Schneider Electric, a leading French multinational in energy management, is grappling with a ransomware attack claimed by the group Hellcat. While ransomware attacks have become common, this incident stands out due to the bizarre ransom demand: the attackers have asked for $125,000 in baguettes. What can organizations learn from this strange cyber incident?
Hellcat, a relatively new ransomware group, claimed responsibility for infiltrating Schneider Electric’s systems through the Atlassian Jira platform, a popular tool for project tracking. Once inside, the attackers exfiltrated over 40GB of compressed data, including sensitive user information, projects, issues, and plugins, all of which they threatened to release unless Schneider paid the ransom.
The demand came with a twist: Hellcat wanted $125,000 in baguettes. This odd request raises questions about the psychological tactics behind ransomware demands. The attackers’ use of a public-facing threat—"Failure to meet this demand will result in the dissemination of the compromised information"—suggests that they are trying to create public embarrassment and that ransom money may not be their true motive.
This breach is a reminder that no organization is immune to cyberattacks, no matter how large or seemingly secure. Schneider Electric’s systems were reportedly compromised through a vulnerability in its Atlassian Jira platform. While no specific vulnerabilities were immediately cited, it’s a good lesson that even trusted, widely used platforms can become targets for cybercriminals. Regular software updates, patches, and vulnerability assessments are essential to safeguarding critical systems.
Schneider Electric’s prompt response to the breach by activating its Global Incident Response team shows it is prepared to handle a crisis. A well-structured incident response plan can help mitigate the damage caused by a ransomware attack. Having a dedicated team ready to isolate affected systems, assess the damage, and communicate effectively with stakeholders can drastically reduce the impact of a cyberattack.
Ransomware attacks can lock organizations out of their data, but they don't have to result in a complete loss of information. Schneider Electric has stated that its products and services were unaffected, which suggests the company likely had robust backup and recovery procedures in place. Organizations should prioritize having secure offline backups of critical data and regularly test recovery procedures. This can allow businesses to restore operations without having to rely on paying the ransom.
Hellcat's ransom demand for baguettes is a bizarre but effective psychological tactic. Ransomware groups are using creative and unsettling demands to pressure victims. The idea is to make the situation feel absurd, further unsettling the victim and increasing the likelihood of compliance. While ransomware groups have always been ruthless, this new approach shows how these criminals are getting more inventive in their attempts to get attention and manipulate victims.
After a cyberattack, especially one involving customer data or operational disruption, transparent communication is important. Schneider Electric’s spokesperson provided a statement outlining the steps the company was taking to address the issue, which reassures stakeholders and the public that the company is handling the situation. Regular, clear communication with employees, customers, and regulatory bodies can help manage the fallout and preserve trust in the organization.
To prevent future ransomware attacks, organizations must take a proactive approach to cybersecurity, including:
Recovery time depends on the attack’s scope, the organization’s preparedness, and the effectiveness of backup and response plans. Some organizations recover within days, while others may require weeks or months, particularly if extensive data restoration, investigation, and system rebuilding are needed.
Ransomware attacks are lucrative for cybercriminals, offering low risk and high reward because security measures are weak across many organizations. Additionally, the rise of ransomware-as-a-service (RaaS) platforms has allowed less-skilled attackers to launch sophisticated ransomware attacks.
Cybersecurity insurance can help cover financial losses associated with ransomware, including data recovery costs, legal fees, and business interruption losses. Policies vary widely, so it’s essential to understand coverage specifics, especially as some insurers may limit or restrict coverage for ransomware payments.