News Insights: Ransomware Hits B2B Payments Firm Billtrust — Krebs on Security

Business-to-business payments provider Billtrust is still recovering from a ransomware attack that began last week.  The company said it is in the final stages of bringing all of its systems back online from backups.

Ransomware Hits B2B Payments Firm Billtrust — Krebs on Security


Cybersecurity industry experts offered perspective –


Colin Bastable, CEO of Lucy Security:

“Billtrust is an ideal target for ransomware: financial, small employee-base at around 500 people, cloud and a key intermediary in multiple transactions between many businesses. With 550 employees, a ransomware attack can cover a lot of ground fast, starting with just one malware-bearing email.

Attacks don’t occur in isolation;  Billtrust is a nexus between many other businesses, so the chain-risk to third parties is significant and would be hard to mitigate.”


Pravin Kothari, founder and CEO, CipherCloud:

“As more and more information and the “crown jewels” of business, migrate to the cloud, organizations just do not have visibility and control that they had with their traditional enterprise security capabilities. Criminals are also finding it far easier to target the cloud by utilizing stolen passwords, ransomware, API vulnerabilities or misconfiguration to take over accounts and access all information like an authorized user, thus bypassing all security controls.

No matter what defensive measures security professionals put in place, today’s attackers are able to circumvent them.  Organizations need to change their approach to security from network and access centric to data-centric. It’s equally important to protect data with encryption and rights management, not just control the access. You can assume that hackers would get to your data in the cloud, sooner or later, leveraging a simple misconfiguration and a silly error by an employee.

Organizations must be aware of the growing risk with their data in the cloud and always protect personal identifiable information (PII) and protected health information (PHI). With the growing number of regulations on data privacy of individuals, such as EU GDPR (The General Data Protection Regulation), PCI DSS, HIPAA and California Consumer Privacy Act, exposing such data opens the organization to breaches, reputational damage as well as stiff penalties.”