“We are working closely with third-party forensic investigators…”
Cygilant, a Boston-based security firm, boasts “enterprise-class Security-as-a-Service for threat detection, response and compliance so you can sleep at night.”
Its own incident response team is unlikely to have slept well over the weekend, after the company itself fell victim to an apparent Netwalker ransomware attack.
Cygilant runs a Security Operations Centre (SOC) for predominantly mid-sized businesses, among other security services. It was founded in 2001 and has raised a total of $34 million in funding over eight rounds, Crunchbase data shows.
Cygilant Hacked: Docs Posted by NetWalker
It acknowledged the attack publicly on September 4, after screenshots of internal documents were posted to a site on the dark web associated with the Netwalker group. The intrusion vector and extent of the compromise are unclear.
(Netwalker intrusions typically start via exploitation of outdated server software like Weblogic or Tomcat, or phishing attacks, Sophos analysis shows. Among the threat group’s recent wins: a $1 million payout by the University of California).
Christina Lattuca, Cygilant’s chief financial officer, said the company was “aware of a ransomware attack impacting a portion of Cygilant’s technology environment.”
“Our Cyber Defense and Response Center team took immediate and decisive action to stop the progression of the attack. We are working closely with third-party forensic investigators and law enforcement to understand the full nature and impact of the attack. Cygilant is committed to the ongoing security of our network and to continuously strengthening all aspects of our security program.”
Brett Callow, who tracks ransomware attacks at his security firm Emsisoft, said documents confirming the incident had been removed from the Netwalker page over the weekend, suggesting negotiations had started with the group — or perhaps that a ransom had been paid.
Cygilant is aware of a ransomware attack impacting a portion of Cygilant’s technology environment. Our team took immediate and decisive action to stop the progression of the attack and is working closely with third-party forensic investigators and law enforcement.
— Cygilant (@Cygilant) September 4, 2020
Cygilant is far from the only SOC or indeed broader IT services provider to fall victim to ransomware over the past year. Everis, one of the largest managed service providers in Spain was infected with a version of the BitPaymer ransomware in November; fellow Spanish security firm Prosegur, which runs six SOCs, was hit by Ryuk the same month.
Security firm Trend Micro meanwhile saw a limited breach in early 2019, while Avast suffered a sophisticated breach in October 2019 by unknown attackers.
In April 2020, meanwhile, US IT services heavyweight Cognizant — a $16.8 billion by 2019 revenue stalwart of the Fortune 500 — admitted that a Maze ransomware attack had hit internal systems and was causing service disruption for clients.
Managed service providers across any industry segment (fintech, IT services, etc.) are an alluring target for ransomware crews: the downstream pressure from customers when services are knocked out builds huge pressure on such companies to resolve the incident fast, heightening the likelihood of a payout for criminals.