More than a week after the cyber attack on VDL Groep, cars are already rolling off the production line at VDL Nedcar in Born.

But the group, supplier of ASML, Philips and DAF, still includes 104 companies worldwide that are still suffering from the brutal digital attack.

Eight questions and answers about ransomware.

This article is from the AD.

Every day a selection of the best articles from newspapers and magazines appears on NU.nl.

You can read more about that here.

A week ago, VDL was shut down.

What is happening at the company now?

VDL does not say what is going on, but sources around the group report that the central IT system has been taken hostage.

Criminals block networks and release them only after the ransom is paid.

After such a cyber attack, the company will form a crisis team led by an external party that will take over the coordination function, explains Dave Maasland of Eset internet security.

"What happened? How can the damage be repaired? And conversations are held with the criminals. This is usually done by the external party."

In addition to the management, the crisis team includes people from the communication, IT, operational management and legal affairs departments.

"For example, customers should be notified if customer data may have been stolen."

What is the company doing to get the affected IT systems up and running again?

The car factory in Born is running cautiously again.

The company hopes for a comparable solution as soon as possible for other business units that are unable to operate due to linking production systems to the Internet.

The big question is whether the criminals have also managed to get hold of backups.

"In the past two years, we have seen more and more that criminals also encrypt backups," says Job Kuijpers, founder of cybersecurity organization Eye and former employee of the AIVD.

According to him, the attackers are getting smarter and the criminal groups bigger and more professional.

"But even if there are backups, it can take weeks before everything is back to normal."

Because restoring a backup does not always go well and sometimes data is still missing.

Does VDL pay ransom?

VDL itself does not reveal anything about it.

However, according to expert Maasland, it seems that VDL is trying to restore the systems on its own, instead of a ransom being or being paid to regain access to data encrypted by criminals.

"Companies of the size of VDL can be confronted with insanely high ransom demands, ranging from 0.5 to 2 percent of the turnover. That's many millions of euros. At the same time, it is also very complex to rebuild the IT systems for 105 companies. to build."



The longer a victim of a cyber attack is in the air again, the more plausible, according to Maasland, is the scenario that no ransom is paid.

"Criminals want their money very quickly, generally within 48 hours. They want to channel the money, cover their tracks and disappear."

However, he does not rule out the ransom scenario.

"If you pay, you are not immediately online again. The question is which data you will get back and whether everything still works. It also takes a while before you have everything running again with half the data that you get back."

What is the financial loss for the group?

That is difficult to determine, but the loss of turnover can easily be calculated at many millions of euros.

VDL is counting on a turnover of around 5 billion euros this year, which is almost 100 million euros per week.

The consequences of the cyber attack have been felt for a week now, but the impact on the 105 individual companies of the group differs.

It is clear that the VDL Nedcar car factory - good for an annual turnover of more than 2 billion euros - has been shut down for a week.

In other business units, such as the bus factories, work has at least partly continued.

Can insurance cover the damage?

About ten insurers in the Netherlands offer insurance with 'cyber cover', according to the Dutch Association of Insurers.

It is not known how many companies have such insurance.

But according to the association, the premium turnover of cyber insurance in the Netherlands in 2020 amounted to a 'very modest' 25 million euros.

The insurer usually reimburses the financial damage suffered and repair of damage such as replacement of computers, systems and recovery of data.

Whether ransom is also covered depends on the conditions.

Insurer Hiscox, for example, states that ransom will be reimbursed if it is paid to limit the damage to the company.

VDL has 105 companies.

Did that make it extra attractive as prey?

In recent years, VDL has taken over one company after another, after which systems are linked together.

And that can be a risk.

"It increases the chance that there are computers that are not yet managed somewhere that are vulnerable," says Job Kuijpers.

"But at the same time, the segmentation creates natural separation, because not everything is made up of the same systems."

Do the criminals now also have private data of the 15,000 employees?

That opportunity is indeed there, experts say.

Often criminals have already penetrated the network before the hostage of systems, in which data has been digitally encrypted, is discovered.

Personal data, such as copies of identity documents, can be traded on the dark web, in other words the depths of the internet where criminals reside.

That data can be used, for example, for identity fraud.

Its disclosure can also serve as leverage for ransom payment.

If personal data has been leaked, the company will have to report this on the basis of the privacy legislation AGV.

Criminal hackers are striking more and more.

However, learning from digital attacks can be a weapon.

What role can VDL play in this?

Out of shame or fear of reputational damage, companies affected by such attacks hold back. "For fear of damage to reputation, that you have to show that you have not got things in order. We all have to accept that we are learning, that we all still have a long way to go when it comes to cybersecurity," says expert Maasland . Like expert Kuijpers, he makes an urgent appeal to VDL. "Be transparent", advises Kuijpers. "If VDL is now in a ransom situation, you don't play that game through the media. But the company must be aware of the exemplary role in the region."

In addition to VDL, the region around Eindhoven contains players such as ASML, Philips, DAF, Signify (formerly Philips Licht) and chip maker NXP.

"For SMEs, say the suppliers of VDL and other companies, ransomware is the biggest problem. You can now offer them insight."

Expert Dave Maasland: "I hope that VDL dares to say: mistakes have been made. That VDL as a commercial company is breaking the silence. No company should be ashamed. As a defender against cybercrime you have to do everything right, while as an attacker you can need a single mistake."

Keywords: companies, vdl, dave maasland, supplier, cyber attack, criminals, party, production line, answers, job kuijpers, company, more, attack, ransomware, everything