pages from the Secret IR Insider’s diary

by Joseph K. Clark

It is 26 November 2020. We’re doing work for a medium-sized global enterprise that’s been hit by the Dharma ransomware. I’m sipping coffee while on a call with the IT director, discussing the plan for getting users back up and running after they’ve restored their systems from backups (the company’s IT team had the foresight to run regular backups and keep them air-gapped from its network – I wish more companies would do this).

I asked him if he’s considered deploying multi-factor authentication (MFA) for the company’s users, as it helps prevent malicious login attempts if credentials are stolen. He sighs. “No, I’d love to, but I’d get too much pushback from the board and users because of the extra sign-in step.” “Have you tried telling the board that if MFA was used, the attack might not have impacted the company at all, and you wouldn’t have had to work 18-hour days for the past week and a half to reinstall all the endpoints?” I ask. He snorts. “My job seems to be keeping everyone happy, and security comes second.”


I hear this a lot, so I suggest that all his IT administrators use MFA, which stops attackers from using stolen credentials or credential stuffing to get into privileged accounts where they can cause maximum damage. He agrees. “Anyway, we need to get our remote contractors back online, so we’ll have to open RDP [remote desktop protocol] back up,” he adds. “They all use their own PCs, so we won’t be able to put anti-malware or our new EDR [endpoint detection and response] software on them, though.”


I nearly choke on my coffee, and I’m lost for words for a few moments. When I’ve cleared my throat, I point out that the Dharma attack most likely originated from the attacker using phished credentials to access the RDP servers and then planting the ransomware on the network. I suggest that, as a minimum, the company uses endpoint compliance scanning to ensure remote endpoints meet minimum security requirements before they are allowed to connect remotely.

Boardroom banter

After finishing the call with the IT director, I’m asked to join a call with its senior management to update them on how the work is progressing. “How many machines have you scanned for infections?” they ask. About half of your total number of PCs, I reply. I haven’t been able to reach some, and some I can’t scan because they are developers’ machines and don’t like administrators to watch them. I wait, but my point seems to go unnoticed. “How many of those are infected with the ransomware?” Around 80% of the machines I’ve scanned, I tell them. “So what can we do with the infected machines?” they ask.

I say they need to be removed from the network, thoroughly disinfected, and only then reinstalled; otherwise, there’s a risk of missing something or an unknown infection left behind that could re-infect the network. “That’s too big a job,” they say. “We have antivirus software; can’t we just get going with them, and the software will pick up any infections?” I point out that the antivirus software was disabled just before the ransomware attack by the hackers behind it, using administrator-level credentials probably harvested during an earlier phishing exploit targeting one of its IT teams. There’s a silence, and then someone asks: “Okay, we see what you mean. How do we stop this from happening again?” Now we’re starting to get somewhere.
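The two moves the diary describes, credential stuffing against an exposed RDP service and then antivirus switched off with admin-level credentials, both leave a trail in Windows event logs. The script below is an added example, not code from the column or from Check Point, showing the triage heuristics an IR engineer would run over those logs: it flags a source IP that racks up failed RemoteInteractive logons (Security event 4625, LogonType 10) and then succeeds (4624, LogonType 10), and it pairs a Microsoft Defender "real-time protection disabled" event (ID 5001 in the Defender operational log) with a preceding privileged RDP logon. The event records, host names, account names and IP addresses are constructed; the thresholds and time windows are assumptions to tune per environment.

```python
"""Triage heuristics over Windows event records for RDP credential stuffing and
antivirus being disabled after a privileged RDP logon. Added example; the event
records below are constructed, not taken from a real incident."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, channel, event_id, fields).
# Real data would be exported from Security.evtx and the
# Microsoft-Windows-Windows Defender/Operational log (wevtutil, PowerShell
# Get-WinEvent, or a SIEM). LogonType 10 = RemoteInteractive (RDP).
EVENTS = [
    ("2020-11-14T02:01:05", "Security", 4625, {"TargetUserName": "jsmith",   "LogonType": "10", "IpAddress": "198.51.100.23"}),
    ("2020-11-14T02:01:09", "Security", 4625, {"TargetUserName": "jsmith",   "LogonType": "10", "IpAddress": "198.51.100.23"}),
    ("2020-11-14T02:01:14", "Security", 4625, {"TargetUserName": "mlee",     "LogonType": "10", "IpAddress": "198.51.100.23"}),
    ("2020-11-14T02:01:20", "Security", 4625, {"TargetUserName": "mlee",     "LogonType": "10", "IpAddress": "198.51.100.23"}),
    ("2020-11-14T02:01:27", "Security", 4625, {"TargetUserName": "itadmin",  "LogonType": "10", "IpAddress": "198.51.100.23"}),
    ("2020-11-14T02:01:33", "Security", 4624, {"TargetUserName": "itadmin",  "LogonType": "10", "IpAddress": "198.51.100.23"}),
    ("2020-11-14T02:03:10", "Security", 4624, {"TargetUserName": "svc-backup", "LogonType": "3", "IpAddress": "10.0.0.5"}),
    ("2020-11-14T02:14:40", "Defender", 5001, {"Computer": "FS01"}),  # real-time protection disabled
    ("2020-11-14T02:15:02", "Security", 4625, {"TargetUserName": "guest",    "LogonType": "10", "IpAddress": "203.0.113.9"}),
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def rdp_logons(events):
    """Yield (ts, event_id, user, ip) for RDP (RemoteInteractive) logons only."""
    for ts, chan, eid, f in events:
        if chan == "Security" and eid in (4624, 4625) and f.get("LogonType") == "10":
            yield parse_ts(ts), eid, f["TargetUserName"], f["IpAddress"]


def detect_rdp_stuffing(events, threshold=5, window=timedelta(minutes=10)):
    """Flag a source IP with >= threshold failed RDP logons inside `window`
    followed by a successful RDP logon: the signature of guessed or stuffed
    credentials landing on a valid account."""
    failures = defaultdict(list)
    hits = []
    for ts, eid, user, ip in sorted(rdp_logons(events)):
        if eid == 4625:
            failures[ip].append(ts)
            continue
        recent = [t for t in failures[ip] if ts - t <= window]
        if len(recent) >= threshold:
            hits.append({"ip": ip, "failed_attempts": len(recent),
                         "compromised_user": user, "at": ts})
    return hits


def detect_av_disabled_after_admin_rdp(events, admins, window=timedelta(minutes=30)):
    """Pair each Defender event 5001 (real-time protection disabled) with a
    successful RDP logon by a privileged account that preceded it by at most
    `window`. `admins` is the set of privileged account names (an assumption
    here; in practice take it from AD group membership)."""
    admin_logons = [(ts, user, ip) for ts, eid, user, ip in rdp_logons(events)
                    if eid == 4624 and user in admins]
    hits = []
    for ts, chan, eid, f in events:
        if chan != "Defender" or eid != 5001:
            continue
        t = parse_ts(ts)
        for lts, user, ip in admin_logons:
            if timedelta(0) <= t - lts <= window:
                hits.append({"host": f["Computer"], "av_disabled_at": t,
                             "admin": user, "from_ip": ip,
                             "minutes_after_logon": int((t - lts).total_seconds() // 60)})
    return hits


if __name__ == "__main__":
    for h in detect_rdp_stuffing(EVENTS):
        print(f"RDP stuffing from {h['ip']}: {h['failed_attempts']} failures, "
              f"then success as {h['compromised_user']} at {h['at']}")
    for h in detect_av_disabled_after_admin_rdp(EVENTS, {"itadmin"}):
        print(f"AV disabled on {h['host']} {h['minutes_after_logon']} min after "
              f"{h['admin']} logged in over RDP from {h['from_ip']}")
```

Both findings are exactly what MFA on administrator accounts and keeping RDP off the internet are meant to prevent: the stuffed password would not have logged the attacker in, and without the admin session there is no one to switch Defender off. Note that Defender 5001 only fires when real-time protection is turned off through Defender itself; an attacker who unloads a third-party agent or kills its service leaves different evidence (service-control events, process termination), so the second check should be extended to whatever product the estate actually runs.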

Just as I’m describing how the disinfection process will work and how we would recommend using MFA to help prevent these attacks in the future, I get a message on the internal team WhatsApp group. “Online retailer hit by a ransomware attack. Can I join a call shortly?” Here we go again…

A specialist in incident response (IR) is at the front lines of the ongoing battle against malicious cybercriminals, ransomware, and other threats. The Secret IR Insider works at cyber security services and solutions supplier Check Point.
