Yamaha

Yamaha Motor's Philippines motorcycle manufacturing subsidiary was hit by a ransomware attack last month, resulting in the theft and leak of some employees' personal information.

The motorcycle manufacturer has been investigating the incident with the help of external security experts hired after the breach was first detected on October 25.

"One of the servers managed by [..] motorcycle manufacturing and sales subsidiary in the Philippines, Yamaha Motor Philippines, Inc. (YMPH), was accessed without authorization by a third party and hit by a ransomware attack, and a partial leakage of employees' personal information stored by the company was confirmed," Yamaha said.

"YMPH and the IT Center at Yamaha Motor headquarters established a countermeasures team and have been working to prevent further damage while investigating the scope of the impact, etc., and working on a recovery together with input from an external internet security company."

Yamaha said the threat actors breached a single server at Yamaha Motor Philippines and that their attack didn't impact the headquarters or any other subsidiaries within the Yamaha Motor group.

The company also reported the incident to relevant Philippine authorities and is currently working on assessing the full extent of the attack's impact.

A Yamaha Motor spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.

Breach claimed by INC Ransom gang

While the company has yet to attribute the attack to a specific operation, the INC Ransom gang has claimed the attack and leaked what they claim is data stolen from Yamaha Motor Philippines' network.

The threat actors added the company to its dark web leak site on Wednesday, November 15, and has since published multiple file archives with roughly 37GB of allegedly stolen data containing employee ID info, backup files, and corporate and sales information, among others.

Yamaha Motor Phillipines leak page on INC RANSOM site
Yamaha Motor Philippines leak page on INC RANSOM site (BleepingComputer)

INC Ransom surfaced in August 2023 and has targeted organizations spanning various sectors such as healthcare, education, and government in double extortion attacks.

Since then, INC Ransom has added 30 victims to its leak website. However, the number of breached organizations is likely bigger, as only those declining to pay the ransom face public disclosure and subsequent data leaks.

The threat actors gain access to their targets' networks via spearphishing emails, but they've also been observed using Citrix NetScaler CVE-2023-3519 exploits, according to SentinelOne.

After gaining access, they move laterally through the network, first harvesting and downloading sensitive files for ransom leverage and then deploying ransomware payloads to encrypt compromised systems.

Additionally, INC-README.TXT and INC-README.HTML files are automatically dropped within each folder with encrypted files.

INC RANSOM note
INC RANSOM note (Zscaler ThreatLabz)

Victims are issued a 72-hour ultimatum to engage with the threat actors for negotiations, under threat of the ransomware gang publicly disclosing all pilfered data on their leak blog.

Those complying with the ransom demand also receive assurances that they'll be helped decrypt their files.

Additionally, the attackers pledge to provide details regarding the initial attack method, guidance on securing their networks, evidence of data destruction, and a "guarantee" that they won't be attacked again by INC Ransom operators.

Related Articles:

INC Ransom threatens to leak 3TB of NHS Scotland stolen data

Tech giant Nidec confirms data breach following ransomware attack

Casio confirms customer data stolen in a ransomware attack

Underground ransomware claims attack on Casio, leaks stolen data

Xerox says subsidiary XBS U.S. breached after ransomware gang leaks data