Has your business been targeted by malicious actors recently? What about foreign governments? Bad guys always seem to have a new trick up their sleeves, and this week's blog is no different. I speak time and time again about how malicious individuals target companies for their private company data, financial transactions, and even IP. This situation, however, involved ransomware used to lock down an entire company's data.
Recently, a small (15 to 20 person) medical office in California was hit with a few different types of attacks. To protect the privacy of the company, its employees, and its customers, the name of this business shall remain undisclosed. When this whole ordeal began, Finchloom had no tie to this medical company; we were not doing any business with them. Finchloom ended up getting involved because the IT admin working for this company was going out of the country for vacation and needed someone to support the users while he was gone, as a 'just in case'.
The day that the admin left the country for vacation, however, the company was immediately hit with a ransomware attack. In this case, all of the company's machines had locked them out, all the medical systems and data were compromised, and the company couldn't do anything. Ransomware is malware whose sole purpose is to extort a ransom payment in exchange for releasing the data it has made useless by encryption.
How does it work?
This specific ransomware used a separate piece of malware to install itself. That malware can defeat many anti-malware countermeasures and can completely disable a computer network if it has the right access. This ransomware can additionally seek out and disable backups of important files if they are kept on shared servers.
The reason I bring all of this up, as you have probably guessed by now, is that it all relates back to phishing. The Cybersecurity and Infrastructure Security Agency (CISA) website describes how most ransomware infects and takes over computer networks: “phishing campaigns that contain either links to malicious websites that host the malware or attachments with the malware. Loaders start the infection chain by distributing the payload; they deploy and execute the backdoor from the command-and-control server and install it on the victim’s machine” (CISA website). The phishing efforts generally contain malicious documents (or hyperlinks to them). When the victim opens the document and enables its content, a malicious macro or loader starts the infection sequence.
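Because the chain described above only works once a user enables the macro, the Office policy that blocks macros in files downloaded from the internet is the single setting worth checking first. The PowerShell below is an added example written for this post, not something from the original article or from Finchloom; it assumes Office 2016/2019/365 (registry version 16.0) and that the policy values live under the user's HKCU policy keys, which is where Group Policy places them. Writing the values directly is for a single machine or for verifying what GPO applied; in a domain you deliver them through GPO.

```powershell
# Added example (not from the original post): audit, and optionally set, the Office
# policy values that stop the "open the attachment, enable content, macro runs the
# loader" step. Assumes Office 2016/2019/365 (registry version 16.0) on the user's
# machine. In a domain these values are normally delivered by GPO under
# User Configuration > Administrative Templates > Microsoft Office; writing them
# directly here is for a single machine or for verifying what GPO applied.

$OfficeApps = 'Word', 'Excel', 'PowerPoint'

function Get-MacroPolicyState {
    # Returns one row per app with the two settings that matter:
    #  VBAWarnings                       4 = disable all macros without notification (strongest)
    #                                    3 = only digitally signed macros run
    #  blockcontentexecutionfrominternet 1 = macros in files carrying Mark-of-the-Web
    #                                        (downloaded or e-mailed) are blocked outright,
    #                                        so the user never sees an "Enable content" button
    foreach ($app in $OfficeApps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $vba = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        $mow = (Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
        [pscustomobject]@{
            App                 = $app
            VBAWarnings         = $vba
            BlockInternetMacros = $mow
            # Hardened only when both settings are present and at a safe level;
            # a missing value ($null) counts as not hardened.
            Hardened            = ($mow -eq 1) -and ($vba -in 3, 4)
        }
    }
}

function Set-MacroPolicyHardened {
    # Block macros from internet-sourced files and allow only signed macros elsewhere.
    param([ValidateSet(3, 4)][int]$VbaWarningsLevel = 3)
    foreach ($app in $OfficeApps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $key -Name VBAWarnings -PropertyType DWord -Value $VbaWarningsLevel -Force | Out-Null
    }
}

# Usage: show the current state, harden, then show the result.
Get-MacroPolicyState | Format-Table -AutoSize
Set-MacroPolicyHardened -VbaWarningsLevel 3
Get-MacroPolicyState | Format-Table -AutoSize
```

Run the audit function on its own first; a row where Hardened is False for any app is a machine on which the attachment described in the CISA quote can still run its macro after one click.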
Suspicious Timing
Now, knowing a little bit of the background on just what the ransomware was and how it is put onto victims' machines, the timing of this whole ordeal seems a little off. The fact that the attack began immediately after the usual IT person left the country is a bit too ideal, almost timed intentionally… and that is exactly what happened. The perpetrators initially installed malware however they could, through fake websites, phishing emails, etc., trying to get employees to click on things that would start a download of malware onto their machines. The malware is set up so that if it is run in a misconfigured Windows enterprise environment, it can automatically spread to every other system.
Once all computers in an environment are compromised, the malware then 'phones home' and tells the perpetrator that it has spread throughout the company. This is when the human operators come in and start looking around on the machines. With the malware in place, these human actors can see anything on the network, read emails, etc. This is exactly how they knew that the IT admin would be going out of town: by viewing all the emails throughout the company and seeing that the one person who had a chance to stop them would be leaving. I still can't believe how smart some of these criminals are, but each time I hear a story like this, I put less and less past them and start expecting more.
After scheduling the attack for the day the IT person left, they intentionally deleted or encrypted all other backups so there was no way for the company to bring itself back online once the attack had begun.
How was the ransomware resolved?
With luck and a good amount of foresight, the medical office had invested in cybersecurity insurance due to the nature of their business. We ended up working with this insurance company to rebuild their systems and manage the cleanup effort. We sent one of our employees on-site all day, every day for a couple of weeks to completely rebuild every single computer and reset their server environments to their original states. The insurance company ended up paying the ransom to get back all of the company's data, which in this case happened to be private medical data including pre- and post-op images, medical records, and more.
How can this be prevented?
There are a hundred different ways to protect your company's data, and ransomware is preventable if you are aware that the threat exists. Windows environments can be configured so that malware on one system cannot spread to the rest.
Traditionally, companies had an administrator account on every computer, and their administrators would use the same admin password on all machines. Once a single machine was infected, the administrator account's password could be read from it, and the criminal then had instant access to every machine whose administrator account used that password.
Microsoft now has a tool to fix this, called LAPS (Local Administrator Password Solution). This critical tool sets a random admin password on every computer and stores the passwords in Active Directory. When an admin needs to access a computer or device, they go into AD, get the password for the specific computer they are trying to access, and enter it on that computer. This way, if there is malware on the machine, only that single machine is compromised, and not the whole network.
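To make the two previous paragraphs concrete, here is the LAPS workflow in PowerShell: the one-time setup for an OU, a coverage report that lists which computers still have no LAPS-managed password (and so are still living on a shared admin password), and the per-machine lookup an admin performs instead of typing the same password everywhere. This is an added example written for this post, not code from the original article or from Microsoft's documentation. It assumes Windows LAPS (the built-in successor to the LAPS download the post refers to) on a domain-joined management box with the ActiveDirectory RSAT module, run as a domain admin; the OU, group and computer names are placeholders.

```powershell
# Added example (not from the original post): set up Windows LAPS for one OU,
# audit every enabled computer in that OU for a LAPS-managed password, and
# retrieve the password for a single machine. Requires the ActiveDirectory RSAT
# module and the built-in LAPS module (Windows Server 2019/2022 or Windows 11
# with the April 2023 update or later), run as a domain admin.
# The OU, group and computer names below are placeholders.

Import-Module ActiveDirectory
Import-Module LAPS

$WorkstationOU   = 'OU=Workstations,DC=example,DC=local'   # placeholder OU
$PasswordReaders = 'EXAMPLE\LAPS-Admins'                    # placeholder group

function Initialize-LapsForOU {
    param([string]$OrgUnit, [string]$ReaderGroup)
    # One-time: extend the AD schema with the LAPS password attributes.
    Update-LapsADSchema -Confirm:$false
    # Let each computer in the OU write its own rotated password into AD.
    Set-LapsADComputerSelfPermission -Identity $OrgUnit
    # Only the named group may read passwords back out of AD.
    Set-LapsADReadPasswordPermission -Identity $OrgUnit -AllowedPrincipals $ReaderGroup
    # The client side (which account to manage, rotation age, length) is set by
    # Group Policy under Computer Configuration > Administrative Templates > System > LAPS.
}

function Get-LapsCoverageReport {
    # One row per enabled computer in the OU, flagging whether a LAPS password is
    # stored for it. Machines reported as not managed are the ones still relying
    # on whatever shared local admin password was set at build time.
    param([string]$SearchBase)
    Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
        ForEach-Object {
            $entry = [ordered]@{ Computer = $_.Name; LapsManaged = $false; LastRotation = $null; Expires = $null }
            try   { $p = Get-LapsADPassword -Identity $_.Name -ErrorAction Stop }
            catch { $p = $null }   # no LAPS attributes on the object, or not readable
            if ($p) {
                $entry.LapsManaged  = $true
                $entry.LastRotation = $p.PasswordUpdateTime
                $entry.Expires      = $p.ExpirationTimestamp
            }
            [pscustomobject]$entry
        }
}

function Get-MachineAdminPassword {
    # What the admin does in the scenario from the post: fetch the password for
    # exactly one computer, then use it only on that computer.
    param([string]$ComputerName)
    $p = Get-LapsADPassword -Identity $ComputerName -AsPlainText
    [pscustomobject]@{
        Computer = $p.ComputerName
        Account  = $p.Account
        Password = $p.Password
        Expires  = $p.ExpirationTimestamp
    }
}

# Usage: set up once, then list machines that still lack a LAPS password,
# then look up one machine's password.
Initialize-LapsForOU -OrgUnit $WorkstationOU -ReaderGroup $PasswordReaders
Get-LapsCoverageReport -SearchBase $WorkstationOU |
    Where-Object { -not $_.LapsManaged } | Format-Table -AutoSize
Get-MachineAdminPassword -ComputerName 'WS-FRONTDESK-01'   # placeholder computer name
```

The coverage report is the part worth scheduling: a computer that shows up as not managed is exactly the kind of machine on which one stolen password still unlocks the rest of the network, which is the failure the post describes.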
How does Finchloom help protect against Ransomware?
For starters, if you have read some of my previous blogs, you would know that the first step to securing your company data and preventing issues like this is signing up for a free breach assessment. We can take a look into your company environment, determine whether there are malicious actors in your environment already, and remove them if need be. Also, depending on your industry, we can make sure that your security measures are up to par and that your business is protected from there on out. Finchloom is your one-stop security spot, and we pride ourselves on helping you stay secure, profitable, and safe for not only your customers, but your employees as well. To learn more about what Finchloom can offer and how we can help secure your business, contact us today! Thanks for reading!