For an internationally renowned energy company with £1bn in annual turnover and 15,000 staff, compromise came in the form of a £1m ransom demand.
A false sense of security
On the surface, the company appeared to have all the basic security systems in place, including intrusion detection and firewalls at the perimeter. “Many CIOs would look at what this company had and deem all the security boxes ticked,” said Adam Bateman, Managing Director of Countercept. “But the reality is that many automated systems are easy for even an amateur hacker to work around.”
The attack began as most modern-day attacks do – with the attacker performing reconnaissance on the organization and its security. By sending a series of emails to the company, the attacker tested the email filters to see what kind of files would go undetected by the company’s antivirus software.
Employees are still the greatest vulnerability
Twenty days after this initial recon, the attacker sent a phishing email to an employee that contained the Dridex malware, already knowing antivirus controls would not detect it. The malware utilized PsExec – a legitimate Windows administration tool – to run GPG, a similarly legitimate encryption program used by many organizations. “This kind of attack really pushes the boundaries of attack detection and incident response, as the use of legitimate business tools, such as PsExec and GPG, makes it difficult for an automated detection system to discern what is genuine and what is malicious,” said Paul Pratley, Head of Incident Response.
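As an added illustration of why that chain is hard to catch with single-tool rules (this is example code, not Countercept's tooling or anything recovered from the incident): a small Python detection over constructed Sysmon-style process-creation events that flags GPG encryption whose parent is PsExec, and raises an alert only when the same pattern appears on several hosts within a short window. It assumes Sysmon Event ID 1 field names and that PsExec's remote-side service binary is PSEXESVC.exe; the host names, paths and key id are constructed placeholders.

```python
# Detection logic for GPG encryption launched through PsExec (constructed Sysmon-style events).
from datetime import datetime, timedelta

PSEXEC_PARENTS = {"psexesvc.exe", "psexec.exe", "psexec64.exe"}  # PsExec client and dropped service
GPG_IMAGES = {"gpg.exe", "gpg2.exe"}
ENCRYPT_FLAGS = {"-e", "--encrypt", "-c", "--symmetric"}

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def is_psexec_gpg_encrypt(event):
    """True when GPG is asked to encrypt and its parent process is PsExec."""
    args = set(event["CommandLine"].split()[1:])
    return (_basename(event["ParentImage"]) in PSEXEC_PARENTS
            and _basename(event["Image"]) in GPG_IMAGES
            and bool(args & ENCRYPT_FLAGS))

def flagged_by_host(events):
    """Count matching events per host; one hit may be admin work, many are not."""
    counts = {}
    for ev in events:
        if is_psexec_gpg_encrypt(ev):
            counts[ev["Computer"]] = counts.get(ev["Computer"], 0) + 1
    return counts

def alert_on_spread(events, min_hosts=2, window_minutes=30):
    """Hosts involved if matches hit >= min_hosts inside one window (lateral spread), else []."""
    hits = sorted((datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f"), ev["Computer"])
                  for ev in events if is_psexec_gpg_encrypt(ev))
    window = timedelta(minutes=window_minutes)
    for i, (start, _) in enumerate(hits):
        hosts = {host for t, host in hits[i:] if t - start <= window}
        if len(hosts) >= min_hosts:
            return sorted(hosts)
    return []

def _ev(time, host, parent, image, cmdline):  # minimal Sysmon Event ID 1 shape
    return {"UtcTime": time, "Computer": host, "ParentImage": parent, "Image": image, "CommandLine": cmdline}
SAMPLE_EVENTS = [  # constructed sample data; KEYID is a placeholder recipient key
    _ev("2016-02-01 10:00:00.000", "HOST-A", r"C:\Windows\PSEXESVC.exe", r"C:\Tools\gpg.exe",
        r"gpg.exe --batch --yes -r KEYID -e C:\Share\Finance\Q3.xlsx"),
    _ev("2016-02-01 10:03:00.000", "HOST-A", r"C:\Windows\explorer.exe", r"C:\Tools\gpg.exe",
        r"gpg.exe --verify update.sig update.zip"),  # legitimate signature check, not flagged
    _ev("2016-02-01 10:10:00.000", "HOST-B", r"C:\Windows\PSEXESVC.exe", r"C:\Windows\System32\cmd.exe",
        r"cmd.exe /c ipconfig"),  # PsExec alone is routine admin use, not flagged
    _ev("2016-02-01 10:12:00.000", "HOST-B", r"C:\Windows\PSEXESVC.exe", r"C:\Tools\gpg2.exe",
        r"gpg2.exe -c --batch --passphrase-fd 0 D:\Data\report.docx"),
    _ev("2016-02-01 12:30:00.000", "HOST-C", r"C:\Windows\PSEXESVC.exe", r"C:\Tools\gpg.exe",
        r"gpg.exe -r KEYID -e D:\Backups\db.bak"),  # outside the 30-minute window
]
```

Neither PsExec nor GPG is suspicious on its own; the signal is the parent-child pairing plus its spread across hosts, which is what the multi-host window captures.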
By the time employees began to notice that certain files could not be accessed, 70% of the company’s data was encrypted and the attacker was moving laterally across multiple geographical locations.
Timeline of the breach
It was at this stage that the company – which was aware of our services but not yet a client – contacted us. Our team were onsite within a day and were able to gain visibility of the estate within an hour. From that point, we were able to see where the attackers were, where they’d come from, and their access channels. Shortly afterwards, we had nailed down the predominant tactics, techniques, and procedures (TTPs) in use. “We had a master ticket with over 20 tickets in different states,” said Alex Davies, TechOps Lead at Countercept. “There were many different balls in the air.”
Ransom demand withdrawn
Two weeks after our teams first appeared onsite, the key assets that had been under the attackers’ control were contained – including domain controllers, domain admin logins, and high value assets – and work had commenced to rebuild the infected parts of the IT estate. Meanwhile, we triaged new findings and funnelled them over to the customer for handling, staying on hand to provide guidance and support all the while. In the end, the customer data was secured and the ransom demand made null and void.
“We prevented the customer not just paying a million pounds of ransom, but also eliminated the risk of its entire server estate being taken over and the catastrophic impact that would have had on its bottom line and brand,” said Adam Bateman.
Since then, we have been providing continuous managed detection and response to prevent such attacks from ever happening again. “Countercept provides the capability to defend against targeted attacks, and has already protected us from advanced cyber groups and substantial monetary losses,” said the company’s CIO. “As a technology leader I believe the Countercept offering to be unique and effective, and that it will improve the state of the attack detection industry.”
A growing trend
Attacks such as these are part of a growing trend where ransomware isn’t necessary to extort money from an organization. And while it is well known that it is not a matter of if, but when, a large, established organization will be compromised, this knowledge does not mitigate the damaging impact such breaches can cause.