Cybereason Blog | Cybersecurity News and Analysis

Cl0p Ransomware Gang Tries to Topple the House of Cards

Written by Lior Div | Dec 3, 2021 7:01:52 PM

When I wrote the introduction for our recent report Organizations at Risk: Ransomware Attackers Don’t Take Holidays, I described current factors and trends with the potential to disrupt the upcoming holiday season. 

“Combine that with a fragile economy, struggling supply chain logistics, and the likelihood of a significant ransomware attack during the upcoming holidays and we have a house of cards scenario that could collapse if anything bumps the proverbial table.”

The Clop ransomware gang just tried to bump the table.

Struggling Supply Chain

Swire Pacific Offshore (SPO) reported that it suffered a ransomware attack in which the attackers were able to compromise sensitive employee information. The Cl0p ransomware gang claimed responsibility and shared screenshots of some of the data as verification. The world is struggling to address shipping and supply chain issues, so an attack on a shipping company could potentially have a tragic ripple effect.

Cl0p Ransomware Gang

We have been monitoring the Cl0p ransomware gang since 2020, so we are very familiar with how the group operates. It seems that SPO’s compromised data was exfiltrated primarily from email archives—which fits with their history of targeting vulnerable Microsoft Exchange Servers. 

The Cl0p ransomware gang was the focus of a 30-month international investigation dubbed “Operation Cyclone” that resulted in 20 raids across Ukraine after the group targeted E-Land in a two-pronged attack combining point-of-sale malware and ransomware. The fact that the group survived that scrutiny and is still active indicates that the main members were not caught in those raids. They are most likely based in Russia—which has a history of tacitly supporting cybercriminals with state-condoned and state-ignored attacks.

To Pay or Not to Pay?

Thankfully, it seems like the house of cards will survive this attack. The company stated that no confidential company data was compromised or exposed, and the attack failed to have any material impact on operations. Shipping and the supply chain should not be affected by this attack. 

Of course, that doesn’t help the employees who had sensitive personal data stolen or exposed. We don’t know if SPO has been able to restore data from backups, or whether they are negotiating to reduce the ransom demand or perhaps have already paid the ransom to prevent any further leaking of employee data. 

The question of whether or not to pay a ransom is difficult. It may seem expedient to simply pay the ransom and get back to business as usual, but it’s not that simple. It’s not a good idea to pay a ransom unless not doing so risks human life or public safety, or poses an existential threat to the survival of the company. We shared the results of research earlier this year that revealed that nearly half of organizations that pay a ransom are still unable to recover all of their data. We also discovered that 80 percent of companies that admitted paying a ransom were hit a second time—often by the same ransomware gang.

The cooperation between allied nations and between the public and private sectors is encouraging, and will help bring cybercriminals to justice. With countries like Russia providing safe harbor, though, that remains a significant challenge. It also doesn’t directly help organizations that are victims of ransomware attacks, or do anything to protect you from being the next victim.

You can expect that ransomware gangs will be putting in overtime during the remaining holidays this year to try to topple that house of cards. You need to have the right tools in place to detect and stop ransomware before your data is encrypted, and make sure you have a specific plan in place to respond quickly and effectively to a ransomware attack over a weekend or holiday.