The attack on Randstad follows a now-familiar pattern. The attackers get in, exfiltrate valuable data, plant ransomware to encrypt their victim’s data, then demand a ransom while extorting them with the threat of releasing the stolen data. It is a win/win for the attacker, with the victim losing either by paying up, or suffering the public disclosure of their sensitive data.
Organizations need to improve their entire cybersecurity stack, including everything from user training to advanced security analytics, to stay ahead. An up-to-date security stack and appropriate process will let them quickly identify a breach before it can escalate and, hopefully, prevent it from happening in the first place.
December 08, 2020
Chloé Messdaghi, VP of Strategy, Point3 Security
As far as we know, Randstad never received a ransom note related to this attack, which is interesting, since what makes ransomware so effective is that if the attackers can slow down or shut down operations, they can then demand a ransom. In this case, though, from what we have learned, their operations weren’t slowed down, and companies typically pay ransom when they are. And kudos to Randstad for that – they did a good job at making sure that if they WERE ever compromised, their data would be safe in other areas. We refer to the 3-2-1 approach: three copies of data stored across two mediums and one cloud storage provider, so you can recover from any of those three locations. The only way to avoid ransomware on backup systems is to have a plan in place, revisit it regularly, and back up very often. And there’s a good chance this is the exact kind of plan Randstad had in place.
It’s important to note, though, that this HAD to have come from a phishing email, which means someone DID click on a link. This is yet another reminder to ensure your entire organization is always aware. Every single employee needs to understand how important they are in this chain of security. Every single person has the potential to be compromised, which could open up the entire organization. Just one person! Making sure everyone understands the potential effects of clicking on a link without confirming it first is so very important. Look at the details of the sender, make sure you’re fully awake, make sure you’ve had your caffeine, be on your toes at all times.
Also, it’s good to see that they didn’t use the term “hacker” when referring to the Egregor attackers, recognizing the difference between those threat actors and the hacker community, which discovers and generally attempts to disclose vulnerabilities before an attacker can exploit them.