LockBit Redux: Ransomware Gang Demands $80M, Leaks CDW Data
Notorious ransomware gang unleashes another multimillion-dollar ransom demand.
At a Glance
- Attack struck servers used for internal support of CDW-G’s US subsidiary, Sirius Federal.
- LockBit previously attacked Taiwan Semiconductor Manufacturing Company and demanded $70M.
- Reports show the number of ransomware victims who pay has declined in recent years.
Information technology products and services company CDW is among the latest victims of LockBit’s exploits. The ransomware gang threatened to leak data stolen from the company if it did not pay $80 million. The demand was not met, and data has since been leaked.
What does this attack mean for CDW, and how can other enterprise leaders think about their own organizations’ risk as data theft and ransom activity continues?
The Attack
CDW refers to the attack as “an isolated IT security matter,” according to an emailed statement. The data associated with the incident is on servers used for the internal support of CDW-G’s US subsidiary, Sirius Federal. “These servers, which are non-customer-facing, are isolated from our CDW network and other CDW-G systems,” according to the statement.
LockBit claims that CDW offered $1.1 million in response to its $80 million demand, CRN reports. The offer was not sufficient to prevent the threat actor from leaking data.
“We are aware that a third party has made data available on the dark web, which it claims to have taken from this environment. As part of the ongoing investigation, we are reviewing this data and will take appropriate action in response, including directly notifying anyone affected, as appropriate,” CDW shares in its statement.
On Oct. 12, Jon DiMaggio, chief security strategist with threat intelligence platform Analyst1, took to X (formerly known as Twitter) to note that LockBit published two posts with CDW-G data on its leak site. The data appears to be “associated with employee badges, audits, commission payout data and other account-related information,” according to DiMaggio’s post.
In addition to potential reputational harm, CDW must also go through the necessary process of breach response. “They've got to bring in forensic people to figure out exactly how this attack occurred … and exactly what was exposed,” says Jon Marler, cyber evangelist at cybersecurity and compliance company VikingCloud. “There may be a lot more to the story than we know today.”
Depending on the nature of the leaked data, the company’s partners, customers, and employees could be impacted. “As long as they follow best practices, CDW will be fine. It’s just a question of what forms of attack are enabled against CDW’s customers and partners as a result,” says John Bambenek, principal threat hunter at Netenrich, a security and operations analytics SaaS company, in an email interview.
While LockBit did demand a ransom from CDW, Marler points out that this cybersecurity incident differs from what is typically considered a ransomware attack.
“It sounds like this is more of a data breach with a ransom aspect versus a true ransomware attack that completely stops operations,” he tells InformationWeek. In a ransomware attack, threat actors typically use malware to encrypt data, disrupting or halting operations, and hold it hostage until the ransom is paid.
Multimillion-Dollar Ransom Demands
LockBit is no stranger to making expensive ransom demands. In July, the group demanded that Taiwan Semiconductor Manufacturing Company (TSMC) pay $70 million in exchange for data stolen via an attack on one of its third-party IT hardware suppliers. The $80 million demand of CDW joins the ranks of the highest ransom demands ever made, trailing behind a $100 million demand REvil made of Acer in 2021 and a $240 million demand Hive made of MediaMarkt in the same year.
“Ransomware operators are coin-operated. They’ll ask for as much as they can get, and if the victim won’t pay the ransom, they’ll try to sell the data to other criminals. I expect that this event will cause price inflation for ransoms across the board,” says Bambenek.
Ransomware activity has been hitting new highs in the first half of this year. Cyber insurance company Coalition reported in its 2023 Cyber Claims Report: Mid-Year Update that ransomware claims increased 27% in the first half of this year.
Reports have shown that the number of ransomware victims who pay has declined in recent years: 76% in 2019 compared to 41% in 2022, according to Coveware. But the payout can still be big for threat groups that successfully extort their victims.
Earlier this year, MGM Resorts International and Caesars Entertainment were hit with ransomware attacks. MGM opted not to pay, while Caesars paid $15 million.
“There's a reason that ransomware operators are still operating the way they do, and that's because organizations do still pay,” says Kevin Breen, director of cyber threat research at Immersive Labs.
Even if a victim refuses to pay, the exploit can make a splash that bolsters a group’s reputation. “This is exactly the kind of thing that LockBit absolutely loves because it really promotes their brand and strikes fear into the hearts of people,” says Marler.
Continuing Attacks
While ransomware activity may ebb and flow, it is going to continue as long as groups find vulnerabilities and see the potential for profit. Enterprise leaders are faced with defending their businesses against the realities of this threat landscape.
“Attackers have what we call first mover advantage. They get to decide exactly when, how and with what they want to attack these organizations. Whereas we as defenders, we have to monitor all the time for every possible attack vector,” says Breen.
Bambenek points out that the trend of astronomical ransomware demands is likely to be reflected in rising cyber insurance premiums. Premiums increased 11% in the first quarter of 2023, according to insurance broker Marsh.
“Enterprise leaders certainly need to be thinking about ways to work with their insurance to lower the premium costs or preparing financially to deal with a large premium increase,” he says.
Organizations have resources available to help safeguard against ransomware. For example, the Cybersecurity and Infrastructure Security Agency (CISA) enhanced its Ransomware Vulnerability Warning Pilot’s catalog of known exploited vulnerabilities associated with ransomware campaigns.
“We understand how the attackers work and their motivations and what they do once they gain access,” says Breen.
With that knowledge, enterprise leaders can evaluate the security posture of their organizations and establish a solid incident response plan that will minimize the damage in the event of a breach or attack.
“We do the same things for fire safety. We don't think the house is going to burn down, but we still have fire extinguishers. We know how to call the fire department, and we know how to get everybody out of the house,” says Marler.