High-end audio-tech specialist Bose has disclosed a ransomware attack, which it said rippled “across Bose’s environment” and resulted in the possible exfiltration of employee data.
The incident began on March 7, according to a disclosure letter sent to the Attorney General’s Office in New Hampshire, which kicked off a successful incident-response process, the company said. While the letter didn’t mention how much the ransom was, a company spokeswoman confirmed to media that Bose declined to pay up and instead was able to rely on its own resources to regain control of its environment.
“Bose initiated incident-response protocols, activated its technical team to contain the incident, and hardened its defenses against unauthorized activity,” according to the letter, sent more than two months after the incident. “In conjunction with expert third-party forensics providers, Bose further initiated a comprehensive process to investigate the incident. Given the sophistication of the attack, Bose carefully, and methodically, worked with its cyber-experts to bring its systems back online in a safe manner.”
As is the case with many modern ransomware attacks, the cyberattackers may have purloined company data to ratchet up the pressure on the headphone- and speaker-maker. They were able to access HR files for six former employees, which included names, Social-Security numbers and compensation-related information, the team determined – but it’s unclear whether the data was successfully stolen.
“The forensics evidence at our disposal demonstrates that the threat actor interacted with a limited set of folders within these files,” the letter explained, adding that it couldn’t confirm the state of exfiltration one way or another.
“Bose has engaged experts to monitor the Dark Web for any indications of leaked data,” the company said, adding that it notified the affected individuals. “Bose has not received any indication through May 19, 2021 its monitoring activities or from impacted employees that the data discussed herein has been unlawfully disseminated, sold, or otherwise disclosed.”
Remediating the Ransomware Attack
During and after the attack, Bose said that it implemented the following measures:
Ransomware World: Maturing and Changing
It’s unclear which ransomware gang hit Bose, but the process of exfiltrating information under cover of the ransomware attack itself is increasingly common. This so-called “double-extortion” approach has given way to a new wrinkle called “triple extortion,” where crooks lock up files, steal data and also steal the data of partners and suppliers of the victim company.
The economy of ransomware continues to mature too – so much so that many Dark Web forums where ransomware operators sell their wares have implemented a kind of “People’s Court” to dispute claims and wrongdoings. Affiliates can file a claim and have their time in front of a jury.
Join Threatpost for “A Walk On The Dark Side: A Pipeline Cyber Crisis Simulation”– a LIVE interactive demo on Wed, June 9 at 2:00 PM EDT. Sponsored by Immersive Labs, find out whether you have the tools and skills to prevent a Colonial Pipeline-style attack on your organization. Questions and LIVE audience participation encouraged. Join the discussion and Register HERE for free.