In a recent podcast interview with Cybercrime Magazine's host, Charlie Osborne, Scott Schober, Cyber Expert, Author of "Hacked Again," and CEO of Berkeley Varitronics Systems, discusses the recent cyberattack on Blue Yonder, including how the incident impacted supply chains, effective steps an organization can take after a ransomware attack, and more. The podcast can be listened to in its entirety below.
Welcome to The Data Security Podcast sponsored by Cimcor. Cimcor develops innovative, next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real-time while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can learn more about Cimcor and CimTrak on the web at cimcor.com/cimtrak.
Charlie: Scott, welcome. Thank you for joining us.
Scott: Wonderful to be here with you, Charlotte.
Charlie: So, in this episode, we're going to be discussing a ransomware attack suffered by the supply chain management company Blue Yonder.
Now, for the benefit of our listeners, the attack took place in November, and Blue Yonder customers have truly felt the impact. Scott, what were the ramifications of this ransomware attack? And what happened?
Scott: Yeah, it's kind of an interesting one here, and it was carried out by an interesting name, the Termite ransomware gang. I think they really came about following a strain of other ransomware and another group, Babuk ransomware, and they were fairly large. I think they had already extorted about $49 million in ransoms, and a bunch of payments, and it looks like Termite kind of built upon that backlog of things and picked it up again. So it's really a newer ransomware gang.
They began surfacing in about 2024, and in this particular case, they really disrupted and impacted Blue Yonder customers. And those were the likes of Starbucks, Sainsbury's, and Morrisons. Some large, large companies that have a global presence, and in particular, Morrisons specifically experienced a lot of issues with their warehouse management systems. So these are really kind of targeted supply chain consequences that resulted from a ransomware attack on Blue Yonder. So devastating impacts start to happen because these things unfold over time and cause nothing but grief for all of their customers and their partners in the chain.
Charlie: According to reports, Termite said it has stolen 680 GB worth of data. Scott, how much of a problem is this? I mean, we hear all these numbers bandied about a lot when it comes to these groups. 680 gig, is it really a big deal?
Scott: Yeah, absolutely. And that's a really great point that you bring up. The sheer size of data that's been compromised is amazing. And that's likely gained through a combination of maybe phishing attacks, but also them exploiting different vulnerabilities. And sometimes, honestly, they just go on the dark web and they'll purchase stolen credentials. So the combination of all that allowed them to get into the network and steal that massive trove of 680 GB of data. And then if you break it down, what's in that data? I guess it's really the gems, the bits that are valuable to them. They say it was over 16,000 email lists, which are useful now because they've got all these contacts and information for what?
For future phishing attacks.
So they really build upon this. There were about 200,000 insurance documents. Obviously, insurance documents contain financial details and sensitive personal information for clients. So it's really scary there. And I guess one thing to really highlight is that this was what's called a double extortion attack, which is kind of a combination of data encryption to disrupt systems, and then also data theft to leverage for the ransom demand. I call it the 1-2 punch.
So that makes it really powerful for them to negotiate a ransom and maximize this and really cause Blue Yonder and those in the supply chain there a lot of pain, and that makes it happen much quicker, I think—the payout—and much more lucrative.
Charlie: I'm glad you mentioned the payout because it is a controversial practice, but I would still love to hear your opinion on it. Do you think organizations should ever pay such ransoms?
Scott: Excellent question. My first answer is no.
For the obvious reasons. You're emboldening cyber criminals. You're financing their criminal empire. You're giving them more money to give them more tools and techniques and grow. That being said, here's where I personally have drawn the line. If it affects lives. What do I mean? In other words, if it's a targeted attack against a hospital, an ER, where it shuts down and they can't get access to patient records and X-rays and emergency procedures, and people die.
You know what? Pony up the money and pay the ransom.
And hospitals have insurance that helps and other things, because people's lives are what's paramount. That's what has to be protected first and foremost.
For these other things, hey, if I can't get my Starbucks coffee, okay. You know what? That's okay. It's not going to kill me or anyone else. But I think we really have to focus on drawing that line in the sand and saying, hey, if it affects a life, pay the ransom. Get back online and keep things moving. The negative side of that is obviously that ransomware gangs may then start to target more critical things, such as healthcare systems and hospitals and doctors and things like that, because they know that they're going to get paid out. So it's walking that fine line. But as a rule of thumb, start with the premise: don't pay the ransom. And again, since these ransomware gangs are businessmen, keep in mind that just because they say, "Hey, give me X number of millions of dollars," that doesn't mean that's what the payout actually is. It's always negotiated. There's actually a back and forth that goes on to get a reasonable acceptance on this. And again, even if one pays the ransom, it does not guarantee that they'll get the, you know, decryption keys to decrypt the data and turn the system back on and back to normal. So there's a level of trust, and it's hard to trust and find an honest thief, if you know what I mean.
