Oleksandr - stock.adobe.com

Arnold Clark cyber attack claimed by Play ransomware gang

A cyber attack that struck car dealer Arnold Clark prior to Christmas has been claimed as the work of the Play ransomware cartel

Glasgow-based Arnold Clark – one of the UK’s largest car dealer networks, which made a billionaire out of its founder – is facing a multimillion-pound ransom demand from the Play double extortion ransomware cartel following a cyber attack on its systems.

The attack on the organisation took place in the run-up to Christmas and saw staff resorting to pen and paper to record customer transactions after being locked out of their systems. It was also unable to complete handovers of new vehicles as a result.

In the wake of the attack, Arnold Clark disconnected its systems voluntarily after an external security consultant warned it of suspicious traffic on its network. It then conducted an extensive review of its IT estate in collaboration with its cyber partners. It said its priority had been to protect customer data, its own systems and its third-party partners, and that this had been achieved.

However, according to the Mail on Sunday, which was first to report the latest developments, an individual claiming association with Play posted a 15GB tranche of customer data stolen in the incident to the dark web. The data is understood to include addresses, passport data and national insurance numbers. Predictably, they are threatening to release a much larger amount of data if not paid off.

In a statement provided to Automotive Management magazine, Arnold Clark said its investigations were ongoing, and it was now trying to establish what data had been compromised as a priority, at which point it will contact affected customers. It has also been working with law enforcement, and the incident has been notified to the Information Commissioner’s Office (ICO) in accordance with its legal obligations. The organisation did not respond to a request for comment from Computer Weekly.

After springing to prominence in mid-2022 with a string of cyber attacks on organisations in Latin America, the Play ransomware cartel has become one of the more active and dangerous groups currently operating.

Most famously, it was behind the 2 December 2022 attack on Rackspace, which saw customers left out in the cold after the IT services supplier was forced to shut down its Hosted Exchange business.

Rackspace later revealed the gang accessed the Personal Storage Tables (PSTs) of 27 of its customers, out of a total of 30,000, but said there was no evidence that the data was viewed, obtained, misused or disseminated in any way.

The gang was confirmed to have hit Rackspace by chaining a pair of vulnerabilities tracked as ProxyNotShell/OWASSRF in a server-side request forgery that allowed it to achieve remote code execution (RCE) through Outlook Web Access (OWA).

Prior to its enthusiastic take-up of OWASSRF, the group favoured compromised virtual private network (VPN) accounts, as well as domain and local accounts, and exposed remote desktop protocol (RDP) servers, to gain initial access. It also exploited disclosed vulnerabilities in Fortinet’s FortiOS operating system.

Play draws its name from the .play extension it appends to encrypted files, and has been observed exhibiting broadly similar behaviour to the Hive and Nokoyawa operations, according to intelligence gleaned by researchers at Trend Micro, who suggested they may be run by the same people. There exists also the possibility of a link to the Quantum ransomware, itself thought to be a splinter group of Conti.

Whether or not Arnold Clark fell victim to the same attack chain is unconfirmed.

Read more about ransomware attacks in the UK

Read more on Hackers and cybercrime prevention