GIGABYTE fell victim to ransomware twice. What can we learn from it?
Taiwanese computer hardware manufacturer GIGABYTE fell victim to ransomware twice in three months. The cost of recovery after a ransomware attack can be 10 to 15 times more than the ransom. What can companies do to better protect themselves?
Ransomware continues to be one of the most devastating threats to organizations, Digital Shadows claims. The LockBit 2.0 ransomware group alone had a whopping 203 victims listed on its data-leak site in just three months.
According to the recent Gartner report, the cost of recovery and the resulting downtime in the aftermath of a ransomware attack, as well as the reputational damage, can be 10 to 15 times more expensive than the ransom.
The stakes are high, and therefore companies want to avoid ransomware at all costs. But are they putting in enough effort? GIGABYTE was allegedly hit by ransomware twice in the last three months, which makes you wonder whether it has done enough to secure its environment.
Second time in three months
In August, GIGABYTE was hit by the ransomEXX ransomware gang. It claimed to have stolen 112 GB of data and threatened to release it if the company didn’t pay the ransom.
CyberNews Research Team discovered that a 7 GB archive of confidential data that purportedly belongs to GIGABYTE had been leaked on a hacker forum following a recent attack by the ransomEXX ransomware gang.
The archive was initially posted on ransomEXX’s public website, presumably after GIGABYTE refused to pay the ransom demanded by the attackers on August 12. The stolen data contained GIGABYTE internal company information as well as Intel and AMD proprietary data, including the source code for the Intel Manageability Commander and numerous confidential documents related to AMD.
Just three months later, in October, the AvosLocker ransomware gang added GIGABYTE to its victim list.
“If they refuse to negotiate, we will leak all the data we’ve got,” the infiltrator claimed.
AvosLocker is a relatively new ransomware gang, first observed in late June 2021, when it started looking for new affiliates on various forums. Its operations are based on the ransomware-as-a-service (RaaS) model, and it allegedly accepts only Monero (XMR) payments.
“The cyberattack on Gigabyte in August was a continuation of a disturbing trend of ransomware being used as blackmail,” Ric Longenecker, CISO at Open Systems, told Cybernews. “The company potentially being targeted for the second time in three months is alarming and serves as a warning to all companies to beef up their preventative measures and incident response plans.”
According to him, turning to solutions like managed detection and response (MDR) can effectively prevent and combat the risk of a cyberattack.
“MDR protects businesses by combining operational experience and human expertise, advanced threat detection, and AI-driven technology so attacks can be identified and responded to as early as possible. It also provides more mature security programs, access to elite security experts when you need them, and more value to the business,” he said.
Mike Wilkes, Chief Information Security Officer (CISO) at SecurityScorecard, believes the recent incident is much smaller than the attack against GIGABYTE in August. However, the fact that GIGABYTE was allegedly compromised two separate times in the last few months provides a couple of lessons to consider.
“Firstly, company executives sometimes apply pressure to transition too soon from the eradication phase of incident response to the recovery phase. The conventional words of wisdom here are ‘absence of proof is not proof of absence.’ Meaning that an organization that did not detect and quarantine the AvosLocker ransomware reportedly used in this recent attack will be hard-pressed to conclude with any confidence that they are free of it after an incident or breach. AvosLocker is run manually by a member of the ransomware gang and not automatically according to threat intelligence research on the multi-threaded C++ tool used by the gang. This indicates there is not a stealth approach being applied. If ransomware gangs are able to maintain persistent remote access to your network, then repeated compromise is almost assured,” he explained.
Second, the purportedly exfiltrated data in a zip file of about 15 megabytes looks to be a mixture of files from several years ago as well as more recent files from May. The kinds of files included in the dark web "proof of compromise" could easily have been found on an HR laptop given that there was a folder called "passports" and over 1,000 candidate resumes, Wilkes believes.
Each of these events, if true, points to a failure by the company to maintain an effective endpoint detection and response (EDR) solution. “At least two types of malware were able to run without detection: remote access software providing the digital criminals the ability to launch the ransomware tools and the ransomware software itself.”
SecurityScorecard's internet scanning engines reveal several potential attack vectors, any of which could lead to someone's workstation or laptop being hit by ransomware. And, according to Wilkes, discovering what your internet-facing vulnerabilities are is one proactive step every company should take in order to reduce the likelihood of a security breach.
“Don't run insecure and outdated versions of web server software, don't expose legacy email protocols like POP3 that transmit usernames and passwords in cleartext and don't run your own MS Exchange servers after the set of vulnerabilities that were exploited this spring such as ProxyLogon by the Chinese and the Russians,” he said.
Key challenges and mitigation
Gartner has listed the three main challenges around ransomware:
According to the researchers, recent ransomware campaigns, such as REvil and Ryuk, have become human-operated ransomware rather than spreading automatically. Such attacks often take advantage of well-known security weaknesses to gain access.
“For example, a number of recent ransomware incidents are thought to have started with poorly configured or vulnerable remote desktop protocol (RDP) configurations. Previously compromised credentials are also used to gain access to accounts,” the report reads.
Protecting organizations against these attacks goes beyond endpoint protection and encompasses many different security tools and controls. “Inevitably, ransomware may get past your defenses and the protections put in place. Then it becomes a matter of how quickly you are able to detect the incident,” Gartner claims.
Researchers recommend security and risk management leaders responsible for endpoint and network security focus on all three stages of a ransomware attack:
1. Get ready for ransomware attacks by constructing a pre-incident preparation strategy that includes backup, asset management, and the restriction of user privileges. Determine whether the organization is ultimately prepared to pay a ransom or not.
2. Implement detection measures by deploying behavioral-anomaly-based detection technologies to identify ransomware attacks.
3. Build post-incident response procedures by training staff and scheduling regular drills.