A student hunting down a free version of a data visualization tool downloaded a pirated version instead. A couple of weeks later, the company network of the research institute he was working at became infected with a notorious malware strain. The European research facility is involved in Covid-19 related research and life science studies.
When It’s Too Good to Be True…
In a post-incident report, security firm Sophos revealed how a European biomolecular institute became the target of a Ryuk ransomware gang after a student downloaded pirated software on his computer. The student was simply looking for a free version of a data visualization tool the institution was already using.
“When the student couldn’t find a suitable free version, they searched for a ‘Crack’ version instead. They found what appeared to be one and tried to install it”, explained Tilly Travers, Sophos’ public relations manager. “However, the file was in fact pure malware and the installation attempt immediately triggered a security alert from Windows Defender.”
The fact that the computer’s antivirus detected something was amiss should have been a red flag. But for whatever reason, the student decided to disable Windows Defender and, at the same time, appears to have also disabled the firewall. He tried to download the pirated software again. And this time… it worked.
Pirates Pave Way for Ryuk Gang
Unfortunately, the student had inadvertently downloaded a malware-laden file: instead of genuine software, he unknowingly installed a malicious infostealer. This type of spyware logs keystrokes and steals browser data, cookies, login credentials and more, paving the way for other cybercrimes or cybercriminals to make their move.
Sophos speculates that the cybercriminals behind the infostealer then would have sold some of their loot on the dark web to the highest bidder. Thirteen days after the initial download, a computer named Totoro established a network connection using the student’s credentials. Another ten days later, cybercriminals launched Ryuk ransomware. This ransomware had been used on several occasions before, including a major attack on the Universal Health Services Hospital chain.
“It is unlikely that the operators behind the ‘pirated software’ malware are the same as the ones who launched the Ryuk attack”, said Peter Mackenzie, manager of Rapid Response at Sophos. “The underground market for previously compromised networks offering attackers easy initial access is thriving, so we believe that the malware operators sold their access on to another attacker. The RDP connection could have been the access brokers testing their access.”
Getting Security Basics Right
The research institute had set up its network so that people outside the organization could access it from their own computers via Citrix. Citrix is a digital workplace platform used by over 400,000 companies worldwide. Unfortunately, the connection didn’t ask for two-factor authentication. Consequently, the hackers were able to gain access to the institute’s network using only the student’s login credentials.
Citrix recommends two-factor authentication as an additional layer of security. Had the institute enabled it, access would only have been granted after the user passed both authentication factors, so the stolen password on its own would not have been enough and the hackers would have failed. “It serves as a powerful reminder of how important it is to get the security basics right”, commented Sophos.
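The difference between the two configurations described above, as an added example that is not Citrix’s or Sophos’ code and not part of the original article: a small login gate in Python where the second factor is a time-based one-time code (TOTP, RFC 6238) that the user’s phone would generate. The user record, salt, password and the choice of TOTP as the second factor are assumptions for the demonstration; the TOTP secret is the public test key from RFC 4226/6238 so the codes can be checked against the published vectors. With `require_mfa=False` (the institute’s situation) a stolen password alone is enough; with `require_mfa=True` the same credentials are refused unless the current code is also supplied.

```python
import hashlib
import hmac
import struct

# Public test secret from RFC 4226 / RFC 6238 appendix, used here so the
# generated codes are verifiable against the RFC's own vectors (e.g. counter 0 -> 755224).
RFC_TEST_SECRET = b"12345678901234567890"

# Constructed user store: one user, PBKDF2 password hash plus a per-user TOTP secret.
# Salt, password and username are assumptions for this demo.
_SALT = b"constructed-salt"
USERS = {
    "student": {
        "salt": _SALT,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", _SALT, 100_000),
        "totp_secret": RFC_TEST_SECRET,
    }
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP keyed on the current 30-second time step."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the code for the current step or the `skew` adjacent steps (clock drift).
    Uses a constant-time comparison so timing does not leak partial matches."""
    for delta in range(-skew, skew + 1):
        if hmac.compare_digest(hotp(secret, now // step + delta), code):
            return True
    return False


def check_password(username: str, password: str) -> bool:
    """Verify the password against the stored PBKDF2 hash; unknown users always fail."""
    user = USERS.get(username)
    if user is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    return hmac.compare_digest(candidate, user["pw_hash"])


def login(username: str, password: str, otp, now: int, require_mfa: bool) -> str:
    """Remote-access gate. `otp` is the user's current TOTP code or None.

    require_mfa=False reproduces the weak setup: a valid password alone grants access,
    so credentials stolen by an infostealer are sufficient.
    require_mfa=True is the recommended setup: the password must be paired with a
    valid one-time code, which the credential thief does not have.
    """
    if not check_password(username, password):
        return "denied: bad credentials"
    if not require_mfa:
        return "granted"
    if otp is None or not verify_totp(USERS[username]["totp_secret"], otp, now):
        return "denied: second factor missing or invalid"
    return "granted"


if __name__ == "__main__":
    stolen_password = "correct horse battery staple"
    t = 59  # RFC 6238 test time; the valid code at this instant is 287082
    print("password only, MFA off :", login("student", stolen_password, None, t, require_mfa=False))
    print("password only, MFA on  :", login("student", stolen_password, None, t, require_mfa=True))
    print("password + TOTP, MFA on:", login("student", stolen_password, totp(RFC_TEST_SECRET, t), t, require_mfa=True))
```

The one-step `skew` tolerates a phone clock that is slightly off without widening the acceptance window much; a real deployment would additionally rate-limit attempts and record which code step was last used so a code cannot be replayed within its window.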
Thankfully, the research institute didn’t pay and immediately asked security experts to step in. Moreover, the institute had proper backups in place. Thanks to those, they managed to rebuild computer and server files. Nonetheless, researchers lost weeks’ worth of data due to the attack, which significantly hurt some of their projects.