This major ransomware attack was foiled at the last minute. Here's how they spotted it

Cybersecurity researchers detail what they found during an investigation into an attempted ransomware attack - and what other organisations can learn to avoid becoming victims.
Written by Danny Palmer, Senior Writer

A ransomware gang installed remote desktop software on over 100 machines across a network, and their plans to encrypt the network were only foiled at the last minute when cybersecurity experts were called into a company after suspicious software was found on its network.

The efforts made by criminals to lay the foundations for a ransomware attack, which resulted in legitimate remote access software being installed on 130 endpoints, were discovered when security company Sophos was brought in to investigate the unnamed company after Cobalt Strike was detected on its network. 

Cobalt Strike is a legitimate penetration testing tool, but it's commonly used by cyber criminals in the early stages of a ransomware attack. One of the reasons it is favoured by cyber criminals is that it partially runs in memory, making it difficult to detect.


The goal of the gang was to encrypt as much of the network as possible with REvil ransomware, but because the cyber criminals were detected before they could finalise their preparations, the attack wasn't successful – although they managed to encrypt data on some unprotected devices and deleted online backups after they noticed they'd been spotted by investigators. 

A ransom note left by REvil on one of the few devices that was encrypted revealed a demand of $2.5 million in bitcoin for a decryption key – although this wasn't paid.

But the attackers had managed to gain enough control of the network in the run-up to install software on over 100 machines – and the company that was being targeted didn't notice.

"As a result of the pandemic, it's not unusual to find remote access applications installed on employee devices," said Paul Jacobs, incident response lead at Sophos.

"When we saw ScreenConnect on 130 endpoints, we assumed it was there intentionally, to support people working from home. It turned out the company knew nothing about it – the attackers had installed the software to ensure they could maintain access to the network and compromised devices."

This was just one of several methods that cyber criminals used to maintain their hold on the network, including creating their own admin accounts.

But how did the cyber criminals get onto the network in the first place in order to use Cobalt Strike, set up remote access accounts and gain admin privileges?

"From what we have seen in our investigations, there is a variety of methods used. Most commonly it is users being phished, often weeks or months earlier; then there is the exploitation of firewall and VPN vulnerabilities, or brute forcing RDP if it is exposed to the internet," Peter Mackenzie, manager of Sophos Rapid Response, told ZDNet.

In this instance, the attempted ransomware attack wasn't successful, but ransomware is so prolific at the moment that organisations are regularly falling victim. REvil, the ransomware used in the incident investigated by Sophos, was deployed in the successful ransomware attack against JBS, with the cyber criminals behind it making off with $11 million in bitcoin.


However, there are steps that all organisations can take to prevent cyber criminals from gaining access to the network in the first place.

"Firstly, ensure every single computer on your network has security software installed and managed centrally. Attackers love unprotected machines. Next, make sure they are getting patches regularly and remember if a computer hasn't rebooted for a year, then it likely hasn't applied any patches either," said Mackenzie.

But while using technology correctly can help protect against cyberattacks, it's also useful to have eyes on the network. People who have a good understanding of what's on the network can detect and react to any potentially suspicious activity – such as the use of Cobalt Strike, which in this case led to the ransomware attack being discovered before significant damage was done.

"For the best cybersecurity, you need people watching what is happening and reacting to it live, that is what can make the biggest difference," said Mackenzie.
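The advice above boils down to knowing what is on every endpoint and noticing when something does not belong. The following is an added example, not Sophos's tooling or data from the incident: it audits a constructed software inventory for the warning signs named in the article (remote access software nobody in IT deployed, admin accounts nobody created, machines that have not rebooted in a year, and machines with no centrally managed security software). The tool list, the approved baselines and the sample endpoints are assumptions for illustration.

```python
from dataclasses import dataclass

# Remote-access products worth a second look when IT did not deploy them.
# ScreenConnect is the one named in the article; the others are assumptions.
REMOTE_ACCESS_TOOLS = {"screenconnect", "anydesk", "teamviewer"}
APPROVED_REMOTE_TOOLS = {"teamviewer"}            # assumption: the only sanctioned tool
KNOWN_ADMINS = {"administrator", "it-helpdesk"}   # assumption: the approved admin set
MAX_UPTIME_DAYS = 365                             # "hasn't rebooted for a year"

@dataclass
class Endpoint:
    name: str
    installed: frozenset      # lowercase product names from the software inventory
    local_admins: frozenset   # lowercase members of the local Administrators group
    uptime_days: int
    centrally_managed: bool   # security software present and reporting to the console

def audit(ep: Endpoint) -> list:
    """Return the article's warning signs that apply to this endpoint."""
    findings = []
    rogue = (ep.installed & REMOTE_ACCESS_TOOLS) - APPROVED_REMOTE_TOOLS
    if rogue:
        findings.append(f"unapproved remote access: {', '.join(sorted(rogue))}")
    new_admins = ep.local_admins - KNOWN_ADMINS
    if new_admins:
        findings.append(f"unknown local admins: {', '.join(sorted(new_admins))}")
    if ep.uptime_days > MAX_UPTIME_DAYS:
        findings.append(f"uptime {ep.uptime_days}d, patches probably not applied")
    if not ep.centrally_managed:
        findings.append("no centrally managed security software")
    return findings

def audit_fleet(endpoints) -> dict:
    """Map endpoint name -> findings, keeping only endpoints with at least one."""
    return {ep.name: f for ep in endpoints if (f := audit(ep))}

# Constructed sample inventory, not data from the investigated company.
SAMPLE = [
    Endpoint("ws-001", frozenset({"office", "screenconnect"}), frozenset({"administrator"}), 12, True),
    Endpoint("ws-002", frozenset({"office", "teamviewer"}), frozenset({"administrator", "svc_backup"}), 40, True),
    Endpoint("srv-files", frozenset({"screenconnect"}), frozenset({"administrator"}), 410, False),
    Endpoint("ws-003", frozenset({"office"}), frozenset({"it-helpdesk"}), 3, True),
]

if __name__ == "__main__":
    for name, findings in audit_fleet(SAMPLE).items():
        print(name, "->", "; ".join(findings))
```

A single unapproved remote-access install is a one-line finding; the same tool turning up across a large share of the fleet at once is what should prompt the "did we deploy this?" question the Sophos team asked.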
