When ransomware groups offer security tips

Interesting story: I noticed a post on BlueSky that mentions a special goody for ransomware victims. After an attack, when a victim had received the decryptor and the key to decrypt their files, they asked whether they could have a "security report" revealing how the IT network had been penetrated. The victim did indeed receive some clues.

These are all well-known security tips, but I will briefly summarize them here. Here is the BlueSky post with the chat history between Akira and the victim:

In the first sequence from the screenshot above, the victim receives the instructions for decryption:

decrypt.exe —path —secret: Private key —logs — 
decrypt.exe —path C:\ —secret [redacted] —logs trace 
decrypt.exe —secret [redacted] —logs trace

The victim then thanks them and writes that they are now trying to decrypt. They then ask: "Can you provide a security report or tell us how you got in and what we need to do better?"

The Akira ransomware operators then provide a number of good suggestions, which are actually well known. Here is the breakdown of how Akira got into the network:

  • Initial access to your network was acquired on the dark web.
  • Then Kerberoasting was performed and we obtained hashes of passwords.
  • Then we simply brute-forced them and obtained the domain admin password.
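
As an added illustration (not part of the post or the chat), here is a minimal defender-side hunt for the Kerberoasting step described above: it walks over constructed Windows Security event 4769 records and flags any account that requested RC4-encrypted service tickets for many distinct service accounts within a short window. The field names follow event 4769; the log records, account names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security event 4769 (Kerberos service ticket request)
# records, reduced to the fields a Kerberoasting hunt needs. These values are
# made up for the example; real data comes from the domain controllers' logs.
# Fields: timestamp, TargetUserName, ServiceName, TicketEncryptionType, IpAddress
SAMPLE_4769 = [
    ("2024-03-01T09:00:01", "jdoe", "svc_sql", "0x17", "10.0.5.23"),
    ("2024-03-01T09:00:02", "jdoe", "svc_web", "0x17", "10.0.5.23"),
    ("2024-03-01T09:00:02", "jdoe", "svc_backup", "0x17", "10.0.5.23"),
    ("2024-03-01T09:00:03", "jdoe", "svc_sccm", "0x17", "10.0.5.23"),
    ("2024-03-01T09:00:03", "jdoe", "svc_print", "0x17", "10.0.5.23"),
    ("2024-03-01T09:00:04", "jdoe", "svc_mon", "0x17", "10.0.5.23"),
    ("2024-03-01T09:00:04", "jdoe", "WS042$", "0x17", "10.0.5.23"),
    ("2024-03-01T09:15:00", "asmith", "svc_sql", "0x12", "10.0.7.40"),
    ("2024-03-01T10:30:00", "asmith", "svc_web", "0x12", "10.0.7.40"),
    ("2024-03-01T11:05:00", "bkim", "svc_sql", "0x17", "10.0.9.12"),
]

RC4_HMAC = "0x17"  # TicketEncryptionType that roasting tools request for offline cracking


def find_kerberoasting(events, window=timedelta(minutes=5), min_services=5):
    """Return {account: [service accounts]} for every requesting account that
    obtained RC4 service tickets for at least `min_services` distinct
    user-style service accounts within `window`. Normal users touch a handful
    of SPNs over a day; a roast pulls many within seconds."""
    by_account = defaultdict(list)
    for ts, requester, service, etype, _ip in events:
        # Machine accounts ($) carry long random passwords and are not the
        # crackable targets of interest; krbtgt tickets are TGT traffic.
        if etype != RC4_HMAC or service.endswith("$") or service == "krbtgt":
            continue
        by_account[requester].append((datetime.fromisoformat(ts), service))
    flagged = {}
    for requester, reqs in by_account.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):  # sliding window from each request
            in_window = {s for t, s in reqs[i:] if t - start <= window}
            if len(in_window) >= min_services:
                flagged[requester] = sorted(in_window)
                break
    return flagged


if __name__ == "__main__":
    for account, services in find_kerberoasting(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {account}: {', '.join(services)}")
```

The complementary check on the mitigation side is to list every account with a servicePrincipalName set and confirm it uses a long random password or a group managed service account, which is what makes the brute-force step in the chain fail.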

The hackers spent weeks in the victim's network. In the process, the attackers were able to discover a number of errors that the victim should definitely rectify. Here are the tips from the Akira operators:

  • None of your employees should open suspicious e-mails or suspicious links or download files, let alone execute them on their computer.
  • Use strong passwords and change them as often as possible (at least 1-2 times per month). Passwords should not match or be repeated on different resources.
  • Install 2FA wherever possible.
  • Use the latest versions of operating systems as they are less vulnerable to attacks. Update all software versions.
  • Use antivirus solutions and traffic monitoring tools.
  • Create a jump host for your VPN. Use unique login credentials that are different from those of the domain.
  • Use backup software with cloud storage that supports a token key.
  • Educate your employees as often as possible about online security precautions. The biggest vulnerability is the human factor and the irresponsibility of your employees, system administrators, etc.

The chat concludes with "We wish you safety, peace of mind and many benefits in the future. We thank you for your cooperation with us and for your prudent behavior with regard to your security. Proof of data deletion will be provided shortly." Maybe someone can use some of the advice.
