Clop ransomware hits Software AG, demands $20 million+ ransom

German tech giant Software AG suffers ransomware attack


Software AG, a German tech giant had its helpdesk and internal communication systems disrupted after the Clop ransomware attack.

Over the weekend, Germany’s second-largest tech firm Software AG suffered a ransomware attack. The company had to shut down many of its internal systems. Allegedly, the attackers took company data and demanded over $20 million (€17 million) in ransom.

According to the company, its cloud offerings weren’t affected; however, its internal communications and helpdesk went offline and haven’t recovered fully as yet.

See: Clop ransomware group leak pharmaceutical giant’s data on dark web

Software AG is one of the world’s leading software firms with over 10,000 enterprise customers in 70 countries, including Fujitsu, Vodafone, Airbus, and Telefonica. The company’s product portfolio includes business infrastructure software such as enterprise service bus (ESB) frameworks, database systems, business process management systems (BPMS), and software architecture (SOA). can confirm that the Clop ransomware group is responsible for breaching Software AG’s internal network which happened on October 3rd. The attackers are claiming to steal the company’s data and demanding ransom in exchange for the decryption key.


In a press release on October 5th, Software AG wrote that:

The IT infrastructure of Software AG is affected by a malware attack since the evening of 3 October 2020. While services to its customers, including its cloud-based services, remain unaffected, as a result, Software AG has shut down the internal systems in a controlled manner in accordance with the company’s internal security regulations. The company is in the process of restoring its systems and data in order to resume orderly operation. However, helpdesk services and internal communication at Software AG are currently still being affected.

 As of now, the attackers have leaked several screenshots taken from the stolen Software AG’s data. These screenshots show the company’s financial documents, employee ID scans and passport, employee emails, and internal network directories.

German tech giant Software AG suffers ransomware attack
One of the folders and passport files leaked by the Clop ransomware group on its official website.


In October 8th press release, the company acknowledged that its data was downloaded by attackers.

Today, Software AG has obtained first evidence that data was downloaded from Software AG’s servers and employee notebooks. There are still no indications for services to the customers, including the cloud-based services, being disrupted. The company is refining its operations and internal processes continuously. Software AG is further investigating the incident and is doing everything in its power to contain the data leak and to resolve the ongoing disruption of its internal systems, in particular to restart its internal systems as soon as possible which had been shut down for security reasons.

As per the analysis of MalwareHunterTeam, the Clop gang took approx. one terabyte of data from the tech firm. They also posted an alleged ransom note that they claim was sent to Software AG from the Clop ransomware group.

German tech giant Software AG suffers ransomware attack
Clp ransomware gang’s ransom note for Software AG – Image credit: MalwareHunterTeam on Twitter

The clop gang has been targeting enterprises since 2019. Its key targets are companies in the US, Europe (especially Germany), India, Russia, Mexico, and Turkey. The list of Clop ransomware’s victims who did not pay the ransom and got their data leaked includes:

ProMinent GmbH
Recreativos Franco
MVTec Software GmbH
NFT Distribution Holdings Ltd
Prettl Produktions Holding GmbH
IHI Charging Systems International
Technische Werke Ludwigshafen AG (TWL)


Did you enjoy reading this article? Do like our page on Facebook and follow us on Twitter.

1 comment
  1. One Remark: The List of victims is of course much longer, since only companies who do not pay are on the CL0P leak portal.

Comments are closed.

Related Posts