Ransomware Manufacturing Case
Type of Attack: Ransomware
Company Size: 100 employees
The attacker breached the server via the company’s VPN because it lacked multi-factor authentication (MFA), allowing anyone to remote into the network with just credentials and no further verification. Once in the network, the threat actor moved laterally to the SQL server and started the attack chain, which included exfiltrating data to a Russian cloud provider and encrypting two servers. The business was not worried about this data because it was not sensitive or personally identifiable information (PII). Based on a thorough investigation by our cyber experts, the initial access was likely through compromised credentials harvested on the dark web.
What We Did
Once on-site, our cyber experts assessed and contained the network and deployed incident response tooling. We started our forensic investigation by imaging the two encrypted servers and researching recovery options. The company had backups available but transitioned to and rebuilt its infrastructure on the cloud instead of on-premises. We helped the IT team build a new, simpler cloud infrastructure and set up its users. Our expert incident responders were able to get the company back up and running within five days.
In addition to returning companies to operations, Blue Team Alpha incident commanders aid with non-technical aspects of recovery. Incidents are incredibly stressful. Our responders often act as soundboards for on-site staff, help coach the company through the response, and aid in the grieving process often experienced during a cyber incident.
The company was down for several days, could not conduct business and was steadily losing money. Its reputation was also at risk, and because of this, management was concerned about losing its partners. We provided a report for the company to distribute, verifying that the incident was fully resolved and cleaned up.
Implement multi-factor authentication (MFA)
Multi-factor authentication (MFA) is a second check to verify your identity when logging in to your accounts. MFA utilizes at least two pieces of information to prove your identity. The information must be from two of three separate categories; something you know, something you have, and something you are. The most secure MFA requires all three.
MFA makes it more difficult for attackers with password-cracking tools to break into accounts. Even if a bad actor hijacks your password, the additional authentication methods help protect your account from being compromised.
Utilize strong and unique passwords
While creating a new and complex password for every account can be frustrating, it is essential for effective cybersecurity. Using strong passphrases or passwords for individual accounts makes it harder for attackers to gain access. If a hacker still manages to hack an account, having unique passwords stops the attacker from subsequently hacking all your accounts.
Secure password managers easily track and remember passwords across all accounts. Users need only to remember the master password used to log into the password manager.