Mimic: The ransomware exploiting Windows search
Discover an emerging ransomware family that’s using a legitimate Windows search tool to locate victims’ files before encrypting them.
At #BHMEA22, Thanassis Diogos (X-Force Incident Response Executive Consultant at IBM) told us about an aggressive double ransomware attack that left a victim in disarray.
The victim had, by their own admission, a highly critical data system that had been encrypted by ransomware group Afrodita.
Looking at the server, the first thing to be seen was the recovery file. “But you start to see something strange here,” Diogos said; “in this case, the ransom note on the server has been encrypted itself.”
This, of course, didn’t make sense. Why would an adversary make their own ransom note unreadable? How could they expect the victim to pay if they didn’t provide payment or contact information?
There was also an extension that appeared to come from a different ransomware: “This started to get really messy.”
It started with Afrodita encrypting the company’s critical data. The immediate response was to call the company’s internal IT support.
And that was the first mistake, because IT support teams are not the same thing as cybersecurity or incident response teams. As Diogos noted, “With ransomware you don’t suffer from IT systems being down. You suffer from data not being available.”
The IT team then did what they were trained to do. They used Google to search for information and tools that would allow them to decrypt files and deal with Afrodita ransomware. They found – and downloaded – decryption tools online.
We know you’ve guessed it by now – but within one of those decryption tools was another ransomware, which the IT team downloaded and executed on the network.
“What do you think the IT support did after that?” Diogos asked; “They Googled again.”
“If you don’t train people, people will just follow their instincts. If you don’t train people, this is what will happen.”
The company simply wasn’t prepared for a ransomware attack. There weren’t any systems in place, no clear steps to follow, and no cybersecurity partners to call. The IT team did what anyone in their position would do, and followed a process that was familiar to them. But their lack of training meant the process they chose was completely inappropriate, and ended up causing more damage.
After a third-party negotiator was hired to establish communications with both ransomware groups as well as the victim, the victim had to pay both groups to decrypt their files.
It began with critical data that was not protected from a potential attack. That’s a huge mistake, causing problems that could be avoided – because if you know that certain data is critical, you should also know that it needs to be carefully protected within your infrastructure, as well as backed up safely outside of your network.
So this particular case is useful to help build an understanding of best practices and what must be included within effective preventative and protective measures.
“You can see lots of the weaknesses that they had,” Diogos noted. “They had no backups, no culture, no partners — if something happens, who am I going to call? And the teams I call, are they going to be trained?”
The lessons we can all learn here are:
To sum up in just one line: if you know you have critical data, you have to do the preparation to protect it.