A gift you wouldn't wish even on your worst enemy [Part 1]

Author
Michelle Gehri
Published
06. December 2019

Ryuk, Trickbot, Emotet & Co. – these are all the names of ransomware that made their mark in 2019 and are capable of spreading fear and terror. Quite a few companies have been affected in Switzerland too, and we accompanied some of them through these dark times. So our cyber security and cyber defence specialists know exactly how incidents like these unfold. In our four-part advent story, we tell you a slightly different Christmas story based on their experiences. We wish you merry reading!

Imagine – it's right before Christmas. You are the CEO of a successful company with several hundred employees. It's Thursday, just before home time, and you've just left an important meeting feeling satisfied. Three days later you're standing on the edge of ruin, fearing that you will lose everything you've built up over the past few years. What does this have to do with ransomware? Many CEOs and press officers have had to prepare themselves for situations like this, in other words, declaring their company virtually "dead".

Peter Fürst, the CEO of the (of course hypothetical) company E-Trade AG, which specialises in online trading, feared the same, and he found out about Ryuk in detail. But let's look at things one by one...

Tuesday, 3 December 

11:30 a.m.: A new job application arrives on E-Trade AG's web-based application platform for the job vacancy that has been open for three months. Mr Wismer's covering letter sounds very promising, so Mr Lehner from HR goes ahead and opens the attached Word document with the CV. When he opens it, a warning message appears informing him that the document wants to activate a macro. Mr Lehner has read that it is advisable to be careful with this, but so far he has never had any problems, which is why he accepts the warning message. Who knows, maybe they have finally found a new salesperson.

The thing that Mr Lehner can't see is that along with Mr Wismer's CV, the Trojan "Emotet" has also entered the corporate network and is now spreading unnoticed. Emotet also records the email traffic in order to create targeted spam emails – as happened in the case outlined above.

However, Emotet is not on its own for long; it reloads the "Trickbot" malware. Trickbot is a sort of spy with a preference for domain admin accounts and it mainly steals login credentials. This almost gives it a sort of skeleton key that allows access to all (!) data and systems. But what’s it all about?

Wednesday, 4 December 

4:50 p.m.: It's almost the end of the day when Mr Weiss receives an e-mail from a supplier's accounts department. One of the employees is drawing his attention to a Christmas campaign which could be of interest to E-Trade AG. However, the campaign is only running until midnight. Mr Weiss had already read about the campaign in the newsletter a few days ago but had not yet found the time to take a closer look at it. But if he still wants to benefit from it, then now is the last chance! After all, the supplier's products are not exactly cheap.

Of course, Mr Weiss does not doubt the authenticity of the e-mail for a moment. He often deals with the supplier, knows the co-worker well, and the promotional campaign has even been announced in the newsletter. He clicks on the link and... nothing happens, in any case, nothing unusual. The page with the Christmas promotion comes up, but there doesn't appear to be anything interesting, so Mr Weiss closes the page and finally goes home. But he does not notice that evening what happens afterwards in the background, that the e-mail did not come from his supplier, but in fact, it’s a phishing e-mail from a cyber criminal…

Now finally the "Ryuk" ransomware comes into play – the third element alongside Emotet and Trickbot and part of a very dangerous malware cocktail. The infamous encryption software, which installed itself after the click on the fake Christmas promotion, immediately gets to work. Ryuk not only encrypts all (!) data, but also alters the system configuration – because thanks to Trickbot, the attacker can also access all the systems and backups.

Thursday, 5 December 

7:55 p.m.: Mrs Ritter from admin is still in the office. At the moment she could probably be working round the clock, as the Christmas business is in full swing. But she also thinks that she needs to stop at some point and wants to shut down the computer right now. That's when she realises something's wrong. Suddenly she can no longer access the ERP, and another program sends an error message that she has never seen before. It’s funny – IT botch-ups are not uncommon, but she has never experienced this either. She decides to report the incident to the IT department and then call it a day. Tomorrow morning, everything will be back to normal – just the way it usually is.

9:15 p.m.: Even the security tools, which are permanently running in the background, have registered unusual activities. So an IT employee receives a push message on his mobile phone informing him that E-Trade AG has been attacked. But there's still no reason to panic, as the employee knows: The security solution has got everything under control. The attacker is always isolated and put in a sandbox where he can "let off steam" without causing damage – a proven and widespread standard procedure. The employee thinks it will be sufficient to just take care of the attacker tomorrow morning. And maybe it's just a false positive.

Phishing? You could be the next victim!

Phishing is not booming just during the Christmas season. So the first step towards effective cyber security is to raise employee awareness (the keyword is "security awareness"). Of course, the E-Trade AG employees also knew what a phishing e-mail is, what to look out for, and why you should take great care. But the problem is that these days it is becoming increasingly difficult to identify phishing e-mails. At E-Trade AG, for example, the spear phishing e-mail used personal information that an attacker seemingly could not even know. But Emotet, working in combination with Trickbot, was able to search through all the data, including e-mails, so it knew all about the supplier relationship and the Christmas campaign. Frightening, isn't it?

However, Mr Weiss could have looked at other circumstantial evidence. What does the URL behind the displayed link look like (it is shown when you hover the mouse over it)? Does the sender domain match the "real" one? Are there any spelling mistakes? Our cyber security experts have created a special phishing poster for you. You will find a whole host of tips and tricks that you and your employees probably don't even know about. Download it for free now!
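The two checks mentioned above (does the link really point where its text claims, and does the sender domain match the supplier's real one) can also be automated, for instance on a mail gateway or in a triage script. The following is an added example and not part of the original article or of any InfoGuard tool; the e-mail, the supplier domain and all host names in it are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure (hypothetical domains): the visible link text and the
# real target disagree, and the sender uses a look-alike domain.
SAMPLE_EMAIL = """\
From: Accounts <accounts@example-supplier-shop.net>
Subject: Christmas campaign - ends at midnight!
Content-Type: text/html

<p>Dear Mr Weiss, our Christmas promotion ends tonight.</p>
<p><a href="http://login-verify.example.org/promo">https://www.example-supplier.com/christmas</a></p>
"""
# Anchor text that looks like a URL or a bare domain (only then is a comparison meaningful).
URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Lower-cased host name of a URL, or of a bare domain written without a scheme."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()

def check_email(raw, expected_sender_domain):
    """Return findings for the two checks from the text: sender domain and real link target."""
    msg = message_from_string(raw)
    findings = []
    sender_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    if sender_domain != expected_sender_domain.lower():
        findings.append(f"sender domain {sender_domain!r} is not {expected_sender_domain!r}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        if URL_LIKE.fullmatch(text) and host_of(text) != host_of(href):
            findings.append(f"link text shows {host_of(text)!r} but points to {host_of(href)!r}")
    return findings
```

For the constructed sample, `check_email(SAMPLE_EMAIL, "example-supplier.com")` returns two findings: the look-alike sender domain and the link whose text claims the supplier's site while its target is a different host.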


And if you want to know how our advent story turns out and the challenges E-Trade AG will continue to face, then don't miss the second part. We will be continuing next Friday, 13 December!
