Keeping the best till last − our cyber-crime advent story for 2020 [part 3]

Author
Michelle Gehri
Published
07. December 2020

In the final part of our Advent story, we show you the importance of acting quickly and professionally in the event of a cyber-attack − because the other side is doing exactly that, too. In the first two parts you learned how the initial attack took place using (spear) phishing and how, months later, the hacker group encrypted the affected company's data and paralysed the entire network. In this article, read about how we dealt with the ransom demand and whether or not we were able to save the company from disaster.

CSIRT command takes control

This "cyber-crime thriller" began late one night at the end of May, and what was meant to be "game over" followed soon after. At that time, a Swiss industrial company had become the victim of a targeted cyber-attack using the ransomware "NEPHILIM". As you have already read in the previous articles of our Advent story, it was not just confidential data that was stolen and encrypted; the entire network was affected. Our CSIRT was there to accompany the affected company right from the outset. The first piece of good news was that the data was recoverable quickly, thanks to a very good backup strategy and the rapid, professional response of the company's internal IT department. It took a little longer to completely restore the infrastructure...

As a first step, the Tanium agent was rolled out to tens of thousands of endpoints within a few hours so that analysis and forensic investigation could be started quickly while ensuring that the company was protected. If the attackers were still in the network, this would immediately ring "alarm bells" and further protective measures could be introduced.

Particular attention was, of course, paid to analysing the incident, so that the attackers and their tools could be completely removed from the network and no way in would remain for further attacks. To do this, the experts reconstructed the cyber-attack down to the last detail. Overall, the team was working on it for several weeks − not because they were slow, but because modern cyber-attacks are so complex and, unfortunately, highly effective.

Following in the attacker's footsteps

Cyber-attacks are becoming more and more complex. Zero-day exploits and agile cyber-crime techniques are not easy to detect, but thanks to our EDR-as-a-Service, you too are able to work with the same professional tools as our CSIRT experts. Would you like to detect security incidents early and be able to react to them before any damage is done? Here you can learn more about our EDR-as-a-Service.

Unfortunately, in the case described here, the company lacked this kind of warning system, which meant that the hackers' well-known method remained undetected. In order to avert danger, companies not only need to know the typical cyber-attack patterns, but should also be able to recognise them. We would like to shed some light on what the pattern looks like using the spear phishing attack described here:

  • Sending of spear phishing e-mails from a supposedly trustworthy source to selected company employees.
  • Opening of the spear phishing e-mails and the prepared attachments by employees.
  • Launch of a malicious macro and installation of malware on the employees' computers.
  • Theft of access data and passwords of the local, compromised computer.
  • Use of access data to access connected systems in the domain.
  • Attackers' lateral movement in the network until they gain access to an administrator account.
  • Use of the administrator account to gain access to additional privileged accounts.
  • Use of privileged accounts and access data for access to business-critical systems, applications and data.
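
As an added illustration, not code from the original article, the following Python sketch shows how the third and sixth steps of this pattern could be recognised in endpoint telemetry: an Office application spawning a script host (a macro payload), followed by the same account logging on to several servers within a short window. The event format, host names, user names, timestamps and thresholds are all assumptions.

```python
# Added example, not code from the article: detection logic for two stages of the
# spear-phishing pattern above, run over constructed endpoint telemetry.
from collections import defaultdict
from datetime import datetime, timedelta

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample events (hosts, user names and times are invented).
EVENTS = [
    {"ts": "2020-05-28T23:02:10", "host": "WS-041", "type": "process", "user": "j.muster",
     "parent": "winword.exe", "image": "powershell.exe"},
    {"ts": "2020-05-28T23:02:11", "host": "WS-041", "type": "process", "user": "j.muster",
     "parent": "explorer.exe", "image": "notepad.exe"},
    {"ts": "2020-05-28T23:15:00", "host": "SRV-FILE01", "type": "logon", "user": "j.muster", "logon_type": 3},
    {"ts": "2020-05-28T23:16:30", "host": "SRV-APP02", "type": "logon", "user": "j.muster", "logon_type": 3},
    {"ts": "2020-05-28T23:18:05", "host": "SRV-DC01", "type": "logon", "user": "j.muster", "logon_type": 3},
    {"ts": "2020-05-28T23:19:00", "host": "SRV-FILE01", "type": "logon", "user": "svc-backup", "logon_type": 3},
]

def macro_launches(events):
    """Stage 3 of the list: an Office application spawning a script host."""
    return [e for e in events if e["type"] == "process"
            and e["parent"].lower() in OFFICE_APPS and e["image"].lower() in SCRIPT_HOSTS]

def lateral_movement(events, min_hosts=3, window=timedelta(minutes=30)):
    """Stage 6: one account with network logons (type 3) to >= min_hosts hosts in a window."""
    logons = defaultdict(list)
    for e in events:
        if e["type"] == "logon" and e.get("logon_type") == 3:
            logons[e["user"]].append((datetime.fromisoformat(e["ts"]), e["host"]))
    findings = {}
    for user, entries in logons.items():
        entries.sort()
        for i, (t0, _) in enumerate(entries):
            hosts = {h for t, h in entries[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                findings[user] = sorted(hosts)
                break
    return findings

def correlate(events):
    """Chain both stages: a user whose workstation ran a macro payload and then fanned out."""
    macro_users = {e["user"] for e in macro_launches(events)}
    return {u: h for u, h in lateral_movement(events).items() if u in macro_users}

if __name__ == "__main__":
    for user, hosts in correlate(EVENTS).items():
        print(f"ALERT: {user} launched a macro payload and then logged on to {hosts}")
```

Either stage on its own is a useful alert; the chained finding is the one that should trigger immediate isolation of the workstation and a password reset for the account.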

Keeping this approach in mind, our CSIRT experts also searched for corresponding traces within the compromised network. This enabled them to uncover the first signs of the so-called "Cyber Kill Chain" following the hackers' actual reconnaissance and weaponisation phase. Of course, during this work everything had to be handled as if they were "wearing gloves". To this end, the crime scene was completely "sealed off": any possible entrances, systems or escape routes were inspected, monitored and then closed down.

Should you pay or not? That's the big question with ransom demands

There was still the ransom demand to deal with: to pay or not to pay? Here, there are no right or wrong answers. There are a lot of different factors that play a role: the company itself (its size, the industry, etc.), whether a backup has been made, the risk factors, the amount of ransom demanded, etc. In this case, together with the customer it was decided not to pay the ransom. Everyone was aware of the risk that this data could potentially be published.

All’s well that ends well?

The company had a solid backup strategy, which meant that the recovery phase could be initiated alongside the analysis. Luckily, they also had a well-coordinated, professional IT team that worked incredibly hard on the rebuild and collaborated fully with our CSIRT. All’s well that ends well – just the way it should be for a real Advent story, or at least something like that...

Security incident – not without a reliable partner

As you can see, cyber-attacks can occur at lightning speed and are seldom without major consequences. How would you have reacted if this story had taken place in your company? Maybe you are lucky and are also able to rely on an experienced expert team that can take the first steps. However, our experience says otherwise. Often there is a lack of internal expertise and the resources needed to manage a situation like this in the appropriate way. Then again, there are plenty of other tasks that you need to be dealing with in such a tricky situation. But so long as you are not affected, you do not have to worry about it, right? Wrong!

Even the best security measures are not enough to protect a company from cyber-attacks today. Therefore, in the event of an incident you need to be able to act quickly, professionally and in a planned manner. But how? Here, our Incident Response Retainer is the best and most effective solution. In a shared onboarding workshop, we will prepare you for the emergency situation. If this should occur, we can react correctly together with you: quickly, competently and with a lot of experience − 24/7. You can find out more about our Incident Response Retainer here:

InfoGuard Incident Response Retainer
