Toyota finance business confirms ransomware attack, data breach

The company only mentioned unauthorized activity on its endpoints and didn't discuss if any data was stolen. The attackers, on the other hand, claim to have stolen plenty of sensitive information from the firm.

Medusa ransomware

The company took certain systems offline to investigate the attack and reduce the risk of the incident escalating further, the spokesperson continued. “As of now, this incident is limited to Toyota Financial Services Europe & Africa.”

The threat actors behind this incident are known as Medusa Ransomware. The group added Toyota Financial Services (TFS) to its data leak site, claiming to have stolen financial documents, spreadsheets, purchase invoices, hashed account passwords, cleartext user IDs and passwords, agreements, passport scans, internal organization charts, financial performance reports, staff email addresses, and more. A sample of the data was added to the site, as well as a .TXT file with the file tree structure. 

Apparently, many documents are written in German, suggesting that the attackers stole the files from an entity in the central European country. The ransom demand is $8 million, and TFS has 10 days to make up its mind. There is also a possibility to extend the deadline, for $10,000 a day. So far, we don't know if TFS is even considering making the payment. 

Some researchers also speculated how Medusa managed to break into Toyota’s network. In his writeup, security analyst Kevin Beaumont said TFS had unpatched Citrix Gateway endpoints in its German offices, sparking the debate that Medusa abused the CitrixBleed flaw to get in.

More from TechRadar Pro

• Google Chrome releases security fix for this major flaw, so update now
• Here's a list of the best firewalls today
• These are the best endpoint security tools right now