Fidelity National Financial disclosed in an 8K filing with the Securities and Exchange Commission (SEC) on Dec. 10 that 1.3 million customers had their data exposed in a cyberattack.
However, the large real estate services company did not confirm in the filing if it was the victim of a ransomware attack. Instead, the 8K filing said FNF “determined that an unauthorized third-party accessed certain FNF systems, [and] deployed a type of malware that is not self-propagating.”
Security pros contacted by SC Media said it’s likely that FNF sustained a ransomware attack. When the story broke in early December, it was widely reported that the ALPHV/BlackCat ransomware group took credit for the attack — and today some news organizations were flatly calling it a ransomware attack.
“The involvement of the ALPHV/BlackCat ransomware group and the nature of the attack, which deployed malware that is not self-propagating and involved data exfiltration, suggests a sophisticated approach to ransomware deployment,” explained Callie Guenther, senior manager, cyber threat research at Critical Start. “The non-self-propagating nature of the malware indicates a targeted attack rather than a widespread indiscriminate infection.”
Ashley Leonard, chief executive officer at Syxsense, added that despite FNF not publicly saying “ransomware,” the filing information about the attack all point to ransomware, such as the not self-propagating, the exfiltration of data, and the fact that customer systems were not directly impacted.
“Typically, ransomware is not considered a self-propagating type of malware, meaning it cannot jump to other devices on the network and replicate itself,” said Leonard. "Ransomware usually starts from a phishing email, someone opening or downloading and running a malicious file like an attachment, or taking advantage of an unpatched system. This isn’t true of all ransomware (the notable exception is WannaCry), but given the precise language used here, it’s most likely ransomware."
FNF said in its 8K filing they became aware of the incident on Nov. 19, had it contained by Nov. 26, and completed its forensics investigation by Dec. 13.
The company said it has no evidence that any customer-owned system was directly impacted in the incident, and no FNF customers have reported that this event has occurred. FNF also said it was offering customers credit monitoring, web monitoring, and identity theft restoration services and is fielding questions from consumers. It also said at this time, they don’t believe that the incident had a material impact on the company.
Syxsense’s Leonard said it’s difficult for companies to know the full impact of a cyberattack right away. While incident response measures can identify the scope and governance, and risk teams can offer some modeling for impact, Leonard said the reality is that many ransomware gangs these days are using double or triple extortion techniques.
“The gangs hold the encrypted systems for ransom and make money by getting that ransom payment, but they also then post that data for sale on dark web sites for additional payment,” explained Leonard. “For any customers who had their data stolen, it can take months now for that data to be used, even if it is bought on the dark web now. Malicious hackers know that the months right after an attack like this, everyone affected is on high alert. So they sit and wait until people have forgotten about the attack and then launch efforts to steal identities.”