The DoppelPaymer gang is at it again. They attacked Foxconn, one of the world’s largest electronic chip lab facilities, in Mexico over the Thanksgiving weekend. Stolen files are now being published by the bad guys who will only stop doing so in exchange for a mere $34M.
This event demonstrates how increasingly brazen outfits like this gang have become. No one is too big to be a target now.
It’s Time to Up Your Game
Companies and organizations of all sizes need to significantly up their game if they hope to avoid a similar fate. This requires investment in security awareness training and culture, insistence upon multi-factor authentication, and a reimagined perimeter.
It is one thing to have inside visibility, with a robust security stack and security analytics that can help identify a breach and mitigate it before the attackers steal data or encrypt systems. But if the bad guys get into operational systems, as this crew did, and Zero Trust and/or better data backup policies have not yet been implemented, it will be very hard to ward off the attack.
These cybercriminals are very sophisticated and show no signs of slowing down or stopping on their own.
All organizations need a playbook that has been, at the very least, table-top tested, revisited, and updated at least quarterly. Examining tools, personnel, data flows, regulatory requirements for changes, and new accommodations is key – any plan older than 60 days is outdated.
Implications for the Hacked
In Foxconn’s case, they will likely have to pay the ransom, because restarting production is of paramount importance to a company generating $172bn in revenue, and a paltry $34M pales in comparison to not being able to produce more widgets. Compromising over 1,000 servers and deleting all backups should be a wake-up call to all businesses everywhere.
These guys are good. And I’m not referring to Foxconn’s IT or Security teams.
And any thought of cyber insurance covering any of this is a pipe-dream, as the case reeks of gross negligence, but Foxconn may well have a solid claim against some of the IT and security vendors in charge of its network management.
In addition to Foxconn, the huge global recruitment and HR solutions firm Randstad was also felled by the double extortion playbook. The Netherlands-based firm was compromised by the newer version of Egregor ransomware, but publicly it claimed that only a limited number of its servers were affected and that operations were not disrupted. “To date, our investigation has revealed that the Egregor group obtained unauthorized and unlawful access to our global IT environment and to certain data, in particular, related to our operations in the US, Poland, Italy, and France,” the firm said in a statement.
Compared to Foxconn, Randstad appears to have demonstrated a high degree of preparedness, assuring that its data was safe even under attack by sophisticated ransomware artists. It seems Randstad had a plan in place along the lines of the trusted and ancient 3-2-1 approach to data backup, in which three copies of the data are stored on two different media types, with one at a cloud provider, so that recovery from any one of the three locations can restore everything to pre-strike condition.
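The 3-2-1 rule is easy to state and easy to drift away from as systems are added. The following script, an added example and not code from the original article or from Randstad, applies the rule as the article describes it (three copies, two media types, one copy at a cloud provider) to a backup inventory and reports each dataset that falls short. It goes one step beyond the rule by warning, separately from the pass/fail verdict, about datasets with no offline or air-gapped copy, since an intruder who reaches the network can delete every copy that is reachable from it. The dataset names, media types and locations in `SAMPLE_INVENTORY` are constructed sample data.

```python
"""
3-2-1 backup inventory check.

Added example, not code from the original article. It applies the 3-2-1 rule
as the article describes it: three copies of each dataset, on two different
media types, with one copy held at a cloud provider. It also flags, as a
warning rather than a rule violation, datasets with no offline (air-gapped)
copy, since an intruder who has compromised the network can delete every copy
that is reachable from it. All dataset names and locations below are
constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class BackupCopy:
    dataset: str    # logical dataset the copy belongs to
    media: str      # media type, e.g. "disk", "tape", "object-storage"
    location: str   # where the copy physically lives
    cloud: bool     # True if held at a cloud provider (the article's "1")
    offline: bool = False  # True if air-gapped / not reachable from production


@dataclass
class Verdict:
    dataset: str
    copies: int
    media_types: int
    problems: List[str] = field(default_factory=list)  # 3-2-1 violations
    warnings: List[str] = field(default_factory=list)  # beyond 3-2-1

    @property
    def compliant(self) -> bool:
        """True when every part of the 3-2-1 rule is met (warnings do not count)."""
        return not self.problems


def evaluate_3_2_1(inventory: List[BackupCopy]) -> Dict[str, Verdict]:
    """Group copies by dataset and test each group against the 3-2-1 rule."""
    by_dataset: Dict[str, List[BackupCopy]] = {}
    for copy in inventory:
        by_dataset.setdefault(copy.dataset, []).append(copy)

    verdicts: Dict[str, Verdict] = {}
    for name, copies in sorted(by_dataset.items()):
        media = {c.media for c in copies}
        verdict = Verdict(dataset=name, copies=len(copies), media_types=len(media))
        if len(copies) < 3:
            verdict.problems.append(f"only {len(copies)} copies (need 3)")
        if len(media) < 2:
            verdict.problems.append(
                f"all copies on one media type ({', '.join(sorted(media))})")
        if not any(c.cloud for c in copies):
            verdict.problems.append("no copy at a cloud provider")
        if not any(c.offline for c in copies):
            verdict.warnings.append("no offline/air-gapped copy")
        verdicts[name] = verdict
    return verdicts


def report(verdicts: Dict[str, Verdict]) -> List[str]:
    """Render one line per dataset, suitable for a daily backup-health check."""
    lines = []
    for v in verdicts.values():
        status = "OK  " if v.compliant else "FAIL"
        detail = "; ".join(v.problems + v.warnings) or "3-2-1 satisfied"
        lines.append(
            f"{status} {v.dataset}: {v.copies} copies, {v.media_types} media types; {detail}")
    return lines


# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = [
    # Meets 3-2-1 and has an offline tape copy.
    BackupCopy("erp-db", "disk", "dc1-backup-array", cloud=False),
    BackupCopy("erp-db", "tape", "dc1-tape-vault", cloud=False, offline=True),
    BackupCopy("erp-db", "object-storage", "cloud-provider-a", cloud=True),
    # Two disk copies in the same data centre: fails every part of the rule.
    BackupCopy("file-share", "disk", "dc1-backup-array", cloud=False),
    BackupCopy("file-share", "disk", "dc1-nas-replica", cloud=False),
    # Meets 3-2-1, but every copy is online and reachable from the network.
    BackupCopy("hr-records", "disk", "dc1-backup-array", cloud=False),
    BackupCopy("hr-records", "disk", "dc2-backup-array", cloud=False),
    BackupCopy("hr-records", "object-storage", "cloud-provider-b", cloud=True),
]

if __name__ == "__main__":
    for line in report(evaluate_3_2_1(SAMPLE_INVENTORY)):
        print(line)
```

Run as-is it prints one line per dataset: `erp-db` passes with no warnings, `file-share` fails all three parts of the rule, and `hr-records` passes 3-2-1 but is flagged because none of its copies is offline. Feeding the same check a real inventory exported from a backup catalogue is the point of keeping the rule in code rather than in a policy document.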
Other notable Egregor ransomware attacks during the past week include strikes on Kmart and Vancouver’s public transport network, TransLink.
Data Governance in the Spotlight
These double extortion attacks are shifting the spotlight to data governance, requiring companies to demonstrate that they know what sensitive data they are storing, where it resides, and how it is protected, or risk serious fines under regulations like the California Consumer Privacy Act (CCPA).
Since cyberattacks have generated a renewed focus on backup, a new sub-industry sector has emerged, driving newer, more sophisticated backup solutions that combine cyber recovery with sophisticated analytics, machine learning, and isolated air gaps.
Currently being tested by early adopters who have already gone through an attack, these elevated backup/cyber solutions are on their way to becoming the industry standard and may impact at least the speed with which the ransomware market is exploding.