Software AG Clop ransomware attack
The Clop ransomware gang breached German enterprise-software giant Software AG, demanded a $23 million ransom, forced internal systems offline, and leaked over a terabyte of stolen company and employee data after negotiations failed.
- Victim: Software AG
In early October 2020, the Clop (Cl0p) ransomware gang breached Software AG, the Darmstadt-based enterprise-software giant and one of Germany's largest software companies, in a double-extortion attack that paired data theft with one of the largest ransom demands publicly reported at the time: about $23 million.
What happened
The attackers compromised Software AG's internal network on 3 October 2020, deploying Clop ransomware to encrypt systems while having already exfiltrated large volumes of data. Software AG, which has more than 5,000 employees and operations in over 70 countries, was forced to shut down internal systems to contain the spread.
On 5 October, the company publicly disclosed the "malware attack," emphasising that its customer-facing cloud services were unaffected and that the disruption was limited to its internal corporate network.
The ransom and the leak
The ransom note demanded roughly $23 million (about 2,083 bitcoin at the time) in exchange for a decryption key and a promise not to publish stolen data. Software AG did not pay. When negotiations failed, Clop carried out its extortion threat, publishing screenshots of sensitive material on its dark-web leak site.
The stolen trove was substantial: tens of gigabytes representing more than a million files, including employee passport copies, internal emails, and financial documents such as invoices. Some reporting put the total exposed data at over a terabyte.
Attribution
Clop is operated by a financially motivated cybercrime group associated with the broader TA505 threat cluster, known for high-value enterprise targeting and for pioneering double extortion: stealing data before encryption to pressure victims who might otherwise restore from backups.
Why it matters
The Software AG attack was a high-profile early example of double-extortion ransomware against a major European technology vendor, demonstrating that even a sophisticated software company could have its internal network crippled. The choice not to pay, followed by Clop's public data dump, illustrated the central dilemma of modern ransomware: refusing the ransom protects against funding criminals but does not prevent the reputational and privacy damage of a public leak. It became a reference point in European discussions on ransomware resilience, backup strategy, and breach disclosure, and foreshadowed Clop's later mass-exploitation campaigns against managed file-transfer tools like MOVEit and Accellion.
Timeline
- The Clop ransomware gang compromises Software AG's internal network and begins encrypting systems.
- Software AG discloses a malware attack, noting customer cloud services remain unaffected while internal systems are disrupted.
- A ransom note demands roughly $23 million (about 2,083 BTC) for a decryption key.
- Negotiations fail; Clop publishes screenshots of stolen passports, invoices, and internal documents on its dark-web leak site.
- More than a terabyte of data (over a million files including employee and financial records) is exposed.
Sources
- bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/software-ag-it-giant-hit-with-23-million-ransom-by-clop-ransomware/
- securityweek.com: https://www.securityweek.com/enterprise-solutions-provider-software-ag-hit-clop-ransomware/
- threatpost.com: https://threatpost.com/software-ag-data-clop-ransomware/160042/
- cpomagazine.com: https://www.cpomagazine.com/cyber-security/clop-ransomware-attack-hits-german-software-giant-software-ag-confidential-documents-stolen-23-million-ransom-demanded/