Breaking News: Yamaha Motor’s Philippines Subsidiary Falls Victim to Devastating Ransomware Attack
Ransomware Attack Hits Yamaha Motor’s Philippines Subsidiary
Last month, Yamaha Motor’s motorcycle manufacturing subsidiary in the Philippines fell victim to a ransomware attack, resulting in the unauthorized access and theft of personal information belonging to some of its employees.
Since the breach was first detected on October 25, Yamaha Motor has been conducting an investigation with the assistance of external security experts to determine the extent of the incident.
According to Yamaha, a server managed by Yamaha Motor Philippines, Inc. (YMPH), the motorcycle manufacturing and sales subsidiary, was accessed without authorization by a third party and was subsequently targeted by a ransomware attack. As a result, some employees’ personal information stored by the company was partially leaked.
In response to the incident, YMPH and the IT Center at Yamaha Motor’s headquarters have formed a countermeasures team to prevent further damage and are working with an external internet security company to investigate the impact of the attack and facilitate recovery.
Yamaha clarified that the breach was limited to a single server at Yamaha Motor Philippines and did not affect the company’s headquarters or any other subsidiaries within the Yamaha Motor group.
The company has reported the incident to relevant Philippine authorities and is currently assessing the full extent of the attack’s impact.
We attempted to contact a spokesperson from Yamaha Motor for comment, but they were not immediately available for response.
INC Ransom Gang Claims Responsibility for the Breach
The identity of the attackers responsible for the ransomware attack has not been determined yet. However, the INC RANSOM gang has claimed responsibility for the attack and has leaked data allegedly stolen from Yamaha Motor Philippines’ network on their dark web leak site.
On November 15, the threat actors added the company’s information to their website and published multiple file archives containing approximately 37GB of data, including employee ID information, backup files, and corporate and sales data.
The INC RANSOM gang emerged in August 2023 and has been targeting organizations across various sectors, such as healthcare, education, and government, through double extortion attacks.
Although the gang has only disclosed 30 victims on their leak website, it is believed that the actual number of breached organizations is higher, as only those who refuse to pay the ransom face public exposure and subsequent data leaks.
The threat actors gain access to their targets’ networks primarily through spear-phishing emails. However, they have also been observed exploiting the Citrix NetScaler CVE-2023-3519 vulnerability, as reported by SentinelOne.
Once inside the network, the attackers move laterally, exfiltrate sensitive files to use as leverage for the ransom, and then deploy ransomware to encrypt compromised systems.
Furthermore, INC-README.TXT and INC-README.HTML files are automatically placed in each folder containing the encrypted files.
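Because the notes are dropped into every affected folder, their creation in many directories within a short time is a usable detection signal. The following is an added example, not part of the original article or any vendor tooling: only the two note filenames come from the article, while the event tuple format, host names, paths, timestamps and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Ransom note names reported in the article (matched case-insensitively).
NOTE_NAMES = {"inc-readme.txt", "inc-readme.html"}

# Constructed file-creation events: (ISO timestamp, host, full path).
SAMPLE_EVENTS = [
    ("2024-01-01T02:14:05", "FS01", r"D:\Shares\HR\INC-README.TXT"),
    ("2024-01-01T02:14:05", "FS01", r"D:\Shares\HR\INC-README.HTML"),
    ("2024-01-01T02:14:09", "FS01", r"D:\Shares\Sales\INC-README.TXT"),
    ("2024-01-01T02:14:12", "FS01", r"D:\Shares\Backups\inc-readme.txt"),
    # A single copy on one workstation stays below the default threshold.
    ("2024-01-01T02:20:00", "WS07", r"C:\Users\analyst\Downloads\INC-README.TXT"),
    ("2024-01-01T02:21:00", "WS07", r"C:\Users\analyst\Documents\report.docx"),
]


def detect_note_spread(events, min_dirs=3, window=timedelta(minutes=5)):
    """Return {host: sorted directories} for hosts where ransom notes were
    created in at least `min_dirs` distinct directories within `window`."""
    per_host = defaultdict(list)
    for ts, host, path in events:
        p = PureWindowsPath(path)
        if p.name.lower() in NOTE_NAMES:
            per_host[host].append((datetime.fromisoformat(ts), str(p.parent).lower()))

    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the start forward until the span fits inside `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            dirs = {d for _, d in hits[start:end + 1]}
            if len(dirs) >= min_dirs:
                alerts[host] = sorted(dirs)
                break
    return alerts


if __name__ == "__main__":
    print(detect_note_spread(SAMPLE_EVENTS))
```

Counting distinct directories rather than files keeps the TXT/HTML pair in one folder from inflating the score, and the time window separates a burst of note drops from isolated copies seen hours apart.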
The victims are given a 72-hour ultimatum to negotiate with the threat actors, under the threat of the gang publicly disclosing all stolen data on their leak blog.
If the ransom demand is met, the victims receive assistance with decrypting their files. The attackers also promise to provide information about the initial attack method, guidance on network security, evidence of data destruction, and a “guarantee” that they will not be targeted again by INC RANSOM operators.