RR Donnelley Cyberattack
In other cybersecurity news, integrated communications giant RR Donnelley has confirmed that threat actors stole data in a December cyberattack.
BleepingComputer confirmed it to be a Conti ransomware attack. RR Donnelley disclosed the attack in a filing with the Securities and Exchange Commission (SEC).
“On Dec. 27, 2021, [the company] announced it had recently identified a systems intrusion in its technical environment,” it said. “The company promptly implemented a series of containment measures to address this situation, including activating its incident response protocols, shutting down its servers and systems, and commencing a forensic investigation. The company has engaged a cybersecurity expert to examine the incident and to oversee the implementation of appropriate remedial actions. The company has notified and is working with appropriate law enforcement authorities. As a precautionary measure, the company has isolated a portion of its technical environment in an effort to contain the intrusion.”
RR Donnelley said it was actively engaged in restoring the affected systems and returning to normal levels of operations.
“At this time, the company is not aware of any compromise of client data,” it said. “The company is in the early stages of its investigation and assessment of the security event, and cannot determine at this time the extent of the material adverse impact, if any, from such event on its business, results of operations or financial condition.”
Tim Erlin is Tripwire’s vice president of strategy.
“Ransomware isn’t just about encrypting your data any longer,” he said. “It’s now about exfiltrating your data and holding it hostage. The strategy of taking a copy of data to ransom means that simply having backups from which you can restore isn’t really a sufficient ransomware strategy.”
In most incidents, the initial discovery and report rarely provide a complete picture, Erlin said. The fact is, it takes time for organizations to discover what really happened. Additional information is likely to come out after the initial report.
“As usual, the reporting and the regulatory filing focus on the ransomware and the data, but don’t really explain how the attacker was able to succeed,” he said. “Information about how the attack occurred, the initial vector and subsequent steps, can really help other organizations organize their defensive measures. Successful ransomware attacks aren’t inevitable. Implementing strong security controls can prevent these types of attacks, but more information makes for better defensive decisions.”
Erich Kron is security awareness advocate at KnowBe4.
“Ransomware continues to not only be disruptive to businesses, but is also very threatening to personal information of employees, customers and intellectual property,” he said. “The Conti group is well known for leveraging data theft in order to facilitate the payment of significant ransoms by victim organizations.”
Since ransomware primarily spreads through phishing emails or remote access portals, organizations can lower their risk of infection by ensuring employees are trained to spot and report phishing emails to internal security teams, Kron said. They should also ensure strong security controls are applied to remote access portals. In addition, ensuring accounts used for remote access have multifactor authentication (MFA) can help lower the risk of intrusion.