Case study: How a phishing email led to a multi-million-dollar ransomware attack

As a Sophos Partner, we would like to share a cautionary story about a costly ransomware attack.

The Sophos Rapid Response team was recently called in to assist a company experiencing a major ransomware attack. After the attack had been contained, the Rapid Response team investigated the incident to understand how it started. Here’s what they discovered:

Three months before the attack, an employee received a phishing email. The email appeared to come from a colleague in another office – it’s likely that the attackers had accessed the co-worker’s email account to trick fellow employees into trusting the message.

The message was very short and written in poor English. It asked the employee to click on a link to check a document. The link was in fact malicious, and when the employee clicked on it, they enabled the attackers to obtain Domain Admin access credentials.

The Rapid Response team believes the phishing email was sent by an Initial Access Broker, a cybercriminal that focuses on securing access to organizations’ environments and then selling the access on to other adversaries for use in a range of attacks including ransomware and data theft.

In this case, the victim’s IT team stepped in and shut down the phishing attack. That seemed to be the end of it.

Eight weeks later, however, a malicious actor installed and ran two tools, Cobalt Strike and PowerSploit PowerView, on the victim’s computer. These are commercial tools used legitimately by penetration testers, and also by cybercriminals for malicious purposes. The attackers probably used PowerView to perform network reconnaissance, while Cobalt Strike provided persistence, enabling them to remain in the network.

For about two weeks after the attackers’ exploratory activity, everything went quiet. The Rapid Response team believes this was because the Initial Access Broker was looking for a suitable buyer for the access credentials.

Once sold, the new “owners” were quick to take advantage of their purchase. They soon appeared on the network, installed Cobalt Strike on more machines, and began to collect and steal information.

Three months after the original phishing email, the attackers unleashed REvil ransomware at 4 am local time and demanded a ransom of $2.5 million.


Get AI-powered phishing protection with Sophos Email:

  • Advanced machine learning identifies phishing imposters and BEC attacks
  • Real-time scanning for key phishing indicators blocks social engineering techniques
  • Pre- and post-delivery protection stops malicious links and malware

