#COVID19 Researchers Lose a Week’s Work to Ryuk Ransomware

An organization involved in COVID-19 research lost a week’s worth of critical data after a Ryuk attack which used a stolen password, according to Sophos.

Cybersecurity vendor Sophos revealed the case yesterday as a cautionary tale of what can happen when organizations don’t follow security  best practice.

The problem was traced back to one of the university students that the European research institute collaborates with as part of its outreach programs.

That student obtained what they thought was a ‘crack’ version of a data visualization tool they needed, except in reality it contained information-stealing malware. The individual apparently disabled Windows Defender and their PC firewall after the security tool triggered a malware alert pre-download.

The malware harvested keystrokes, stealing browser, cookies, clipboard data and, it transpired, the student’s log-ins for the research institute.

“Thirteen days later a remote desktop protocol (RDP) connection was registered on the institute’s network using the student’s credentials,” Sophos explained.

“A feature of RDP is that a connection also triggers the automatic installation of a printer driver, enabling users to print documents remotely. This allowed the Rapid Response investigation team to see that the registered RDP connection involved a Russian language printer driver and was likely to be a rogue connection. Ten days after this connection was made, the Ryuk ransomware was launched.”

Although the unnamed biomolecular specialist had back-ups, they were not fully up-to-date, meaning that a week’s worth of vital research was lost. The firm also suffered a significant operational cost as all computer and server files had to be rebuilt from the ground-up before data could be restored, the security vendor said.

“It is unlikely that the operators behind the ‘pirated software’ malware are the same as the ones who launched the Ryuk attack,” said Peter Mackenzie, manager of Rapid Response at Sophos.

“The underground market for previously compromised networks offering attackers easy initial access is thriving, so we believe that the malware operators sold their access on to another attacker. The RDP connection could have been the access brokers testing their access.”

Sophos recommended organizations deploy multi-factor authentication (MFA) for access to any internal networks, especially from third-parties, keep software regularly updated, segment networks and restrict account privileges.

It also urged customers to lock down RDP access with static Local Area Network (LAN) rules, via a group policy or using access control lists.

Leave a Reply