For the second time in a seven-month span, Pitney Bowes has been hit by a ransomware attack, but cyber experts and financial analysts cautioned against rashly judging the company's security practices - or assuming fiscal doom - with some suggesting that lessons learned from the first attack may have limited the damage of the most recent one.
In an online company statement, Pitney Bowes said attackers breached company systems and accessed "a limited set of corporate file shares" that "contained information used by our business teams and functional groups to conduct business-related activities." Presumably the attackers -- news reports state the actor is the Maze ransomware group -- will threaten to post the contents of these files if Pitney Bowes does not pay up.
However, the malicious encryption portion of the attack failed, as the firm was able to take evasive action and salvage its files. Also on the plus side, Pitney Bowes added that its products and services "remained operational and were unaffected" by the May 4 attack, and there is no evidence that the malware spread to any client or partner systems.
The company attributed its mitigation of the attack to endpoint detection and response and advanced threat protection tools, "which identified the malicious behavior and prevented the encryption malware from executing." It also credited its privileged account access management solution as well as its Security Incident and Event operations with minimizing the damage.
SC Media asked Pitney Bowes if any of these built-in protections were specifically introduced or enhanced following the original ransomware attack, but the company simply redirected us back to its official statement.
Carl Salas, senior credit officer at credit rating company Moody's Investors Service, said Pitney Bowes is facing a positive fiscal outlook, despite generating negative headlines for a second time after suffering a Ryuk ransomware attack last October.
"I think the company's done very well historically. I think the lessons learned over the last several years, but more recently with the Ryuk attack, have positioned the company well," said Salas, who emphasized the importance of Pitney Bowes avoiding the disaster recovery expenses often incurred by companies whose files and systems are disabled by ransomware.
"...[T]he encryption issue would be potentially very costly," continued Salas, who believes the attackers may have even timed their strike to affect Pitney Bowes' latest earnings call, for maximum effect. "The company hasn't disclosed what the potential financial liability could be ultimately, but my view is that it's going to be much more manageable than if there was an encryption issue."
"So from a governance perspective, from a cybersecurity perspective, I feel good about where this company is," Salas concluded.
Leroy Terrelonge, Salas' colleague and cyber risk analyst at Moody's, agreed it was key that Pitney Bowes' operations maintained continuity. "...[W]e've stated again and again that these business disruption incidents are really the ones that tend to have the highest... financial impact for companies. And so the fact that they were able to avoid that is really good for their bottom line and is a credit positive thing... They learned from their past lessons and were able to put in place some governance and some tooling to help them avoid that reoccurring."
From a cyber perspective, experts were also forgiving.
A single attack, let alone two, can of course still harm a company's reputation with its clients. But Tim Wade, technical director, CTO Team at Vectra, cautioned against making hasty assumptions about Pitney Bowes' security capabilities without understanding the full context of the two ransomware incidents.
"The metrics for effective and ineffective security may be complex and nuanced, must involve more than just a volumetric measure of incidents, and at a minimum must include the risk profiles of assets affected," said Wade. Proclaiming "two as the number of ransomware attacks you can suffer before you go from unlucky to bad is somewhat arbitrary, and may not account for how many incidents an enterprise successfully mitigated with the measures they pursued and put in place between incidents."
Charles Ragland, security engineer at Digital Shadows, noted that different attackers have different tactics, and while the October Ryuk attack may have called attention to certain areas of risk within Pitney Bowes, the latest attackers may have used a threat vector or method that wasn't accounted for.
"Pitney Bowes was attacked by two separate groups who use different methods of attack and malware delivery," stated Ragland. "Mitigating against one may not do much to mitigate against the other."
With that said, there are at least some basic ransomware red flags that companies can look out for, Ragland continued.
"Common ransomware infection and attack vectors include distribution of weaponized attachments via phishing and targeting of remote desktop protocol," said Ragland. "Many ransomware operators also target systems that are pre-infected with other types of malware. Organizations should create a robust security awareness program that trains employees to identify malicious emails and report them to an incident response authority. Restricting RDP behind an RDP Gateway and enabling Network Level Authentication can [also] provide security benefits if RDP is required to be internet-facing."