Cyber Incident Victim: Porsche
Date: Feb 2023
Location: South Africa
Summary
Porsche South Africa suffered a ransomware attack that disrupted operations and compromised systems, including some backups. The attackers used Faust, a variant of the Phobos ransomware family. The malware encrypted files, appended a unique victim identifier and the attackers' contact details to filenames, and demanded payment in Bitcoin for a decryptor, with the ransom amount depending on how quickly the victim responded. Dealerships typically hold sensitive customer information for financing and servicing, and although Phobos-affiliated operators such as those behind Faust are not known for the data exfiltration used in double-extortion schemes, exposure of personal data remains a concern given the nature of automotive retail. The company declined to confirm specifics regarding the ransom demand, any payment, or data compromise, but said that incident response protocols were being followed.
Description
On or around February 1, 2023, Porsche South Africa's Johannesburg headquarters experienced a disruptive ransomware attack that encrypted corporate files and disabled multiple systems, including some backups. The attackers deployed a ransomware variant identified as Faust, derived from the Phobos family, which typically gains initial access through compromised Remote Desktop Protocol (RDP) connections, though initial reports suggested Faust could also be delivered via malicious downloads, spam email attachments, pirated software activation tools, or fake updates. Faust encrypted files, appending a unique victim ID, an attacker email address, and the .faust extension to each filename, then displayed a pop-up ransom note demanding payment in Bitcoin for decryption tools. The note warned victims against renaming encrypted files or attempting third-party decryption, citing the risk of permanent data loss, and offered to decrypt five files free of charge as proof of capability. Security researchers confirmed that no publicly available decryption tool existed for Faust at the time, and emphasised that payment did not guarantee recovery. Porsche South Africa declined to confirm or deny the attack when contacted, stating only that "all protocols would be observed" regarding potential data exposure reporting obligations. The ransom amount and whether payment occurred remained undisclosed.

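To make the file-naming behaviour described above concrete, the following is an added example (not code from the original report, and not tooling from Porsche or ParaFlare): a small Python triage script that scans a list of file paths for the Phobos/Faust naming marker, extracts the victim ID and attacker contact address as indicators, and recovers the original filenames so the affected business data can be scoped. The page states only that a victim ID, an email address and a .faust extension are appended; the exact bracketed layout the regular expression expects (`name.ext.id[XXXXXXXX-NNNN].[email].faust`) and the sample directory listing are assumptions constructed for this example.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# ASSUMED layout of a Faust-encrypted filename. The report says only that a
# victim ID, an attacker email and ".faust" are appended; the bracketed form
# below is an assumption made for this example:
#   <original name>.id[<8 hex chars>-<4 digits>].[<email>].faust
FAUST_RE = re.compile(
    r"""^(?P<original>.+?)                          # original filename, incl. its extension
        \.id\[(?P<victim_id>[0-9A-Fa-f]{8}-\d{4})\] # per-victim identifier
        \.\[(?P<contact>[^\]\s]+@[^\]\s]+)\]        # attacker contact address
        \.faust$""",
    re.VERBOSE,
)


def parse_faust_name(name: str) -> Optional[Dict[str, str]]:
    """Return original name, victim ID and contact for a Faust-marked filename, else None."""
    match = FAUST_RE.match(name)
    return match.groupdict() if match else None


def triage(paths: Iterable[str]) -> dict:
    """Walk a list of paths (read-only; files are never renamed) and summarise the hits.

    Phobos-family ransomware marks only the file basename, so directories are
    ignored. The counters show how many distinct victim IDs and contact
    addresses appear: one ID across all hits indicates a single encryption run.
    """
    encrypted = []
    victim_ids: Counter = Counter()
    contacts: Counter = Counter()
    for path in paths:
        basename = path.replace("\\", "/").rsplit("/", 1)[-1]
        info = parse_faust_name(basename)
        if info is None:
            continue
        encrypted.append({"path": path, **info})
        victim_ids[info["victim_id"]] += 1
        contacts[info["contact"].lower()] += 1
    return {
        "count": len(encrypted),
        "encrypted": encrypted,
        "victim_ids": dict(victim_ids),
        "contacts": dict(contacts),
    }


# Constructed sample listing for this example; the ID and address are fictitious.
SAMPLE_LISTING = [
    "/srv/finance/Q4-2022.xlsx.id[1A2B3C4D-3351].[decrypt@example.test].faust",
    "/srv/finance/notes.txt",
    "/srv/hr/payroll.pdf.id[1A2B3C4D-3351].[decrypt@example.test].faust",
    "C:\\Backups\\db.bak.id[1A2B3C4D-3351].[decrypt@example.test].faust",
    "/srv/hr/old.faust",            # extension alone, no ID/contact: not the full marker
    "/srv/public/readme.faust.bak", # marker not at the end of the name
]

if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    print(f"{result['count']} encrypted files")
    for hit in result["encrypted"]:
        print(f"  {hit['original']}  <-  {hit['path']}")
    print("victim IDs:", result["victim_ids"])
    print("contacts:  ", result["contacts"])
```

The script only reads names and never renames anything, which both preserves evidence and respects the note's warning about renaming encrypted files. The recovered original names tell the responder which business data (finance, HR, backups) was hit and therefore what to restore first from the backups that were not encrypted; the contact address is the indicator to search mail gateways and proxy logs for.
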
The attack's operational impact included system downtime, though the full scope of affected infrastructure was not detailed publicly. While Faust's encryption disrupted business functions, historical analysis of Phobos-affiliated attacks by Paraflare's Digital Forensics team suggested that these operators typically did not exfiltrate data for double-extortion tactics, unlike more aggressive ransomware groups. This reduced the likelihood, though it did not eliminate the risk, that customer data such as personally identifiable information (PII) linked to vehicle financing or service plans was stolen. Porsche Japan's 2018 breach, which exposed customer names, addresses, contact details, salaries, and vehicle ownership data, provided precedent for the exposure of automotive dealers, but no evidence linked the two incidents. Paraflare noted that Phobos operators generally demanded lower ransoms and operated with less coordination than prominent ransomware families, which may influence incident response strategy. Porsche South Africa did not disclose restoration timelines or whether the unaffected backups enabled full recovery.
