LockBit Ransomware Strikes Eicher Motors: A Detailed Analysis

Incident Date:

July 5, 2024

World map

Overview

Title

LockBit Ransomware Strikes Eicher Motors: A Detailed Analysis

Victim

Eicher Motors Limited (EML)

Attacker

Lockbit3

Location

Chennai, India

, India

First Reported

July 5, 2024

Analysis of the LockBit Ransomware Attack on Eicher Motors Limited

Company Profile: Eicher Motors Limited

Eicher Motors Limited (EML), headquartered in New Delhi, India, is a significant player in the global automotive industry, particularly known for its Royal Enfield brand motorcycles. Founded in 1948 and incorporated in 1982, EML stands out in the Indian market with a market cap of ₹944.24 billion and a workforce exceeding 5,000 employees. The company operates in over 60 countries, producing not only motorcycles but also commercial vehicles through its joint venture with Volvo, VE Commercial Vehicles Limited (VECV). EML's commitment to innovation, quality, and sustainability has solidified its reputation in both domestic and international markets.

Details of the Ransomware Attack

The ransomware group LockBit has targeted Eicher Motors Limited, compromising sensitive data including personally identifiable information (PII) and confidentiality agreements. The attack was publicized through LockBit's dark web leak site, setting a ransom deadline of July 23, 2024. This incident highlights significant vulnerabilities within EML's cybersecurity measures, potentially involving compromised Remote Desktop Protocol (RDP) services or unsecured network shares, which are common entry points exploited by this ransomware group.

Profile of the Ransomware Group: LockBit

LockBit, active since September 2019, has emerged as one of the most prolific ransomware-as-a-service (RaaS) groups. Known for its modular ransomware that encrypts payloads to evade detection, LockBit uses RSA-2048 and AES-256 encryption algorithms. The group is notorious for its "double extortion" tactic, threatening to release stolen data if ransoms are not paid. LockBit primarily demands payment in Bitcoin, with amounts varying based on the perceived value of the encrypted data and the financial capacity of the victim.

Potential Entry Points and System Vulnerabilities

The specific vector used by LockBit to infiltrate EML's systems has not been disclosed. However, LockBit's known methodologies include exploiting vulnerabilities in RDP services and unsecured network shares. Additionally, the group's capability to perform lateral movements across a network suggests that EML's network segmentation and endpoint security measures were insufficient to contain the spread of the ransomware. The absence of robust Endpoint Detection and Response (EDR) and Network Detection and Response (NDR) systems may have also contributed to the severity of the breach.

Sources

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.