A Student Pirating Software Led To A Full-blown Ryuk Ransomware Attack

BACKGROUND:

A student’s attempt to pirate an expensive data visualization software package led to a full-blown Ryuk ransomware attack at a European biomolecular research institute. After the institute suffered the attack, Sophos’ Rapid Response team responded and neutralized it. The attack cost the institute a week’s worth of research data and caused a week-long network outage while servers were rebuilt from scratch and data was restored from backups.

2 Expert Comments
Rajiv Pimplaskar
InfoSec Expert
May 10, 2021 9:43 am

While there is no fail-safe method for preventing user error, this is a great example of a costly and dangerous attack made possible due to reliance on password-based credentials. Ryuk ransomware was able to harvest the student’s credentials during the initial reconnaissance phase of the attack. The biomolecular institution’s policy facilitating Bring Your Own Device (BYOD) and relying only on Citrix and VPN technologies allowed the attack to penetrate deeper into the organization.

ZDNet reports that almost half of ransomware attacks use stolen credentials or guessing default or common passwords. Passwordless authentication methods such as “phone as a token”, biometrics and/or FIDO security keys are now available that can deter or prevent credential compromise and lateral movement of ransomware. Organizations should embrace a passwordless authentication strategy, both for their workforce and the user base, to bolster security and treat identity as the new perimeter.

Timothy Nursall, Active Defence Advocate
InfoSec Expert
May 10, 2021 9:32 am

Traditionally, an insider threat is believed to be an unhappy employee or someone seeking personal gain. This report is further evidence that we must broaden our definition of an insider. Cases like this, where the insider didn’t have malicious intent, show that threat actors will nonetheless exploit this to gain access to internal networks. An ‘assume compromise’ security strategy needs to be implemented to increase focus on cyber hygiene and accelerate detection of post-exploitation activities.

It’s important to adapt our definition of threat and detection controls to this broader definition of what constitutes an insider threat.

Information Security Buzz