Yamaha Motor Philippines, Inc. (YMPH), a motorcycle manufacturing and sales subsidiary of Yamaha Motor, was targeted in a ransomware attack in October. The attack led to unauthorized access to one of the company's servers and resulted in a partial leak of employees' personal information. Yamaha Motor has been conducting an investigation into the incident with assistance from external cybersecurity experts since the breach was detected on October 25.
"One of the servers managed by [..] motorcycle manufacturing and sales subsidiary in the Philippines, Yamaha Motor Philippines, Inc. (YMPH), was accessed without authorization by a third party and hit by a ransomware attack, and a partial leakage of employees' personal information stored by the company was confirmed," Yamaha stated.
In response to the attack, YMPH and the IT Center at Yamaha Motor headquarters set up a team to implement countermeasures and prevent further damage. The team is also working to determine the full extent of the impact and initiate recovery efforts with guidance from an external internet security company. Yamaha confirmed that the attack was limited to a single server at Yamaha Motor Philippines and did not affect the headquarters or any other subsidiaries within the Yamaha Motor group.
Yamaha Motor has reported the incident to the relevant Philippine authorities and is currently assessing the full extent of the attack's impact. The company has not yet attributed the attack to any specific group. However, the ransomware group known as INC Ransom has claimed responsibility for the attack and claims to have leaked data stolen from Yamaha Motor Philippines' network.
INC Ransom, which emerged in August 2023, has targeted organizations across various sectors, including healthcare, education, and government, in double extortion attacks. According to SentinelOne, the group gains access to its targets' networks through spearphishing emails and has also been known to exploit the Citrix NetScaler vulnerability CVE-2023-3519. Once inside, the operators move laterally through the network, harvesting and downloading sensitive files for ransom leverage before deploying ransomware payloads to encrypt compromised systems.
Victims are given a 72-hour ultimatum to engage with the threat actors for negotiations, under threat of the ransomware gang publicly disclosing all stolen data on their leak blog. Those who comply with the ransom demand are assured help in decrypting their files and are also provided details on the initial attack method, guidance on securing their networks, evidence of data destruction, and a "guarantee" that they won't be attacked again by INC Ransom operators.