BACKGROUND:
A student’s attempt to pirate an expensive data visualization software led to a full-blown Ryuk ransomware attack at a European biomolecular research institute. After the research institute suffered the attack, Sophos’ Rapid Response team responded and neutralized the cyberattack. This attack lost the institute a week’s worth of research data and a week-long network outage as servers were rebuilt from scratch and data restored from backups.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
<p>While there is no fail safe method for preventing user error, this is a great example of a costly and dangerous attack made possible due to reliance on password based credentials. Ryuk ransomware was able to harvest the student’s credentials during the initial reconnaissance phase of the attack. The biomolecular institution\’s policy facilitating Bring Your Own Device (BYOD) and relying only on Citrix and VPN technologies allowed the attack to penetrate deeper into the organization.</p> <p> </p> <p>ZDNet reports that almost half of ransomware attacks use stolen credentials or guessing default or common passwords. Passwordless authentication methods such as “phone as a token,\" biometrics and / or FIDO security keys are now available that can deter or prevent credential compromise and lateral movement of ransomware. Organizations should embrace a passwordless authentication strategy, both for their workforce and the user base, to bolster security and treat identity as the new perimeter.</p>
<p>Traditionally, an insider threat is believed to be an unhappy employee or someone seeking personal gain. This report is further evidence that we must broaden our definition of an insider. Cases like this, where the insider didn\’t have malicious intent, show that threat actors will nonetheless exploit this to gain access to internal networks. An ‘assume compromise’ security strategy needs to be implemented to increase focus on cyber hygiene and accelerate detection of post-exploitation activities.</p> <p><br />It’s important to adapt our definition of threat and detection controls to this broader definition of what constitutes an insider threat.</p>