It’s bad enough that infosec pros have to worry about ransomware scrambling or stealing data — or both. But a recent report argues organizations need to pay more attention to another capability: ransomware that harvests credentials across the network, allowing an attacker to re-enter the enterprise as often as they want.
The possibility was raised this week by security reporter Brian Krebs, who in a column warned that the usual remediation procedure after an attack, changing passwords for all user accounts with access to any email system, server or desktop workstation on the network, may not be enough. Attackers are also siphoning off every password stored on every device on the network.
Krebs came to this conclusion after looking into the November 2019 Ryuk ransomware attack on Wisconsin-based Virtual Care Provider Inc. (VCPI). The provider manages the IT systems for some 110 clients that serve approximately 2,400 nursing homes in 45 U.S. states.
A cybersecurity firm that sometimes intercepts communications between ransomware gangs told Krebs that, before the VCPI ransomware was launched, the attackers first infected the provider with the Emotet malware, which includes the Trickbot password-stealing module.
According to logs seen by the security firm and apparently lifted from VCPI endpoints, credentials copied by the attackers included those used by company employees to log in at more than 300 Web sites and services, including the identity and password management platforms Auth0 and LastPass, multiple personal and business banking portals, Microsoft Office365 accounts, cloud-based payroll management services, commercial phone, Internet and power services, state and local government competitive bidding portals, and Amazon, Facebook, LinkedIn, Microsoft and Twitter accounts.
“Moral of the story,” writes Krebs: “Companies that experience a ransomware attack — or for that matter any type of equally invasive malware infestation — should assume that all credentials stored anywhere on the local network (including those saved inside Web browsers and password managers) are compromised and need to be changed.”
And they need to be protected with multi-factor authentication.
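One way to turn that advice into a repeatable post-incident check, as an added example that is not from Krebs’ column or any VCPI tooling: take an export of accounts (the CSV below is constructed, and its column names are assumptions rather than a real directory or IdP schema), then list every account whose password was last set at or before the containment time and every account still without MFA.

```python
"""Post-incident credential audit (added, hypothetical example).

Any credential that existed on the network while a stealer such as
Trickbot was running is treated as compromised, so the rule is simple:
if the password was not set *after* containment, it must be rotated,
and every account should have MFA. Field names are assumptions.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample export (not real data); timestamps are ISO 8601 UTC.
SAMPLE_EXPORT = """\
account,type,password_last_set,mfa_enabled
alice,user,2019-11-20T09:00:00Z,false
svc-backup,service,2019-10-02T14:30:00Z,false
bob,user,2019-11-18T08:15:00Z,false
admin-dc1,admin,2019-11-19T23:59:00Z,true
payroll-portal,external,2019-11-21T10:00:00Z,false
"""

# Containment time for the constructed scenario (assumption).
CONTAINMENT = datetime(2019, 11, 19, 12, 0, tzinfo=timezone.utc)


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 'Z' timestamp into a timezone-aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit(export_csv: str, containment: datetime) -> dict:
    """Return accounts that still need rotation and accounts lacking MFA.

    Service, admin and external-site accounts are judged by the same rule
    as user accounts: the stealer does not distinguish between them.
    """
    needs_rotation, missing_mfa = [], []
    for row in csv.DictReader(io.StringIO(export_csv)):
        if parse_ts(row["password_last_set"]) <= containment:
            needs_rotation.append(row["account"])
        if row["mfa_enabled"].strip().lower() != "true":
            missing_mfa.append(row["account"])
    return {"needs_rotation": sorted(needs_rotation), "missing_mfa": sorted(missing_mfa)}


if __name__ == "__main__":
    for category, accounts in audit(SAMPLE_EXPORT, CONTAINMENT).items():
        print(f"{category}: {', '.join(accounts) or 'none'}")
```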