Security Experts Warn That Victims of Ransomware Attacks MUST Change All Passwords

When an organization is hit by ransomware, many people tend to think that the only thing to worry about is restoring the data as quickly as possible. Earlier this week, however, cybersecurity reporter Brian Krebs told the story of a ransomware attack on an IT service provider that goes by the name Virtual Care Provider Inc. (VCPI), and in the process, he showed us how many other factors come into play when the hackers hold other people's data hostage.

We should probably start off with the fact that VCPI provides services to more than 100 nursing homes and healthcare facilities in 45 states. It shouldn't be too hard to see that disrupting the IT infrastructure of such a company could be quite devastating, but the real extent of the danger doesn't become apparent until you take a look at how the attack unfolded.

The attack was first noticed in the early hours of November 17, when the attackers unleashed the Ryuk ransomware on VCPI's network. Shortly afterward, all the data hosted by the cloud service provider was encrypted, and VCPI was told that it could have the key that unlocks the files if it paid out a staggering $14 million worth of bitcoin. It's a pretty big ransom, but then again, so is the amount of data that was held hostage.

The attack had a horrific impact on VCPI and its customers

VCPI's customers lost access to everything from email, through phone and billing systems, to payroll operations. Patient records were inaccessible, and some doctors were unable to place orders for vital drugs because of the attack, which meant that for some patients, the ransomware infection could have had fatal consequences. A few days after the incident, Karen Christianson, VCPI's CEO, told Brian Krebs that her company didn't have the resources to pay the ransom and that the attack could very well spell the end for the data hosting business.

The initial predictions didn't materialize, though. Although VCPI's customers experienced significant problems in the wake of the attack, the hosting provider did manage to restore the data. Probably in an attempt to limit the amount of PR damage VCPI suffered, Karen Christianson asked Brian Krebs to write a follow-up report on how the company recovered. Krebs agreed to schedule an interview, but shortly after the date and time were agreed upon, he received an email that got his attention immediately.

The extent of the infiltration becomes apparent

The message purported to be from a member of the hacking group that attacked VCPI, which, for Brian Krebs at least, isn't really that unusual. The email's request, however, was rather strange. The crook asked Krebs to remind VCPI's CEO that the discount offer on the ransom was about to expire.

The alleged ransomware operator had somehow become aware of the scheduled interview, and Krebs doubted that this knowledge was based on guesswork. The cybersecurity reporter thought that in addition to the ransomware, the hackers had used other tools that had given them access to VCPI's internal systems and communications. Krebs called experts from Hold Security and asked them to help him get a better understanding of the scope of the compromise.

Soon enough, the investigation produced evidence that VCPI's infrastructure had first been infiltrated way back in September 2018, most likely by means of a malicious Word document laced with macro instructions. The Word document downloaded Emotet, a malware family noted for its worm-like features that allow it to move laterally within a network.

The hackers went on a password-stealing spree before deploying the Ryuk ransomware

After using Emotet to establish a foothold inside VCPI's network, the crooks deployed Trickbot, a banking trojan known for its versatility and powerful credential-stealing capabilities. Hold Security's experts even managed to intercept some communication between the crooks, which suggested that during the VCPI attack, usernames and passwords for as many as 300 websites and online service providers were compromised. These included password management platforms; banking, billing, and payroll portals; prescription management and medical supply services; shipping and postage accounts; and more. Brian Krebs brought the evidence up during the interview with Karen Christianson, and although VCPI hasn't officially admitted to it, the fact that the interview ended abruptly shortly after that suggests that the CEO had absolutely no idea about the theft.

For a while now, ransomware operators have been focused on organizations rather than end users. We're no longer talking about script kiddies looking to wreak some havoc and make a quick buck. More recent attacks are executed by sophisticated hacking crews with quite a lot of tools and resources at their disposal, and sometimes, deploying the ransomware is only a small portion of the entire operation. Organizations like VCPI must learn that hackers can hit on many different fronts, and that login data is often the proverbial low-hanging fruit. That's why, as Brian Krebs concluded in his report, changing passwords should be high on the priority list for any company that has suffered a cyberattack, regardless of whether or not the incident involved ransomware.

January 9, 2020