A ransomware organization claims it stole a large amount of financial, employee and sales data from publicly traded dealership group AutoCanada.
The Sept. 17 notice and ransom demand on the dark web follow an IT breach AutoCanada first reported on Aug. 11.
Cybercrime group Hunters International gave a Sept. 20 deadline to pay the ransom, according to cybersecurity company HackManac, one of several dark-web monitoring organizations that flagged the threat.
AutoCanada owns 65 new-vehicle franchises in Canada and 18 in the United States. The group did not confirm the ransom request.
“We are working with law enforcement authorities to address the incident,” said Peter Hong, AutoCanada’s chief strategy officer and general counsel, in a Sept. 23 email to Automotive News Canada. “We are not able to provide any further comments at this time, other than what we previously publicly disclosed.”
The company did not immediately respond to a request for further comment Sept. 25.
Hunters International focuses on cyberattacks to steal or lock corporate data, then demands victims pay ransoms to regain access to the information or keep it from being leaked, said HackManac CEO Sofia Scozzari in an email to Automotive News Canada. Hunters International has targeted more than 150 companies in 32 countries in 2024, she said.
To extract ransoms, Scozzari said, Hunters International publicizes victims on the dark web, where tracing the hackers is nearly impossible.
It takes a forensic audit to verify hackers’ claims, said Justin Shanken, CEO of Atlanta cybersecurity company Black Breach, but there is typically “some level of truth.”
'A THOROUGH INVESTIGATION'
AutoCanada said in August that after discovering the breach, it took immediate action to safeguard its network and data, engaging cybersecurity experts to “assist us with containment and remediation efforts, as well as to conduct a thorough investigation to understand the scope and impact of the incident.”
Whether customer, supplier and employee data were compromised was not known, the company said at the time.
The breach was unrelated to the two cyberattacks in June on dealership management system company CDK Global, said AutoCanada Executive Chairman Paul Antony on Aug. 14.
The CDK outage impacted thousands of franchised retailers in North America, including some belonging to AutoCanada.
Ransoms for successful cyberattacks can run into the millions of dollars but are heavily dependent on the circumstances and presumed value of the data, said Erik Nachbahr, president of Helion Technologies, a U.S. cybersecurity and IT company that focuses on auto dealerships.
CDK reportedly paid a ransom of US $25 million (Cdn $36 million) to hacking group BlackSuit to restore its system.
Attackers typically make ransoms “attractive enough” that companies opt to pay them to get their systems back online as quickly as possible, Nachbahr said.
Groups such as Hunters International hold up their end of the deal, he added, proving to future victims that paying the ransom means resolution.
“There’s no incentive for [attackers] to not restore the system. They want to get the money and they want people to have faith that they’re going to restore the system.”
RISE IN RANSOMWARE
The approach, known as ransomware-as-a-service, is on the rise, said Black Breach’s Shanken.
“Most of these attackers and attack groups, like the Hunters attack group, they are working as a professional business, as a fighting force that’s hitting industries.”
Auto retail has become a target of choice for cybercriminals, Shanken said, partly because it’s perceived as a relatively easy target with businesses that are slow to invest in technology.
“They’re looking for very soft … targets that they’re hitting over and over again. When they find an industry that pays out, like dealerships, they abuse that industry.”
The CDK Global cyberattack drew international headlines and painted a bigger target on the industry’s back, Shanken said.
“Bad guys follow the news,” so as they watched the fallout, they saw further opportunities, he said.
While the fallout from cyberattacks can be highly damaging, most aren’t perpetrated by overly sophisticated means. Nachbahr of Helion Technologies said 95 per cent of breaches originate from phishing emails, with hackers using that initial foot in the door to work toward gaining administrative access to a company’s system.
“That’s when you hold the keys to the kingdom.”