and YMPH, was tasked with preventing further damage while also investigating the extent of the attack's impact.

Reporting to the Philippine authorities

In addition to their internal response, Yamaha was transparent in its communication about the incident. The company reported the ransomware attack to the Philippine authorities, as part of its compliance with local regulations and commitment to dealing with the issue responsibly.

Revealing compromised personal information

Investigations into the attack confirmed the unfortunate breach of some employees' personal information. While the specifics of the data leakage have not been fully disclosed, the company confirmed that personal data stored by Yamaha Motor Philippines had been leaked online by the attackers.

Restoration of unaffected systems

As part of its response to the attack, Yamaha announced that servers and systems not compromised by the attack have already been restored. It also stated that the impact of the attack was limited to one server managed by Yamaha Motor Philippines and did not affect other parts of the Yamaha Motor group. Work to fully restore the systems damaged in the attack continues.

Perpetrators and Their Method

The ransomware attack on Yamaha Motor Philippines was claimed by the INC Ransom gang, a group notorious for carrying out similar attacks on other organizations. Although Yamaha Motor had not assigned responsibility to a particular group, INC Ransom was quick to take credit for the breach, leaking allegedly stolen data from Yamaha Motor Philippines on its dark web site.

Opportunistic Approach of the Ransomware Group

The INC Ransom gang operates with an opportunistic approach. It typically targets organizations across various sectors, leveraging their vulnerabilities to gain unauthorized access to and control of their systems and networks. Its method of operation, known as "double extortion," involves first harvesting sensitive files, then deploying ransomware to encrypt systems, and finally threatening organizations with public disclosure of the stolen data if the ransom demands are not met.

Exploitation of CVE-2023-3519 Vulnerability

Among the methods INC Ransom is known to employ in its attacks, the group has been observed exploiting CVE-2023-3519, a critical-severity vulnerability in Citrix NetScaler ADC and Gateway. Exploiting such vulnerabilities gives the group unchecked network access, which facilitates subsequent lateral movement and enables the in-depth attacks that have given it its notorious reputation.

Post-Attack Actions of INC Ransom

Once it has breached a victim's cybersecurity defenses, INC Ransom places a 72-hour ultimatum on the victim organization. This is the window within which negotiations should be opened; after that point, the group threatens to disclose all stolen data publicly. Interestingly, organizations that acquiesce to the demand are offered help in decrypting their files and securing their networks against future threats.

Consequence of the Breach

Following the ransomware attack, INC Ransom published what it claimed was data stolen from Yamaha Motor Philippines on its leak site. The cybercriminal group allegedly leaked around 37GB of Yamaha's data, compromising employee ID information, backup files, and corporate and sales information. This public disclosure represents a significant violation of Yamaha's data security and privacy, highlighting the severity of the breach and its implications.

Recent Activities of INC Ransom

INC Ransom has been highly active since surfacing in August 2023. The group has targeted a range of organizations spanning various sectors, including healthcare, education, and government. Since its inception, it has added about 30 victims to its leak site, suggesting a formidable list of successful breaches. However, this number could be higher, as only the organizations that refuse to pay the ransom are publicly disclosed on the site.

Post-attack Procedures of INC Ransom

In its typical modus operandi, following a successful attack, the group issues a 72-hour ultimatum to its victims to negotiate the ransom payment. If the ransom demand is met, the victims receive help decrypting their files, insights about the initial attack method, guidance on fortifying their networks, and evidence of data destruction. Notably, they also receive an unreliable "guarantee" from the attackers that they won't be targeted again by the same ransomware operators.

Reactionary Times News Desk
