Ransomware: How one click can get a company into big trouble
AT&T's cybersecurity experts have lifted the curtain on how cyber attacks using ransomware are carried out. Using an unnamed food manufacturer as an example, AT&T Cybersecurity Director Bindu Sundaresan told ZDNet how the ransomware got into the attacked network and what preceded it.
The attackers used phishing emails and exploited known vulnerabilities ranging from outdated hardware to default passwords. First, they downloaded the Emotet and Trickbot malware onto the attacked network, and then the ransomware Ryuk, which encrypted the files.
The affected company decided not to pay the ransom and turned to AT&T's security experts for help, who restored its systems within 48 hours. However, had the company kept its vulnerable resources updated in time and applied secure settings, it could have done without outside specialists, since the attackers would have had no entry point.
Like most ransomware programs, Ryuk is deployed to the attacked network in the final stage of the attack. However, unlike most of them, a Ryuk attack does not begin with an attack on remote ports but with phishing emails. The victim receives an email with a Microsoft Word document disguised as an invoice; once it is opened, the malicious code executes a PowerShell command that downloads the Emotet malware onto the target system.
Notably, PowerShell commands are generally not used by users who do not need administrator privileges. Had the company disabled PowerShell for such users, the attack would therefore not have advanced any further.
Once Emotet has established a foothold on the network, Trickbot enters the picture, stealing credentials for corporate accounts and cloud services in order to gain access to other network segments.
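The Word-document-to-PowerShell step described above is also the point where a defender can see it: an Office process spawning PowerShell with a hidden window or an encoded command. The following detection logic is an added example, not code from AT&T or ZDNet; the events are constructed in the style of Sysmon process-creation (Event ID 1) fields and the field names and thresholds are assumptions.

```python
import ntpath
from typing import Optional

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Switches that hide the console or obscure the script: rarely needed by
# non-admin staff, routinely seen when a document launches a downloader.
RISKY_TOKENS = {
    "-enc": "encoded command", "-encodedcommand": "encoded command", "-e": "encoded command",
    "-nop": "no profile", "-noprofile": "no profile",
    "-noni": "non-interactive", "-noninteractive": "non-interactive",
}

def assess(event: dict) -> Optional[dict]:
    """Return an alert for a PowerShell launch matching the Word-to-PowerShell pattern, else None."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    child = ntpath.basename(event["Image"]).lower()
    if child not in POWERSHELL:
        return None
    tokens = event["CommandLine"].lower().split()
    reasons = set()
    if parent in OFFICE_PARENTS:
        reasons.add(f"spawned by Office process {parent}")
    for i, tok in enumerate(tokens):
        if tok in RISKY_TOKENS:
            reasons.add(RISKY_TOKENS[tok])
        elif tok in ("-w", "-windowstyle") and tokens[i + 1:i + 2] == ["hidden"]:
            reasons.add("hidden window")
    if not reasons:
        return None
    # Office parent is the strongest signal; risky switches alone are worth a look.
    severity = "high" if parent in OFFICE_PARENTS else "medium"
    return {"user": event["User"], "severity": severity, "reasons": sorted(reasons)}

def scan(events: list) -> list:
    return [alert for alert in map(assess, events) if alert]

# Constructed sample events (Sysmon Event ID 1 style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc <base64-omitted>", "User": r"CORP\jdoe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\nightly-backup.ps1", "User": r"CORP\backup-admin"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -noni -encodedcommand <base64-omitted>", "User": r"CORP\asmith"},
]
```

Running `scan(SAMPLE_EVENTS)` yields two alerts: a high-severity one for the Word-spawned launch and a medium one for the encoded command from cmd.exe, while the scheduled backup script is left alone.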
Although information security specialists managed to restore the company's networks relatively quickly, the two-day downtime cost it a tidy sum, and restoring the networks is not a cheap process either. In addition, following the incident, the company needed to update its systems to prevent the cybercriminals from repeating the attack.
Like many other ransomware victims, the company could have avoided the cyberattack if it had fixed known vulnerabilities in time. The same cannot be said for one of the world's largest aluminum producers, Norsk Hydro, for which the ransomware attack was a real nightmare even though basic cybersecurity requirements had been met.