Ransomware gang leaks data from US military contractor the PDI Group | The Record by Recorded Future
A major supplier of military equipment to the US Air Force and militaries across the globe appears to have fallen victim to a ransomware attack.
Recorded Future is reporting that the PDI Group, a major supplier of military equipment to the US Air Force, appears to have fallen victim to a ransomware attack. The group behind the Babuk Locker ransomware has posted samples of the data and, in its ransom demand, is threatening to leak more than 700 GB of data it claims to have stolen from PDI’s internal network.
Experts with SCYTHE and Gurucul offer perspective.
Jorge Orchilles, CTO, SCYTHE:
“We continue to see the evolution of ransomware gangs going from only encrypting files to performing ‘double extortion’ as it raises the probability they will get paid. The data posted on these leak sites can only be verified by the target organization.”
Saryu Nayyar, CEO, Gurucul (she/her):
“The attack against PDI follows a common pattern with hybrid ransomware attacks. The attackers exfiltrate data before encrypting it, then extort money with the threat of releasing it if their demands are not met. The surprise here is how much data was apparently stolen. Attackers sneaking out a few gigabytes of data is plausible. However, stealing almost a terabyte without being noticed indicates their perimeter defenses weren’t even looking for this kind of data exfiltration. We have seen this level of data theft in other attacks. Organizations need to review their policies and security stacks, and deploy tools that can identify mass data transfers like this, such as DLP and security analytics platforms. Stopping the attackers before they get in is ideal, but identifying and stopping them quickly once they’re inside is vital.”
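One way to implement the kind of mass-transfer check Nayyar describes, as an added example that is not code from the article or from either vendor: sum each internal host's outbound bytes over a rolling 24-hour window from flow records and alert when the peak exceeds both a multiple of that host's baseline and an absolute floor. The flow records, baselines and thresholds below are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

GB = 1_000_000_000

# Constructed outbound flow records: (internal source, ISO timestamp, bytes sent
# to an external destination). Illustrative values, not data from the article.
FLOWS = [
    ("10.0.5.12", "2021-05-10T01:10:00", 40 * GB),
    ("10.0.5.12", "2021-05-10T03:40:00", 45 * GB),
    ("10.0.5.12", "2021-05-10T06:05:00", 38 * GB),
    ("10.0.5.12", "2021-05-10T22:30:00", 41 * GB),
    ("10.0.7.3", "2021-05-10T09:00:00", 3 * GB),
    ("10.0.7.3", "2021-05-11T09:00:00", 3 * GB),
    ("10.0.9.20", "2021-05-10T12:00:00", 1 * GB),
]

# Constructed per-host baseline: typical bytes sent externally in 24 h.
BASELINE = {"10.0.5.12": 5 * GB, "10.0.7.3": 4 * GB, "10.0.9.20": 1 * GB}


def rolling_egress(flows, window=timedelta(hours=24)):
    """Return {host: peak bytes sent within any span of length `window`}."""
    by_host = defaultdict(list)
    for host, ts, nbytes in flows:
        by_host[host].append((datetime.fromisoformat(ts), nbytes))
    peaks = {}
    for host, recs in by_host.items():
        recs.sort()
        start, total, peak = 0, 0, 0
        for t_end, nbytes in recs:
            total += nbytes
            # Slide the window start forward until it spans at most `window`.
            while t_end - recs[start][0] > window:
                total -= recs[start][1]
                start += 1
            peak = max(peak, total)
        peaks[host] = peak
    return peaks


def flag_mass_transfers(flows, baseline, multiplier=10, floor=50 * GB):
    """Flag hosts whose peak 24 h egress exceeds both `multiplier` x baseline
    and an absolute floor, so low-baseline hosts do not alert on noise."""
    alerts = []
    for host, peak in rolling_egress(flows).items():
        threshold = max(multiplier * baseline.get(host, 0), floor)
        if peak > threshold:
            alerts.append((host, peak, threshold))
    return sorted(alerts)
```

In the constructed data only 10.0.5.12, which pushes 164 GB out in under a day against a 5 GB baseline, is flagged; the other hosts stay below both the baseline multiple and the floor.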