UK car dealer Pendragon hit with a record ransom demand

Pendragon was allegedly breached by LockBit ransomware, with cybercriminals demanding the company pay a $60M ransom.

Pendragon, UK’s second-largest car dealer with 160 showrooms across the country, announced the company was subject to an IT security incident. Brands such as CarStore, Evans Halshaw, and Stratstone operate under Pendragon’s umbrella.

“We have identified suspicious activity on part of our IT systems and have confirmed we experienced an IT security incident. This has not affected our ability to operate, and we continue to service our customers and communities as normal,” Pendragon said in a statement on Friday.

According to security researcher Dominic Alvieri, LockBit ransomware was behind the attack. However, Pendragon‘s name was not posted on LockBit‘s leak site at the time of publishing.

The prolific gang is said to have issued a whopping $60M (£54M) ransom demand to Pendragon. If confirmed, that ransom demand would be among the largest ever reported.

The record holder for the largest ransom demand is the now-defunct REvil ransomware gang. Last year, its affiliates demanded $70M from a US software provider Kaseya. However, the ordeal ended with one of the attackers, Yaroslav Vasinsky, being charged by the US Department of Justice.

The massive ransom demand for the return of Pendragon’s data may be linked to the company receiving a $444M (£400M) takeover offer from its largest shareholder a month ago. On September 27, Pendragon announced the takeover proposal to its employees and shareholders.

The infamous cartel

LockBit ransomware cartel leads the digital extortion underworld. A ransomware report by threat intelligence firm Digital Shadows shows that in the third quarter of 2022, LockBit was the most active group by an overwhelming margin.

LockBit and its affiliates accounted for over a third of all ransomware attacks involving organizations being posted to ransomware leak sites. Researchers attributed over 200 victims to LockBit.

While LockBit is far from the only successful ransomware group, it has outlasted many competitors. Prominent groups like REvil, Darkside, and Cl0p came and went, either regrouping or disbanding.

More recently, the Conti ransomware gang seems to have closed up shop once at the top of the ransomware game. Meanwhile, LockBit has been active since 2019, releasing the second and third generations of malware.

Pundits think the gang’s success stems from the group’s ability to combine a business-oriented approach with specialized tech.