Pitney Bowes Says Ransomware Behind System Outages'All Options' Under Consideration for Recovery, Mailing Equipment Giant Says
Mailing equipment manufacturer Pitney Bowes says it has been hit by file-encrypting malware, disrupting customers' ability to use many services. But the firm says that no client data appears to have been compromised.
See Also: Healthcare Sector Threat Brief
The company, based in Stamford, Connecticut, offers a number of mailing and postage services, including manufacturing widely used postal meters and shipping software.
“At this time, the company has seen no evidence that customer or employee data has been improperly accessed,” Pitney Bowes says in a statement posted on its website.
But it says that as a result of the ransomware attack, many of its online offerings remain inaccessible, including customers' ability to access its postage supply web store as well as to automatically upload envelope-printing transactions from machines, which they typically do at least once every day and once daily after hours.
"If you have funds on your meter you will be able to process mail," the company advises postage meter users. "Until the system is restored you will not be able to refill your system."
The company's user forums continue to redirect to the company's statement about the attack. Users have expressed frustration at the outage.
It's a real pain. We are a research company and send out large volumes of mail occasionally. Poor Comms from them in terms of updates.— Mike Devereux (@Devereux1Mike) October 14, 2019
Some customers noted that the outage comes at critical time for IRS tax filings. Tuesday is the deadline for taxpayers who requested a filing extension for their 2018 U.S. tax return.
Fun fact: Oct.15th = IRS filing deadline for those who filed 2018 extensions back in April.... ability for acct firms to stamp & certify mass quantities of doc packages is key. #pitneybowes #malware https://t.co/FuGm2UoF3T— Elizabeth Wharton (@LawyerLiz) October 14, 2019
Pitney Bowes processes 16.5 billion pieces of mail annually, and it runs presorting facilities that feed packages and mail into the U.S. Postal System. Those systems have been affected, but Pitney Bowes has yet to say to what extent.
“Presort services were impacted, but we are working with clients and the USPS to mitigate any business disruption,” the company says.
Ransomware continue to put many businesses, municipal governments and schools in a bind. Earlier this month, the FBI issued a new advisory saying that ransomware attacks “are becoming more targeted, sophisticated and costly, even as the overall frequency of attacks remains consistent.”
The FBI says it has seen a sharp decrease in indiscriminate ransomware attacks. But the losses from the successful attacks - often targeting healthcare, industrial and transportation companies - have become increasingly costly (see: Texas Pummeled by Coordinated Ransomware Attack).
Attackers often first infect systems by sending phishing emails with attached malware. Also, they hunt for vulnerabilities in remote desktop protocol - or go on dark web marketplaces to buy stolen credentials for access to organizations via RDP - which is widely used in Windows environments but may have vulnerabilities or weak authentication credentials, the FBI says.
‘All Options’ Considered
The FBI, together with law enforcement agencies and many security experts, continue to recommend that victims never pay a ransom, in part because there’s no guarantee attackers will furnish a working decryption tool. But the bureau has continued to acknowledge that the choice is up to victims. In its most recent alert, it also notes that it has seen victims increasingly paying a ransom.
“The FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers,” the FBI says.
Pitney Bowes indicates all options are on the table, although it did not directly say that paying its attackers is one of the options it is considering.
“Our technical team is working to restore the affected systems, and it is working closely with third-party consultants to address this matter,” the company says. “We are considering all options to expedite this process and we appreciate our customers’ patience as we work toward a resolution.”
Some cyber insurance policies will cover paying ransoms. Investigative website ProPublica reported in May that some digital forensics firms negotiate ransoms to help organizations recover. A follow-up story by ProPublica indicated that insurers may prefer paying the ransoms because it costs less than undertaking a recovery effort (see: Do Ransomware Attackers Single Out Cyber Insurance Holders?).
When asked if Pitney Bowes has cyber insurance, a spokeswoman told Information Security Media Group that the company doesn't have more information that it's currently prepared to release.
Executive Editor Mathew Schwartz contributed to this story.