A Student Pirating Software Led To A Full-blown Ryuk Ransomware Attack

BACKGROUND:

A student’s attempt to pirate an expensive data visualization software package led to a full-blown Ryuk ransomware attack at a European biomolecular research institute. After the institute suffered the attack, Sophos’ Rapid Response team responded and neutralized it. The attack cost the institute a week’s worth of research data and a week-long network outage while servers were rebuilt from scratch and data was restored from backups.

Expert Comments

May 10, 2021
Rajiv Pimplaskar
CEO
Dispersive Holdings, Inc.

While there is no fail-safe method for preventing user error, this is a great example of a costly and dangerous attack made possible due to reliance on password-based credentials. Ryuk ransomware was able to harvest the student’s credentials during the initial reconnaissance phase of the attack. The biomolecular institution's policy facilitating Bring Your Own Device (BYOD) and relying only on Citrix and VPN technologies allowed the attack to penetrate deeper into the organization.

ZDNet reports that almost half of ransomware attacks use stolen credentials or guessing default or common passwords. Passwordless authentication methods such as “phone as a token,” biometrics and/or FIDO security keys are now available that can deter or prevent credential compromise and lateral movement of ransomware. Organizations should embrace a passwordless authentication strategy, both for their workforce and their user base, to bolster security and treat identity as the new perimeter.

May 10, 2021
Timothy Nursall
Active Defence Advocate
Illusive

Traditionally, an insider threat is believed to be an unhappy employee or someone seeking personal gain. This report is further evidence that we must broaden our definition of an insider. Cases like this, where the insider didn't have malicious intent, show that threat actors will nonetheless exploit this to gain access to internal networks. An ‘assume compromise’ security strategy needs to be implemented to increase focus on cyber hygiene and accelerate detection of post-exploitation activities.

It’s important to adapt our definition of threat and detection controls to this broader definition of what constitutes an insider threat.
