“Welcome back. It's us, again... Your files are encrypted and currently unavailable. You can check – all the files on your system have the extension XXX. By the way, it is possible for you to restore everything, but you will have to follow our instructions, otherwise you will not be able to get your files back (EVER). It's just business...” Although it sounds like a sinister cyber-crime story, unfortunately this is real. In this blog article, we present another ransomware attack. The new victim is a multinational company.
The InfoGuard Computer Security Incident Response Team (CSIRT) received an urgent call from a multinational organisation. Significant parts of their network had been encrypted with the Sodinokibi malware, aka REvil. The attackers had penetrated the network over the Remote Desktop Protocol (RDP) via a Windows server located in the Microsoft Azure Cloud. The company's Azure infrastructure was connected directly to the internal network. The attackers then gained access to a domain administrator account, which they used to penetrate the internal network a mere 90 minutes after the initial breach.
Just a day and a half after the initial breach, the attackers had begun exfiltrating a significant amount of data onto an FTP server. Just one hour later, the network was encrypted, starting with the domain controllers. Once the attack was well underway, a recently installed network monitoring appliance recorded a series of alarms, but nobody was monitoring the appliance at the time! This is one of the reasons why the attackers were successful. The ransom note that was found on the encrypted computers indicated a Dark Net address via which the transaction was to take place. The victims could also use this platform to contact the attackers and request evidence of the exfiltration and more information about the attack. In total, the attack lasted less than 48 hours from the initial break-in to the encryption of data and systems!
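The three stages described above (an RDP logon from the internet on the cloud server, domain administrator use originating from that server, and a bulk FTP upload) can be written as simple correlation rules. The following is an added example, not InfoGuard's tooling and not data from the case: the record fields, account names, address ranges and thresholds are assumptions, and the events are constructed. Logon type 10 is the Windows RemoteInteractive (RDP) logon type.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumptions for this example: ranges, account names and thresholds are hypothetical.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]  # on-prem plus cloud virtual network
DOMAIN_ADMINS = {"adm_domain"}
PIVOT_WINDOW = timedelta(hours=24)   # how long an exposed host stays suspect
EXFIL_BYTES = 1_000_000_000          # outbound FTP volume worth an alert

# Constructed sample records (not data from the incident).
EVENTS = [
    {"ts": "2020-03-02T07:00:00", "kind": "logon", "host": "az-srv01", "host_ip": "10.1.0.4",
     "user": "helpdesk", "logon_type": 10, "src": "10.2.0.15"},
    {"ts": "2020-03-02T08:00:00", "kind": "logon", "host": "az-srv01", "host_ip": "10.1.0.4",
     "user": "svc_app", "logon_type": 10, "src": "203.0.113.45"},
    {"ts": "2020-03-02T09:30:00", "kind": "logon", "host": "dc01", "host_ip": "10.2.0.10",
     "user": "adm_domain", "logon_type": 3, "src": "10.1.0.4"},
    {"ts": "2020-03-02T10:00:00", "kind": "logon", "host": "dc01", "host_ip": "10.2.0.10",
     "user": "adm_domain", "logon_type": 3, "src": "10.2.0.15"},
    {"ts": "2020-03-03T20:00:00", "kind": "session", "host": "fs01", "app": "ftp",
     "dst": "198.51.100.7", "bytes": 8_400_000_000},
]

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def detect(events):
    """Return (timestamp, rule, host) alerts for the three stages described above."""
    alerts, exposed = [], {}  # exposed: host IP -> time of first RDP logon from outside
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["kind"] == "logon":
            if e["logon_type"] == 10 and is_external(e["src"]):  # 10 = RemoteInteractive (RDP)
                exposed.setdefault(e["host_ip"], ts)
                alerts.append((e["ts"], "external-rdp", e["host"]))
            elif (e["user"] in DOMAIN_ADMINS and e["src"] in exposed
                  and ts - exposed[e["src"]] <= PIVOT_WINDOW):
                alerts.append((e["ts"], "admin-pivot", e["host"]))
        elif e["kind"] == "session":
            if e["app"] == "ftp" and is_external(e["dst"]) and e["bytes"] >= EXFIL_BYTES:
                alerts.append((e["ts"], "ftp-exfil", e["host"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
```

Rules like these only help if someone is watching the output, which is the gap the unmonitored appliance left open in this case.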
Mathias Fuchs, InfoGuard's Head of Investigation & Intelligence, will explain in our video what happened next, and whether or not the company paid the ransom demand.
The most common way for REvil to access the target device is via a malicious phishing e-mail. The e-mail usually contains a link with a request to download a zip file. With zip files, malware has an easier time bypassing anti-virus protection systems, and so can spread more quickly. REvil belongs to the “Ransomware-as-a-Service” family of products, and it appears to be linked to the infamous GandCrab malware. This means that its operators not only make money directly by extortion, but also via the sale of kits that allow other attackers to create and distribute their own ransomware. These characteristics meant that in the fourth quarter of last year, REvil was the most lucrative ransomware, even though it had been discovered right at the beginning of the year. It generated almost eight per cent more revenue than the Ryuk ransomware.
How would you have reacted if this were the story that played out in your company? We know you would agree that this is absolutely the worst case scenario – and hopefully it will never happen to you! All the same, it makes sense to prepare for this situation. In such a fraught atmosphere, what you need is an experienced partner you can rely on, because there are plenty of other tasks to contend with. As well as technical hurdles, you also have to deal with customers, business partners and, last but not least, staff and maybe even the public.
So you should be able to act quickly, professionally and in a well-planned manner if an incident occurs. But how? Here, our Incident Response Retainer is the best, most effective solution. In a collaborative onboarding workshop, we prepare you for an emergency. If one does occur, we can react correctly, together with you: quickly, competently and with a wealth of experience – 24/7. You can find out more about our Incident Response Retainer here: