Warning: Ransomware may be copying all credentials on victims’ networks

It’s bad enough that infosec pros have to worry about ransomware scrambling or stealing data — or both. But a recent report argues organizations need to pay more attention to another capability: Ransomware that harvests credentials across the network, allowing an attacker to penetrate the enterprise as often as they want.

The possibility was raised this week by security reporter Brian Krebs, who in a column warned that the usual remediation procedure after an attack, changing the passwords of all user accounts that have access to any email system, server or desktop workstation on the network, may not be enough. Attackers are also siphoning off every password stored on every device on the network.

Krebs came to this conclusion after looking into the November 2019 Ryuk ransomware attack on Wisconsin-based Virtual Care Provider Inc. (VCPI). The provider manages the IT systems for some 110 clients that serve approximately 2,400 nursing homes in 45 U.S. states.

A cybersecurity firm that sometimes intercepts communications between ransomware gangs told Krebs that before the VCPI ransomware was launched the attackers first infected the provider with the Emotet malware, which includes the Trickbot password-stealing module.

According to logs seen by the security firm and apparently lifted from VCPI endpoints, the credentials copied by the attackers included those used by company employees to log in to more than 300 Web sites and services, including the identity and password management platforms Auth0 and LastPass, multiple personal and business banking portals, Microsoft Office 365 accounts, cloud-based payroll management services, commercial phone, Internet and power services, state and local government competitive bidding portals, and Amazon, Facebook, LinkedIn, Microsoft and Twitter accounts.

“Moral of the story,” writes Krebs: “Companies that experience a ransomware attack — or for that matter any type of equally invasive malware infestation — should assume that all credentials stored anywhere on the local network (including those saved inside Web browsers and password managers) are compromised and need to be changed.”

And they need to be protected with multi-factor authentication.


Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
