October 25, 2022

LockBit 3.0 demands $60m from UK car dealership Pendragon

LockBit 3.0 has posted leading UK car dealership Pendragon onto its victim blog. The company is refusing to engage in ransom discussions.

By Claudia Glover

Ransomware-as-a-Service gang LockBit 3.0 has posted UK-based car dealership Pendragon onto its dark web blog. The gang has demanded $60m for the return of two terabytes of data, it claims. Pendragon is refusing to cooperate, announcing the leak itself on Friday. The cybercrime group may be rebranding to 4.0 as its builder was leaked in September, triggering odd behaviour, say analysts.

Pendragon posted on LockBit 3.0 blog

The gang claims to have lifted more than two million files “of all categories”. LockBit 3.0 is refraining from announcing the reason for publishing the data of the victim, but clarifies that “all available data” will be published, promising an update on the ransom on 28 October.

Pendragon, however, publicised the cyberattack on Friday. The company’s chief marketing officer Kim Costello told The Times in an interview that it was under a “live cyberattack and is being held to ransom by a gang connected to a sophisticated group known as LockBit 3.0.” 

The same day, Pendragon contacted its major clients, including Porsche and Mercedes, as well as its 4,000 members of staff. 

Pendragon has more than 200 dealerships in the UK, including retailers CarStore, Evans Halshaw and Stratstone.

The attack began one month ago. The gang has been in daily communication since. Pendragon has refused to engage with LockBit 3.0’s demands, despite having been shown proof that the data is genuine. “We refuse to be held hostage by this group and we will not be paying a ransom demand,” says Costello. 


An investigation into the attack is currently under way. It has so far found that the company's servers were hacked but that the attackers had stolen only 5% of its database. Security experts have since protected the rest of its systems.

According to security updates on the company’s website, Pendragon is continuing to service its customers and communities “as normal”. 

LockBit 3.0 continues its crime spree

LockBit 3.0 has been on a crime rampage over the past few months. Last week the gang hit UK-based insurer Kingfisher, claiming to have lifted 1.4 terabytes of data from the company, which has until 28 November to negotiate over the gang’s demands.

In October, LockBit was revealed as the cybercrime group that perpetrated the attack on the NHS over the summer, reducing staff to using pen and paper during the attack. According to security company NCC Group, the gang was responsible for 40% of all ransomware attacks in August, making it the most prolific ransomware that month.

However, the gang is not without its own issues. LockBit itself was hacked in August as well. A DDoS attack was launched on LockBit’s dark web server, which hosts leaks from companies the gang has ransomed. In September, the LockBit 3.0 builder was leaked.

From this point, the behaviour of the gang has become increasingly erratic. “LockBit has been noticeably different since their builder was leaked a few weeks ago. They haven’t been posting at their normal pace as they were way behind weekly affiliate standards,” explains threat researcher Dominic Alvieri.  

At least ten ‘new’ ransomware variants of LockBit have been spotted in the wild since the leak, explains Allan Liska, security lead at Recorded Future. 

This activity is leading to rumours of the gang rebranding as LockBit 4.0. “Nothing has been confirmed as of yet but the feeling is that a tweak in the ransomware code or a new leak site is in the works,” continues Alvieri.

LockBit 4.0 is rumoured to be online by November. 

