In its quarterly report, toy maker Mattel announced it was the victim of a ransomware attack on its information technology systems that caused data on a number of systems to be encrypted  in July 2020.

According to the report, Mattel contained the attack and, although some business functions were temporarily impacted, it restored its operations. A forensic investigation of the incident has concluded, and no exfiltration of any sensitive business data or retail customer, supplier, consumer, or employee data was identified, the company explained. The company noted there has been no material impact to Mattel's operations or financial condition as a result of the incident.

Ivan Righi, Cyber Threat Intelligence Analyst at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, explains: “Threat actors targeted Mattel with an unnamed ransomware variant, which impacted some of its business functions in July 2020. However, the company stated that attackers did not exfiltrate any data. This incident highlights the continued threat of ransomware for large organizations. Ransomware threats have evolved from leveraging standard data encryption methods to include data exfiltration and exposure components. We have seen the creation of multiple ransomware variants and data leak sites every month, and this trend is likely to continue due to the high popularity of ransomware and ransomware-as-a-service (RaaS) variants. Attacks have become more targeted, and ransom payments have become higher, often reaching values between USD 3-10 million for large companies."

Righi adds, "Ransomware threats for companies often include lengthy downtime, data exposure, legal complications, and brand damage. Organizations within critical sectors, such as healthcare, are more directly affected by threats of downtime. Simultaneously, large technology companies are often more focused on data exposure components, although the multifaceted threats pose a high risk to all organizations. Primary attack vectors for ransomware include weaponized attachments sent via phishing emails and the targeting of Remote Desktop Protocol (RDP). Organizations should restrict RDP behind an RDP Gateway and enable Network Level Authentication if RDP is required to be internet-facing. Additionally, organizations should develop robust patch management policies and promote security awareness programs to train employees to identify suspicious emails and report them to the appropriate security teams.”

Brandon Hoffman, Chief Information Security Officer at Netenrich, a San Jose, Calif.-based provider of IT, cloud, and cybersecurity operations and services, does not believe that the targeting of Mattel specifically was any indicator of a new campaign. Instead, he believes it was most likely because they were victimized recently and many times cybercriminals go back to successful campaigns and try for another round.

"It is clear to everybody the big bet this year, and likely again next year, is ransomware. Ransomware is relatively easy to deploy and can pay off in a major way. With the holiday season upon us, there should be expectations that ransomware campaigns will increase again. Most retailers depend heavily on online business and adversaries view this as an opportunity to “hit them where it hurts”. Meaning if they can cripple systems during Black Friday, Cyber Monday, or other large shopping related events, organizations may be more willing to pay and get systems back online. It’s a matter of lost revenue for service availability versus the cost of the ransom," says Hoffman. "The best thing organizations can do is ensure security fundamentals are functional as to avoid the likelihood of ransomware because even after paying the ransom we have seen cases where recovery has been slow or not effect in totality.”