Cleaning products maker Clorox has reported losses of $49 million in connection to a cyberattack it suffered in August of last year.
On Monday, August 14, 2023, Clorox disclosed it had identified unauthorized activity on some of its IT systems. Despite a business continuity plan, the incident resulted in wide-scale disruptions to the company’s operations throughout the quarter, which ended September 30, 2023.
Clorox says it expects operational impacts from the cyberattack to continue into the second quarter, though the majority of order processing operations have returned to automated processes. Among other consequences of the cyberattack, net sales are expected to decrease between about $487 million and $593 million.
The company never revealed the nature of the attack, but based on a brief description, we must assume it was a ransomware attack. Ransomware experts have attributed the attack to ALPHV/BlackCat, but attribution is hard. This is especially true when the victim decides to pay the ransom, because their details aren’t made public by the attackers. When an organization refuses to pay, the attacking ransomware group will typically publish the organization’s details, along with its data, on their leak site, which are our main source of information about who did what to who.
The ALPHV ransomware gang is arguably the second most dangerous “big game” ransomware operator, as you can see in many of our monthly ransomware reviews.
The costs of the cyberattack, which included payments to third-parties that were hired to help investigate and remediate the attack amounted to $49 million.
Clorox was forced to shut down many of its systems due to the attack, which triggered order processing delays and significant product outages.
The fact that the disruptions lasted as long as they did, does not bode well for the business continuity plan. Add to that the suspicion that the ransom was paid, and we can conclude that backups were perhaps insufficient or not readily deployable.
These are things that, however cumbersome, need to be tested. Waiting for the actual emergency as the first test is never a good idea. Another indication that things may not have been up to par was the chief information security officer (CISO) leaving in November, while the company was still recovering from the cyberattack.
How to avoid ransomware
- Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
- Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
- Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
- Stop malicious encryption. Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
- Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
- Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.
Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.