Clop and BlackCat Ransomware Gangs Claim Separate Attacks Against Estée Lauder

  • Two of the most prolific ransomware gangs which gained infamy in recent years, Clop and BlackCat, are believed to have attacked Estée Lauder.
  • The Clop ransomware exploited the MOVEit Managed File Transfer vulnerability to access the company’s systems.
  • The beauty products company has engaged cybersecurity experts and law enforcement to investigate the incidents.

This week, cosmetics giant Estée Lauder confirmed it suffered a cybersecurity incident after two ransomware gangs claimed to have victimized the U.S.-based company. The double whammy led threat actors to access its systems and exfiltrate some data.

Two of the most prolific ransomware gangs which gained infamy in recent years, Clop and BlackCat, are believed to have attacked Estée Lauder, disrupting its regular system and business operations.

Erich Kron, security awareness advocate at KnowBe4, told Spiceworks, “In these days when timing is critical for the production of items, cyberattacks can cause far more issues than many organizations are prepared for. Ransomware can seriously impact production, and data theft can lead to very significant regulatory fines, especially for multinational or global organizations.”

The BlackCat ransomware gang, also known as ALPHV, claimed to have stolen 130 GB of company data and hinted that the data relates to customers, employees, and suppliers. At the same time, Clop said it had obtained 131 GB of Estée Lauder data. Neither threat group encrypted the company’s systems, as is typical of contemporary ransomware gangs.

Sally Vincent, senior threat research engineer at LogRhythm, told Spiceworks, “While numerous companies in the retail sector have prioritized enhancing the customer experience and providing seamless online services, unfortunately, investment in security strategies to mitigate cyberattack vulnerabilities is often neglected until after an incident occurs.”

BlackCat went on to gleefully point out that it had access to the Estée Lauder network despite the company calling in Microsoft’s Detection and Response Team (DART) and Mandiant for incident response.

It is unclear what the Clop ransomware syndicate wants from Estée Lauder, though a statement on its leak site suggests indifference to monetary gain, which is highly unlikely. The statement reads, “The company doesn’t care about its customers; it ignored their security!!!”

On the other hand, BlackCat is looking forward to negotiating with Estée Lauder. Failure to do so would be met with the leak of details on the stolen data, BlackCat threatened.

Avishai Avivi, CISO at SafeBreach, told Spiceworks, “I do not envy the Estée Lauder CISO, Executive Leadership, and its board. Unfortunately, their troubles are just now beginning. In the immediate aftermath, they have a significant loss of operational capability. Their future includes class-action lawsuits, regulatory fines, and extensive legal fees.”

While the attack path is yet to be ascertained, the Clop ransomware gang has actively exploited the MOVEit Managed File Transfer vulnerability since May this year and has already compromised multiple companies.

Meanwhile, BlackCat has supposedly exploited a different vulnerability. “The interesting twist, in this case, is that it’s a victim of two different malicious actor groups simultaneously,” Avivi added.

“While the two groups exploited different vulnerabilities, it brings up an important phenomenon. Malicious actors recycle and reuse vulnerabilities and malware toolkits. Our research indicates that the same 16 MITRE ATT&CK Tactics, Techniques, and Procedures (TTP) have been used in 90% of observed attacks.”

To fend off similar ransomware attacks, Vincent advised organizations to take stock of how their IT infrastructure was configured at the time of the attack. “This configuration should enable them to obtain a comprehensive forensic perspective of abnormal and malicious activities across all fronts. An appropriately configured security monitoring solution with full visibility into the environment likely would have identified indicators of compromise related to the attack. It could have helped thwart the ransomware gangs.”

Stephan Chenette, co-founder and CTO at AttackIQ, echoed similar opinions. “To prevent similar attacks in the future, organizations must gain knowledge of the common tactics, techniques, and procedures used by common threat actors, which will help them build more resilient security detection, prevention, and response programs mapped precisely to those known behaviors,” Chenette said.

“Organizations should also use automated solutions that safely validate their defensive controls against ransomware campaigns and their techniques to better prepare for the next threat.”

Proactive cybersecurity investments and education should also be encouraged to deter ransomware as a whole, considering 62% of all cyber incidents perpetrated by organized threat groups involve ransomware.

“My hope is that all companies learn from this painful experience. It is much more effective to invest a fraction of the cost upfront in proactive security control validation work to ensure their company’s security posture can withstand these attacks than to waste several orders of magnitude higher resources to fix the damage the malicious actors caused,” Avivi said.

Image source: Shutterstock