zephyr_p - stock.adobe.com

The ransomware routine: pages from the Secret IR Insider’s diary

The Secret Incident Response Insider shares behind-the-scenes stories of what really happens after organisations are hit by cyber attacks – and shows how they could have been avoided

It is 26 November 2020. We’re doing work for a medium-sized global enterprise that’s been hit by the Dharma ransomware. I’m sipping coffee while on a call with the IT director, discussing the plan for getting users back up and running after they’ve restored their systems from backups (the company’s IT team had the foresight to run regular backups and keep them air-gapped from its network – I wish more companies would do this). 

I ask him if he’s considered deploying multi-factor authentication (MFA) for the company’s users, as it helps to stop prevent malicious login attempts if credentials are stolen. He sighs. “No, I’d love to, but I’d get too much pushback from the board and from users because of the extra sign-in step.”

“Have you tried telling the board that if MFA was used, the attack may not have had any impact on the company at all, and you wouldn’t have had to work 18-hour days for the past week and a half to reinstall all the endpoints?” I ask.

He snorts. “My job seems to be keeping everyone happy, and security comes second.” 

I hear this a lot, so I make my usual compromise suggestion that all his IT administrators should use MFA, which at least stops attackers using stolen credentials or credential stuffing to get into privileged accounts where they can cause maximum damage. He agrees.

“Anyway, we need to get our remote contractors back online, so we’ll have to open RDP [remote desktop protocol] backup,” he adds. “They all use their own PCs, so we won’t be able to put anti-malware or our new EDR [endpoint detection and response] software on them, though.” 

I nearly choke on my coffee and I’m lost for words for a few moments. When I’ve cleared my throat, I point out that the Dharma attack most likely originated from the attacker using phished credentials to gain access to the RDP servers, and then planting the ransomware on the network. 

I suggest that, as a minimum, the company uses endpoint compliance scanning to ensure remote endpoints meet minimum security requirements before they are allowed to connect remotely. 

Boardroom banter

After finishing the call with the IT director, I’m asked to join a call with the company’s senior management to update them on how the work is progressing. 

“How many machines have you scanned for infections?” they ask.

About half of your total number of PCs, I reply. Some I haven’t been able to reach at all, and some I can’t scan because they are developers’ machines, and they don’t like administrators being able to scan them. I wait, but my point seems to go unnoticed.

“How many of those are infected with the ransomware?”

Around 80% of the machines I’ve scanned, I tell them.

“So what can we do with the infected machines?” they ask.

I say they need to be removed from the network, fully disinfected and only then reinstalled, otherwise there’s a risk of something being missed, or an unknown infection being left behind that could re-infect the network.

“That’s too big a job,” they say. “We have antivirus software, can’t we just get going with them and the software will pick up any infections?”

I point out that the antivirus software was disabled just prior to the ransomware attack by the hackers behind it, using administrator-level credentials that were probably harvested during an earlier phishing exploit targeting on of the company’s IT team. 

There’s a silence, and then someone asks: “Okay, we see what you mean. How do we stop this happening again?”

Now we’re starting to get somewhere.

Just as I’m describing how the disinfection process will work, and how we would recommend the use of MFA to help prevent these attacks in the future, I get a message on the internal team WhatsApp group. “Online retailer hit by a ransomware attack, can I join a call shortly?” Here we go again…

The Secret IR Insider works at cyber security services and solutions supplier Check Point.

A specialist in incident response (IR), they are on at the front lines of the ongoing battle against malicious cyber criminals, ransomware, and other threats.

Their true identity is a mystery.

Read more on Hackers and cybercrime prevention