Home / Threat Intelligence bulletins / Ferrari targeted in cyber-attack

Target Industry

Automobile manufacturing industry.


Ferrari announced that it has suffered a data breach as a result of compromised servers being operated under the control of cyber threat actors. The notorious Italian car manufacturer disclosed to its customers that there was a possibility that data such as customer names, home addresses, email addresses and telephone numbers were exfiltrated as a result of the attack. However, it was stressed that there is currently no existing evidence that the compromised data is being used for malicious purposes. The company also emphasised the fact that no details pertaining to sensitive payment details or bank account information have been stolen.

Although the attribution of a ransomware attack has not been explicitly mentioned as of the time of writing, Ferrari confirmed in its incident statement that they were contacted by a representative of the threat actor demanding a ransom. However, the ransom sum will not be disclosed until preliminary investigations have been completed.

The luxury car maker concluded their press release by stating that they have collaborated with third-party cyber security experts to reinforce the security posture of their systems and cyber resilience strategies.


Successful exploitation by ransomware variants will result in the encryption and exfiltration of significant quantities of data held on the compromised device or system, prior to a ransom of a predetermined amount being demanded. Encrypted data may include private customer data, corporate finance data, and system credentials that, if released, could provide threat actors with further targeting opportunities.

Although there is currently no existing evidence that the compromised data is being used for malicious purposes with regards to the incident, it should be noted that there remains a possibility that such customer data could be held by external entities such as dealers or marketers.

Vulnerability Detection

A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, can provide additional protection against ransomware threats. EDRs can alert system users of potential breaches and prevent further progress, prior to the malware being able to implement significant damage.

Affected Products

The specific server types compromised as a result of the cyber-attack have not been disclosed as of the time of writing.

Containment, Mitigations & Remediations

As stated above, the primary method of reducing the threat of ransomware attacks is to apply the added protection of an EDR solution. An effective EDR will increase detection of malicious attempts of ransomware compromise and halt such attempts if detected.

It is also recommended that employees receive training on how to detect markers of phishing emails. Due to the abundant implementation of phishing attacks by threat actors as their initial access vector, this training will serve to reduce the possibility of compromise by various strains of offensive malware.

Organisations are also recommended to perform routine back-ups of sensitive data that is required to implement business operations and maintain a copy offline. Therefore, if a breach occurs and the business can no longer function, a back-up is ready to resort to, and the business can continue to operate with minimal disruption. However, this does not nullify the fact that customer and employee data may have also been lost, and potentially released at will by the threat actor if demands are not met.

Indicators of Compromise

No specific Indicators of Compromise (IoCs) associated with the attack are available at this time.

Threat Landscape

With Ferrari being associated with one of the most expensive car ranges on the market, a contact list of wealthy customers would be a lucrative target for cybercriminals and could provide them with the opportunity to modify targeted emails for future attack efforts.

It should be noted that with respect to the current cyber threat landscape, many threat actors are advancing beyond the classic ransomware and data exfiltration model into a purely extortion-based method. Due to remediations for malware variants becoming more prevalent, some cybercriminals have pivoted to merely threatening to expose target customers and suppliers.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing. However, in October 2022 a threat actor using the RansomEXX malware claimed that they had stolen and leaked 7GB of data from Ferrari, a report which Ferrari denied at the time.

Mitre Methodologies

TA0010 – Exfiltration

Further Information

Ferrari Cyber Incident Disclosure
Cybersecurity Insiders Report
The Register Article
Security Week Article


Intelligence Terminology Yardstick