By ProServeIT on July 26, 2017

A Hacking/Breach Case Study – A Cautionary Tale… With Advice


The WannaCry cyberattack in May affected over 200,000 machines across the globe.  Now a strain of Petya ransomware, dubbed “GoldenEye” has struck, affecting more than 12,500 machines in the Ukraine alone in the first six hours after the initial infection.

With such devastation coming from these attacks, it’s surprising that there are still organizations who don’t take proactive measures to defend themselves from cyberattacks. In fact, according to a 2016 report put out by the Ponemon Institute, only 42% of the 505 companies surveyed believe that they have some tools in place to mitigate external threats.

This same report also says that, on average, these companies experience more than one cyberattack per month, and that they spend approximately $3.5 million per year because of these attacks.


How Do the Hackers Get In?

All it takes is one point of entry to infect an entire network. Even in the case of WannaCry and GoldenEye, it started on one machine and spread from there.

Not so long ago, ProServeIT assisted a customer who was breached. An executive of the organization had clicked on a spam email link or had done something similar, which ended up compromising their identity.  Once that link had been compromised, the hacker installed root kits on the company’s domain controllers, and for several months (ProServeIT can trace the root kits back at least 5 months, although it was likely longer than that), the hacker monitored the executive’s emails and system.

Through this monitoring, the hacker learned that the company was going to be amalgamated into a larger organization.  Shortly before the amalgamation took place, the hacker created a separate domain name with almost the identical company name, but off by one letter.  Then they created email addresses, copied email signatures over from the company, and targeted the accounts payable departments of all the vendors that had worked for and with this company.  The hacker sent emails to each of the accounts payable people that made it look as though the CEO of the company was thanking the vendors for their partnership and, due to the amalgamation of the company, wanted these vendors to settle their accounts.  These emails looked legitimate, the vendors had no reason to suspect that anything was wrong, and potentially paid the money requested.

ProServeIT was able to close the breach and remove the malicious software. ProServeIT has since been working with the customer to identify and implement proactive security measures (both tools and process/policies) to prevent this from happening again. This cautionary tale goes to show how easy it is for one single individual to unknowingly be the cause of a breach.


How Long Does an Attack Take?

In the example above, the hacker (or hackers) was able to impersonate the company and fake the vendors of that company into paying money into a bogus account.  This is just one kind of cyberattack that’s out there, and, because the hackers were mostly just monitoring the accounts, it took months for the company to determine there was a problem with their systems.

Other types of cyberattacks, like WannaCry and GoldenEye, can take only minutes to infect and spread.  LogRhythm, a Security Intelligence Company, recently released an infographic on how Ransomware works, including the five phases of a ransomware attack. According to their infographic, it takes only fifteen minutes from Phase 1 to Phase 5.

A summary of these phases is below:

Phase 1. Exploitation and Infection

In order for an attack to be successful, the malicious ransomware file needs to execute on a computer.  This is often done through a phishing email or an exploit kit.

Phase 2. Delivery and Execution

During this phase, the actual ransomware executables are delivered to the victim’s system.  Upon execution, persistence mechanisms will be put into place.

Phase 3. Backup Spoliation

A few seconds later, the ransomware targets the backup files and folders on the victim’s systems and removes them to prevent restoring from backup.  This is unique to ransomware – other types of crimeware don’t bother to delete backup files.

Phase 4. File Encryption

Once the backups are completely removed, the malware will perform a secure key exchange with the command and control (C2) server, establishing those encryption keys that will be used on the local system.

Phase 5. User Notification and Clean Up

With the backup files removed and the encryption dirty work done, the demand instructions for extortion and payment are presented.  Quite often, the victim is given a few days to pay.  After that time, the ransom increases.

Source: LogRhythm


So What Can You Do? Here are 6 Helpful Tips!

Here are six tips that your organization can take to prevent a ransomware attack:

  1. The most important thing that you can do is to back up your data properly! Be sure to save your data to a drive that isn’t part of your operating system – either an external hard drive, secondary internal drive, or Cloud storage (or, better yet, a combination of back-ups!).  Azure Site Recovery (ASR), as part of ProServeIT’s Disaster Recovery-as-a-Service, is a great possibility for protecting your data. 
  2. Keep an inventory of all of your digital assets and their locations. This will help you know which systems you have, so that you can be sure a cybercriminal is not attacking a system you’re unaware of.
  3. Keep your software, operating systems, and applications up to date at all times.
  4. Keep your network segmented. By not placing all your data on one file share that’s accessed by everyone in the company, you will be able to better protect yourself from cyberattacks.
  5. Train your staff on cyber security practices. Be sure to emphasize why they should not open attachments or links from unknown sources. Develop a plan to communicate with employees if a virus were to reach your company’s network.
  6. Have your IT team perform periodic tests on your system to determine if there are any vulnerabilities. If you don’t have an IT team, consider using a credited IT security company to perform these tests for you.


From a Simple Assessment to a Comprehensive Security Strategy, We Can Help!

If you’re unsure of how to get started protecting your organization from the external cyberthreats that are prevalent today, talk to us to first run a simple assessment. We’ll show you a complete picture of your security, and, based on your security status, we can help you come up with a comprehensive security program to help mitigate cyberattacks like WannaCry and GoldenEye. ProServeIT has been assisting companies for over 15 years with their specific security needs, and we can do the same for you.  Don’t wait – contact us today!

Published by ProServeIT July 26, 2017