Be careful around pirated software. A student at an unnamed bio-molecular research institute in Europe accidentally opened the door for a ransomware attack on the organization after installing a piece of “cracked” software, according to security firm Sophos.
The research institute has been conducting COVID-19 research and has close partnerships with local universities, enabling students to connect to the facility’s internal network via a remote access client from Citrix. Unfortunately, one student with access to the network downloaded a piece of pirated software, which helped expose the research facility to the attack.
According to Sophos, the unnamed student “wanted a personal copy of a data visualization software tool they were already using for work.” However, a single license for the software can cost hundreds of dollars per year. As a result, the student searched for a “cracked” version of the software product to use on a Windows laptop.
“They found what appeared to be one and tried to install it. However, the file was in fact pure malware and the installation attempt immediately triggered a security alert from Windows Defender,” Sophos said.
The security alert from Windows Defender should’ve been a red flag enough. But for whatever reason, the student decided to disable the Windows antivirus program and the laptop’s firewall.
“This time it worked,” Sophos said. “However, instead of a cracked copy of the visualization tool they were after, the student got a malicious info-stealer that, once installed, began logging keystrokes, stealing browser, cookies, and clipboard data and more. Somewhere along the way it apparently also found the student’s access credentials for the institute’s network.”
Sophos then speculates the hacker behind the malicious info-stealer decided to sell the login credentials to the operators behind the notorious Ryuk ransomware strain. "The underground market for previously compromised networks offering attackers easy initial access is thriving," said Peter Mackenzie, manager of Rapid Response at Sophos.
Thirteen days after the pirated software was installed, a mysterious remote desktop protocol connection was made to the research institute using the student’s login credentials. “Ten days after this connection was made the Ryuk ransomware was launched,” Sophos added.
Fortunately, the research institute had backups in place, but they were not up to date. So the facility lost a week’s worth of research data due to the attack. It also had to rebuild the affected computer systems, costing more time and resources.
“Perhaps the hardest lesson of all, however, was discovering that the attack and its impact could have been avoided with a less trusting and more robust approach to network access,” Sophos said. For example, the company notes the remote access to the research institute had no two-factor authentication in place.
Sophos uncovered the intrusion’s original source after the security firm was brought in to contain the threat. The company not only examined network logs, but also analyzed the laptop the unnamed student used to download the pirated software.
Sophos added: “In this case, the implementation of robust network authentication and access controls, combined with end user education might have prevented this attack from happening. It serves as a powerful reminder of how important it is to get the security basics right.”