Toyota Financial Services (TFS) has probably been successfully attacked by the Medusa group, which is now threatening to publish the stolen data on November 26, 2023. According to Medusa, Toyota can prevent this by paying $8 million.
As early as November 14, 2023, Toyota Financial Services Europe & Africa reported unauthorized access to its systems. The statement read: “Toyota Financial Services Europe & Africa has recently discovered unauthorized activity on systems in a limited number of locations. We have taken certain systems offline to investigate these activities and reduce risk, and we have also begun working with law enforcement.”
Some systems are reportedly still not back in operation. In its statement, Toyota Financial Services Europe & Africa said it was working hard on a solution in order to get everything back into operation as quickly as possible.
Medusa Group demands $8 million ransom
There is so far no indication that Toyota is also dealing with encrypted data, but that is highly likely with Medusa ransomware. On its leak site, the Medusa group is demanding an $8 million ransom from Toyota Financial Services Europe & Africa. If the sum is not paid, the group intends to publish the stolen data on November 26, 2023. According to experts, a first data dump is expected to contain personal data as well as emails and hashed passwords. A complete file list is offered as a text file.
There is currently no further information on whether TFS intends to respond to the demand in any way. Toyota Financial Services, a subsidiary of Toyota Motor Corporation, is a global company with a presence in 90% of the markets where Toyota sells its cars and offers auto financing to its customers.
Medusa has been active since 2019
Trend Micro's researchers have tracked the Medusa or MedusaLocker ransomware and its activity since 2019; it mostly targets Windows computers. (Medusa, the group behind the leak site, and MedusaLocker are often lumped together, but they are generally treated as separate ransomware operations.) A notable behavior of this malware is rebooting into Safe Mode before executing and encrypting files. Depending on the variant, it also makes use of batch (.bat) files and PowerShell. The infected computer usually fails to boot normally, because the latest variant also renames the boot manager by appending the “inprocess” extension to bootmgr.
The behavior of the malware
- Deletes volume shadow copies and backups
- Establishes persistence on the target computer
- Disables recovery mode
- Renames bootmgr so that the computer can no longer boot normally
- Terminates processes
- Stops services
- Creates a mutex
- Reboots into Safe Mode
The files are also encrypted and a ransom is demanded in Bitcoin.
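Several of the behaviors listed above (shadow-copy and backup deletion, disabling recovery, forcing a Safe Mode boot, stopping services, killing processes) leave a trace in process-creation command lines before any file is encrypted, which is where a detection engineer gets the most warning. The following is an added example, not code from the article or from Trend Micro: a small Python detector that scans constructed process-creation log lines for generic ransomware-precursor commands and flags a host once it shows two or more of these behaviors. The log format, host names, and command-line patterns are assumptions of this example (the patterns are well-known pre-encryption commands, not indicators taken from a Medusa sample), and the mutex and persistence items are not covered because they are not visible in command-line telemetry.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# One entry per command-line-visible behaviour from the list above.
# These regexes are generic ransomware-precursor commands chosen for this
# example; they are not indicators extracted from a Medusa sample.
BEHAVIOUR_PATTERNS: Dict[str, List] = {
    "delete_shadow_copies_or_backups": [
        re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
        re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
        re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    ],
    "disable_recovery": [
        re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
        re.compile(r"bcdedit(\.exe)?.*bootstatuspolicy\s+ignoreallfailures", re.I),
    ],
    "safe_mode_boot": [
        re.compile(r"bcdedit(\.exe)?.*\bsafeboot\b", re.I),
    ],
    "stop_services": [
        re.compile(r"\bnet1?(\.exe)?\s+stop\s+\S+", re.I),
        re.compile(r"\bsc(\.exe)?\s+(stop|config)\s+\S+", re.I),
    ],
    "terminate_processes": [
        re.compile(r"taskkill(\.exe)?.*\s/f\b", re.I),
    ],
}

# Assumed log line layout: "<timestamp> host=<name> user=<name> cmdline=\"<command line>\"".
LOG_LINE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmdline="(?P<cmd>.*)"$'
)

# Constructed sample telemetry for this example (not real Toyota or Medusa data).
SAMPLE_LOG = """\
2023-11-14T03:11:02Z host=FIN-SRV01 user=SYSTEM cmdline="C:\\Windows\\System32\\svchost.exe -k netsvcs"
2023-11-14T03:12:44Z host=FIN-SRV01 user=SYSTEM cmdline="vssadmin.exe delete shadows /all /quiet"
2023-11-14T03:12:45Z host=FIN-SRV01 user=SYSTEM cmdline="bcdedit.exe /set {default} recoveryenabled No"
2023-11-14T03:12:46Z host=FIN-SRV01 user=SYSTEM cmdline="bcdedit.exe /set {default} safeboot network"
2023-11-14T03:12:47Z host=FIN-SRV01 user=SYSTEM cmdline="net stop MSSQLSERVER /y"
2023-11-14T03:12:48Z host=FIN-SRV01 user=SYSTEM cmdline="taskkill /f /im sqlservr.exe"
2023-11-14T03:15:00Z host=WS-0042 user=jdoe cmdline="net stop Spooler"
2023-11-14T03:16:10Z host=WS-0042 user=jdoe cmdline="C:\\Program Files\\Git\\bin\\git.exe pull"
"""


@dataclass
class Hit:
    line_no: int
    host: str
    behaviour: str
    cmdline: str


def scan(lines: List[str]) -> List[Hit]:
    """Return one Hit per (line, behaviour) whose command line matches a pattern."""
    hits: List[Hit] = []
    for line_no, raw in enumerate(lines, 1):
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue  # unparsable line: skip rather than crash the scan
        for behaviour, patterns in BEHAVIOUR_PATTERNS.items():
            if any(p.search(m["cmd"]) for p in patterns):
                hits.append(Hit(line_no, m["host"], behaviour, m["cmd"]))
    return hits


def behaviours_per_host(hits: List[Hit]) -> Dict[str, Set[str]]:
    """Group the distinct behaviours seen on each host."""
    out: Dict[str, Set[str]] = {}
    for h in hits:
        out.setdefault(h.host, set()).add(h.behaviour)
    return out


def suspected_ransomware_hosts(hits: List[Hit], threshold: int = 2) -> List[str]:
    """A single 'net stop' is routine admin work; two or more distinct
    pre-encryption behaviours on one host is worth an alert."""
    return sorted(host for host, b in behaviours_per_host(hits).items() if len(b) >= threshold)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"line {h.line_no}: {h.host} {h.behaviour}: {h.cmdline}")
    print("suspected hosts:", suspected_ransomware_hosts(found))
```

In the constructed sample, FIN-SRV01 shows five distinct behaviours within seconds and is flagged, while the workstation that merely stopped the print spooler is not; the threshold is the knob to tune against your own baseline of legitimate administrative commands.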
More at Toyota.eu