Battle of the Week - Ransomware

The Battleground:

A Company's Network.

The Presumption:  

Users choose complex passwords to prevent unwanted access, and employees are trained not to expose information that can be gathered through social engineering and to notice when someone is using social engineering tactics against them.

The Discovery:  

The company contacted InfusionPoints stating that they had been hit by ransomware. After the Company, with InfusionPoints' guidance, managed to shut down their network, they sent logs from the infected machines to InfusionPoints for review. After extensive review of the situation, InfusionPoints found a single successful logon from within their own country, with no failed logons before it, on an admin account tied to the ransomware. The admin account had been used to disable monitoring capabilities and cover its tracks, and then to start the ransomware process of encrypting data and locking down the network. There was no telling how long the malicious user had had access to the account.

Our Solution:  

The cause of the leaked password is still unknown; it is suspected that the malicious user phished or social engineered the account. Make sure the employees of your company use complex passwords that they do not reuse on any other platform, and make sure they are made aware of, and tested against, phishing attempts. Another way to help secure your network is to have as few admin accounts as possible: admin rights on a vast number of accounts does lead to security issues.

Lessons Learned: 

Requiring complex passwords of sufficient length, and having those passwords reset on a regular basis, can help prevent unwanted access. Keep your employees well trained on how malicious users use social engineering and phishing tactics to steal credentials. Companies should also have systems in place to be notified of activity outside of work hours.
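The two signals this case turns on, an admin logon outside work hours and monitoring being switched off, can be checked with a short detection pass over logon and audit events. The following Python script is an added example, not InfusionPoints' tooling or the company's logs: the log line format, the event names, and the 07:00-19:00 weekday business-hours window are assumptions, and the sample log lines are constructed.

```python
import re
from datetime import datetime, time
# Business-hours window is an assumption of this example (07:00-19:00, Mon-Fri).
WORK_START, WORK_END = time(7, 0), time(19, 0)
# Events that indicate someone is switching off or wiping the record of activity.
TAMPER_EVENTS = {"AUDIT_LOG_CLEARED", "MONITORING_DISABLED"}
# Constructed sample log lines (not from the incident); the line format
# "<ISO timestamp> <event> key=value ..." is an assumption of this example.
SAMPLE_LOG = """\
2024-03-11T09:02:14 LOGON_SUCCESS user=jdoe src=10.0.0.21 admin=no
2024-03-11T18:10:40 LOGON_SUCCESS user=ops_admin src=10.0.0.5 admin=yes
2024-03-12T02:13:55 LOGON_SUCCESS user=svc_admin src=10.0.0.77 admin=yes
2024-03-12T02:15:10 AUDIT_LOG_CLEARED user=svc_admin
2024-03-12T02:16:02 MONITORING_DISABLED user=svc_admin
"""

LINE_RE = re.compile(r"^(\S+) (\S+)((?: \w+=\S+)*)$")

def parse_log(text):
    """Return a list of (timestamp, event_kind, fields) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, kind, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append((datetime.fromisoformat(ts), kind, fields))
    return events

def off_hours(ts):
    """True on weekends or outside the business-hours window."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.time() < WORK_END)

def find_alerts(events):
    """Flag the two signals from this case: an admin logon outside work hours,
    and any event that disables or clears monitoring."""
    alerts = []
    for ts, kind, f in events:
        user = f.get("user", "?")
        if kind == "LOGON_SUCCESS" and f.get("admin") == "yes" and off_hours(ts):
            alerts.append((ts, f"admin logon outside work hours: {user} from {f.get('src')}"))
        elif kind in TAMPER_EVENTS:
            alerts.append((ts, f"monitoring tampered ({kind}) by {user}"))
    return alerts

if __name__ == "__main__":
    for ts, reason in find_alerts(parse_log(SAMPLE_LOG)):
        print(ts.isoformat(), reason)
```

On the constructed sample the in-hours admin logon is left alone while the 02:13 admin logon and the two tampering events each raise an alert.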