A Volkswagen Dealership Has Been Hit by “Conti” Ransomware

Last updated June 23, 2021
Written by:
Bill Toulas
Infosec Writer

According to multiple sources, including French media and Cyble, a German dealership belonging to the Volkswagen Group has fallen victim to the “Conti” ransomware group. The actors stole data in the process and are now publishing it on their dedicated leak portal. The data includes thousands of invoices from workshop services and the sale of spare parts.

In total, there are 8,325 invoices in PDF form, exposing details that could be used in scamming or phishing attacks against the clients. Also, these invoices could help BEC actors targeting VW.

[Image: invoice sample. Source: Cyble]

Volkswagen is a German car manufacturer and one of the most successful in the world based on sales numbers. They sell over 10 million cars every year, and they were the highest-selling marque in the world between 2016 and 2017, surpassing other giants in the field like Toyota, Ford, General Motors, and Hyundai.

This event places the breached entity in GDPR trouble, as the leaked invoices contain client names, postal addresses, the products they purchased, etc. Having to cover the payment of GDPR fines couldn’t come at a worse time, as all automakers are going through a rough period of dramatically falling sales, and this, of course, includes dealerships.

Conti is the Ryuk group’s successor, and they operate as a private “ransomware as a service” (RaaS). They only recently launched a leak site and flooded it with data from previously undisclosed ransomware infections.

According to the researcher Vitali Kremez, Conti has been mostly joined by experienced and capable hackers who were promised a generous cut from the ransomware payment. Thus, we see a spike in the Conti infections, and the compromise of the VW service points' systems is just an indicative example of what’s about to come.

According to Cyble, the part of the firm that has been targeted and compromised is a franchise in Salzkotten, Germany. Thus, the leak comes from authorized workshops in that area.

If you live in the area and you’ve taken your car for a service at a local VW service point, you’d better start taking precautions against scammers and phishing actors.

We have received the following statement from a representative of the VW Group in relation to the above story:

A dealership in Germany has reported a hacker attack on its data. There was no unauthorized attempt to access Volkswagen's own IT systems. The dealership concerned has already taken extensive measures to secure its systems. Volkswagen offered the dealership support with the investigation and analysis.

Also, the automaker has clarified that it is not them who will have to go through a GDPR investigation but the dealership. In Germany, VW dealerships function as independent units, and so VW is not affected in any way by this security event.
