The statistics speak for themselves: ransomware attacks are increasing across organizations of every kind, regardless of industry. This phenomenon can be attributed to several factors, including a lack of adequate investment in renewing IT infrastructure and in cybersecurity-specific training.
Incident: story of a ransomware case
At 7 a.m., Cyberoo’s 24-hour, 365-day-a-year Security Operations Center (SOC) receives a report via the Black Button on the website (www.cyberoo.com) from the IT manager of an Italian company.
The picture left no doubt: an encrypted server infrastructure, signs of exfiltration, and a ransom demand from the criminal group. It was a ransomware attack. There was one piece of good news, however: the backups were intact.
From the outset, the investigation was challenging given the degree to which the infrastructure was compromised: aside from the firewall and EDR consoles, there was nothing else from which to gather information useful for reconstructing the attack.
Only after rebuilding the infrastructure and verifying the backups was it possible to analyze the virtual machines (VMs) and gather the elements needed to reconstruct the chain of events. Data from domain authentications, VPN accesses, and other artifacts had to be cross-referenced to determine with reasonable certainty that the account of an employee of the organization had been compromised, used to browse a document share containing a file with all the IT infrastructure's login credentials, and used to download tools to compress and exfiltrate data.
Further investigation of the endpoint, i.e., an employee’s personal PC used for the VPN connection, confirmed that the endpoint had been compromised by stealer-type malware.
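The cross-referencing described above can be scripted once the logs are normalized. The following is an added example, not Cyberoo's tooling or anything from the actual investigation: it takes constructed VPN, file-share audit and endpoint process events (user names, paths, IPs and tool names are all assumed) and flags, per user, the same sequence the investigators reconstructed: a VPN login, followed within a time window by a read of a credential-looking file on a share and the use of an archiver or sync tool.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not from the incident in the article), normalised to
# (timestamp, user, event_type, detail). They mimic the three sources the article
# says had to be cross-referenced: VPN logs, file-share audit records and endpoint telemetry.
EVENTS = [
    ("2024-03-01T06:02:10", "m.rossi", "vpn_login", "src=203.0.113.45"),
    ("2024-03-01T06:05:31", "m.rossi", "share_read", r"\\fs01\it\Infrastructure_Passwords.xlsx"),
    ("2024-03-01T06:11:02", "m.rossi", "process", r"7z.exe a backup.7z D:\Data"),
    ("2024-03-01T06:20:44", "m.rossi", "process", "rclone.exe copy backup.7z remote:"),
    ("2024-03-01T08:00:00", "a.bianchi", "vpn_login", "src=198.51.100.7"),
    ("2024-03-01T08:10:00", "a.bianchi", "share_read", r"\\fs01\sales\Q1_report.xlsx"),
]

CREDENTIAL_HINTS = ("password", "credential", "login")   # assumed naming patterns
ARCHIVE_TOOLS = ("7z.exe", "rar.exe", "winrar.exe")       # assumed compression tools
EXFIL_TOOLS = ("rclone.exe", "megasync.exe")              # assumed sync/exfil tools


def correlate(events, window_hours=2):
    """Return {user: [stages seen]} for every user whose VPN login is followed,
    within window_hours, by a credential-file read and an archiver or exfil tool."""
    by_user = defaultdict(list)
    for ts, user, kind, detail in sorted(events):      # ISO timestamps sort lexically
        by_user[user].append((datetime.fromisoformat(ts), kind, detail))

    findings = {}
    for user, evs in by_user.items():
        for i, (t0, kind, _) in enumerate(evs):
            if kind != "vpn_login":
                continue
            stages = {"vpn_login": True, "cred_read": False, "archive": False, "exfil": False}
            for t, k, d in evs[i + 1:]:
                if (t - t0).total_seconds() > window_hours * 3600:
                    break                               # outside the correlation window
                low = d.lower()
                if k == "share_read" and any(h in low for h in CREDENTIAL_HINTS):
                    stages["cred_read"] = True
                elif k == "process" and low.startswith(ARCHIVE_TOOLS):
                    stages["archive"] = True
                elif k == "process" and low.startswith(EXFIL_TOOLS):
                    stages["exfil"] = True
            # Only report when the chain goes beyond a normal VPN session.
            if stages["cred_read"] and (stages["archive"] or stages["exfil"]):
                findings[user] = [s for s, seen in stages.items() if seen]
    return findings


if __name__ == "__main__":
    for user, chain in correlate(EVENTS).items():
        print(f"{user}: {' -> '.join(chain)}")
```

A real deployment would read these events from the SIEM rather than a list, but the stage logic is the same.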
Conclusions
This case underscores the importance of perceiving training not as a mere bureaucratic requirement imposed from above, but as an essential tool for increasing cybersecurity awareness and skills. Until that happens, attackers will keep winning easily.
Awareness should be created at all levels of the company:
- starting with management, which is often reluctant to use two-factor authentication or other basic security systems;
- to IT staff, who still too often save login credentials within a NAS or file server;
- to the employee, who uses his company e-mail (and the same password) to access social networks.