
Ransomware is one of the most common cyber attacks faced by organizations. On January 21, 2020, the Gedia Automotive Group suffered a massive ransomware attack. A group of cyber-criminals compromised Gedia's IT systems and deployed a ransomware known as Sodinokibi (aka REvil). This highly sophisticated ransomware encrypted the victim's data, and the attackers threatened to publish sensitive data on the internet if the ransom was not paid. The German automobile parts supplier did not respond to the demand.
Data Breach
On January 24, 2020, the Sodinokibi group released a file containing data from Gedia's Microsoft Active Directory, including sensitive usernames and passwords, as proof that they had infiltrated the company's network. The group posted on two Russian-speaking underground hacking forums on the dark web. The post threatened to publish 50GB of sensitive data, including blueprints and employee and client information, if Gedia refused to pay the ransom. It has been revealed that the group used ADRecon to extract the data from Gedia. It has been confirmed that the attackers targeted machines running Microsoft Windows Server 2012 within Gedia's internal network.
Insights
The 100-year-old Gedia Automotive Group, headquartered in Attendorn, employs 4,300 people in seven countries, including Spain, Poland, Hungary, China and the US. In response to the ransomware attack, management decided to shut down the network immediately. This step was taken to prevent a complete breakdown of its IT infrastructure. According to recent tweets, analysis of the files released by the hacking group points to the critical flaw disclosed by Citrix, CVE-2019-19781 in the Application Delivery Controller (ADC) and Citrix Gateway, which Citrix has since patched. Data plays a crucial role in information security. If the victim does not pay the ransom, the attackers sell the victim's data to the highest bidder and publish the remainder on the internet. This has a huge impact on an organization's reputation, and the victim may also face heavy fines under the GDPR for violating information security and privacy laws.
Conclusion
Ransomware attacks affect the confidentiality and availability legs of the CIA triad. Since the data is encrypted, confidentiality is compromised. Moreover, management took the decision to shut down the IT systems, so availability is compromised as well. To avoid falling victim to such attacks, organizations should keep their systems up to date: as soon as a patch is released, they should make sure their machines are running the latest firmware. If things get out of hand, management, after reviewing all the options available, can take the considered decision of paying the ransom to get the data back safely.