Bloomberg reported late Friday that US wine and spirits giant Brown-Forman has become the latest big-name brand to suffer a serious ransomware-related data breach, according to the cyber-criminals.
Bloomberg reported late Friday that US wine and spirits giant Brown-Forman has become the latest big-name brand to suffer a serious ransomware-related data breach, according to the cyber-criminals.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
It sounds like Brown-Forman have managed to avoid the full brunt of this attack and the integrity of their data remains intact. Unfortunately the confidentiality does not. Sophisticated cybercriminal organizations like REvil understand the basic elements of information security and have developed a double-whammy attack style which leaves their victims vulnerable on both fronts. They will always seek to encrypt and exfiltrate data to give themselves more vectors of leverage to extort money for its decryption and/or safe return. Some companies have paid large sums for the latter in the past, trusting their blackmailers when they say that they haven’t shared or sold the data prior to its safe return. But they are organized criminals so can you really expect them to be telling the truth when they stand to make millions in ransoms and even more for selling the data to other criminal organizations.
Brown-Forman is stuck between a rock and a hard place right now but they’re doing the only sensible thing they can by contacting the authorities and trying to mitigate their attack. At least by now, they’ll have a good idea about what data has been compromised and can work on a decent incident response plan.
Kudos to them for not paying any ransoms yet.
Even if Brown-Forman were to pay the ransom, there is no guarantee that hackers wouldn\’t leak, sell, or use the data. I do not expect Brown-Forman to pay any ransom, because none of its data was encrypted by the ransomware. The company hasn\’t specified what the 1TB of stolen data actually contains, but it appears to mostly be internal data rather than customer data.
Sodinokibi is among the top five ransomware families that we’ve observed across our customer set this year at Red Canary. The threat operates under the ransomware-as-a-service model, relying on other adversaries to gain initial access. In this way, Sodinokibi’s initial access methods can vary from one campaign to the next, and no single preventive strategy will mitigate the threat posed by this malware entirely. Sodinokibi is a great example of why organizations should strive to provide defense-in-depth because it leverages such a dynamic array of techniques. As such, organizations will want to implement strong email security controls, stay up-to-date with web application patches, and restrict administrative access, to name a few controls.
The best mitigating control for ransomware is a robust disaster recovery and business continuity strategy that includes backups. One recommended practice is the 3-2-1 method: make at least three copies of data, on at least two different device types, with at least one backup stored offsite.
Unfortunately, this particular incident offers us a very real look at how data theft completely changes the risk calculus of organizations that are responding to a ransomware infection. By all accounts, Brown-Forman was able to prevent the ransomware from actually encrypting their files. Under the conditions of a normal ransomware attack, preventing encryption would be the end of the story. However, when extortion is involved, a victim can have a functioning business continuity plan, but still take a hit if the adversaries decide to leak their data.