We'll be right back after a quick word from our sponsor.
Cimcor develops innovative next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real-time while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can find out more about Cimcor and CimTrak on the web at cimcor.com/cimtrak. That's C-I-M-C-O-R.com slash C-I-M-T-R-A-K.
And now, back to the podcast.
Charlie: As a cybersecurity journalist, I've kept an eye on the ransomware market, as it were, considering it is now pretty much a very big, illicit business, and something that struck me was that even though the group is apparently quite new, it was able to cause so much disruption with one attack by striking Blue Yonder. I wondered whether you thought perhaps this group, instead of being new, is actually something that's been rebranded, perhaps from one of the older groups that caught the attention of the FBI, for example.
Scott: Yeah, I do think that. I kind of implied that a little bit in the beginning, and just to expound on it: a lot of times, the secret sauce a ransomware group has is a particular strain of malware or ransomware attack that works effectively, and in this case, there was a known successful Babuk ransomware version. What they did was they took that, and then they tweaked it. You start modifying the script a little bit and tweak it around to make it more personal. And I think that's really what the Termite ransomware gang did. So, they built on something that was working and was successful, and likely they built upon a structured base and known targets and a procedure that was already outlined. So that's common. If we look at the world of business, if there's a successful business, it starts to become a franchise model where someone else can come in and learn what to do correctly and what not to do. And I think that's really what the Termite ransomware gang did.
They built upon the success of other ransomware groups prior to them, and used the tools and techniques that work and avoided the things that didn't work and get you caught and get you locked up in jail, and that's a concern. So it tells us that ransomware groups are getting smarter. They're evolving. They're more focused attacks. They're extorting a larger demand in the ransom, and they're having more success with these focused attacks.
Charlie: I also read an interesting note from a CYJAX report which mentioned that the Termite support page reads, "We are ready to help you." The researchers suggested that the group might be attempting to masquerade as a legitimate penetration testing service, for example.
Why would they bother? What's the point?
Scott: I guess they're trying to learn more and take advantage of things if they're now vying to say, "Hey, we're a penetration testing service." They're getting money at both ends.
They're saying, "Hey, we can come into your organization. We can show you where your vulnerabilities and weaknesses are." And oh, by the way, off the record, they probably take that information and sell it to either another group that can then extort and get a ransom from you, or they themselves, another splinter cell, will come in and do it. It kind of reminds me a little bit of companies. And again, this is rumored. I don't have proof for this, but it kind of makes sense. You hear about these companies that develop antivirus software and malware detection. And often, I've wondered how come they're so fast to detect these new zero-day variants. You wonder if the guy is not creating the malware and shipping it out the back door in hopes that they could now suddenly sell millions of dollars of antivirus and malware detection software. So it kind of feeds itself. I think a little bit of that happens when they get into that space, the world of penetration testing. They're really seeing and learning about known vulnerabilities that are within a company's network. So if they're providing a service, they're getting paid for that. But now they've got these secret gems that they could use selfishly to attack them or sell to someone else who could then go and attack them. So it's a very dangerous slope there.
Charlie: And Scott, to wrap up this episode, do you have any advice for organizations to mitigate the risk of ransomware attacks?
Scott: Yeah, absolutely. I think there are a couple of fundamental things that we as business owners really need to focus in on and ask ourselves the question: do I have an effective phishing prevention campaign set up? That's often the entry point where all of this havoc starts. So if we are not conducting ongoing employee training so they can clearly recognize a phishing email and report it, not being slapped on the wrist for it, or reprimanded or embarrassed, but rather praising or incentivizing employees for reporting it, that's a huge, huge step. Second, I would say the importance of implementing multi-factor authentication, MFA, really to limit the damage from credentials being stolen and compromised. It really does work. Yes, it slows down the time to log in and access things, especially remotely. It's another step. But layers of security have been proven to be very effective for building a strong cybersecurity posture. I'd also really encourage organizations to have effective patch management in place, regularly addressing the vulnerabilities that these strong ransomware gangs are exploiting.
It's important to keep patching. Also have some type of incident response plan in place, something that's been tested, a contingency plan.
That way, if and when you are a victim of a cyber attack, it will minimize any type of operational disruption, and that's important. And probably, finally, what ties in nicely with this Blue Yonder compromise, this ransomware attack, is supply chain risk management. Companies need to spend the time and spend the money to truly vet their third-party vendors and what cybersecurity measures they have in place, so that it can really prevent this ripple effect that seems to happen. That, I think, is really essential, those things.
Charlie: Scott, as always, thank you for taking the time to share your expertise with us today.
Scott: Wonderful being on with you. Thanks again. Stay safe, everyone.
January 2, 2025