Toyota Financial Services Hit by Medusa Ransomware Attack

Toyota Financial Services (TFS), a subsidiary of the automotive giant, confirmed a ransomware attack on its European & African operations. The company acknowledged unauthorized activity on certain systems across limited locations but did not confirm data theft, though the attackers claim to have accessed sensitive information.

In response, TFS initiated investigations, taking affected systems offline to contain the incident’s scope and prevent further escalation. As of now, the breach seems contained within Toyota Financial Services Europe & Africa.

The threat actors, identified as Medusa Ransomware, added TFS to their data leak site, asserting access to financial documents, purchase invoices, hashed account passwords, user IDs and passwords, agreements, passport scans, organization charts, financial reports, and staff email addresses, among other sensitive materials. A sample of the data and file structure showcased on the site was predominantly in German, hinting at a possible origin from a Central European entity.

Medusa Ransomware demands an $8 million ransom with a ten-day window, offering an extension for $10,000 per day. TFS has not confirmed its stance on the ransom payment. Security analysts have speculated on potential entry points, with one pointing to unpatched Citrix Gateway endpoints in TFS’s German offices, raising the possibility that the CitrixBleed flaw was exploited as the entry point for the attack.
