Here is an interesting case we came across recently concerning a medium-sized Irish packaging company. A member of their finance team receives an email purporting to be from one of their suppliers. Inside the email is an attachment. The employee knew this supplier, so they open the attachment. Their Windows computer starts behaving strangely. A few minutes later, to their horror, they see a message on their screen that their files are locked and a ransom of 1.2248 Bitcoin needs to be paid. Shortly thereafter, other employees in the company start reporting that their computers have become inoperable and are displaying the same strange message.
So why did this employee open it?
In this case, the employee opened the email in good faith. After all, it was an email from a trusted supplier. They assumed that it was safe.
How did this happen?
The supplier's email account had been hijacked. In other words, a cyber criminal had gained control of it. A trusted email account such as this is of great value to cyber criminals, because emails sent from a trusted account are far more likely to be opened than emails from an unknown sender. Moreover, when a cyber criminal gains control of your email account, they usually inherit a ready-made list of targets: your email address book.
Why didn’t anti-virus or their firewall catch this malicious attachment?
Ransomware groups are always one step ahead of computer security vendors. In this case, the ransomware code was obfuscated, so neither their Microsoft Defender endpoint protection nor their firewall recognised it as malicious.
Here's the worst bit…
The management of this packaging company urgently called in their MSP (tech support company) to sort the problem out. The MSP sent two of their most senior technicians on-site, and they discovered that the company's on-site backup server was also locked.
The outcome…
Some of the management team wanted to pay the ransom just to get things back up and running again. However, while 1.2248 Bitcoin sounds rather paltry, it is actually just over thirty thousand Euro. And they were informed that, even if they did pay, there was only a 30-40% chance of their files properly decrypting. So they took the hard route of wiping all the machines and starting from scratch, and their admin teams had the painful and time-consuming task of reconstructing documents and accounts. While the Revenue was sympathetic to their plight, statutory obligations would still have to be fulfilled and accounts would still have to be filed…
How could this event have been prevented?
Here is the interesting thing: the employee who opened the malicious attachment was actually slightly suspicious of it. But they still opened it. Apparently, the employee had, at the back of their mind, the belief that malicious stuff only comes from unknown senders. Unfortunately, the employee was not familiar with supply chain attacks. Had the employee even vaguely understood the dynamics of supply chain attacks and how cyber criminals exploit trusted email accounts to propagate malicious attachments and URLs, this event might never have happened. The employee might have listened to their instincts more. Robust cyber security awareness training changes common end-user misconceptions about cyber security, and with them the attitudes and beliefs that lead to insecure IT behaviours. This makes your organisation more resilient against such social engineering attacks, which are now involved in almost 80% of all cyber attacks.