The £30k Solution to a £1.5M Ransom: A Cybersecurity Cautionary Tale
CyberQ Group
How a £30k expenditure would have saved a £1.5m ransom demand.
I’m sure we’ve all had a moment when we reflect on a scenario that was so obvious we kick ourselves for not acting faster on our gut instincts: buying shares in Google or Tesla when they first floated; dabbling in a few Bitcoins when they were sub-one dollar; or reading the horror stories we see weekly where companies get hit with a ransomware attack and believing it will never happen to us because ‘someone else’ has got it covered.
Sadly, and all too often, CyberQ Group are pulled into Incident Response situations where we see a spiral of security failures over many months culminating in a catastrophic and sometimes business-threatening event. This is one such story.
The ‘oh sh*t moment’.
At 11 am on a Tuesday morning our client’s Managing Director (they weren’t a client at this point) received a phone call from an “Eastern European sounding man” (odd I agree) advising them they had been breached by ransomware. The caller claimed to be “an agent calling on behalf of the hackers – and to call ‘this’ number to discuss ransomware payment”. The Managing Director's quick validation with his IT department confirmed they had indeed been infected, and four of their five servers were encrypted by Medusa ransomware.
Our client promptly contacted their System Integrator to advise them of the problem, and the Integrator, who quickly realized they were well out of their depth, brought in CyberQ Group. The client was completely confused: they had firewalls, and SentinelOne (basic) installed on endpoints, so they were safe from a cyberattack… right, surely?
By 11:40 am we were sitting with the client, having created a war room, and playing out the scenarios of what had happened, the IoCs (Indicators of Compromise), and what could possibly happen next.
Tragically, we found the IT infrastructure was highly exposed to attack. Their logical network was a mess: Internet, firewall, MPLS network and circuits onto different sites were all interconnected. There was no DMZ, no storage of logs, no Access Control policies, and no Multifactor Authentication. Worst of all, the backups had been encrypted too. SentinelOne was installed but not fully optimized, and one endpoint agent had even been disabled. The servers were running Windows Server 2012 R2 and known vulnerabilities had not been patched. SentinelOne had even found 4,000 vulnerabilities on the client’s network, although no action on these had been taken.
In effect, the client was dead in the water. No customer records, no suppliers’ records, no maintenance contracts, no payroll, and, most importantly, the Intellectual Property the client’s business was based upon (our client was a design house specializing in bespoke designs for a specific vertical industry) was also all encrypted. Worse still, the malware had resided in the network for long enough to encrypt the backups and exfiltrate a lot of data.
Medusa.
The accent of the mysterious caller sounded “Eastern European” according to our client's Managing Director, and we soon established the ransomware was courtesy of the Medusa bad actors. By 3 pm we had made our key recommendations to our client:
1. Alert the ICO (Information Commissioner's Office) and the local Cybercrime unit of the police. Also engage the firm’s lawyers to provide legal cover for the actions below.
2. Having established the encryption was serious, the client would need to contact the bad actors, Medusa, to discuss ransom options. I should stress CyberQ Group didn’t advocate paying a ransom, but contact with the bad actors would likely be necessary.
3. Quickly build a plan for communications, internally and externally.
4. Have a plan for a public escalation IF the bad actors escalated the attack so that there was a risk of reputational damage.
5. Get the business owners together, and the board if necessary, to agree on a figure which the company would be willing to pay in ransom if needed.
6. In the meantime, price up the feasibility of simply buying new servers, all with clean hard disks, and attempting to rebuild the company’s IT infrastructure and business operations from scratch.
7. Lastly, create a ‘Binance’ account for a cryptocurrency payment should a ransom payment be needed.
Playing with the bad actors.
The following day, acting on behalf of our client, CyberQ Group called the telephone number given to reach the bad actors. They sounded pragmatic and professional. They claimed they had looked at Companies House to see ‘our’ company’s turnover and profit, and deemed a £1.5m ransom charge would be manageable for us.
