Colum Traynor
 asked on

Cause of ransomware attack

Recently one of our sites suffered a ransomware attack. Luckily, we had good image backups and were able to roll back to the previous healthy backup, so downtime was only a few hours.

We now want to determine the point of the attack.

The site setup is as follows:

Office with 60 users
2 x host servers in a Hyper-V cluster with 4 VMs
One of the VMs is a 2012 terminal server
Fortinet firewall in place
10 users work from outside the office
They have laptops with a software VPN on each
They first connect to the VPN and then RDP to the TS
ESET AV installed on all machines

Following the attack we checked all internal machines for ransomware (we used Malwarebytes); all machines appear to be clean.

We examined the infected terminal server and discovered the following:
A high number of failed login attempts using various different accounts before the attack
Successful login via an AD user called "accounts" that is currently not in use
Within a minute, an executable file was downloaded to the Downloads folder of this user's profile
The following day the wallet ransomware signature was found under this user's profile

We have kept the terminal server off since the attack.

My question is: where is the likely source of the attack? Only VPN traffic is allowed through the firewall. Was the terminal server itself compromised, or would it be more likely one of the laptops and in turn the TS?

Any help would be appreciated - thanks

Colum
Tags: Microsoft Server OS, Ransomware
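The sequence the asker found on the terminal server (a burst of failed logons across many accounts, then a success on an unused account, then a download within a minute) is the classic brute-force/password-spray shape, and the Security log records the one field that answers the "laptop or TS" question: the IpAddress in the 4624 success event and the 4625 failures, which shows whether the client sat in the VPN address pool or somewhere else. The script below is an added example, not code from the question or any of the answers. It runs the detection over a constructed list of records shaped like the Security log fields (Event ID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP); the account names, addresses, timestamps, the `DORMANT_ACCOUNTS` set and the `VPN_POOL_PREFIX` are all invented for the example. In practice the records would come from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625}` on the TS or from an exported EVTX. It deliberately does not filter on logon type, because on a server with Network Level Authentication enabled the failed attempts are commonly recorded as logon type 3 rather than 10.

```python
"""Hunt for a failed-logon burst on a Windows terminal server that ends in a
successful logon from the same source address.

Added example, not from the original question or any answer.  RECORDS is a
constructed sample mirroring Security-log fields; in real use, populate it
from Get-WinEvent or an exported EVTX.  All names, IPs and times are invented.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LogonEvent:
    time: datetime
    event_id: int        # 4625 = failed logon, 4624 = successful logon
    account: str         # TargetUserName
    source_ip: str       # IpAddress: client address as seen by the TS
    logon_type: int      # 10 = RemoteInteractive (RDP), 3 = network, 2 = console


# Constructed sample: a spray from one address against many accounts, then a
# success on a dormant account, plus ordinary VPN-user background noise.
T0 = datetime(2017, 3, 10, 2, 14, 0)
RECORDS = [
    LogonEvent(T0 + timedelta(seconds=i * 7), 4625, acct, "198.51.100.23", 10)
    for i, acct in enumerate(["administrator", "admin", "backup", "test",
                              "accounts", "sales", "reception", "accounts"])
] + [
    LogonEvent(T0 + timedelta(minutes=1, seconds=5), 4624, "accounts", "198.51.100.23", 10),
    # Normal office user arriving from the VPN pool, no failures first.
    LogonEvent(T0 + timedelta(hours=6), 4624, "jsmith", "10.10.50.14", 10),
    # One mistyped password from a VPN user, then success: not a burst.
    LogonEvent(T0 + timedelta(hours=6, minutes=1), 4625, "mjones", "10.10.50.15", 10),
    LogonEvent(T0 + timedelta(hours=6, minutes=2), 4624, "mjones", "10.10.50.15", 10),
]

# Assumed: accounts that should never log on interactively (disabled/unused).
DORMANT_ACCOUNTS = {"accounts"}

# Assumed VPN client address pool; only used to label where a source sits.
VPN_POOL_PREFIX = "10.10.50."


def find_brute_force_then_success(records, window=timedelta(minutes=15),
                                  min_failures=5, min_accounts=3):
    """Return one finding per source IP that produced at least `min_failures`
    4625 events against at least `min_accounts` distinct accounts inside
    `window`, followed by a 4624 success from the same address.  Events are
    processed in time order so only "burst, then success" is reported."""
    by_ip = defaultdict(list)
    for ev in sorted(records, key=lambda e: e.time):
        by_ip[ev.source_ip].append(ev)

    findings = []
    for ip, events in by_ip.items():
        failures = []                          # sliding window of recent 4625s
        for ev in events:
            if ev.event_id == 4625:
                failures.append(ev)
                failures = [f for f in failures if ev.time - f.time <= window]
            elif ev.event_id == 4624:
                recent = [f for f in failures if ev.time - f.time <= window]
                accounts_tried = {f.account for f in recent}
                if len(recent) >= min_failures and len(accounts_tried) >= min_accounts:
                    findings.append({
                        "source_ip": ip,
                        "inside_vpn_pool": ip.startswith(VPN_POOL_PREFIX),
                        "failures_before_success": len(recent),
                        "accounts_tried": sorted(accounts_tried),
                        "success_account": ev.account,
                        "success_time": ev.time,
                        "success_logon_type": ev.logon_type,
                        "dormant_account_used": ev.account in DORMANT_ACCOUNTS,
                    })
                    failures = []              # do not re-report the same burst
    return findings


if __name__ == "__main__":
    for f in find_brute_force_then_success(RECORDS):
        origin = "VPN pool address" if f["inside_vpn_pool"] else "NOT a VPN pool address"
        print(f"{f['success_time']}: {f['failures_before_success']} failures against "
              f"{len(f['accounts_tried'])} accounts from {f['source_ip']} ({origin}), "
              f"then success as '{f['success_account']}' "
              f"(dormant={f['dormant_account_used']}, logon type {f['success_logon_type']})")
```

The thresholds are deliberately loose (five failures over three accounts in fifteen minutes) so that a slow spray is still caught while a single user mistyping a password once is not. The `inside_vpn_pool` flag is the practical check for this case: a source inside the VPN pool points at a laptop's session, while any other address means the TS was reachable by some path other than the VPN.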

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Thomas Zucker-Scharff

Colum Traynor

ASKER
Thanks. So how would such an attack happen and could it have been prevented?
Scott C

Most ransomware attacks come from users clicking on links or going to web sites that are less than reputable.

User education is one of the best forms of prevention, in addition to your hardware.
SOLUTION
John Tsioumpris

Colum Traynor

ASKER
Thanks, I will find that out. I am not the sysadmin, but I will check that and report back.
Thomas Zucker-Scharff

Users are the biggest problem and the hardest to fix. User education only works if it comes from the top down. One of the campaigns with the best results is a fake phishing campaign. Click-throughs generally go from ~85% to 15%!
SOLUTION
btan

SOLUTION
David Johnson, CD

btan

I'd like to understand why my answer ID: 42053584 is excluded from consideration?
myramu

Hello Colum Traynor,

To fight against these kinds of attacks, 2FA plays an important role.
Implementing 2FA (two-factor authentication) protects you from ransomware-related attacks because they use stolen credentials to access the systems. Using a 2FA process can help lower the cases of identity theft, because the attacker would need more than just the user's name and password details. Also install endpoint security on all systems, which should protect against unauthorized modification of the system MBR.

Good Luck!
Colum Traynor

ASKER
Thanks for the great advice. We contained the problem and implemented the following:

Sophos Intercept X installed on all endpoints
Hardened the firewall
Implemented two-factor authentication using Duo
Had a professional penetration test carried out by a third party - passed :)

So looking much better now