Software AG, Germany's second-largest software company and one of the largest software vendors in the world, is facing a ransom demand of more than $20m (£15.3m) from the Clop ransomware group.

With more than 10,000 enterprise customers in 70 countries, the firm counts many household names among its clients, including Fujitsu, Vodafone, Telefonica, Airbus and DHL. Its product line covers a wide range of business infrastructure software, including business process management systems (BPMS), service-oriented architecture (SOA) tooling, enterprise service bus (ESB) frameworks and database systems.

Disclosure of a ransomware attack

When Software AG first disclosed the incident, it said it was experiencing disruption to its internal network as a result of a malware attack. The firm added that the services it provides to customers, including its cloud-based products, were unaffected, and that there was no indication that customer data had been accessed. It later revised that statement, admitting that new evidence indicated data had in fact been stolen. Although the revised statement remained on the company website, Software AG was not available for further comment on the attack.

Ransomware note revealed

Security researchers at MalwareHunterTeam obtained a sample of the Clop ransomware used against the German software company. Its ransom note demanded more than $20m, making it one of the highest sums demanded by ransomware operators to date.

The victim ID embedded in the ransom note also allowed researchers to view the negotiation chat between Software AG and the Clop gang, which was conducted on a web portal the gang operates specifically for ransom negotiations.

After negotiations between the gang and Software AG broke down, Clop published a series of screenshots of the company's data on its dark-web leak site. The screenshots showed a wide range of confidential material, including financial documents, scans of employee ID cards and passports, staff emails and directory listings taken from the firm's internal network.

Enterprises worldwide are learning that ransomware operators no longer make empty threats. When companies refuse to pay, gangs such as Clop and Maze routinely publish the stolen data, which frequently contains the personal information of employees, suppliers and customers, a tactic known as double extortion.

While many companies still refuse to pay, others do so to avoid disruption to their services, exposure of sensitive data and regulatory fines for failing to protect personal information adequately. Cybersecurity experts and international law enforcement agencies nevertheless advise against paying, arguing that it funds further cybercrime and offers no assurance that the stolen data will be kept private. Even when files are successfully decrypted, the attackers have already copied them, so a data breach has occurred regardless of whether the ransom is paid.