{"id":601375,"date":"2023-01-26T06:49:42","date_gmt":"2023-01-26T12:49:42","guid":{"rendered":"https:\/\/news.sellorbuyhomefast.com\/index.php\/2023\/01\/26\/arnold-clark-cyber-attack-claimed-by-play-ransomware-gang\/"},"modified":"2023-01-26T06:49:42","modified_gmt":"2023-01-26T12:49:42","slug":"arnold-clark-cyber-attack-claimed-by-play-ransomware-gang","status":"publish","type":"post","link":"https:\/\/newsycanuse.com\/index.php\/2023\/01\/26\/arnold-clark-cyber-attack-claimed-by-play-ransomware-gang\/","title":{"rendered":"Arnold Clark cyber attack claimed by Play ransomware gang"},"content":{"rendered":"<div>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.computerweekly.com\/rms\/computerweekly\/Car-vehicle-park-adobe_searchsitetablet_520X173.jpg\" data-credit=\"Oleksandr - stock.adobe.com\"  width=\"520\" height=\"173\" alt><\/p>\n<p>Oleksandr &#8211; stock.adobe.com<\/p>\n<\/p><\/div>\n<div id=\"content-header\">\n<h2>A cyber attack that struck car dealer Arnold Clark prior to Christmas has been claimed as the work of the Play ransomware cartel<\/h2>\n<\/div>\n<div id=\"content-center\">\n<ul>\n<li><i data-icon=\"1\"><\/i><\/li>\n<li><i data-icon=\"2\"><\/i><\/li>\n<\/ul>\n<div id=\"contributors-block\">\n<p><img decoding=\"async\" src=\"https:\/\/cdn.ttgtmedia.com\/rms\/computerweekly\/Alex-Scroxton-CW-Contributor-2022.jpg\" alt=\"Alex Scroxton\">\n\t\t\t\t\t<\/p>\n<p><span>By<\/span><\/p>\n<ul>\n<li>\n\t\t\t\t\t<a href=\"https:\/\/www.techtarget.com\/contributor\/Alex-Scroxton\">Alex Scroxton,<\/a><br \/>\n\t\t\t\t\t\t<span>Security Editor<\/span>\n\t\t\t\t\t\t<\/li>\n<\/ul>\n<p>\n\tPublished: <span>25 Jan 2023 14:30<\/span>\n<\/p>\n<\/div>\n<section id=\"content-body\">\n<p>Glasgow-based <a href=\"https:\/\/www.arnoldclark.com\/\">Arnold Clark<\/a> \u2013 one of the UK\u2019s largest car dealer networks, which made a billionaire out of its founder \u2013 is facing a multimillion-pound ransom demand from the <a 
href=\"https:\/\/www.techtarget.com\/searchsecurity\/news\/252528594\/Play-ransomware-actors-bypass-ProxyNotShell-mitigations\">Play double extortion ransomware cartel<\/a> following a cyber attack on its systems.<\/p>\n<p>The attack on the organisation took place in the run-up to Christmas and saw staff resorting to pen and paper to record customer transactions after being locked out of their systems. It was also unable to complete handovers of new vehicles as a result.<\/p>\n<p><a href=\"https:\/\/twitter.com\/ArnoldClark\/status\/1610260969510297600\/photo\/1\">In the wake of the attack, Arnold Clark<\/a> disconnected its systems voluntarily after an external security consultant warned it of suspicious traffic on its network. It then conducted an extensive review of its IT estate in collaboration with its cyber partners. It said its priority had been to protect customer data, its own systems and its third-party partners, and that this had been achieved.<\/p>\n<p>However, <a href=\"https:\/\/www.dailymail.co.uk\/news\/article-11662535\/Drivers-warned-identity-theft-car-dealers-giant-Arnold-Clark-hit-cyber-attack.html\">according to the <em>Mail on Sunday<\/em><\/a>, which was first to report the latest developments, an individual claiming association with Play posted a 15GB tranche of customer data stolen in the incident to the dark web. The data is understood to include addresses, passport data and national insurance numbers. Predictably, they are threatening to release a much larger amount of data if not paid off.<\/p>\n<p>In a statement provided to <em><a href=\"https:\/\/www.am-online.com\/news\/dealer-news\/2023\/01\/23\/arnold-clark-blackmailed-by-hackers-following-cyber-attack-data-breach\">Automotive Management<\/a><\/em> magazine, Arnold Clark said its investigations were ongoing, and it was now trying to establish what data had been compromised as a priority, at which point it will contact affected customers. 
