Phishing & Ransomware Cases
Type of Attack: Phishing and Ransomware
Company Size: 600 employees
An attacker sent phishing emails to employees. One user opened the email, believed it was legitimate, and entered their username and password. Because most people use the same password for their work computer and their work email, the attacker was able to use those credentials to log in to the company VPN. Once inside, the attacker conducted reconnaissance to work out “who’s who” in the organization and then sent emails to targeted individuals from the compromised email account.
The attacker remained inside the organization undetected for several months and gained access to administrative accounts. They worked out the timing of invoices and expected payments and obtained the company’s bank wiring details.
The attackers wired approximately $300,000 from the company’s bank account into their own account. They also sent out a number of pending invoices with altered, fraudulent payment details so that customer payments would go to them instead. If that wasn’t enough, the attackers then launched a ransomware attack, encrypting all of the company’s computer assets.
What We Did
There was a lot of cleanup work to do after this attack, and our team dug in and devoted more than 300 man-hours to getting it done. The company had 300 workstations, all of which had to be reloaded because of the ransomware. We arrived on site, set up camp in a large conference room, and stood up an imaging service to rebuild all of the computers. Fortunately, the company had encrypted backups and a SAN (Storage Area Network) snapshot, which truly saved them from irreparable damage.
We used the backups to start restoring services. Our team’s expertise and the additional hardware we brought in for remediation allowed us to get the business back up and running within three days. All of the workstations were reimaged within five days. Unfortunately, there was one site for which they did not have quality backups, and they ended up having to pay the ransom for that data. We were, however, able to help negotiate the amount down from roughly $850,000 to approximately $600,000. In these situations companies are often powerless, because these ransomware attacks originate from non-extradition countries, leaving no legal recourse.
Regular, encrypted, and “air-gapped” backups are a critical component of cybersecurity. Air gapping means disconnecting the backup device from the network so that it cannot be compromised when the rest of the network is attacked. Failing to take these proactive measures can cost you dearly if an attack occurs. Employees should be trained to recognize phishing, and companies should make sure the same login credentials are not used for both email and network access.