Date: 01 July 2021

Title:  This major ransomware attack was foiled at the last minute. Here’s how they spotted it 


Source: ZDNet

Danny Palmer

Cybersecurity researchers detail what they found during an investigation into an attempted ransomware attack – and what other organizations can learn to avoid becoming victims.

A ransomware gang installed legitimate remote-access software on 130 endpoints across a company's network. Its plan to encrypt that network was foiled only at the last minute, when the unnamed company called in a security firm to investigate after Cobalt Strike was detected on the network; that investigation uncovered the groundwork the criminals had already laid for the attack.

Cobalt Strike is a legitimate penetration-testing tool, but cybercriminals commonly use it in the early stages of a ransomware attack. One reason is that its payloads run largely in memory, which makes them harder to detect than files written to disk. The gang's goal was to encrypt as much of the network as possible with REvil ransomware. Because the intruders were detected before they could finish their preparations, the attack was not successful, although they did encrypt data on some unprotected devices and deleted online backups once they noticed the investigators had spotted them. A ransom note left by REvil on one of the few encrypted devices demanded $2.5 million in bitcoin for a decryption key.

Since the pandemic, finding remote-access applications on employee devices is not unusual. When the investigators saw ScreenConnect on 130 endpoints, they initially assumed it had been deployed deliberately to support people working from home. It turned out the company knew nothing about it: the attackers had installed the software to ensure they kept access to the network and the compromised devices. Initial access is gained in a variety of ways. Most commonly, users are phished, often weeks or months before the ransomware is deployed; other routes are exploitation of firewall and VPN vulnerabilities, or brute-forcing RDP where it is exposed to the internet.
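The lesson of the ScreenConnect discovery is that a remote-access tool nobody in IT sanctioned, appearing on many hosts in a short window, is a strong signal on its own. The script below is an added example, not code from the ZDNet article or from the investigators: it hunts a per-host software inventory (the kind an endpoint agent or asset database exports) for remote-access tools that are not approved on that host, then flags any tool that landed on several hosts within one day. The inventory records, host names, timestamps, the approved-tool list and the tools other than ScreenConnect are all constructed sample data and assumptions.

```python
"""Hunt a software inventory for unauthorised remote-access tools.

Added example; not the article's or the investigators' code.  Records,
host names, timestamps and the approved-tool mapping are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Substrings of product names that identify remote-access / RMM tools.
# ScreenConnect is the tool from the article; the rest are other commonly
# abused products (assumption, extend to taste).
REMOTE_ACCESS_TOOLS = {
    "screenconnect": "ScreenConnect",
    "connectwise control": "ScreenConnect",
    "anydesk": "AnyDesk",
    "teamviewer": "TeamViewer",
    "splashtop": "Splashtop",
}

# Tool -> hosts on which IT deliberately deployed it (constructed).
APPROVED = {"TeamViewer": {"helpdesk-01", "helpdesk-02"}}

# Constructed inventory: (host, installed product name, install time).
# Eight workstations receive a ScreenConnect client minutes apart at 02:00.
_T0 = datetime(2021, 6, 1, 2, 0)
SAMPLE_INVENTORY = [
    ("helpdesk-01", "TeamViewer 15", datetime(2021, 3, 12, 10, 0)),
    ("ws-017", "TeamViewer 15", datetime(2021, 5, 20, 15, 30)),
    ("ws-003", "Google Chrome", datetime(2021, 5, 1, 9, 0)),
] + [
    (f"ws-{n:03d}", "ScreenConnect Client (sample-id)", _T0 + timedelta(minutes=7 * n))
    for n in range(1, 9)
]


def classify(product):
    """Return the canonical tool name if `product` is a remote-access tool, else None."""
    lowered = product.lower()
    for needle, name in REMOTE_ACCESS_TOOLS.items():
        if needle in lowered:
            return name
    return None


def find_unapproved(inventory, approved=APPROVED):
    """Return (host, tool, installed_at) for every remote-access install that
    IT did not sanction on that host."""
    hits = []
    for host, product, installed_at in inventory:
        tool = classify(product)
        if tool is None or host in approved.get(tool, set()):
            continue
        hits.append((host, tool, installed_at))
    return hits


def mass_install_clusters(hits, window=timedelta(hours=24), min_hosts=5):
    """Map tool -> largest number of distinct hosts it was installed on within
    any `window`; only tools reaching `min_hosts` are returned.  A sanctioned
    rollout looks the same, which is why the approved list is checked first."""
    by_tool = defaultdict(list)
    for host, tool, installed_at in hits:
        by_tool[tool].append((installed_at, host))
    alerts = {}
    for tool, events in by_tool.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until events[start..end] fit in it.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({h for _, h in events[start:end + 1]}))
        if best >= min_hosts:
            alerts[tool] = best
    return alerts


if __name__ == "__main__":
    hits = find_unapproved(SAMPLE_INVENTORY)
    for host, tool, installed_at in sorted(hits, key=lambda h: h[2]):
        print(f"{installed_at:%Y-%m-%d %H:%M}  {host:12} unapproved {tool}")
    for tool, n in mass_install_clusters(hits).items():
        print(f"ALERT: {tool} installed on {n} unapproved hosts within 24h")
```

On the sample data the single unapproved TeamViewer on ws-017 is listed for follow-up but not alerted on, while the eight ScreenConnect clients, installed minutes apart in the middle of the night, trip the cluster alert. Tune `min_hosts` and `window` to the size of the estate, and feed the script the real inventory export rather than the constructed list.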

What to do?

Ensure every computer on your network runs security software that is installed and managed centrally, and that it receives patches regularly.

Ensure all computers are rebooted regularly (daily where your patch cadence requires it), so that pending patches actually take effect.

Have knowledgeable personnel routinely scan the network for anomalies, in particular software that IT did not deploy, such as the remote-access tools in this case.

Train personnel to recognise phishing, since it is the most common way these attacks begin.

Routinely back up your network to a safe location that is "air-gapped" (offline and unreachable from the network), because attackers delete the online backups they can reach, as they did here.

What can you do when this happens to you?

If you find that your network has been compromised, immediately isolate the affected systems from the network. Disconnecting rather than powering off preserves volatile evidence such as in-memory Cobalt Strike artefacts; power down only where nothing else will stop the encryption.

Identify the full extent of the breach and remediate it as soon as possible, including any persistence the attackers left behind, such as unauthorised remote-access tools.

Rebuild the network from a known "clean" backup, taken before the intrusion began.