Software AG hard-hit by ransomware attack, cybercriminals demand over $20 million


Germany-based Software AG was hit with a ransomware attack by cybercriminals last week. The company is still struggling with the incident.

Software AG is the second-largest company in Germany. It has more than 10,000 active customers, and 5,000 employees in 70 countries.

A majority (70%) of Fortune 1000 companies in the world, including Airbus, Telefonica, Lufthansa, DHL, Fujitsu, Credit Suisse, and Continental, use Software AG’s products such as database systems, enterprise service bus (ESB) frameworks, and service-oriented architecture (SOA).


The German company disclosed the malware attack on its IT infrastructure on Monday. It is investigating the incident and doing everything in its power to resolve the disruption to its operations. 

Software AG shut down its internal system in a controlled manner after learning about the ransomware attack. The company said its help desk and internal communication were affected and it was “not aware of any customer information being accessed by the malware attack.”

On Thursday, the company provided an update indicating that it had obtained evidence that the cybercriminals downloaded data. It also stated that the malware is not yet fully contained and is still affecting its systems.

“There are still no indications for services to the customers, including the cloud-based services, being disrupted. The company is refining its operations and internal processes continuously,” according to Software AG.

CLOP ransomware takes control with file encryption

A cybercriminal gang known as “Clop” confirmed that it was responsible for deploying the ransomware on Software AG’s IT infrastructure. The gang is demanding a huge ransom of over $20 million. The malware invaded the company’s internal network on Saturday and encrypted the files.

This type of ransomware is dangerous malware. When the cybercriminals take your files, no security software or system restore can return them. Unless the ransom is paid, they are gone forever.

The hackers have demanded $20+ million ransom to provide Software AG with the decryption key. This is one of the largest known ransom demands in a ransomware attack.

After encryption, the CLOP ransomware appends the “.Clop” extension to each file and then generates a text file, “ClopReadMe.txt”, containing a ransom note in each folder. CLOP ransomware uses the RSA (Rivest-Shamir-Adleman) encryption algorithm, and any generated keys are stored on a remote server controlled by Clop operators.
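The two file-system indicators described above (the “.Clop” extension and a “ClopReadMe.txt” note in each folder) can be checked for in file-activity logs. The following Python is an added example, not code from this article or from any vendor; the log line format, host names, sample events and the `min_encrypted` threshold are assumptions.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Indicators taken from the article text; matched case-insensitively.
ENCRYPTED_SUFFIX = ".clop"
RANSOM_NOTE = "clopreadme.txt"

# Constructed sample events (assumed format: ISO time, host, action, path).
SAMPLE_EVENTS = """\
2020-01-01T02:14:07 FS01 RENAME D:\\Finance\\q3.xlsx.Clop
2020-01-01T02:14:07 FS01 RENAME D:\\Finance\\payroll.docx.Clop
2020-01-01T02:14:08 FS01 CREATE D:\\Finance\\ClopReadMe.txt
2020-01-01T02:14:09 FS01 CREATE D:\\HR\\ClopReadMe.txt
2020-01-01T02:15:30 WS17 CREATE C:\\Users\\amy\\notes.txt
2020-01-01T02:16:02 WS22 RENAME C:\\Users\\bob\\clop-analysis.pdf
"""

def classify(path):
    """Return 'note', 'encrypted' or None for one Windows path."""
    p = PureWindowsPath(path)
    if p.name.lower() == RANSOM_NOTE:
        return "note"
    if p.suffix.lower() == ENCRYPTED_SUFFIX:
        return "encrypted"
    return None

def triage(log_text, min_encrypted=2):
    """Group indicator hits per host. A host is flagged on any ransom
    note, or on at least min_encrypted files carrying the extension."""
    hosts = defaultdict(
        lambda: {"first_seen": None, "note_dirs": set(), "encrypted": 0})
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)  # path may contain spaces
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, host, _action, path = parts
        kind = classify(path)
        if kind is None:
            continue
        rec = hosts[host]
        # ISO timestamps sort lexicographically, so min() is the earliest.
        rec["first_seen"] = min(filter(None, (rec["first_seen"], ts)))
        if kind == "note":
            rec["note_dirs"].add(str(PureWindowsPath(path).parent))
        else:
            rec["encrypted"] += 1
    return {h: r for h, r in hosts.items()
            if r["note_dirs"] or r["encrypted"] >= min_encrypted}

if __name__ == "__main__":
    for host, rec in triage(SAMPLE_EVENTS).items():
        print(host, rec["first_seen"], rec["encrypted"], sorted(rec["note_dirs"]))
```

The per-host earliest timestamp and the list of folders holding a note give responders a starting point for scoping which shares to isolate and restore from backup.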

Cybersecurity group MalwareHunterTeam located a copy of the ransomware binary used against Software AG earlier this week. The ID in this ransom note allows MalwareHunterTeam and other security researchers to view the online chats between the Clop gang and Software AG on a web portal managed by the ransomware group.

Negotiations with the cybercriminals have been tense

On October 9, negotiations reached a standstill. The Clop gang retaliated by publishing screenshots of the company’s data on a dark web leak site that the hackers operate.

The screenshots show private data including financial documents, employee passport and ID scans, employee emails, and directories from the firm’s internal network.

So far it has not been determined if the ransom has been paid.

It has been an unfortunately busy year for ransomware attacks. This week US-based Tyler Technologies was attacked, and two weeks ago Universal Health Services was also hit by cybercriminals armed with malicious ransomware.

Clop ransomware was also used in the attack on Maastricht University in the Netherlands in December 2019. In February 2020, Maastricht confirmed that it was attacked by cybercriminals known as the TA505 Hackers and that it paid 30 bitcoin in ransom.

