HOW A SMALL PHISHING EMAIL BECAME A RANSOMWARE ATTACK IN AN EDUCATIONAL ORGANIZATION #CASE-REPORT-1

08.11.2023


We see it almost every day in our on-site operations: ransomware encrypts a company's data, and the entry point was often a "successful" phishing attack. This was also the case with an organization in the education sector: ransomware caused the full encryption of our customer's entire internal administrative network. Fortunately, the attack was contained after nearly 9,000 end devices were compromised. In all likelihood, the attackers penetrated the network via a phishing email: an employee clicked on a malicious link and downloaded the malware.

Once on the device, the malware spread unnoticed. For several weeks, the attackers observed network activity and looked for vulnerabilities, and they finally found what they were looking for on the Citrix XenServer. From there they were able to log in and gain access to parts of the administrative network, including a file server. Using brute force and password spraying, they cracked the admin password, accessed the domain controller, gained access to the entire IT infrastructure via a "golden ticket", dropped a DLL on the file server and distributed it to all clients via GPO. In this way the attackers managed to steal sensitive Active Directory data.

Trufflepig Forensics found traces of further large-scale data theft attempts, but these failed thanks to existing IT security precautions. Thanks to a good backup concept, the affected company was able to restore most of its data. Nevertheless, it took months before the IT security elements and networks were set up again and the company was fully operational.

The incident shows that a single link click can have fatal consequences for an entire organization, even where an IT security strategy is in place. This is a risk that can be significantly reduced through awareness-raising and training.
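As an added defender-side example (not from the original case report or from Trufflepig Forensics), the heuristic below separates the two credential attacks named above: password spraying (one source, many accounts, few attempts each) from brute force (one source, one account, many attempts). It runs over constructed Windows failed-logon records (the fields a security event 4625 carries); all IPs and account names are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-logon records (Windows event 4625 fields):
# (timestamp, source IP, target account). Not real customer data.
FAILED_LOGONS = [
    # One host cycling through many accounts quickly: spraying pattern
    ("2023-10-02T01:00:05", "10.20.30.40", "a.mueller"),
    ("2023-10-02T01:00:09", "10.20.30.40", "b.schmidt"),
    ("2023-10-02T01:00:14", "10.20.30.40", "c.weber"),
    ("2023-10-02T01:00:20", "10.20.30.40", "d.fischer"),
    ("2023-10-02T01:00:26", "10.20.30.40", "e.meyer"),
    ("2023-10-02T01:00:31", "10.20.30.40", "svc-backup"),
    # Second host hammering a single admin account: brute-force pattern
    *[("2023-10-02T01:05:%02d" % s, "10.20.30.77", "administrator")
      for s in range(0, 30, 5)],
    # A normal user mistyping their password twice: benign
    ("2023-10-02T08:15:00", "10.20.31.5", "f.schulz"),
    ("2023-10-02T08:15:07", "10.20.31.5", "f.schulz"),
]

def classify_sources(events, window=timedelta(minutes=10),
                     spray_min_accounts=5, brute_min_attempts=5):
    """Return {source_ip: label}, label being 'password_spraying',
    'brute_force' or None, judged over failures within a sliding window."""
    by_src = defaultdict(list)
    for ts, src, acct in events:
        by_src[src].append((datetime.fromisoformat(ts), acct))
    verdicts = {}
    for src, items in by_src.items():
        items.sort()
        label = None
        for i, (t0, _) in enumerate(items):
            # All failures from this source within `window` after event i
            win = [a for t, a in items[i:] if t - t0 <= window]
            per_acct = defaultdict(int)
            for a in win:
                per_acct[a] += 1
            if len(per_acct) >= spray_min_accounts:
                label = "password_spraying"   # many accounts, few tries each
                break
            if max(per_acct.values()) >= brute_min_attempts:
                label = "brute_force"          # one account, many tries
                break
        verdicts[src] = label
    return verdicts

if __name__ == "__main__":
    for src, verdict in classify_sources(FAILED_LOGONS).items():
        print(src, verdict or "no alert")
```

Thresholds and window are tuning knobs; spraying deliberately stays below per-account lockout limits, which is why the distinct-account count, not the attempt count, is the signal.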