Technology Can’t Fix Governance: A Case Study in Ransomware

Technology Can't Fix Governance: A Case Study in Ransomware

An organization we work with was recently the victim of a ransomware attack. A senior member of the organization called the help desk to report that all of the files on his computer had been encrypted and it would cost around $1000 USD to get his files back.

The organization has strong technical controls in place including robust anti-virus, anti-spam, anti-phishing, and intrusion prevention technology, so they were caught by surprise by the attack. How could such an attack occur in an organization with good perimeter security in place? The organization’s technical staff reached out for assistance. After a brief investigation, an unusual weak link was discovered.

The department involved in the attack was in the midst of recruiting for an option position. In an attempt to attract a larger-than-usual pool of applications, the department decided to post the job description to Craigslist instead of going through the organization’s formal job recruitment portal.  Applicants were instructed to reply to a mailing list, so resumes would be shared with everyone on the search committee.

Shortly after the job posting went live, numerous applications began to arrive. Since members of the search committee were expecting emails from applicants with their resumes attached, it did not seem unusual for the following message to arrive.

Cryptoware Example 01

The email message contained a password-protected ZIP file with the password included in the body of the email message. Once unzipped, the file revealed a Microsoft Word document which contained a macro, a small computer program which can be embedded inside of another document.

Cryptoware Example 02

The obfuscated text is a BASE64 encoded string.  Decoding it reveals the true intention of the macro.

Cryptoware Example 03

Once the user opens the Microsoft Word document and clicks the button to enable macros, the script launches, causing Powershell on the local Windows computer to execute the embedded script. The Powershell script retrieves a malware executable from a remote host and then runs it, leading to the infection.  

In this case, the organization maintained good technical controls to ensure the availability of critical data -- specifically robust offline backups -- so no ransom had to be paid.  The system was simply re-imaged and the user’s data was restored from that morning’s backup.

This failure chain highlights the all-too-common case in which technical controls could not stop an attack.  The use of an encrypted ZIP file as a payload thwarted the ability of email scanners and perimeter systems to detect and block an email carrying a macro-laden Office document.  Anti-virus, intrusion prevention, and IP blacklisting systems had not yet acquired signatures for the malware or for the site being used to host the executable.  

This incident highlights the importance of all three pieces of the Cybersecurity puzzle -- people, processes, and technology. Even if your organization has state-of-the-art technical controls in place, your staff members can unwittingly and unintentionally leave your organization vulnerable to attacks. Without formal governance in place -- policies, procedures, and accountability for following these policies and procedures -- workarounds are easy. Even though the organization had a process in place for hiring and a recruiting system in place prepared to scan incoming resumes and cover letters, a department went rogue. The department’s intentions were good, but without using the tools and systems in place to try to prevent such attacks, the organization left itself exposed.

The key: focusing your organization’s Cybersecurity program on all three areas: people, processes, and technology. In many ways, technology is the easiest piece of the puzzle. Governance is a challenge, and one that needs to be worked on continually. Don’t underestimate its importance.

Contact us to discuss your organization's Information Security program or to get started with an Information Security Assessment.