In Switzerland, a wave of highly targeted attacks on medium-sized and large companies has been raging for several weeks now. The ransom demands range from CHF 19,000 to CHF 5,655,000. To make sure you do not fall victim to these attacks, our cyber security experts have documented the typical, frequently identical method for you:
How the attackers work
- Phishing e-mails, some of them very elaborately faked, tempt employees into opening an infected attachment or clicking on a malicious link. Alternatively, the attackers gain access through terminal servers that are exposed to, and reachable from, the Internet.
- This gives the attacker control over the corresponding endpoint in the victim's internal network.
- From here, the attacker moves laterally through the network, much as some APT groups do. He escalates his privileges until he holds a domain administrator account.
- Once he has this account, the attacker moves on to the domain controller and from there checks which other end devices he can reach. The entire user database is also extracted from the domain controller. This means that, unless the right countermeasures are taken, the attacker is able to regain access to the victim's network at a later point in time.
- Starting from the domain controller, the attacker distributes and runs encryption malware on key corporate servers and clients. A message then appears on the affected computers asking the victim to contact the blackmailer.
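Two detection checks that match the chain described above, added here as an example and not InfoGuard's code or part of any tool named on this page: interactive RDP logons to a terminal server from outside the company's own address ranges (the exposed-terminal-server entry point), and one account reaching many hosts within minutes from a single source (the roll-out stage that starts at the domain controller). The event layout, the internal address ranges and the log rows are constructed for this example.

```python
"""Flag two stages of the described attack chain in Windows logon events (4624):
(1) type-10 (RDP) logons from addresses outside the company's internal ranges;
(2) one account logging on over the network (type 3) to many hosts in a short window.
Event layout, address ranges and sample rows are constructed for this example."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed internal ranges of the company (constructed; adapt to your own network)
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: (timestamp, event_id, account, source_ip, target_host, logon_type)
EVENTS = [
    ("2019-10-01 08:02:11", 4624, "j.muster", "198.51.100.23", "TS01", 10),
    ("2019-10-01 08:15:40", 4624, "j.muster", "10.0.5.14", "WS-114", 2),
    ("2019-10-01 09:01:02", 4624, "svc_backup", "10.0.0.10", "FS01", 3),
    ("2019-10-01 22:10:00", 4624, "Administrator", "10.0.0.10", "FS01", 3),
    ("2019-10-01 22:10:04", 4624, "Administrator", "10.0.0.10", "FS02", 3),
    ("2019-10-01 22:10:09", 4624, "Administrator", "10.0.0.10", "SQL01", 3),
    ("2019-10-01 22:10:13", 4624, "Administrator", "10.0.0.10", "WS-114", 3),
    ("2019-10-01 22:10:20", 4624, "Administrator", "10.0.0.10", "WS-207", 3),
]

def external_rdp_logons(events):
    """Return (timestamp, account, src_ip, host) for RDP logons whose source is not internal."""
    hits = []
    for ts, eid, acct, src, host, ltype in events:
        src_ip = ipaddress.ip_address(src)
        if eid == 4624 and ltype == 10 and not any(src_ip in net for net in INTERNAL):
            hits.append((ts, acct, src, host))
    return hits

def fan_out(events, min_hosts=5, window=timedelta(minutes=10)):
    """Return {(account, src_ip): sorted hosts} for every account/source pair that reached
    at least min_hosts distinct hosts over the network within `window`."""
    per_key = defaultdict(list)
    for ts, eid, acct, src, host, ltype in events:
        if eid == 4624 and ltype == 3:
            per_key[(acct, src)].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host))
    flagged = {}
    for key, rows in per_key.items():
        rows.sort()  # chronological, so every later row has t >= t0
        for i, (t0, _) in enumerate(rows):
            hosts = {h for t, h in rows[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                flagged[key] = sorted(hosts)
                break
    return flagged
```

On the sample data, `external_rdp_logons` flags the single logon from 198.51.100.23 to TS01, and `fan_out` flags the Administrator account reaching five servers and clients from 10.0.0.10 within twenty seconds.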
The malware used by the attackers varies from case to case. Some of the cases investigated have shown a combination of several of the following malware products:
- Emotet
- Trickbot
- Ryuk
- Cobalt Strike
- Metasploit
- MegaC0rtex
- QBot
What can you do about it?
To prevent incidents such as these, it is imperative that every employee is trained in the secure use of the IT infrastructure, specifically e-mails and their attachments, such as Word documents with macros. This is why every company should take appropriate security awareness measures. It is the only way to stop an incident at an early stage.
Our InfoGuard Cyber Defence Center also helps you to react promptly and interrupt the chain of attack before significant damage can occur.
InfoGuard provides you with fast, competent and experienced support when a security incident occurs!
These days, no one is safe from cyber-attacks; it can happen to you at any time. If you are afraid that you may also be affected, contact us in advance in order to avoid the most serious damage. Our experienced specialists in the Cyber Defence Center take care of you around the clock, 24/7. If you have an incident, please contact us!