Car dealer group Pendragon refuses to pay $60 million to ransomware extortionists

And it has obtained an injunction against the LockBit gang.

Graham Cluley
@gcluley


Pendragon – the car dealership group which owns Evans Halshaw, CarStore, and Stratstone – has confirmed that its IT servers have been hacked by cybercriminals who claim to have stolen five per cent of its data.

According to The Times, the LockBit 3.0 extortion gang has demanded a cryptocurrency ransom equivalent to $60 million be paid by Pendragon, which operates around 160 showrooms across the UK.

A visit to LockBit’s leak site on the dark web reveals that the extortionists are threatening to release files stolen from Pendragon on Saturday 29 October.

Pendragon, however, says it isn’t going to pay.

Pendragon said it had not engaged in any discussion about paying the gang, which wants the ransom paid into a bitcoin wallet. “We refuse to be held hostage by this group and we will not be paying a ransom demand,” Kim Costello, the chief marketing officer, said.

Pendragon’s website has been keeping the outside world regularly updated on how it is responding to the ransomware attack.

The company has reported the attack to the Information Commissioner’s Office (ICO) and the police, and informed the National Cyber Security Centre (NCSC).

Pendragon says the attack has not affected its ability to serve customers, and that it has since secured its systems.


Interestingly, Pendragon also says it has “successfully obtained an interim injunction from the High Court against the threat actor.”


I suspect that a High Court injunction will not prevent “persons unknown” – likely to be based outside the UK – from leaking the data, but I suspect that isn’t the primary reason why they have done it.

Taking an injunction against the blackmailers does, however, help Pendragon show their clients that they are doing everything in their power to prevent the information from being leaked – and perhaps help defend the company from future legal action.

Furthermore, if those responsible are ever identified, the existence of the injunction may help to seek recompense one day, perhaps through seizing their assets.

The news of Pendragon’s cyber attack comes at an inconvenient time for the car dealership group. It has recently received a takeover offer of £400 million from Swedish motor company Hedin Group.

I’m impressed that Pendragon is refusing to pay the ransom. Cyber extortionists only continue to blackmail hacked companies because sometimes they do succeed in swindling their victims out of millions of dollars’ worth of cryptocurrency.



Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy.
