ScanSource experiences ransomware attack as CISA issues advisory

GREENVILLE, S.C. – ScanSource, Inc., a hybrid distributor connecting devices to the cloud, announced that it was affected by a ransomware attack that impacted some of its systems.

The company discovered the intrusion on May 14, 2023, and immediately launched an investigation into the attack while implementing its Incident Response Plan. In the company’s official release, ScanSource said it is actively managing the incident and are taking steps toward remediation. “The company is working closely with forensic and cybersecurity experts to investigate the extent of the incident, minimize disruption and mitigate the situation. ScanSource has notified law enforcement authorities,” the release said.

The incident comes right as the Cybersecurity and Infrastructure Security Agency (CISA) released a joint statement with the Federal Bureau of Investigation (FBI), and Australian Cyber Security Centre (ACSC) to distribute information about a ransomware group identified as BianLian.

“BianLian is a ransomware developer, deployer, and data extortion cybercriminal group that has targeted organizations in multiple U.S. critical infrastructure sectors since June 2022,” the CISA wrote. “They have also targeted Australian critical infrastructure sectors in addition to professional services and property development. The group gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega. BianLian group actors then extort money by threatening to release data if payment is not made.”

As ransomware attacks become the most prominent form of corporate blackmail, a security researcher from Picus Security, Hüseyin Can Yuceel, weighed in during correspondence with Security Systems News. ““BianLian is a reference to Chinese performance art involving rapid movements and quick mask changes,” he said. “It is an apt name for a ransomware group known for being adept at evasion and lateral movement.”

“Ransomware has become the most used tool in financially motivated cyber threat actors' toolsets. However, it is not the only method to extort money from their victims. We observed a significant rise in encryption-less extortion attacks that only relies on the exfiltration of sensitive data. Although these attacks do not leverage the power of cryptographic encryption algorithms, they still pose significant risks to organizations. In encryption-less extortion attacks, threat actors steal their victims' confidential data and threaten to disclose stolen data unless the demanded ransom is paid. In 2022, the LAPSUS$ group became infamous for their encryption-less extortion attacks against well-known companies such as Nvidia, Samsung, Uber, Rockstar Games, and Microsoft.”

He concluded, “Organizations should be aware of the rise of exfiltration-based extortion attacks and follow CISA's recommendation of validating their security posture against this emerging threat.”

ScanSource assured stakeholders that the security of its systems and the impact that the attack has had on its employees, customers, and suppliers is of the utmost importance to the company. It also said that it is currently working diligently to bring systems back online while mitigating the impact the malware incident has had on its business. “ScanSource regrets any inconvenience or delays in business this may cause customers and suppliers in North America and Brazil and appreciates their patience.”

The full CISA advisory can be read at www.cisa.gov. More from Picus Security at www.picussecurity.com.