Unveiling the anatomy of a ransomware attack

Find out how you can protect your assets with robust cybersecurity measure.

Ransomware: a cautionary tale

Here at Solis, we have seen a steady rise in ransomware groups targeting SMEs over the past twelve months. With more limited resources to devote to cyber security than larger corporations, SMEs make an inviting target for ransomware groups.

In the case study that follows, we anatomise a real-world ransomware attack, highlighting the vital role played by good cyber security hygiene in protecting assets and end-users against the ever-increasing threat of ransomware attacks.

Early on a Monday morning, Solis received an alert flagging up a ransomware attack on a customer’s global network. Our Incident Response team immediately set about triaging the incident and performing initial containment actions to secure the network from the current threat. Unfortunately, the threat actor had already deployed a ransomware payload, leaving the customer unable to function at full capacity.

While work continued on containment and business resumption, our forensic experts carried out vital data capture to help our forensic investigators determine the precisely nature and extent of the compromise. 

We were able to determine that the threat actor had launched an attack from an anonymous IP address in the early hours of Saturday morning. The attack targeted the customer’s Virtual Private Network (VPN) with a password spraying attack. The VPN had not been configured to authenticate users through Multi Factor Authentication (MFA) and had not been patched, leaving it dangerously vulnerable.

Within thirty minutes of launching their attack, the threat actor had gained access to the customer’s network. Once in, they had wasted little time, quickly escalating privileges by compromising an old service account with a weak password. They then used this account to move laterally through the customer’s network, taking advantage of internal remote desktop connections and compromising multiple servers. They also installed third-party remote access tooling that would allow them to get back into the network in future.

Unveiling The Anatomy Resources Blog 756X300px

After successfully compromising the wider network, the threat actor turned its attention to identifying data of value, exploring network shares with names indicative of sensitive data. The threat actor then installed additional tooling and began exfiltrating data.

Data logs reviewed by Solis as part of our investigation, confirmed that the threat actor had stolen more than 400GB of data from the customer’s network. This included sensitive files and documents.

Finally, the threat actor had disabled the customer’s antivirus product and deleted backups before deploying ransomware throughout the network, which resulted in widespread data encryption and incapacitated the customer's operations.

This case study highlights the need for SMEs to make sure any remote access into their network is secured with appropriate safeguards like MFA. It also underlines the importance of ensuring that externally facing devices are continuously updated with the latest security patches. 

The deliberate targeting of service accounts illustrated by this case study, shows the importance of adhering to strong password policies. It also provides a vivid illustration of the value of protecting such accounts by implementing the Principle of Least Privilege. This means restricting users to the absolute minimum level of access (or permissions) they need to carry out their assigned role.

Ransomware attacks: Solis’ top five tips for SMEs

  • Develop and regularly test an incident response plan
    While having a plan won’t stop an attack, it will be crucial should the worst happen, helping you respond more efficiently
  • External support will almost always be needed
    Making sure you have rapid access to appropriate external support will be crucial to the success of any response
  • Protect remote services
    Implement robust access control policies and mandate MFA for any form of remote access
  • Enhance your security tooling and controls
    A Managed Detection and Response (MDR) service provides continuous proactive monitoring, detecting and responding to threats, and often preventing attacks in the earliest stages
  • Ensure good data backup and recovery practices
    Adopting a 3-2-1 strategy (3 copies of your data, on 2 different media, with 1 copy kept offsite) ensures resilience and accessibility to data, should the worst happen.