At 11:59 one dark night, a power company's computers started sending out alerts: they had suddenly stopped communicating with each other. As the power company's IT staff hurriedly began an emergency investigation, it became immediately clear to them that their servers were under attack by ransomware. They knew this because the servers' screens displayed a ransom note demanding 28 bitcoins. The note also carried instructions on how to pay and how to decrypt the machines once the payment was received. Instead of paying, the power company's IT staff contacted the Check Point Incident Response Team. The team engaged and identified a very troubling chain of events.
Initially, the Check Point and power company teams joined forces to review logs, memory images and disk forensics. They soon determined that the attacker had entered the company's network through a remote terminal server connection that was directly exposed to the Internet. As the investigation unfolded, they discovered that the remote terminal server had been deployed to let vendors access the power company's network. Next, Check Point's response team found the telltale signs of a breach: they identified the tools the attacker had used to recover user account credentials and to move the ransomware laterally within the network.
As the team dug deeper, they determined that the initial intrusion did not exploit a vulnerability in the company's software or in the server itself. Instead, the attacker simply guessed a very simple username and password on the exposed terminal server by brute force.
Knowing how the attacker had been able to log in and plant the ransomware on the company's servers let the company's management choose what they felt was the best course of action to restore business operations. The company's managers calculated that the information lost to the ransomware was worth at least five times the ransom. Sadly, the company paid the ransom.
Lessons Learned
Do not expose systems to the Internet without security controls in place, such as two-factor authentication, a VPN in front of remote-access services, strong and non-guessable credentials, limits on direct Internet access, and others.