Experts have described what they were able to uncover during the investigation of an attempted ransomware attack.
The cybercriminal group installed remote-control software on 130 machines in one company's corporate network in preparation for encrypting the data stored there, but at the last moment the plan was thwarted: information security experts discovered the suspicious software and notified the company.
The attackers' activity, which resulted in remote-control software being installed on more than a hundred computers, was identified by the information security company Sophos. The experts began an investigation immediately after discovering Cobalt Strike on the network, a legitimate penetration-testing tool that is increasingly popular among ransomware operators.
The ultimate goal of the cybercriminals was to encrypt as much of the network as possible with the REvil ransomware, but they did not have time to carry out their plans. Even so, once they realised they had been caught red-handed, the hackers did manage to encrypt several unprotected devices and delete the online backups stored there.
According to the ransom note on one of the computers that REvil managed to encrypt, the victim was asked to pay $2.5 million for the decryption key. The ransom was not paid.
Be that as it may, the attackers gained enough control over the network to install the software on more than a hundred computers without anyone in the company noticing.
Paul Jacobs, head of the Sophos Incident Response Team, said that finding remote-access software on employees’ devices is not unusual during the pandemic.
“After finding ScreenConnect on 130 computers, we decided it was installed specifically to support remote workers. However, it turned out that the company did not know anything about it, and the attackers installed it to provide themselves with access to the network and compromised devices,” Jacobs explained.
The hackers used several methods to gain initial access to the network, most often phishing attacks on company employees. There were also signs of exploitation of vulnerabilities in firewalls and VPNs, as well as traces of brute-force attacks on RDP services exposed to the Internet.
Sophos Rapid Response Team Manager Peter Mackenzie provided several guidelines for protecting against ransomware attacks.
“First, make sure that every single computer on your network has security solutions installed and that they are all centrally managed. Attackers love unsecured machines. Next, make sure they get patches on a regular basis, and remember that if the computer hasn’t rebooted for a year, it doesn’t have any patches,” Mackenzie said.
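The two hygiene points Mackenzie raises (every machine carries a centrally managed security agent; every machine patches and reboots regularly) and the unexpected ScreenConnect deployment Jacobs describes can be checked with a simple audit of an asset inventory. The following is an added Python example, not code from the article or from Sophos; the inventory records, hostnames, boot times, the list of remote-control product names and the approved-tool set are constructed and hypothetical, and a real deployment would feed the same functions from an endpoint-management export.

```python
"""Fleet hygiene audit (added example, not from the article or Sophos).

Flags hosts that (a) report no centrally managed security agent,
(b) have not rebooted for longer than a threshold, so pending patches are
probably not applied, or (c) carry a remote-control tool that is not on the
organisation's approved list, as ScreenConnect was in the case described.
"""
from datetime import datetime, timedelta

# Constructed sample inventory; hostnames, dates and software lists are hypothetical.
INVENTORY = [
    {"host": "fin-ws-01", "last_boot": "2021-03-10T08:12:00", "edr_agent": True,
     "software": ["Microsoft Office 365", "ScreenConnect Client"]},
    {"host": "hr-ws-07", "last_boot": "2021-04-28T07:40:00", "edr_agent": True,
     "software": ["Microsoft Office 365", "TeamViewer"]},
    {"host": "lab-srv-02", "last_boot": "2020-04-15T02:05:00", "edr_agent": False,
     "software": ["ScreenConnect Client"]},
    {"host": "dev-ws-12", "last_boot": "2021-04-30T09:00:00", "edr_agent": True,
     "software": ["Visual Studio Code"]},
]

# Remote-control products to look for; matched case-insensitively as substrings.
REMOTE_ACCESS_TOOLS = ("screenconnect", "connectwise control", "anydesk", "teamviewer")
# Placeholder: the tools this organisation actually sanctions for remote support.
APPROVED_REMOTE_ACCESS = {"teamviewer"}
MAX_UPTIME = timedelta(days=30)
# Fixed reference time so the sample run is reproducible.
SAMPLE_NOW = datetime(2021, 5, 1, 12, 0)


def remote_access_tools(software):
    """Return the set of known remote-control tools present in an installed-software list."""
    names = [s.lower() for s in software]
    return {tool for tool in REMOTE_ACCESS_TOOLS if any(tool in n for n in names)}


def audit_host(record, now, approved=APPROVED_REMOTE_ACCESS, max_uptime=MAX_UPTIME):
    """Return a list of (category, detail) findings for one inventory record."""
    findings = []
    if not record["edr_agent"]:
        findings.append(("no_security_agent", "no centrally managed security agent reported"))
    uptime = now - datetime.fromisoformat(record["last_boot"])
    if uptime > max_uptime:
        findings.append(("stale_uptime",
                         f"last reboot {uptime.days} days ago; patches may be pending"))
    for tool in sorted(remote_access_tools(record["software"]) - approved):
        findings.append(("unapproved_remote_access",
                         f"{tool} installed but not on the approved list"))
    return findings


def audit_inventory(inventory, now, **kw):
    """Audit every host; return {hostname: findings} for hosts with at least one finding."""
    results = {}
    for record in inventory:
        findings = audit_host(record, now, **kw)
        if findings:
            results[record["host"]] = findings
    return results


def tool_prevalence(inventory):
    """Count how many hosts carry each remote-control tool (a sudden jump, such as
    one tool appearing on 130 machines, is itself worth investigating)."""
    counts = {}
    for record in inventory:
        for tool in remote_access_tools(record["software"]):
            counts[tool] = counts.get(tool, 0) + 1
    return counts


def run_sample():
    """Audit the constructed inventory at the fixed reference time."""
    return audit_inventory(INVENTORY, SAMPLE_NOW)


if __name__ == "__main__":
    for host, findings in run_sample().items():
        for category, detail in findings:
            print(f"{host}: [{category}] {detail}")
    print("remote-control tool prevalence:", tool_prevalence(INVENTORY))
```

The substring match deliberately catches product-name variants such as "ScreenConnect Client"; in practice the approved set and the uptime threshold belong in configuration, and the prevalence count is the quickest way to notice a tool that has spread across the fleet without a change record.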