{"id":729,"date":"2024-10-04T16:44:09","date_gmt":"2024-10-04T22:44:09","guid":{"rendered":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/?p=729"},"modified":"2024-10-04T19:56:13","modified_gmt":"2024-10-05T01:56:13","slug":"indigo-ransomware-attack-a-comprehensive-ayalysis","status":"publish","type":"post","link":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/2024\/10\/04\/indigo-ransomware-attack-a-comprehensive-ayalysis\/","title":{"rendered":"Indigo Ransomware Attack A Comprehensive Ayalysis"},"content":{"rendered":"\n

OVERVIEW<\/strong> On 8th February 2023, Canada\u2019s largest book retailer Indigo Books & Music Inc. suffered a ransomware incident that shut down its whole business. At store point of sale systems and e-commerce systems were infected and had to shut down and stop their entire systems to contain the spread of the attack. The Attacker was able to access employees\u2019 data including social insurance numbers. Management immediately reacted by engaging with cybersecurity experts and Canadian police services and communicating with stakeholders promptly. The restoration of services was gradual, as in-store operations resumed within days, and the website was partially back online by Feb. 28, while e-commerce abilities were back on March 8 almost one month after the attack [1][2][3]<\/p>\n\n\n\n

\"\"
[12]<\/figcaption><\/figure>\n\n\n\n

Indigo Attack Techniques: <\/strong>It was confirmed that the attacker used LockBit ransomware to pass through Indigo’s network by one of several common methods: Unpatched vulnerabilities on public-facing services on systems being exploited, malicious attachments in phishing emails, or otherwise acquired compromised credentials via social engineering [2][6].<\/p>\n\n\n\n

Indigo Response: <\/strong>Prioritized containment before restoration. First, they took all systems offline to stop the malware from spreading any further. Next, they hired cybersecurity experts to dig for the root cause of the breach and start cleaning up. At first, the Inigo returned to in-store limited operations with cash-only transactions. Then, they partially restored the website with limited functionality, and later time the e-commerce capabilities were restored to normal. During the process Indigo continually communicated transparently with Stakeholders, reporting on the situation and recovery progress as it happened[1][10].<\/p>\n\n\n\n

Potential Network Vulnerabilities: <\/strong>The ransomware attack uncovered several of Indigo’s network infrastructure weaknesses. The attack might have been the result of insufficient network segmentation, a lack of robust access controls and privilege management, a lack of robust endpoint detection and response solutions, and possibly outdated, unpatched systems on the internet-facing infrastructure. Phishing still was an option, and likely also some employee cybersecurity awareness issues [2][6][7].<\/p>\n\n\n\n

\"\"
[11]<\/figcaption><\/figure>\n\n\n\n

Losses and Mitigation:<\/strong> The attack economically affected both e-commerce and store operations, which led to a significant drop in revenue [8]. Moreover, that would bring potential reputational damage and loss of customer trust[4]. Indigo confirmed that no customers’ sensitive data including credit card information were compromised[5]. The social insurance numbers (SIN) of employees were breached, however. To mitigate the effect of this data breach, Indigo offered affected employees 2 years of credit monitoring by TransUnion Canada at no charge [3]. Indigo decided to not pay the ransom and spent almost a month restoring all systems to full functionality [1].<\/p>\n\n\n\n

\"\"
[9]<\/figcaption><\/figure>\n\n\n\n

Security Recommendations<\/strong> [2][6][7]<\/p>\n\n\n\n