The experts presented the investigation of the ransomware attack step by step


Jan 28, 2016
The details of the hack and other forensic data are of great value to organizational security teams.

Although all companies attacked by ransomware are different, they can still learn from each other's experiences. A step-by-step examination of a ransomware attack can help organizations realize that they may also be vulnerable to such attacks and explain what steps to take to avoid these attacks.

At the online (ISC)² Security Congress, SCADAfence CEO Elad Ben-Meir presented the details of an investigation into a ransomware attack on a major European industrial enterprise earlier this year.

The cyberattack described by SCADAfence began at night. As a result of the incident, several critical services stopped functioning. The IT team at the affected enterprise found a ransom note on many devices on the corporate network. The team initially intended to pay the ransom, but after the attackers raised the price it changed its mind and turned to the SCADAfence incident response team for help.

During the first seven hours of the attack, over 200 critical servers were encrypted and the entire production line came to a halt. Before arriving on site, the experts instructed the enterprise IT team on how to isolate the affected part of the network so as to contain the spread, reduce the downtime of affected systems, and keep the evidence intact.

Evidence collection began before the experts arrived on site. They asked the enterprise IT team to collect, as soon as possible, images of the affected systems, registry and configuration files, and any other information that could assist the investigation.

Once on site, the experts examined the infected computers. They looked for devices showing signs of malicious activity, such as attack tools, that could lead to further spread of the infection. “This gave us a unique picture of what is communicating with what and how an attack can be stopped by identifying those connections,” Ben-Meir said.

The specialists checked machine configurations, suspicious executables, file timestamps, log files, and event logs. Suspicious executables and binaries were sent to reverse engineering specialists for further analysis. The forensic analysis established the source of the attack, the tools used in it, and indicators of compromise derived from the collected binaries and executables.

Within hours of arriving on site, the researchers noticed network scanning activity from a machine that was not on their list of infected devices. The scan was not visible in the firewall logs because some network segments were bridged through a network interface card (NIC) on that machine (the host sat on both segments at once) rather than routed through the firewall. The enterprise IT team was unaware of this configuration and had assumed that all inter-segment traffic passed through the firewall.
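The check that would have exposed this earlier is to compare what a passive network sensor sees against what the firewall logged: any inter-segment flow on the wire that the firewall never saw took another path, such as a host bridging two segments with its own NICs. The following is an added example and not part of the article or SCADAfence's tooling; the segment addressing, both log formats and all host addresses are constructed for illustration.

```python
"""Find inter-segment traffic that bypassed the firewall, then look for scanners in it.

Added example; the segment map, log formats and addresses are hypothetical.
"""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport")

# Hypothetical segment map: corporate IT vs. the plant (OT) network.
SEGMENTS = {
    "corp-it": ipaddress.ip_network("10.10.0.0/16"),
    "ot-plant": ipaddress.ip_network("10.20.0.0/16"),
}


def segment_of(ip):
    """Name of the segment containing ip, or None if it is outside the map."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def parse_sensor(lines):
    """Constructed sensor export: one 'src,dst,dport' per line, '#' comments."""
    flows = set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport = line.split(",")
        flows.add(Flow(src, dst, int(dport)))
    return flows


def parse_firewall(lines):
    """Constructed firewall log: 'ACTION key=value ...' per line."""
    flows = set()
    for line in lines:
        parts = line.split()
        if not parts:
            continue
        kv = dict(p.split("=", 1) for p in parts[1:])
        flows.add(Flow(kv["src"], kv["dst"], int(kv["dpt"])))
    return flows


def bypassing_flows(sensor_flows, fw_flows):
    """Flows that crossed a segment boundary on the wire but never hit the firewall."""
    found = []
    for f in sensor_flows:
        s, d = segment_of(f.src), segment_of(f.dst)
        if s is None or d is None or s == d:
            continue  # unknown address space or intra-segment traffic
        if f not in fw_flows:
            found.append(f)  # must have taken a path around the firewall
    return sorted(found)


def scanning_sources(flows, min_targets=5):
    """Sources touching at least min_targets distinct (host, port) pairs."""
    targets = {}
    for f in flows:
        targets.setdefault(f.src, set()).add((f.dst, f.dport))
    return sorted(src for src, t in targets.items() if len(t) >= min_targets)


# Constructed sample: one legitimate Modbus flow the firewall saw, and a corp-it
# host sweeping SMB/RDP on the plant network without ever touching the firewall.
SENSOR_LOG = """
# src,dst,dport
10.10.7.7,10.20.1.1,502
10.10.5.50,10.20.1.1,445
10.10.5.50,10.20.1.2,445
10.10.5.50,10.20.1.3,445
10.10.5.50,10.20.1.4,3389
10.10.5.50,10.20.1.5,3389
10.10.5.50,10.20.1.6,3389
10.10.3.3,10.10.3.4,445
""".splitlines()

FIREWALL_LOG = """
ACCEPT src=10.10.7.7 dst=10.20.1.1 dpt=502 proto=tcp
""".splitlines()


def investigate(sensor_lines=SENSOR_LOG, fw_lines=FIREWALL_LOG):
    """Return (flows that bypassed the firewall, suspected scanners among them)."""
    bypass = bypassing_flows(parse_sensor(sensor_lines), parse_firewall(fw_lines))
    return bypass, scanning_sources(bypass)


if __name__ == "__main__":
    flows, scanners = investigate()
    for f in flows:
        print(f"not in firewall log: {f.src} -> {f.dst}:{f.dport}")
    print("suspected scanners:", scanners)
```

On the sample data the six SMB/RDP probes from 10.10.5.50 are reported as firewall bypasses and that host is the only suspected scanner; in a real deployment the sensor feed would come from a SPAN or TAP on each segment, and any host that shows up as a bypass source is a candidate for a multi-homed or bridged configuration.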

The attackers took several steps to evade defences and keep their operation running. First, they disabled Windows updates and tried to hide their activity by storing executable files in legitimate folders. Second, they turned off endpoint protection, and third, they locked input devices during encryption so that employees could not stop the encryption process.
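Each of the first two steps leaves a trace in the Windows event log, which is where a detection team would look for them. The following is an added example, not taken from the article: it runs over constructed records shaped like exported Windows event entries. The event IDs are the real ones (System/Service Control Manager 7040 for a service start-type change, Microsoft-Windows-Windows Defender/Operational 5001 for real-time protection being disabled, Security 4688 for process creation); the host names, timestamps, message text and the system32 baseline are hypothetical. Locking of input devices is not covered, as it has no single well-known event.

```python
"""Flag defence-tampering steps in Windows event records.

Added example; the records, hosts, times and the executable baseline are constructed.
"""
import re

# Services whose start type must never flip to "disabled" unannounced.
PROTECTED_SERVICES = {
    "Windows Update",
    "Microsoft Defender Antivirus Service",
    "Windows Defender Antivirus Service",
}

# Hypothetical known-good baseline of executables in a legitimate folder;
# in practice built from a golden image or a file-integrity tool.
WATCHED_DIR = r"c:\windows\system32"
BASELINE = {
    WATCHED_DIR + r"\svchost.exe",
    WATCHED_DIR + r"\cmd.exe",
    WATCHED_DIR + r"\conhost.exe",
}

# Message format of event 7040 in the System log.
START_TYPE_RE = re.compile(
    r"The start type of the (?P<svc>.+?) service was changed from (?P<old>.+?) to (?P<new>.+?)\."
)


def check_event(ev):
    """Return a finding for one event record, or None if it is benign."""
    eid, channel = ev["id"], ev["channel"]
    if channel == "System" and eid == 7040:
        m = START_TYPE_RE.search(ev.get("message", ""))
        if m and m["svc"] in PROTECTED_SERVICES and m["new"].lower() == "disabled":
            return f"{m['svc']} service disabled (was {m['old']})"
    elif channel == "Microsoft-Windows-Windows Defender/Operational" and eid == 5001:
        return "Defender real-time protection disabled"
    elif channel == "Security" and eid == 4688:
        path = ev.get("new_process_name", "").lower()
        if path.startswith(WATCHED_DIR + "\\") and path not in BASELINE:
            return f"unknown executable run from system folder: {path}"
    return None


def triage(events):
    """(host, time, finding) for every event that matches a tampering pattern."""
    out = []
    for ev in events:
        finding = check_event(ev)
        if finding:
            out.append((ev["host"], ev["time"], finding))
    return out


# Constructed sample: one engineering workstation being prepared for encryption,
# plus a benign start-type change on another host that must not fire.
EVENTS = [
    {"host": "ENG-02", "time": "02:11:05", "channel": "System", "id": 7040,
     "message": "The start type of the Windows Update service was changed from auto start to disabled."},
    {"host": "ENG-02", "time": "02:11:40",
     "channel": "Microsoft-Windows-Windows Defender/Operational", "id": 5001,
     "message": "Real-time protection is disabled."},
    {"host": "ENG-02", "time": "02:12:10", "channel": "Security", "id": 4688,
     "new_process_name": r"C:\Windows\System32\svchost.exe"},
    {"host": "ENG-02", "time": "02:12:30", "channel": "Security", "id": 4688,
     "new_process_name": r"C:\Windows\System32\update.exe"},
    {"host": "HMI-07", "time": "02:13:00", "channel": "System", "id": 7040,
     "message": "The start type of the Print Spooler service was changed from auto start to demand start."},
]

if __name__ == "__main__":
    for host, time, finding in triage(EVENTS):
        print(host, time, finding)
```

The three findings all land on ENG-02 within two minutes, which is the sequence to alert on: an unexplained disabling of update and protection services followed by a binary nobody has seen before running out of a system folder. The Print Spooler change on HMI-07 is an ordinary administrative action and is correctly ignored.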

The situation was under control 10 hours after the specialists arrived on site. Investigators found that the infected machine was a third-party device operated by an external contractor, whose sole purpose was to provide an entry point into the operational technology (OT) network for service and support. The machine had an external IP address, which made it hard to find in the firewall logs, and an RDP port open to the Internet. Moreover, the device had not been updated for a long time, and its host firewall had been disabled.

Many companies have at least one unmanaged device that allows access to the entire network. Because such a device lacks basic protections, it can let a threat spread throughout the network. It is critical for organizations to know who is connecting to their network, whether the device has security updates installed, and whether endpoint protection is enabled.

Ben-Meir strongly encouraged the company to segment its networks. “The smaller the segments, the tougher and better manageable they are, and the less the threat is likely to spread, less real damage to infrastructure, and less disruption to production,” he said.