Large-Scale Ransomware Attack Averted by Security Experts

An unnamed company was about to become the latest negative headline and suffer a major ransomware attack, but security researchers managed to avert the crisis in the nick of time.

ZDNet reported on the incident, in which a large business brought in security experts from Sophos after discovering a large number of Cobalt Strike instances installed on company computers. At first glance this might not look suspicious, since Cobalt Strike is a legitimate penetration testing tool. Over the past year, however, its use has also spiked among cyber criminals.

After the company brought Sophos in to investigate the appearance of Cobalt Strike on the network, the security researchers found that the entire network was being worked over and prepared for a full-scale ransomware attack.

The criminals were planning to use REvil ransomware and do as much damage as possible, encrypting data en masse. Luckily for Sophos' customer, the security researchers spotted the ongoing efforts to prepare the network for the ransomware payload and averted the full brunt of the attack.

Only a small number of unprotected systems and devices were encrypted, and that did not impact the company in any significant way. The criminals behind the attempted attack left a ransom note on the few devices they did encrypt, demanding a ransom to the tune of $2.5 million. Of course, since the large-scale attack was foiled, none of that was paid.

What ZDNet and the Sophos investigation point out, though, is that the bad actors behind the attack managed to sneak the legitimate ScreenConnect remote access software onto over one hundred company machines without anyone noticing and raising the alarm.

Peter Mackenzie, manager of the Sophos Rapid Response team, quoted by ZDNet, said that the most common ways for threat actors to gain an initial foothold on a network are phishing users, exploiting VPN vulnerabilities, or abusing VPNs that do not have multi-factor authentication enabled.

REvil, the ransomware that almost hit the unnamed company in this lucky turn of events, was also used successfully against JBS, America's largest fresh beef and pork producer, and JBS was not so lucky. The ransomware gang behind that attack managed to squeeze a whopping $11 million out of JBS.

Mackenzie also gave a few security pointers, echoing what the security industry as a whole has been trying to teach companies and businesses. The top recommendations are to keep up-to-date security software installed on every networked device and managed from a centralized console, and to keep every single system updated with the latest patches for all the software it runs.
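The detail that stands out for defenders is that ScreenConnect landed on over a hundred machines without anyone noticing; a centrally managed software inventory, as recommended above, is exactly what makes that visible. The following is an added example, not code from Sophos, ZDNet or the company involved: it parses a constructed software inventory (host, software, install time), flags remote-access or post-exploitation tooling that is not on an approved host/tool list, and separately flags any watched tool whose first appearance on many hosts clusters inside a short window, the signature of a mass deployment. The tool list, approved pairs, thresholds and inventory rows are all constructed assumptions.

```python
"""Flag unexpected remote-access tooling and mass deployments in a software inventory.

Added example; not Sophos' or ZDNet's code. The watched tools (the two named in
the article), the approved pairs, the thresholds and the inventory rows below are
constructed assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Tools whose fleet-wide appearance deserves a second look (lower-cased for matching).
WATCHED_TOOLS = {"screenconnect", "cobalt strike"}

# (tool, host) pairs the organisation knowingly runs; constructed assumption.
APPROVED = {("screenconnect", "helpdesk-01"), ("screenconnect", "helpdesk-02")}


def parse_inventory(lines):
    """Parse 'host,software,installed_at' lines (ISO-8601 timestamps) into rows."""
    rows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, software, installed = (f.strip() for f in line.split(","))
        rows.append({"host": host, "software": software.lower(),
                     "installed_at": datetime.fromisoformat(installed)})
    return rows


def find_unapproved(rows, watched=WATCHED_TOOLS, approved=APPROVED):
    """Return sorted (host, tool) pairs for watched tools outside the approved list."""
    return sorted({(r["host"], r["software"]) for r in rows
                   if r["software"] in watched
                   and (r["software"], r["host"]) not in approved})


def find_mass_deployments(rows, watched=WATCHED_TOOLS,
                          window=timedelta(hours=24), min_hosts=10):
    """Flag watched tools first seen on >= min_hosts distinct hosts within `window`.

    Uses a sliding window over each tool's sorted per-host first-install times and
    reports the densest window that meets the threshold.
    """
    first_seen = defaultdict(dict)  # tool -> host -> earliest install time
    for r in rows:
        if r["software"] not in watched:
            continue
        seen = first_seen[r["software"]].get(r["host"])
        if seen is None or r["installed_at"] < seen:
            first_seen[r["software"]][r["host"]] = r["installed_at"]

    findings = []
    for tool, per_host in first_seen.items():
        times = sorted(per_host.values())
        best, start = None, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= min_hosts and (best is None or count > best[0]):
                best = (count, times[start], times[end])
        if best is not None:
            findings.append({"tool": tool, "hosts": best[0],
                             "from": best[1], "to": best[2]})
    return findings


# Constructed sample inventory: two long-standing helpdesk installs, one unrelated
# package, then twelve workstations that all receive ScreenConnect inside two hours,
# one of which also picks up Cobalt Strike shortly afterwards.
SAMPLE_INVENTORY = """
# host,software,installed_at
helpdesk-01,ScreenConnect,2021-02-15T09:12:00
helpdesk-02,ScreenConnect,2021-02-15T09:40:00
fin-ws-07,Microsoft Office,2021-03-01T10:00:00
ws-001,ScreenConnect,2021-06-20T01:00:00
ws-002,ScreenConnect,2021-06-20T01:10:00
ws-003,ScreenConnect,2021-06-20T01:20:00
ws-004,ScreenConnect,2021-06-20T01:30:00
ws-005,ScreenConnect,2021-06-20T01:40:00
ws-006,ScreenConnect,2021-06-20T01:50:00
ws-007,ScreenConnect,2021-06-20T02:00:00
ws-008,ScreenConnect,2021-06-20T02:10:00
ws-009,ScreenConnect,2021-06-20T02:20:00
ws-010,ScreenConnect,2021-06-20T02:30:00
ws-011,ScreenConnect,2021-06-20T02:40:00
ws-012,ScreenConnect,2021-06-20T02:50:00
ws-003,Cobalt Strike,2021-06-20T03:05:00
"""

if __name__ == "__main__":
    rows = parse_inventory(SAMPLE_INVENTORY.splitlines())
    for host, tool in find_unapproved(rows):
        print(f"UNAPPROVED  {tool:<14} on {host}")
    for f in find_mass_deployments(rows):
        print(f"MASS DEPLOY {f['tool']:<14} on {f['hosts']} hosts "
              f"between {f['from']} and {f['to']}")
```

The two checks are deliberately independent: the approved-pair check catches a single rogue install, while the time-window check catches an approved tool being pushed to far more hosts than usual, which an allow-list alone would miss. In practice the inventory would come from the endpoint management console rather than an inline string, and the thresholds should be tuned to the organisation's normal rollout cadence so that a legitimate software deployment does not page the on-call.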

July 1, 2021