February’s cyberattack on aerospace precision parts manufacturer Visser Precision in Denver, Colorado brings new pressures to the supply chain, introduced by DoppelPaymer ransomware.
Rather than encrypting a victim organization’s data and demanding a ransom to unlock the encrypted data, DoppelPaymer ransomware removes data from the victim organization and threatens to dump the data into public view unless the ransom is paid. The “data dump” exerts pressure above and beyond earlier ransomware methods. In the words of security awareness advocate Javvad Malik in a Forbes article on the breach, “even if the organization has backups in place, or can resume operations, the threat of leaking or selling commercially sensitive data and intellectual property will remain.” DoppelPaymer pressures both the target organization and the downstream customers whose data is being published.
Visser sources parts to high-flying customers such as Tesla, SpaceX and Lockheed Martin, and the recent attack against it highlights how evolved cyberattacks pose risk to reputation and bottom line. Visser’s nondisclosure agreements with both SpaceX and Tesla, sales contact lists, tax forms, receipts and proprietary missile designs were launched into public view in the attack. The damage to Visser from this attack is potentially far-reaching and long-lasting because:
- Revealing confidentiality agreements risks unveiling the contracts behind those agreements.
- Revealing pricing puts the victim at a disadvantage to competitors now and in the future, as the victim is bound to those agreements, whereas competitors could undercut the victim’s price.
- Revealing contracts puts victims at risk of breaking confidentiality agreements, which allows customers to lawfully break favorable agreements. Furthermore, if a customer discovers that a competitor is getting a better deal, it may sue for anticompetitive price discrimination under the Sherman Antitrust Act or the Robinson-Patman Act of 1936.
DoppelPaymer ransomware brings the “to pay or not to pay” dilemma to mind. While paying the ransom to recover the stolen data should be avoided to the furthest extent possible, several factors come into play when deciding how to recover from cyber-extortion. Many executives’ fiduciary responsibilities legally bind them to act in a company’s best interest. The decision whether or not to pay a ransomware extortionist involves deciding if paying is cheaper than attempting to recover the data.
While reputational risk is hard to quantify, loss of current and potential customers has a definitive value. Ransomware variants such as DoppelPaymer and Maze have added layers of financial complexity to cyber incident recovery. When regulated data like personal information is involved, fines from the regulatory side can bring the cost up (in addition to the extortionists’ financial demands).
With ransomware attacks, we typically think about the immediate response: marshaling resources for incident response activities and communication, as well as containment through endpoint protection and file recovery. But the plot twists introduced by ever-more sophisticated cyberattacks emphasize the necessity of understanding the impact of a breach where your organization’s confidential information is entrusted to another party. When assessing the cybersecurity risk of a third party, confidence in your vendor’s ability to respond to a ransomware attack is essential.