Learn these lessons from a ransomware attack
Welcome to Cyber Security Today. It’s Monday October 19th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com. To hear the podcast click on the arrow below:
Today I’m going to talk about a ransomware attack last month by one of the most successful cyber gangs out there, and the lessons executives and IT pros can learn.
Cybersecurity experts have given the gang a number of names, but it’s often called Ryuk after the strain of ransomware it prefers. According to one estimate, the Ryuk gang has forced organizations to pay it millions of dollars since 2018.
The details of this particular attack come from an analysis by the security firm Sophos, one of whose products was used by the victim organization. The analysis gives an idea how determined and creative an attacker can be, and why your organization’s IT staff and defences have to be equally determined and creative.
The attack started on Tuesday Sept. 22nd with several employees getting highly-targeted phishing emails from a supposed customer. Each included what was said to be a document relating to money owing. That document was infected. The company’s spam filter recognized and quarantined the attachment, but one employee opened it anyway. It asked the user to enable editing so it could be read. I’ve warned listeners before that an attachment requiring permission to enable editing or macros is a sign of danger. By doing this the malware in the attachment is allowed to run. However, in this case the employee was too trusting and went ahead.
That particular malware installed a beacon which signaled across the Internet to the gang that it had been installed on a victim computer. It allowed the gang to hunt around that computer, looking for ways to get access to and infect other company computers. By the next day the gang had stolen administrative usernames and passwords and then got into the organization’s domain controller. This is a server that verifies users on computer networks. With access to the domain controller the gang could access the login credentials of all employees held in the Windows Active Directory and spread more malware to more company computers.
By late Wednesday — less than a day after the first compromise — the gang was ready to launch the ransomware. It did so by commanding the system to install malicious files on every computer. On Thursday morning the ransomware was spread and launched. The first target was the backup server. And that’s when things began going wrong for the gang. The ransomware was detected by the IT staff and stopped. The attackers changed tactics, trying repeatedly to shut down the antivirus software protecting 40 systems. The back and forth between attackers and IT defenders went on for two days. While the attackers were able to deploy ransom notes, they couldn’t get the ransomware launched.
I’ve simplified the details, but there are a couple of lessons from this incident: First, some attackers don’t merely launch automated cyberattacks. They have someone live at the other end of the line making moves and counter-moves. Second, organizations can’t rely on technology alone to stop attacks. In this case the company’s anti-malware identified the infected email attachment, but one employee was able to open it. Which is why regular security awareness training is so important. Third, use of multifactor authentication would have helped. It would have blunted the ability of attackers to use stolen passwords, particularly to get into the domain controller. Finally, most important, is that IT staff have to regularly watch for suspicious activity on the network. That means they must have visibility tools.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cybersecurity professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.