Car dealer group Pendragon refuses to pay $60 million to ransomware extortionists

And it has obtained an injunction against the LockBit gang.

Graham Cluley


Pendragon – the car dealership group which owns Evans Halshaw, CarStore, and Stratstone – has confirmed that its IT servers have been hacked by cybercriminals who claim to have stolen five per cent of its data.

According to The Times, the LockBit 3.0 extortion gang has demanded a cryptocurrency ransom equivalent to $60 million be paid by Pendragon, which operates around 160 showrooms across the UK.

A visit to LockBit’s leak site on the dark web reveals that the extortionists are threatening to release files stolen from Pendragon on Saturday 29 October.


Pendragon, however, says it isn’t going to pay.

Pendragon said it had not engaged in any discussion about paying the gang, which wants the ransom paid into a bitcoin wallet. “We refuse to be held hostage by this group and we will not be paying a ransom demand,” Kim Costello, the chief marketing officer, said.

Pendragon’s website has been keeping the outside world regularly updated on how it is responding to the ransomware attack.

The company has reported the attack to the Information Commissioner’s Office (ICO) and the police, and informed the National Cyber Security Centre (NCSC).

Pendragon says the attack has not affected its ability to serve customers, and that it has since secured its systems.


Interestingly, Pendragon also says it has “successfully obtained an interim injunction from the High Court against the threat actor.”


I suspect that a High Court injunction will not prevent “persons unknown” – likely to be based outside the UK – from leaking the data, but I suspect that isn’t the primary reason why they have done it.

Taking an injunction against the blackmailers does, however, help Pendragon show their clients that they are doing everything in their power to prevent the information from being leaked – and perhaps help defend the company from future legal action.

Furthermore, if those responsible are ever identified, the existence of the injunction may help to seek recompense one day, perhaps through seizing their assets.

The news of Pendragon’s cyber attack comes at an inconvenient time for the car dealership group. It has recently received a takeover offer of £400 million from Swedish motor company Hedin Group.

I’m impressed that Pendragon is refusing to pay the ransom. Cyber extortionists only continue to blackmail hacked companies because sometimes they do succeed in swindling their victims out of millions of dollars worth of cryptocurrency.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
