Symrise has fallen victim to a Clop Ransomware attack.
# Incident Report: Symrise Clop Ransomware Attack (Dec 2020)
## Executive Summary
Symrise, a global flavor and fragrance developer, suffered a ransomware attack attributed to the Clop threat group in December 2020. Attackers gained initial access through a phishing email, exfiltrated roughly 500 GB of sensitive data in plaintext, and then encrypted about 1,000 devices. Clop applied double-extortion pressure by posting samples of the stolen proprietary data on its leak site; the ransom demand was not disclosed.
## Incident Details
- Discovery Date: Approximately December 22, 2020 (Date of reporting)
- Incident Date: Circa December 2020
- Affected Organization: Symrise
- Sector: Flavor and Fragrance Manufacturing (Ingredients/Chemicals)
- Geography: Not explicitly stated in the source; Symrise is headquartered in Holzminden, Germany, and operates globally.
## Timeline of Events
### Initial Access
- Date/Time: Prior to December 22, 2020
- Vector: Successful email phishing attack.
- Details: Attackers sent malicious emails containing links that initiated malware downloads, leading to initial network compromise.
### Lateral Movement
- Details: Not described in the source, but implied by the scope: reaching 1,000 devices and the servers holding 500 GB of data requires movement well beyond the initially compromised endpoint.
### Data Exfiltration/Impact
- Date/Time: Exfiltration preceded encryption, as in the standard double-extortion sequence; the source gives no specific dates.
- Details: Attackers exfiltrated 500 GB of unencrypted data (including passport images, audit reports, and confidential fragrance ingredients). Subsequently, 1,000 devices on the Symrise network were encrypted by the Clop ransomware.
### Detection & Response
- Date/Time: Reporting date December 22, 2020.
- Details: The incident became public when Clop posted samples of the stolen data on its leak site, which the group typically does once a ransom has not been paid by its deadline. Containment and eradication actions are not described in the source; the only visible response is the public standoff over the ransom.
## Attack Methodology
- Initial Access: Successful email phishing attack (malicious links deploying malware).
- Persistence: Not detailed.
- Privilege Escalation: Not detailed.
- Defense Evasion: Not detailed. Clop payloads are commonly reported to terminate security and backup processes before encrypting, but the source does not confirm which techniques were used in this incident.
- Credential Access: Not detailed.
- Discovery: Not detailed.
- Lateral Movement: Implied by the scope (1,000 devices affected).
- Collection: Gathering of roughly 500 GB of sensitive files (IP, PII, audit material) for theft.
- Exfiltration: Bulk transfer of the collected data out of the network before encryption began.
- Impact: Device encryption (ransomware) coupled with data extortion (double extortion).
## Impact Assessment
- Financial: Ransom amount unknown; incident response, remediation, and potential regulatory exposure (the stolen passport images are PII of individuals, and Symrise is subject to GDPR) are implied rather than quantified.
- Data Breach: 500 GB of sensitive, unencrypted data stolen, including confidential fragrance ingredients, passport images, and audit reports.
- Operational: Encryption impacted 1,000 devices, suggesting significant operational disruption.
- Reputational: High impact due to the public exposure of supplier relationships (Nestle, Coca-Cola) and the leak of highly sensitive IP (fragrance formulas).
## Indicators of Compromise
- **Network Indicators (Defanged):** None specified in the source.
- **File Indicators:** No hashes or filenames are given in the source. Clop family payloads are commonly reported to append a `.Clop` (or look-alike `.CIop`) extension to encrypted files and to drop a ransom note named `ClopReadMe.txt`; treat these as family-level indicators, not as indicators confirmed for this incident.
- **Behavioral Indicators:** High-rate file renames and writes from a single process across many endpoints within a short window; sustained, high-volume outbound transfers from file servers to a small set of external hosts in the days before encryption, consistent with the 500 GB exfiltration.
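The two behavioral indicators above can be hunted in ordinary endpoint and flow telemetry. The script below is an added example, not code from the original report or from Symrise; the file events, flow records, baselines, hostnames and the RFC 5737 address `203.0.113.7` are all constructed for illustration, and the `.Clop`/`ClopReadMe.txt` artifacts are family-level indicators from public Clop analyses, not from this incident.

```python
"""Hunt Clop-style behaviour: mass renames per host and bulk egress.

All telemetry below is constructed for this example; it is not data from
the Symrise incident, which the source report does not publish.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Family-level Clop artifacts reported in public analyses (not incident-specific).
CLOP_EXTENSIONS = (".clop", ".ciop")
RANSOM_NOTE_NAMES = ("clopreadme.txt", "cllpreadme.txt")


def build_sample_file_events():
    """Constructed endpoint file telemetry as (ts, host, op, path_after_op).
    WS-017 renames 150 documents in under 40 s and drops a note (attack);
    WS-003 renames 4 files over an hour (benign editing)."""
    events = []
    t0 = datetime.fromisoformat("2020-12-20T02:10:00")
    for i in range(150):
        events.append((t0 + timedelta(milliseconds=250 * i), "WS-017", "RENAME",
                       f"\\\\FS-01\\RD\\formula_{i}.docx.Clop"))
    events.append((t0 + timedelta(seconds=45), "WS-017", "CREATE",
                   "\\\\FS-01\\RD\\ClopReadMe.txt"))
    for i in range(4):
        events.append((t0 + timedelta(minutes=15 * i), "WS-003", "RENAME",
                       f"C:\\Users\\jdoe\\Documents\\draft_v{i}.docx"))
    return events


def detect_mass_rename(events, window=timedelta(seconds=60), threshold=100):
    """Return {host: peak renames inside any `window`} for hosts at/over threshold.
    A sliding window over each host's sorted rename timestamps catches the
    burst shape of encryption without depending on a known extension."""
    per_host = defaultdict(list)
    for ts, host, op, _path in events:
        if op == "RENAME":
            per_host[host].append(ts)
    hits = {}
    for host, times in per_host.items():
        times.sort()
        left, peak = 0, 0
        for right, t in enumerate(times):
            while t - times[left] > window:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            hits[host] = peak
    return hits


def detect_family_artifacts(events):
    """Hosts whose file paths carry known Clop extensions or ransom-note names."""
    hits = defaultdict(set)
    for _ts, host, _op, path in events:
        name = path.rsplit("\\", 1)[-1].lower()
        if name in RANSOM_NOTE_NAMES:
            hits[host].add("ransom_note")
        elif name.endswith(CLOP_EXTENSIONS):
            hits[host].add("clop_extension")
    return dict(hits)


def build_sample_flows():
    """Constructed outbound flow records as (ts, host, dst_ip, bytes).
    FS-01 pushes ~117 GiB to one external address overnight; WS-003 is normal.
    203.0.113.0/24 is documentation space, used as a stand-in destination."""
    flows = []
    t0 = datetime.fromisoformat("2020-12-19T23:00:00")
    for i in range(240):  # one 500 MiB flow every 2 minutes for 8 hours
        flows.append((t0 + timedelta(minutes=2 * i), "FS-01", "203.0.113.7", 500 * 1024 ** 2))
    for i in range(20):
        flows.append((t0 + timedelta(minutes=30 * i), "WS-003", "203.0.113.50", 2 * 1024 ** 2))
    return flows


# Constructed per-host daily outbound baselines (bytes), e.g. a 30-day median.
BASELINE_DAILY_EGRESS = {"FS-01": 2 * 1024 ** 3, "WS-003": 300 * 1024 ** 2}


def detect_bulk_egress(flows, baseline, factor=10):
    """Hosts whose total outbound bytes exceed `factor` x their baseline,
    with the dominant destination so an analyst can pivot to it."""
    total, by_dst = Counter(), defaultdict(Counter)
    for _ts, host, dst, nbytes in flows:
        total[host] += nbytes
        by_dst[host][dst] += nbytes
    hits = {}
    for host, nbytes in total.items():
        base = baseline.get(host)
        if base is not None and nbytes > factor * base:
            dst, dst_bytes = by_dst[host].most_common(1)[0]
            hits[host] = {"bytes": nbytes, "top_dst": dst, "top_dst_bytes": dst_bytes}
    return hits


if __name__ == "__main__":
    ev = build_sample_file_events()
    print("mass rename:", detect_mass_rename(ev))
    print("artifacts:", detect_family_artifacts(ev))
    print("bulk egress:", detect_bulk_egress(build_sample_flows(), BASELINE_DAILY_EGRESS))
```

The rename detector is the more durable of the two file checks, since extensions and note names change between Clop builds while the burst shape does not. The egress check only works against a per-host baseline; a file server that legitimately replicates terabytes nightly needs its own threshold or a destination allow-list, otherwise the alert drowns in noise.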
## Response Actions
- Containment: Not detailed; isolating the affected devices and blocking the exfiltration path would be the expected first steps.
- Eradication: Not detailed.
- Recovery: Not detailed; rebuilding encrypted systems and restoring data from backups is implied.
- **Note:** The only response action visible in the source is the extortion standoff itself: the leak-site posting shows that the ransom had not been paid at the time of reporting.
## Lessons Learned
- Email defenses (filtering, user awareness) did not stop the malicious link, and endpoint controls did not stop the malware download that followed it.
- Data was exfiltrated before encryption (the double-extortion model), so restoring or re-imaging systems does nothing to undo the data loss or the leverage it gives the attacker.
- "Unencrypted" in the source means plaintext copies were stolen before the ransomware ran; encryption at rest would not have protected data the attackers could read with the access they had gained. The actual gap was that highly sensitive IP (fragrance formulas) and PII (passport images) were reachable from compromised endpoints and could leave the network in bulk without being noticed.
## Recommendations
- Strengthen the email security gateway (link rewriting with time-of-click analysis, attachment sandboxing) and pair it with endpoint controls that block malware downloads that do get through.
- Implement **Network Segmentation** so that a single compromised endpoint cannot reach 1,000 devices: restrict workstation-to-workstation SMB and RDP, separate user networks from file servers, and tier administrative accounts.
- Review and strengthen **Data Loss Prevention (DLP)** and egress monitoring, particularly for sensitive IP (fragrance formulas) and PII (passport images); alert on bulk outbound transfers from file servers to unfamiliar destinations.
- Keep all critical data assets in **strong, immutable backups** isolated from the primary network so that encrypted systems can be restored without paying. Note that backups address only the encryption half of double extortion; they do not reduce the leverage of stolen data, which only exfiltration prevention can.