Cyber Incident Victim: Sage Software

On October 3, 2020, the Clop ransomware gang breached the internal network of Software AG, a major German technology firm. The attackers encrypted company files and demanded over $20 million in exchange for a decryption key, marking one of the largest known ransom demands in ransomware history. Software AG disclosed the incident on October 5, confirming disruptions to its internal network from a malware attack but asserting that customer-facing cloud services remained operational. The company initially stated it found no evidence of customer data compromise. Two days later, Software AG revised its position in a follow-up press release, acknowledging evidence of data theft. The company maintained a public notice about the attack on its website homepage throughout the week but did not respond to subsequent media inquiries for additional details.

After ransom negotiations collapsed, the Clop gang escalated their attack by publishing stolen data on their dark web leak site on October 9. Leaked materials included screenshots of employee passports, identification documents, internal emails, financial records, and directory structures from Software AG’s network. Security researcher MalwareHunterTeam identified a copy of the ransomware binary used in the attack earlier that week. The breach impacted Software AG’s internal operations, though the company reiterated that customer services were unaffected. With over 10,000 enterprise clients—including major corporations like Airbus, DHL, and Vodafone—the incident exposed sensitive employee information and corporate data but did not directly compromise customer systems according to official statements. Software AG’s product portfolio, encompassing database systems, enterprise service bus frameworks, and business process management tools, remained operational for external users throughout the incident.