
Ferrari confirms extortion attempt, but car maker refuses to pay ransom


Italian sports car maker Ferrari confirmed Monday that it was hit with a ransomware extortion attempt by an unknown threat actor in which customer names, addresses, email addresses, and telephone numbers were exposed.

In a letter to customers, called the Ferrarista, the company was adamant that no payment details, bank account numbers or other sensitive payment information, and no details of Ferrari cars owned or ordered, had been stolen. The company also said the breach had no impact on its operations.

Ferrari said in a statement that it will not pay the ransom: “As a policy, Ferrari will not be held to ransom, as paying such demands funds criminal activity and enables threat actors to perpetuate their attacks.”

The company said that once it received the ransom demand, it immediately started an investigation in collaboration with a leading global third-party cybersecurity firm and has confirmed the data’s authenticity. It also informed the relevant authorities, and an investigation is under way.

Ofer Ben-Noon, co-founder and CEO of Talon Cyber Security, explained that the security teams of carmakers have incredibly difficult jobs. Ben-Noon said the sheer complexity of the environments in the automotive sector creates massive attack surfaces. 

“Think about it … these organizations have their traditional corporate employees, employees at dealerships and up-and-down the supply chain, contractors that have access to systems, and more users that they need to protect,” said Ben-Noon. “This is all on top of having to secure the actual cars. With so much data moving back and forth and so many users connecting from different locations and devices, there are bound to be blind spots for attackers to exploit.”

Do threat actors target companies with wealthy clients?

Ben-Noon said the attack proves that the threat actors go after people with money. He said while there’s not yet evidence of any payment information being compromised, Ferrari has many high-net-worth individuals as customers, making the information extremely valuable for bad actors. 

“In regard to the ‘pay or don’t pay’ debate, it’s very simple from my perspective,” Ben-Noon said. “Any organization’s No. 1 objective in a situation like this is to protect customer data and ensure that it won’t be leaked to maintain trust and their reputation. In this case, Ferrari’s CEO notes that not paying the demand doesn’t change the data exposure.” 

Chuck Everette, Field CISO at Virsec, added that it’s typical for ransomware gangs to go after high-net-worth individuals. Everette said the threat actors assume that a successful business or luxury brand is more likely to pay the ransom and sweep it underneath the rug in an effort to protect their reputation and brand name.

“That would make Ferrari a big target to today’s cyber criminals,” Everette said. “It seems Ferrari has stated that the policy is not to pay ransoms, which from a security standpoint can seem confrontational, but law enforcement agencies and industry experts, including myself, view this as the proper approach.”

Everette noted that companies could be fined if they pay an organization that has been sanctioned.

“Also there are trends in regions and countries as to who will pay ransom,” Everette continued. “Less than 6% of Italian organizations typically pay ransoms compared to countries like India, in which 66% of the time they pay.”

Heath Renfrow, co-founder at Fenix24, said extortion tactics in ransomware increased dramatically from 2021 to 2022 and by late 2022, data theft was involved in nearly 90% of the ransomware cases they remediate in their practice. Renfrow explained that the lines are getting blurred between ransomware and extortion, since these actors use tactics both together and interchangeably.

“Since by some metrics, ransom payments have gone down, these extortion tactics ensure the threat actor is rewarded for their criminal activity,” said Renfrow. “Unfortunately for the victim organization, these sensitive data exposures greatly increase the destruction of the breach through public brand damage, forensics data discovery costs, public notification requirements, and legal fees. The best course of action for organizations going forward is to assess their enterprises for ransomware vulnerabilities and backup resiliency, because these bad actors aren’t going away anytime soon.”

David Mitchell, chief technical officer at HYAS, added that Ferrari was breached in October 2022 by the RansomEXX group, which is known to target hardware, software, automotive, and maritime companies.

“Based on the timing of this breach notification and the lack of any new data leaks discovered, it’s unknown if this is a very late notification of the previous attack or a new one,” said Mitchell.
