Jaguar Land Rover have contained their network and stopped production after what appears to be a ransomware incident.

One surprising thing with the Jaguar Land Rover incident - they've only isolated JAGUAR LAND ROVER AUTOMOTIVE PLC (AS205756), the UK network. The India, China etc networks are still online.

When I dealt with LAPSUS elsewhere they entered via a different country network/biz unit and then pivoted to target country/biz unit.

JLR UK have got one internet facing system back online - wslx.jlrext.com

Single factor auth only because that's how automotives roll. If you visit direct IP, it's still branded Ford - Ford sold the business in 2008.

Just checked in on JLR - factory production won't be resuming tomorrow (day 7).

Jaguar Land Rover car production is still shut down tomorrow, day 8. I’ve checked the network border, everything except one system in UK is also still offline.

JLR are keeping car production closed until least Monday. They also say “some data was impacted”, whatever that means.

https://www.liverpoolecho.co.uk/news/liverpool-news/jaguar-land-rover-issues-crisis-32447659

JLR have started switching border routers back on (don't ask me why SNMP, NTP and SSH are internet facing).