It has also been working with law enforcement, and the incident has been notified to the <a href=\"https:\/\/ico.org.uk\/\">Information Commissioner\u2019s Office<\/a> (ICO) in accordance with its legal obligations. The organisation did not respond to a request for comment from Computer Weekly.<\/p>\n<p>After springing to prominence in mid-2022 with a string of cyber attacks on organisations in Latin America, the Play ransomware cartel has become one of the more active and dangerous groups currently operating.<\/p>\n<p>Most famously, it was behind the <a href=\"https:\/\/www.computerweekly.com\/news\/252528085\/Rackspace-email-outage-confirmed-as-ransomware-attack\">2 December 2022 attack on Rackspace<\/a>, which saw <a href=\"https:\/\/www.computerweekly.com\/news\/252528283\/Customer-frustrations-mount-as-Rackspace-investigation-proceeds\">customers left out in the cold<\/a> after the IT services supplier was forced to shut down its Hosted Exchange business.<\/p>\n<p><a href=\"https:\/\/www.techtarget.com\/searchsecurity\/news\/252528944\/Rackspace-Ransomware-actor-accessed-27-customers-data\">Rackspace later revealed<\/a> the gang accessed the Personal Storage Tables (PSTs) of 27 of its customers, out of a total of 30,000, but said there was no evidence that the data was viewed, obtained, misused or disseminated in any way.<\/p>\n<p>The gang was confirmed to have hit Rackspace by <a href=\"https:\/\/www.techtarget.com\/searchsecurity\/news\/252528884\/Rackspace-Ransomware-attack-caused-by-zero-day-exploit\">chaining a pair of vulnerabilities<\/a> tracked as <a href=\"https:\/\/www.computerweekly.com\/news\/252529519\/SSRF-attacks-hit-100000-businesses-globally-since-November\">ProxyNotShell\/OWASSRF<\/a> in a server-side request forgery that allowed it to achieve remote code execution (RCE) through Outlook Web Access (OWA).<\/p>\n<p>Prior to its enthusiastic take-up of OWASSRF, the group favoured compromised virtual private network (VPN) accounts, as well as 
domain and local accounts, and exposed remote desktop protocol (RDP) servers, to gain initial access. It also exploited disclosed vulnerabilities <a href=\"https:\/\/www.computerweekly.com\/news\/252528897\/Warning-over-ransomware-attacks-spreading-via-Fortinet-kit\">in Fortinet\u2019s FortiOS operating system<\/a>.<\/p>\n<p>Play draws its name from the .play extension it appends to encrypted files, and has been observed exhibiting broadly similar behaviour to the <a href=\"https:\/\/www.techtarget.com\/searchsecurity\/news\/252510974\/Hive-ransomware-claims-hundreds-of-victims-in-six-month-span\">Hive and Nokoyawa operations<\/a>, according to intelligence <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/i\/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html\">gleaned by researchers at Trend Micro<\/a>, who suggested they may be run by the same people. There exists also the possibility of a link to the Quantum ransomware, itself thought to be a splinter group of <a href=\"https:\/\/www.computerweekly.com\/news\/252520524\/Did-the-Conti-ransomware-crew-orchestrate-its-own-demise\">Conti<\/a>.<\/p>\n<p>Whether or not Arnold Clark fell victim to the same attack chain is unconfirmed.<\/p>\n<\/section>\n<\/div>\n<p><a href=\"https:\/\/www.computerweekly.com\/news\/252529566\/Arnold-Clark-cyber-attack-claimed-by-Play-ransomware-gang\" class=\"button purchase\" rel=\"nofollow noopener\" target=\"_blank\">Read More<\/a><br \/>\n Tomi Schewe<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Oleksandr &#8211; stock.adobe.com A cyber attack that struck car dealer Arnold Clark prior to Christmas has been claimed as the work of the Play ransomware cartel By Alex Scroxton, Security Editor Published: 25 Jan 2023 14:30 Glasgow-based Arnold Clark \u2013 one of the UK\u2019s largest car dealer networks, which made a billionaire out of
its<\/p>\n","protected":false},"author":1,"featured_media":601376,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1288,2647,46],"tags":[],"class_list":{"0":"post-601375","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-arnold","8":"category-clark","9":"category-technology"},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/601375","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/comments?post=601375"}],"version-history":[{"count":0,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/601375\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media\/601376"}],"wp:attachment":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media?parent=601375"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/categories?post=601375"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/tags?post=601375"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}