Automotive giant Denso is a victim of new ransomware “Pandora”

Automotive parts manufacturer Denso Corporation announced that it suffered a cyber attack by a new ransomware, Pandora, on March 10, and confirmed the leak of data allegedly stolen during the attack.

Denso has confirmed that on March 10, 2022, the network of a group company in Germany was illegally accessed by a third party. After detecting the unauthorized access, DENSO promptly shut down the network connections of the devices that received the unauthorized access and confirmed that other DENSO facilities were not affected. The details of the incident are currently under investigation, and there has been no interruption to production activities. All plants are operating as usual.

Denso is one of the world’s largest automotive parts manufacturers, supplying a variety of specialized components to brands such as Toyota, Mercedes-Benz, Ford, Honda, Volvo, Fiat, and General Motors.

Although the company operates in Japan, it has more than 200 subsidiaries and 168,391 employees worldwide, with revenues of $44.6 billion in 2021.

Denso announces that on March 10, 2022 its corporate network in Germany was compromised.

The company says it detected the unauthorized access and responded immediately, isolating the intruder from other network equipment and limiting the impact to the German division only.

A disruption to Denso’s supply chain would have a domino effect on vehicle production at multiple facilities around the world, hitting an industry already struggling with chip shortages and plant closures in Ukraine.

Although Denso says its operations have not been affected by the cyber attack, a new ransomware group, Pandora, has begun leaking 1.4 TB of files that were allegedly stolen during the network breach.

Samples of the leaked data include purchase orders, technical schematics, and non-disclosure agreements. At this time we are unable to confirm whether the leaked files were stolen in the recent incident.

Denso has reported the leak to local law enforcement authorities. If the leaked files are authentic, copying, sharing, or publishing them would constitute a violation of the company’s intellectual property rights.

What is Pandora Ransomware?

Pandora ransomware is a new group that appeared in March 2022 and targets corporate networks, stealing data and launching a double extortion attack.

Once it gains access to a network, it spreads laterally, stealing unencrypted files and using them in its extortion demands.

Security researcher Arkbird discovered that Pandora uses the same executable packer as “NightSky,” a rebrand of the LockFile/AtomSilo ransomware.

Rook is also believed to be based on the Babuk ransomware source code that was leaked on hacker forums last September.

Ransomware operations change their group names to avoid potential law enforcement action or government sanctions, a practice the security community calls a “rebrand.”

If Pandora is a rebrand of Rook, it is expected to operate under this name for some time until it is rebranded under another name again, as has been seen with other versions of this ransomware.