As you can appreciate, it’s important for us not to show our hand too soon. The Medusa group had no idea whether we could rebuild the business from backups and, if so, at what cost. Therefore it was important to position ourselves as “mildly curious” about what their demands might be.
We identified 5 encrypted files which had been recently edited (.pdf, .doc, .ppt, and .xls) and sent these to the hackers. These were so recent that our client could recognize the files were current and accurate, so once decrypted we could validate they were correct. This is the standard protocol for CyberQ Group. We needed the bad actors to prove they could decrypt the files and that they were the genuine hackers, not another bad actor claiming credit for someone else’s work.
We also needed to satisfy ourselves that they did have the decryption software. They confirmed this by return: they could, and did, decrypt our 5 encrypted test files. To preserve their anonymity, they asked us to use Anonfiles.com (used to anonymously share files) to exchange files with them.
Affronted.
Our client was appalled by the size of the ransom demand. At this point, we were gently suggesting perhaps the easier option would be to negotiate with Medusa to buy the decryption code. Our client agreed to a payment, but not to the full demand being asked. At this point, on behalf of our client, we entered into a tentative negotiation with Medusa.
In the meantime, our forensics team traced the likely attack to a phishing email sent to a senior director of our client. The likely infection came from another client of theirs who had been attacked via a phishing email two weeks earlier. That compromised email account had sent a further 400 phishing emails. So, tragically, our client hadn’t been the original target of the attack. However, their poor security posture left them vulnerable to the malware.
Meanwhile, our client was exploring options to avoid a ransom by simply buying new servers and rebuilding systems from scratch. Fortunately, the CFO had saved a lot of financial data to a thumb drive. Our client was also keen to pay staff significant bonuses and overtime for rebuilding the IT processes from scratch. Their logic was that they’d rather pay their own staff than pay a ransom demand.
Outcome.
Finally, an agreement with Medusa could not be reached, and our client chose to rebuild their entire IT infrastructure and restore as much data as possible; essentially, they chose to start afresh. We deployed two new servers with Windows Server 2022, built a config review (from a gold image), patched endpoints for hardening, and took 300 other actions for medium- and low-risk vulnerabilities.
But the bad actors weren’t finished. Because so much data had been exfiltrated before the encryption and ransom demand, the bad actors then threatened to publish confidential client information on the dark web. “All for sale – audit reports, statements, contact lists, schematics of designs, customer list – we compromised your supplier, and we have all your data” was the message.
Again, our advice to our client was to consider the reputational damage and to pre-warn their customers. The bad actors then started to “market” our client’s stolen data on the dark web. As part of CyberQ Group’s Incident Response service, we were monitoring the dark web for such activity. Within minutes of the advertisement appearing, it had 753 views.
Current state.
As is sadly often the case, our client was completely unaware of the security exposures they had, and today they are still rebuilding their business. Reputational damage has occurred, and sizable costs have been incurred rebuilding their IT infrastructure. The unpaid ransomware demand was £1.5 million, and while it’s currently impossible to estimate the true cost of the damage to our client, they are, after several months, still in recovery mode. For a company of this size and profile, CyberQ Group estimate that £30k per year would provide cyber maturity assessments, penetration testing, and other cybersecurity services which would have gone a long way to mitigating such attacks.
Call to action.
As the threat landscape continues to evolve, the question isn't if a ransomware attack will occur, but when. Are you adequately prepared to counter such a cybersecurity crisis? Don't leave your organisation's digital health to chance. Connect with CyberQ Group today. Our team of cybersecurity experts stand ready to fortify your systems and ensure you're fully equipped to ward off ransomware attacks. Let us help you in transforming your business to be cyber resilient. Get in touch with us now to start safeguarding your digital future.
Comment from a Cofounder & CEO at Cofi.ai (1 year ago): Congratulations CyberQ!