On December 8, 2023, Americold, the largest cold storage operator in the United States, sent a letter to approximately 130,000 current and former employees to inform them that some of their personal information may have been compromised in a cyber incident that took place on April 26, 2023. The compromised data of employees and their dependents included names, addresses, Social Security numbers (SSNs), driver’s license information, financial account information including bank account and credit card numbers, as well as health insurance and medical information. The company also filed a breach notification with the Maine Attorney General.
While not officially confirmed, it is suspected that the incident involved Cactus Ransomware, which emerged about a month before the breach at Americold. During the attack, Americold customers discussed service disruptions on Reddit. The company also communicated privately with its customers during that time, advising them to cancel or reschedule deliveries and shipments, except those critical for timely delivery.
Identify Indicators of Compromise (IoC)
While the company knew of the attack after experiencing disruptions to its systems, its investigation did not confirm that data had been exfiltrated until November. In addition, the Cactus Ransomware group is threatening to release some of the information it has in its possession including company audit information, customer documents, accident reports, and other human resource and legal information.
Americold launched mitigation and remediation efforts immediately upon discovering the attack to limit its scope. In addition, the company contacted law enforcement and initiated a forensic investigation. It informed those whose data was compromised that they would receive two years of complimentary credit monitoring services, and it is implementing additional security controls to prevent such attacks in the future.
On December 4, Microsoft issued a warning that the Cactus ransomware attackers are leveraging malvertising lures to spread the ransomware. Unfortunately, there is no single way to combat malware attacks such as ransomware. A multi-layered security approach is required, one that includes web filtering and endpoint protection. Web filtering controls and monitors web traffic to block access to malicious websites: it prevents users from reaching sites known for hosting malware, including ransomware, by blocking malicious payloads and known phishing sites that often serve as gateways for ransomware deployment.
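To make the web-filtering layer concrete, here is a small host-based filter run over a few proxy log lines. It is an added illustration written for this article, not code from Americold or from any vendor; the blocklist entries and the log lines are constructed (using the reserved .test and .example domains), not real indicators. The point it shows beyond the paragraph is that a useful filter normalizes the host (case, trailing dot, embedded credentials, port) and matches on label boundaries, so a subdomain of a blocked domain is caught while a look-alike such as notmalicious-example.test is not.

```python
"""Minimal host-based web filter illustrating the web-filtering layer.
Added example only; blocklist and log lines below are constructed."""
from urllib.parse import urlsplit

# Constructed blocklist (hypothetical domains, not real IoCs).
BLOCKLIST = {
    "malicious-example.test",
    "phish-lure.example",
}


def normalize_host(url: str) -> str:
    """Return the host part of a URL, lower-cased, with any userinfo,
    port and trailing dot removed so trivial evasions still match."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""          # hostname is already lower-case, port/userinfo stripped
    return host.rstrip(".")


def is_blocked(host: str, blocklist=BLOCKLIST) -> bool:
    """True if the host or any parent domain is on the blocklist.
    Matching is on label boundaries: 'cdn.malicious-example.test' is
    blocked, 'notmalicious-example.test' is not."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def filter_requests(log_lines, blocklist=BLOCKLIST):
    """Evaluate proxy log lines of the form '<client> <url>' and return
    (client, host, verdict) tuples, where verdict is 'BLOCK' or 'ALLOW'."""
    results = []
    for line in log_lines:
        client, url = line.split(maxsplit=1)
        host = normalize_host(url)
        verdict = "BLOCK" if is_blocked(host, blocklist) else "ALLOW"
        results.append((client, host, verdict))
    return results


# Constructed proxy log sample (not from the article or from Americold).
SAMPLE_LOG = [
    "10.0.0.5 https://www.example.org/",
    "10.0.0.7 http://CDN.Malicious-Example.TEST./download/update.exe",
    "10.0.0.9 https://notmalicious-example.test/",
    "10.0.0.11 http://user@phish-lure.example:8080/login",
]

if __name__ == "__main__":
    for client, host, verdict in filter_requests(SAMPLE_LOG):
        print(f"{verdict:5} {client:10} {host}")
```

In a real deployment the blocklist would be fed by a threat-intelligence feed and the verdicts written to the proxy log so the SOC can alert on repeated BLOCK hits from one client, which is often the first sign of a malvertising lure landing on a workstation.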
Modern endpoint security solutions use a combination of signatures, heuristics, and behavioral analysis to detect and eliminate malware. They can also enhance system security through local firewall protection. Using web filtering and endpoint protection in tandem, along with email filtering, a next-generation firewall, and network segmentation, creates a robust defense against ransomware. However, it is important to remember that the effectiveness of these tools depends on a well-formulated strategy tailored to an organization’s specific risk profile. This is where a risk assessment provides clarity and direction as to which types of risk your organization is most prone to.