Thu | May 20, 2021 | 12:15 PM PDT

Someone trying to save a few bucks on a software license triggered a Ryuk ransomware attack against a life sciences research institute. 

The attack cost the institute a week's worth of vital research data because backups were not fully up to date. They also had to rebuild all computers and server files from the ground up before the backups could be restored.

But the hardest pill to swallow from this incident was learning the attack could have been avoided with a "less trusting and more robust approach to network access."

A single human mistake was all it took for hackers to gain access to the system.

College student's mistake causes ransomware attack

What do almost all university students have in common? They're all trying to save money in any way they can.

So, it's not too surprising that a student short on cash would look for a way to avoid paying for expensive software.

According to Sophos' Rapid Response team, this exact scenario is what kicked off the ransomware attack:

"The institute was exposed the moment one of these external university students apparently decided they wanted a personal copy of a data visualization software tool they were already using for work.

A single user license was likely to cost them hundreds of dollars a year, so they posted a question on an online research forum asking if anyone knew of a free alternative (the Rapid Response team know this because the student handed over their laptop for analysis once the full extent of the incident became clear).

When the student couldn't find a suitable free version, they searched for a 'Crack' version instead. They found what appeared to be one and tried to install it. However, the file was in fact pure malware and the installation attempt immediately triggered a security alert from Windows Defender."

It's great when Windows Defender does its job. Unfortunately, what the student did next put an end to that protection:

"The user disabled Windows Defender—and at the same time appears to have also disabled their firewall—and tried again. This time it worked.

However, instead of a cracked copy of the visualization tool they were after, the student got a malicious info-stealer that, once installed, began logging keystrokes, stealing browser, cookies and clipboard data and more. Somewhere along the way it apparently also found the student's access credentials for the institute's network."

Nearly two weeks later, a remote desktop protocol (RDP) connection was registered on the institute's network using the student's credentials. Ten days after that, Ryuk ransomware was launched.

Here is security researcher Peter Mackenzie on how the situation unfolded:

"It is unlikely that the operators behind the 'pirated software' malware are the same as the ones who launched the Ryuk attack. The underground market for previously compromised networks offering attackers easy initial access is thriving, so we believe that the malware operators sold their access on to another attacker. The RDP connection could have been the access brokers testing their access.

Incident investigations are crucial because they allow us to see how an attack unfolded and help targets to understand and address security gaps for the future. In this case, the implementation of robust network authentication and access controls, combined with end user education might have prevented this attack from happening. It serves as a powerful reminder of how important it is to get the security basics right."
