Fidelity National Financial back to ‘normal business operations’ after cyberattack

After more than a week of disruption that left its real estate industry customers wondering how they could execute transactions, Fidelity National Financial (FNF) insists that the cybersecurity attack it disclosed on Nov. 19 has been contained and it’s moving forward with normal business operations.

In an SEC filing on Nov. 29, FNF reported that the company formally contained the incident on Nov. 26 and that it took measures to block access to the systems that disrupted its operations.

While ALPHV/BlackCat claimed responsibility for the attack in an X posting on Nov. 22, FNF has yet to confirm which group was responsible for the attack. Also, the move by ALPHV/BlackCat to take FNF off its dark website the same day of the SEC filing could potentially indicate that a ransom was paid, but this is also unconfirmed.

Rebecca Moody, head of data research at Comparitech, said that if confirmed, the attack on FNF will join 22 ransomware attacks on U.S. financial organizations this year alone. According to Comparitech’s U.S. ransomware tracker, financial companies have had an average of 49,000 records impacted per attack.

“ALPHV/BlackCat is responsible for the largest confirmed breach, which was carried out on Progressive Leasing in September 2023 and affected 193,055 records,” said Moody. “FNF will need to provide ongoing updates as to the scale of this attack, whether it was indeed breached by ALPHV/BlackCat, and whether or not any data has been involved.”

Cyberattack on FNF described as 'catastrophe' in automated message

What’s fairly clear so far is that the attack disrupted FNF’s operations for some time. TechCrunch reported that one FNF subsidiary called the incident a “catastrophe” in an automated message played to anyone who called its customer support number. Some FNF subsidiaries reportedly did not have access to send or receive email or access to any system and asked customers to stay patient.

Callie Guenther, senior manager of cyber threat research at Critical Start, added that the attack on FNF appears to have been a ransomware incident, as indicated by the involvement of the ALPHV/BlackCat ransomware group. Ransomware attacks typically consist of encrypting a victim's data and demanding payment for its release. Guenther said the fact that FNF's operations were severely disrupted suggests the attack was extensive, affecting critical systems.

The attack's impact was widespread, said Guenther, affecting not only FNF, but also its subsidiaries and customers: real estate transactions were frozen, leading to confusion and uncertainty for individuals involved in buying, selling, or paying mortgages. This highlights the cascading effects that a cyberattack on a single entity can have across a network of interconnected businesses and customers, explained Guenther.

“FNF's claim of having ‘contained’ the attack by Nov. 26 implies that they were able to halt the spread of the ransomware and begin restoration processes,” said Guenther. “Containment is a critical step in incident response, but it's just the beginning of a longer recovery process that often involves data recovery, system repairs, and strengthening cybersecurity measures. The disappearance of FNF's listing from the ransomware group’s website could imply that a ransom was paid, although this is not confirmed.”

Andrew Barratt, vice president at Coalfire, said that as an insurance services provider that takes card payments for settlement and operates in regulated markets, FNF will be subject to a raft of compliance obligations. Barratt added that the FNF website still appears inaccessible or unresponsive in some regions.

“FNF sounds like they’ve probably got an uphill struggle to resolve this completely, leaving their customers and business partners probably wondering what’s going on,” said Barratt. “They’ve filed an SEC event, so this is a matter of public record now. The biggest surprise is that they haven’t got someone engaging with the media to advise their stakeholders how things are proceeding. There’s no shame in being a victim, but not keeping all the stakeholders informed of the progress seems very short sighted.”

Anurag Gurtu, CPO at StrikeReady, called the FNF cyberattack a significant event, especially considering the patterns of groups like ALPHV/BlackCat, known for targeting major financial institutions. Gurtu said ALPHV/BlackCat's focus on high-value targets like MGM and now Fidelity indicates a strategic shift in ransomware attacks towards organizations with substantial financial resources and critical data.

“This tactic not only maximizes potential ransom returns but also inflicts considerable operational disruption,” said Gurtu. “Financial institutions must therefore prioritize advanced cybersecurity measures, understanding that their size and importance makes them attractive targets for sophisticated cybercriminal groups. This trend necessitates a proactive approach in cybersecurity, emphasizing the need for continuous monitoring, incident response preparedness, and employee training in cybersecurity best practices.”
