French media is reporting that the Bouygues Group’s construction subsidiary has been hit by a massive ransomware attack. The entire computer network has been affected, and all of the company’s servers shut down. A ransom of 10 million Euros has been requested, and at least 200GB of data already stolen.
The @Bouygues_C computer network has been the victim of an act of cybercrime. We are doing everything we can to get back to normal as soon as possible. We are in close contact with our customers and partners as well as the relevant authorities. https://t.co/eHW3qoJMlD
— Bouygues Construction (@Bouygues_C) January 31, 2020
The threat actors behind the Maze ransomware attacks are responsible for this attack, and they are known to steal the victim’s data before encrypting it. Because the data is also stolen, the threat actors can threaten Bouygues Construction with public release of that data unless a ransom is paid. The company has responded professionally by acknowledging the attack, and this is a vital step in responding to such cyber attacks.
The Maze ransomware has hit a range of organisations in the past, including the US city of Pensacola, Allied Universal (security company) and Southwire (cabling giant). The ransomware uses RSA-2048 and ChaCha20 encryption and normally requires the victim to contact the threat actor by email for the decryption key.
The following mitigation techniques can be used to prevent such an attack:
⦁ User education (security effectiveness rating: Good)
⦁ Back up your critical data (security effectiveness rating: Excellent)
⦁ Restrict Internet access (security effectiveness rating: Very Good)
⦁ Continuous security monitoring (security effectiveness rating: Excellent)
⦁ Keep your systems patched and configured in a secure manner (security effectiveness rating: Excellent)
⦁ Restrict administrative access (security effectiveness rating: Excellent)
We’ve recently seen multiple Maze ransomware attacks and data leaks, particularly in the US, which prompted the FBI to put out warnings late last year. The attack on Bouygues is thought to have spread from their US operations and widely disrupted their global IT operations.
Ransomware is an insidious threat that spreads virulently at machine speed across the victim’s internal networks, and there are no perfect defences. With this type of high-velocity attack, time is the defending security team’s most precious resource. Early detection and response can make the difference between a contained, minimised incident and the situation of facing massive business disruption, a reported 10M euro ransom and all the reputational damage risks that Bouygues now faces.
We’re increasingly seeing cybercriminal gangs adapt their tactics to become more targeted and focused on economic efficiency for their efforts, even to the point that attackers seek to publicise their attacks to increase pressure on the victims. So, seeing media attention, such large ransom demands, and threats of data leaks isn’t surprising.
It’s important not to leap to conclusions prematurely when anyone is hit with a cyberattack. With Bouygues being hit by ransomware, let’s keep in mind that even the strongest of people can still be sucker-punched. Cyber attacks are the new norm and no defence is perfect. The post mortem on this attack will be very important to Bouygues, and to the world of critical infrastructure at large. As more and more traditional power, manufacturing and construction networks are connected, the security models from the world of PCs and servers gain another dimension and a massive increase in footprint.
None of us know exactly what occurred inside Bouygues as they weather this storm, but we all wish them the best in recovery and will wait to hear the after-action report. At the end of the day, this new attack is a call to enterprises, government agencies and companies of all sizes to prepare in peacetime for when the unthinkable happens. Organisations need strong prevention and detection tools to ensure that any damage that occurs can be minimised. Recovery is paramount, and continual improvement and learning after discovery are critical. We live in a world of expanding network footprints with billions of connected devices, and attentiveness, diligence and patience are required to minimise risk and turn the tables on adversaries.