How companies get infected by ransomware

This ransomware post is not about your company, this post is about another company – because your company is secure and well protected right? The company VulnX has been running for years, it has 100 clients and it is a successful business. Their IT infrastructure is maintained by their system and network administrator.

They use various security solutions like Firewalls, Antivirus software and network monitoring services. They also have a SIEM installed which provides critical information about the events that are taken place in the IT infrastructure of VulnX.

So now you know a little about VulnX, we are going to take a deep dive into the compromise of VulnX. Just to make it clear. VulnX is a FAKE company. It is made up.

A nightmare

On a sunny but cold day one of the sales employee’s runs into the office of the system administrators – the sales employee which is known for being motivated, eager and successful informs that he opened an email attachment, and once he viewed the attachment his computer started renaming file names on the device.

The sales employee says that he does not know what to do, and he claims that important files are stored on that device which have to be recovered.

The system administrator calms the sales employee, and tells him to standby while some research is being performed. The system administrator opens up his SIEM and security monitors and to his big surprise, he sees that the infected device of the sales employee is scanning for shares on the network – on the same moment, another employee storms in the office of the system administrator – she states that all her designs and marketing files have been locked, including the once on the network shares and external storage devices that were connected to her device.

The experienced system administrator decided to disconnect the infected machines and network shares in the subnet that had been compromised. He immediately send out a mail towards the entire company – informing them that a ransomware attack has targeted the company – and that people should take extra care when opening email attachments. He also informed the company that the network shares from the sales and design teams have been disconnected.

Now that the system administrator had created a moment, he started investigating the compromised devices, he discovered that they were hit by the Locky Ransomware. The wallpapers of the infected devices had changed into a ransom letter that informed the user to pay-up the ransom via a bitcoin transaction.