Cyber Security Today – Why a warning wasn’t enough to stop this ransomware attack

Advance warning should have stopped this ransomware attack, and more on two-factor authentication

Welcome to Cyber Security Today. It’s Monday June 15th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.


Last Friday I talked about ways in which cyberattacks, including ransomware, can be stopped. Today I want to talk about a ransomware attack that wasn’t stopped even though the victim organization was warned. The story of the incident comes from security reporter Brian Krebs, who was tipped off by a cybersecurity firm late last month that hackers had gotten into the IT system of the city of Florence, Alabama. In fact, the researcher had figured out that the computer the hacker used to get into the system belonged to the IT manager. Krebs called the city and left a warning message that got to the right person, a system administrator, who called him back. The infected computer was taken offline and the owner’s account was changed. “We got everything taken care of now,” the reporter was told. Well, it wasn’t, because on June 5th the hidden ransomware was triggered and shut down the city’s email system. The city says it will pay a ransom of just under $300,000 to get its system back to normal. What went wrong? The city had lots of warning.

It appears that the city didn’t go far enough to protect its systems. The IT manager said after being warned he was trying to get city council approval to hire a cybersecurity firm to help rebuild the computer network, but decisions weren’t made fast enough.

There’s a big lesson here to all organizations: The purpose of most ransomware attacks is to infect as many computers and servers as possible before scrambling data. So if ransomware is confirmed on one computer then all the software on every system has to be deleted and re-installed — what professionals call rebuilding the network. Is your organization ready to do that quickly?

That Friday podcast also talked about the importance of two-factor or multi-factor authentication as an extra step to make it harder for an attacker to break into an organization with a stolen or guessed username and password. A column from IBM’s Security Intelligence blog published after I recorded my podcast makes the same point. It also argues that multi-factor authentication has to be added to all applications that need logins, not just email or the corporate virtual private network.

Finally, here’s another example of how multi-factor authentication can be invaluable in protecting an organization. To see how hackers work, a security company called Cybereason set up an internet-connected computer infrastructure that pretended to be an electricity generator’s network. This kind of test is called a honeypot, and it’s designed to attract attackers so that lessons can be learned. Like many organizations, this fake company had a way for staff to remotely log into the network with a password. Within three days of connecting to the internet, hackers had discovered the fake electricity company and, using an automated tool, guessed the administrator’s access password and logged in. Cybereason told me the password was of medium complexity. Two-factor authentication would have made it much harder for the attacker, the company acknowledged. Of course, the idea of this particular honeypot was to not make it too hard for a hacker, so researchers could see what they would do. After breaking in, the hacker tried to access the domain controllers. This is crucial. In a Windows environment a domain controller is a server that approves users’ authentication to computer resources. If a hacker can take over the domain controller they can access anything. Finally, in this test the hacker deployed ransomware on any computer they could. Among the lessons is that IT security teams have to be more vigilant in watching for cyberattacks.

That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cybersecurity professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon.

Howard Solomon
Currently a freelance writer. Former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, Howard has written for several of ITWC's sister publications, including ITBusiness.ca. Before arriving at ITWC he served as a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
