SEC Filing Reveals Fortune 500 Firm Targeted in Ransomware Attack

Fortune 500 integrated services firm R.R.Donnelley & Sons (RRD) is the latest victim of the hacking collective known as the Conti Group. According to regulatory disclosures RRD was the victim of a network breach that resulted in stolen data in December.

RRD, a global firm with 33,000 employees, disclosed incident details in its U.S. Securities and Exchange Commission (SEC) 8-K form – filed Dec. 27. The company said it “had recently identified a systems intrusion in its technical environment,” according to the filing.

“The Company promptly implemented a series of containment measures to address this situation, including activating its incident response protocols, shutting down its servers and systems and commencing a forensic investigation,” the company disclosed. It also isolated a portion of its technical environment to try to contain the intrusion, the company said.

RRD didn’t name the perpetrator of the attack in the filing. However, a published report in BleepingComputing claims it was Conti, citing an online post the cybercriminal group made claiming responsibility and leaking 2.5GB of data allegedly stolen from the company on Jan. 25.

At first RRD said it was not aware of any data being stolen in the filing; however, the company revised this position and confirmed Wednesday in a separate SEC filing that data had been stolen in the attack, according to the BleepingComputer report.

RRD is working with a third-party cybersecurity expert and law-enforcement in a continued investigation into the incident, according to the December SEC filing. The company did not immediately respond to an email requesting more information about the attack sent by Threatpost Thursday.

Conti Ups the Ante

A number of ransomware actors already have been shut down by international authorities; REvil last week was the latest to be taken out in a massive raid by Russian authorities of its operations and assets.

However, Russia-based Conti—which has been called “ruthless” by researchers at Palo Alto Networks—not only remains active, but also continues to build on its skillset and target high-profile victims.

The group recently developed novel tactics to demolish backups, especially the Veeam recovery software—a move that can leave victims no choice but to pay the often exorbitant ransoms the criminals demand.

Conti also was the professional ransomware group to fully weaponize the dangerous Log4Shell vulnerability discovered late last year, building up an entire holistic attack chain to fully take advantage of the flaw.

The Evolution of Ransomware

Indeed, the RRD attack and Conti’s sharpening of its knives shows an evolution in the direction ransomware actors likely are to continue to take in 2022 after ransomware volumes hit record highs last year.

The chance of victims recovering data from back-ups are becoming slimmer, meaning companies have to be even more prepared for attacks before they happen, observed one security professional.

“Ransomware isn’t just about encrypting your data any longer,” Tim Erlin vice president of strategy at cybersecurity firm Tripwire, said in an email to Threatpost. “It’s now about exfiltrating your data and holding it hostage. The strategy of taking a copy of data to ransom means that simply having backups from which you can restore isn’t really a sufficient ransomware strategy.”

As it often takes time for organizations to put together what really happened in a ransomware attack—with the true impact being realized only later–they need to take a different approach than merely a response and remediation position, he said.

“A rigorous change detection and configuration management program can not only help prevent breaches, they can also help organizations figure out what happened faster,” Erlin said.

Password Reset: On-Demand Event: Fortify 2022 with a password-security strategy built for today’s threats. This Threatpost Security Roundtable, built for infosec professionals, centers on enterprise credential management, the new password basics and mitigating post-credential breaches. Join Darren James, with Specops Software and Roger Grimes, defense evangelist at KnowBe4 and Threatpost host Becky Bracken. Register & stream this FREE session today – sponsored by Specops Software.