At #BHMEA22, Thanassis Diogos (X-Force Incident Response Executive Consultant at IBM) told us about an aggressive double ransomware attack that left a victim in disarray.
The victim had, by their own admission, a highly critical data system that had been encrypted by ransomware group Afrodita.
Looking at the server, the first thing to be seen was the recovery file. “But you start to see something strange here,” Diogos said; “in this case, the ransom note on the server has been encrypted itself.”
This, of course, didn’t make sense. Why would an adversary make their own ransom note unreadable? How could they expect the victim to pay if they didn’t provide payment or contact information?
There was also a file extension that appeared to belong to a different ransomware family: “This started to get really messy.”
What happened here – why was the ransom note encrypted?
It started with Afrodita encrypting the company’s critical data. The immediate response was to call the company’s internal IT support.
And that was the first mistake, because IT support teams are not the same thing as cybersecurity or incident response teams. As Diogos noted, “With ransomware you don’t suffer from IT systems being down. You suffer from data not being available.”
The IT team then did what they were trained to do. They used Google to search for information and tools that would allow them to decrypt files and deal with Afrodita ransomware. They found – and downloaded – decryption tools online.
We know you’ve guessed it by now – but bundled inside one of those “decryption tools” was a second ransomware, which the IT team downloaded and executed on the network.
“What do you think the IT support did after that?” Diogos asked; “They Googled again.”
“If you don’t train people, people will just follow their instincts. If you don’t train people, this is what will happen.”
The company simply wasn’t prepared for a ransomware attack. There weren’t any systems in place, no clear steps to follow, and no cybersecurity partners to call. The IT team did what anyone in their position would do, and followed a process that was familiar to them. But their lack of training meant the process they chose was completely inappropriate, and ended up causing more damage.
After a third-party negotiator was hired to open communications with both ransomware groups on the victim’s behalf, the victim ended up paying both groups to decrypt its files.
Where did this problem begin?
It began with critical data that was not protected from a potential attack. That’s a huge mistake, causing problems that could be avoided – because if you know that certain data is critical, you should also know that it needs to be carefully protected within your infrastructure, as well as backed up safely outside of your network.
This case is therefore useful for understanding what effective preventative and protective measures must include.
“You can see lots of the weaknesses that they had,” Diogos noted. “They had no backups, no culture, no partners — if something happens, who am I going to call? And the teams I call, are they going to be trained?”
The lessons we can all learn here are:
Prepare. It’s naive to think an attack like this could never happen to you. Without proper preparation you will suffer acutely when an attack occurs. Your IT support team is not your cybersecurity team. Cybersecurity teams don’t just deal with robots and computing problems — they deal with people who are trying to deceive. It’s not just tech: it’s criminal psychology too.
Choose your partners early. And do extensive research to make sure you’re choosing the right partners.
Treat critical systems as though they really are critical. That means putting in real work to protect those systems long before anything bad happens.
Understand your environment. Diogos pointed out that clients often want to know who their enemy is — but that’s much less important than knowing your own environment. If you know your environment, you know where an enemy could get in – and that’s a protective practice that you can control.
Change your perspective on privileged accounts. According to Diogos, organisations need to shift their perspective here. Instead of thinking of it as ‘using’ privileged accounts, they must understand that they are exposing privileged accounts – because privileged accounts are high-value access points for threat actors within your network. The more you expose privileged accounts, the greater the risk of a critical data breach.
To sum up in just one line: if you know you have critical data, you have to do the preparation to protect it.
P.S. - Mark your calendars for the return of Black Hat MEA from 📅 14 - 16 November 2023. Want to be a part of the action? Register now!