Dragos blocks ransomware attack, brushes aside extortion attempt
A ransomware group has tried and failed to extort money from Dragos, the industrial cybersecurity firm confirmed on Wednesday, reassuring customers that none of its systems, including the Dragos Platform, had been breached.
What happened?
“The criminal group gained access by compromising the personal email address of a new sales employee prior to their start date, and subsequently used their personal information to impersonate the Dragos employee and accomplish initial steps in the employee onboarding process. The group accessed resources a new sales employee typically uses in SharePoint and the Dragos contract management system. In one instance, a report with IP addresses associated with a customer was accessed, and we’ve reached out to the customer,” the company explained.
The attackers also tried to access Dragos’ messaging, IT helpdesk, customer support, financial, employee recognition, sourcing and procurement, and marketing systems, and were thwarted by role-based access control (RBAC) protections.
The attackers claim that they exfiltrated over 130 GB of data, but they didn’t manage to deploy ransomware (“a known TTP of this criminal group,” according to Dragos).
Nevertheless, they sent repeated messages to company executives and publicly known contacts, threatening to make the stolen data public if the company did not pay.
“The cybercriminal’s texts demonstrated research into family details as they knew names of family members of Dragos executives, which is a known TTP. However, they referenced fictitious email addresses for these family members. In addition, during this time, the cybercriminal contacted senior Dragos employees via personal email. Our decision was that the best response was to not engage with the criminals. The data that was lost and likely to be made public because we chose not to pay the extortion is regrettable,” the company said.
Advice for companies
Dragos has taken the welcome and praiseworthy step of publicly sharing the details of the attack.
They published a timeline of the attack (starting on May 8) and explained that “every thwarted access attempt was due to multi-step access approval.” They have also shared indicators of compromise and security recommendations for companies.
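The two controls credited above, role-based access control and multi-step access approval, are what kept a hijacked onboarding identity confined to the resources a new sales hire would normally reach. The following is an added illustration, not Dragos' code and not a description of its internal systems: it models an identity whose roles grant a small set of resources, layers a required-approvers check on top of the role grant, and flags an identity that probes many systems it is not entitled to. All role names, resource names, approver names and the probing threshold are constructed for the example.

```python
"""Added example (not Dragos code): RBAC plus multi-step approval as layered
access checks, with a simple probing detector over the denied attempts.
Role, resource and approver names below are constructed for illustration."""
from dataclasses import dataclass, field

# Constructed role -> resource grants. A "sales" role reaches only sales material.
ROLE_PERMISSIONS = {
    "sales": {"sharepoint:sales", "contracts:read"},
    "finance": {"finance:ledger"},
    "it": {"helpdesk:admin"},
}

# Constructed per-resource approval steps; every listed approver must sign off
# before the role grant alone is enough.
APPROVALS_REQUIRED = {
    "contracts:read": ("manager",),
    "finance:ledger": ("manager", "finance-owner"),
    "helpdesk:admin": ("manager", "it-owner"),
}


@dataclass
class Identity:
    name: str
    roles: set
    # resource -> set of approvers who have already signed off
    approvals: dict = field(default_factory=dict)


@dataclass
class Decision:
    allowed: bool
    reason: str


def check_access(identity: Identity, resource: str) -> Decision:
    """Layer 1: RBAC. Layer 2: all required approvals present. Deny otherwise."""
    granted = any(resource in ROLE_PERMISSIONS.get(r, set()) for r in identity.roles)
    if not granted:
        return Decision(False, f"no role of {identity.name} grants {resource}")
    required = set(APPROVALS_REQUIRED.get(resource, ()))
    missing = required - identity.approvals.get(resource, set())
    if missing:
        return Decision(False, f"missing approvals for {resource}: {sorted(missing)}")
    return Decision(True, "role grant and all approvals present")


def record_approval(identity: Identity, resource: str, approver: str) -> None:
    """One approval step signed off by a named approver."""
    identity.approvals.setdefault(resource, set()).add(approver)


def denied_attempts(identity: Identity, attempts: list) -> list:
    """Return (resource, reason) for each attempt the checks refused."""
    out = []
    for resource in attempts:
        decision = check_access(identity, resource)
        if not decision.allowed:
            out.append((resource, decision.reason))
    return out


def looks_like_probing(identity: Identity, attempts: list, threshold: int = 3) -> bool:
    """Flag an identity refused on `threshold` or more distinct resources.
    A brand-new account touching many unrelated systems is the pattern a SOC
    would want surfaced from access-denied events."""
    refused = {resource for resource, _ in denied_attempts(identity, attempts)}
    return len(refused) >= threshold


if __name__ == "__main__":
    # Constructed new hire: sales role, manager has approved contract access.
    hire = Identity("new-sales-hire", {"sales"})
    record_approval(hire, "contracts:read", "manager")
    probe = ["sharepoint:sales", "contracts:read", "finance:ledger",
             "helpdesk:admin", "finance:ledger"]
    for resource in probe:
        print(resource, check_access(hire, resource))
    print("probing:", looks_like_probing(hire, probe))
```

The point of the second layer is that even a role the attacker legitimately inherits from the impersonated hire does not by itself open a sensitive system: a resource listed in APPROVALS_REQUIRED stays closed until every named approver has signed off, and each refusal is an event worth counting.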
“Transparency and defense can win,” noted Dragos co-founder and CEO Robert M. Lee.
“We hope sharing this can help other organizations prepare. And to be clear, the person whose personal email address was compromised before they started onboarding at Dragos will absolutely be one of our valued employees (when they get their accounts back). We don’t blame victims at Dragos and no one else should either.”