When an Eastern European chain store was attacked by ransomware, Nixu specialists flew over to help. This started a fascinating chain of events. Our story might read like a spy story, but this is a true Nixu customer story. Nixu’s cybersecurity specialist Juha was interviewed for the story.
Somewhere in Eastern Europe, a gang of criminals breaks into the network of a local chain store at 10:34 pm. Between 3 am and 8 am, the attackers activate malware on computers connected to the company’s network.
Nixu’s information security specialist Juha has just told his supervisor in a meeting that the incident response scene has been very quiet when they receive word of a cybersecurity incident the customer registered seven minutes earlier, at 10:23 am. It’s immediately clear that the situation is serious. At 4:30 pm, the customer decides: “Fly over here and fix the situation”.
Juha and another Nixu employee, who speaks the local language well, take the first available flight on Saturday morning. They carry an incident response kit which includes, for example, a disposable laptop, write blockers and other forensics tools.
“These computers are installed for Digital Forensics and Incident Response (DFIR) purposes at Nixu’s office just before use. They are only used for this work, and the data in them will never end up on our computers or any of our networks. With write blockers, we can read data on the hard disk without, for example, altering evidence,” says Juha.
On Saturday at 12:30 pm, the Nixu duo is on the customer’s premises and ready to work. The Eastern European chain store has been a victim of a ransomware attack twice in two weeks. Ransomware is malware that hijacks the computer or system, encrypts part or all of the data on the computer, and then demands a ransom for decrypting the encrypted data.
The attack was detected when the warehouse employees tried to use the back-end system and noticed that it didn’t work. The duty officer realised that they were under attack and shut down the systems.
The first attack didn’t cause massive damage, but this time the situation was different. The attack had disabled most of the company’s network and the employees were forced to shut down the entire IT infrastructure. They didn’t dare to start the systems again and had no idea who the attackers were or what kind of techniques they were using.
“Although turning off the computers is an acceptable solution that stops the attack in ransomware incidents, in this case it was done too late to be of help. At least 39 different systems were totally encrypted. The lost systems included 50-60 servers and development workstations. The warehouse back-end systems as well as the ERP systems of three stores were completely encrypted and unusable. The backup copies of the warehouse systems and the entire email system were lost since they were also encrypted,” says Juha.
The customer told Juha that the specialists and police who visited the premises after the first attack couldn’t help them since there were not enough virus protection log files available. That is why the customer is pessimistic about Nixu’s help as well.
In Digital Forensics and Incident Response (DFIR), the aim is to restore the customer’s business operations as quickly as possible. This requires limiting the damage and investigating how the attacker managed to break in and move around inside the system.
“If the spreading technique is unknown, nothing can be done about the attack at the network level. But first, we should know precisely what kind of a network the customer’s network is. It is only thereafter that it is possible to protect the network. In this case, the customer had not documented their network at all. The first day was spent building an overall picture of the network. We interviewed the employees, illustrated the network by drawing it by hand, and tried to figure out the network and where the attack came from,” says Juha.
By Saturday evening, Juha and his colleague have managed to map the edges of the network, that is, the points in contact with the Internet that the attackers may have used to break into the system. It’s not yet clear where the attackers got into the network and how they moved around in there. However, Nixu’s specialists have a preliminary view of the events. Based on that view, the customer starts to collect and deliver the disk images of certain computers during the night between Saturday and Sunday.
The other Nixu specialist maps the most important systems that must be up and running in order to restore the business of the customer company. In the meantime, Juha carries out a forensics investigation on the received disk images and finds the point from where the attackers managed to get into the system as well as the technique that the attackers used to move forward in the network.
First, the attackers have contacted a computer in the company’s network using an RDP connection. Then, they have searched for passwords on the computer, scanned the network shares near the computer, installed the encryption software on all of the computers that they were able to find and then listed which computers would be targeted next.
Once the basics of the attack have been clarified, Nixu’s specialists can start building a quick recovery plan based on which the customer’s employees start to reset the company’s systems.
The attackers have used a common ransomware package that can be bought on the black market. This ransomware does not encrypt only selected file types such as pictures and text files, but all of the data on the hard disks; this specific ransomware also encrypted all SMB shares the infected computer was connected to. After that, the ransomware demands a ransom for decrypting the data.
On Monday, the 27 stores of the customer operate in an interim mode. The stores are always closed on weekends.
“Although the malware had uninstalled itself from the systems, we were able to find its tools. The findings were sent to Finland to Nixu’s Tier 3 (T3) team. The tools were password-protected, but the specialists cracked them and investigated what the tools were doing. In this way, we made sure that we didn’t miss anything in the customer’s systems.”
Juha is part of the T3 team, the Incident Response Team that operates as the final tier of the Cyber Defense Center. The first tier, the T1 team, consists of specialists working in shifts who serve 24/7, monitor the customers’ systems, and make pre-assessments of encountered security incidents. The T2 team makes a deeper analysis of the extent of the threat and transfers the case, if necessary, to the T3 team, which has a comprehensive understanding and extensive experience in incident response as well as forensics and reverse engineering.
On Tuesday morning, four days after the alarm, the customer’s IT infrastructure is up and running and business is restored. Only the POS back-end systems of three of the 27 stores were not yet restored.
Nixu’s specialists give the customer instructions on the next steps and on how to prevent attacks in the future.
Instructions have been given and Nixu’s specialists return to Finland to prepare a final report on the incident. The report is submitted a couple of weeks after their return.
“In incident response, we help the customer set up the systems, ensure that the systems remain up and running, leave follow-up monitoring at the scene to ensure that the ransomware will not start spreading again and give instructions on long-term follow-up and prevention measures. The customer may then decide whether they want to invest, for example, in monitoring services. Simply restoring the business after the attack is never a permanent solution,” says Juha.
After this incident, the company became Nixu Cyber Defense Center’s (CDC) customer. Once the systems were cleaned and back online in the new network, Nixu started to monitor them. Now Nixu can operate quickly using remote connections if the company faces another attack.
What can we learn from this case?
What was the ultimate reason for the attackers being able to break into the network? One single weak password, which was so weak that it’s among the ten most common passwords according to Wikipedia.
“The first entry is usually made with automated tools, either brute forcing the username and password or leveraging a well-known vulnerability with an automated attack tool. After that, the question is only about who is the quickest one to take advantage of this. This is what happened in this case as well,” says Juha.
Later on, the forensics proved that the two attacks targeting the company were carried out by two different groups of hackers who acted differently inside the network. The latter group acted with a strict systematic approach; 39 systems were encrypted in five hours. This group chose certain computers in the network as hubs that enabled access to many places, while the first group hopped from one computer to another.
Juha explained that the second attack could have been prevented if things had been done correctly after the first attack.
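The brute-forced RDP entry through a weak password described above leaves a trace a defender can look for in Windows Security logs: a burst of failed logons (event 4625) from one source followed by a successful RemoteInteractive logon (event 4624, logon type 10) from the same source. The following added example is not code from the story or from Nixu; the event records, IP addresses and account names are constructed, and the simplified field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events, reduced to the fields the
# check needs. 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
SAMPLE_EVENTS = [
    {"time": "2019-03-01T22:30:01", "id": 4625, "src": "203.0.113.7", "user": "administrator"},
    {"time": "2019-03-01T22:30:03", "id": 4625, "src": "203.0.113.7", "user": "administrator"},
    {"time": "2019-03-01T22:30:05", "id": 4625, "src": "203.0.113.7", "user": "admin"},
    {"time": "2019-03-01T22:30:07", "id": 4625, "src": "203.0.113.7", "user": "backup"},
    {"time": "2019-03-01T22:30:09", "id": 4625, "src": "203.0.113.7", "user": "svc_erp"},
    {"time": "2019-03-01T22:34:00", "id": 4624, "src": "203.0.113.7", "user": "svc_erp", "logon_type": 10},
    # A user mistyping a password twice and then logging in: must not be flagged.
    {"time": "2019-03-01T09:00:00", "id": 4625, "src": "10.0.5.12", "user": "juha"},
    {"time": "2019-03-01T09:00:20", "id": 4625, "src": "10.0.5.12", "user": "juha"},
    {"time": "2019-03-01T09:00:40", "id": 4624, "src": "10.0.5.12", "user": "juha", "logon_type": 10},
]


def find_rdp_bruteforce(events, min_failures=5, window=timedelta(minutes=10)):
    """Return (source, user, time) for every RDP logon that was preceded by at
    least `min_failures` failed logons from the same source within `window`.
    The thresholds are assumed defaults; tune them to the environment."""
    events = sorted(events, key=lambda e: e["time"])  # ISO-8601 strings sort correctly
    failures = defaultdict(list)  # source address -> timestamps of recent 4625 events
    findings = []
    for e in events:
        t = datetime.fromisoformat(e["time"])
        src = e["src"]
        if e["id"] == 4625:
            failures[src].append(t)
        elif e["id"] == 4624 and e.get("logon_type") == 10:
            recent = [f for f in failures[src] if t - f <= window]
            if len(recent) >= min_failures:
                findings.append((src, e["user"], e["time"]))
            failures[src] = []  # a success closes the attempt series for this source
    return findings


if __name__ == "__main__":
    for src, user, when in find_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"possible brute-forced RDP logon: {user} from {src} at {when}")
```

The same logic works on real events if they are mapped to the `time`, `id`, `src`, `user` and `logon_type` fields; a password-spraying run that rotates usernames, as in the sample, is still caught because the grouping is by source address rather than by account.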
“Systems were similarly accessed each time. In order to implement the corrective recovery measures, we had to make the customer understand the ultimate reason why the attacker was able to access the system and how widely the attacker moved around inside the system.
For example, if the network was divided into segments, possible attacks could be limited and their impacts mitigated. Then, the attack would be limited to a part of the network and would not penetrate the entire network, as it did in this case. The attack spread from the warehouse to the core of the system, and to the stores.”
“Modern attackers break into one computer and proceed after that in the network using logins and passwords. Therefore, identity management is extremely important. Maintenance logins shouldn’t be used with weak passwords and there is no need for the developers to have administrator access to all the servers in the environment. Segmentation, firewalls, user management and documentation. These are the factors that would have prevented this case,” says Juha.
Juha’s quick guide to network security:
1. Segment your network.
2. Take care of the identity and login management.
3. Know your network and document it. There is no standard solution for defending oneself against attacks, but all environments should be monitored 24/7 – preferably by information security experts at a Security Operations Center (SOC).
Nixu Files is a series of modern-day detective tales where we dive deep into some of our most thrilling client cases. The stories read like a nail-biting mystery novel, but we swear they’re far from fiction. Welcome to the world of cyber noir.