BlackCat/ALPHV Ransomware Victim: McDermott International, Ltd
NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the ALPHV Onion Dark Web Tor Blog page.
Company Info
- Company Name: McDermott International, Ltd
Dark Web Info
- Date Listed: 29/04/2023, 06:29:00
- Screenshots Available: Screenshots of PII Available
- Files available to download: N/A
Description
- McDermott International Incorporated in Bermuda. 04/29/2023 I have recently found concerning information about McDermott International. Under the guidance of Mr. Michael Peterman (Head of Cybersecurity), the company decided to engage ClownStrike and their external disaster recovery team, instead of using internal resources. This has led to a significant financial burden for the company. From what I have observed, the internal team at McDermott seems to spend most of their time engaging in unproductive behavior. I have looked at team communications from various organizations, and McDermott’s case stands out as particularly unique. The way McDermott allocates resources is also questionable. They have chosen to outsource Network Operations Center (NOC) and Security Operations Center (SOC) to Tata Consultancy Services (TCS). Despite having an in-house SOC, McDermott sought ClownStrike’s assistance even before we locked over 200 ESX hosts. As many people know, their blog posts are mainly for marketing purposes. Our records indicate that McDermott has retained ClownStrike’s red team audit services, known as RedMint, since 2016. This long-standing relationship further highlights the company’s reliance on external services and the costs associated with them. While I don’t expect McDermott to reach out to us, and I don’t really care if they do, I must say that some companies might garner sympathy in such situations. However, in this case, it seems like McDermott’s actions warrant a closer look. We plan to release confidential documents and evidence of corruption in the coming weeks. McDermott has the option to come forward and address the situation or continue to rely on ClownStrike, which may not be the most effective solution. 
In addition, we will disclose their 2022 internal red team audit, which is deemed “Confidential.” The company has invested many millions per year in over ten security solutions, such as Splunk, Crowdstrike, Sentinel One, Trellix/McAfee, Cisco Umbrella, Cisco AMP, Cisco IronPort, Microsoft ATP, Tanium, and external NOC & SOC services, while engaging TCS for managing these tools. Their poor money management skills have previously led them to bankruptcy, and they continue to make questionable decisions. After McDermott’s non-disclosure agreement (NDA) tactic, I thought the company might consider paying to mitigate damage. Surprisingly, they didn’t even view the relevant page. I will continue to analyze the information I have acquired. So far, I have found possible signs of corruption, as well as several questionable NDAs and arrangements with companies and nations that McDermott shouldn’t be involved with. It seems that instead of taking proactive measures, the team’s conversations, which occurred before our final action, reveal their incompetence. This will become more evident once we begin releasing documents and data. Notably, over 200 ESX hosts were locked under the watch of ClownStrike’s active incident response teams, which were brought into the engagement days before our event, further demonstrating their inefficiency. As I proceed with the investigation, I will share findings regarding corruption, suspicious NDAs, and other questionable dealings. McDermott’s teams had plenty of opportunities to address the situation before our encryption event, but they failed to do so. The release of documents will further highlight their inadequacies. The entire IT team at McDermott appears to be incompetent, and it wouldn’t surprise me if they are hiding this entire event from the executives and the rest of the company’s staff, disguising it as network maintenance.