OUR SERVICES
System Compromise Investigations
During 2015-2016 we have seen a significant rise in the incidence of Cryptolocker and spear-phishing attacks, as well as the regular compromise of hosted systems.
Attackers have been able to identify and exploit weaknesses in business IT systems as well as the naivety of users, resulting in the substantial loss of data and money. This should prompt all businesses to reassess and test the security of their systems. All businesses should be examining access control, reviewing the need for two-factor financial sign-off and questioning the effectiveness of their continuity and backup systems.
CASE STUDY
Cryptolocker Attacks
Cryptolocker (also known as ransomware) involves computer systems being compromised by a Trojan file that encrypts all of the victim's content.
In a business environment with network shares and user directories, that can involve a substantial amount of data, and even more if the affected user has "Admin" rights. This type of system compromise has become common, and we now regularly see evidence of remnant encrypted data on the systems we examine.
One matter we investigated in early 2016 involved the account used by a network-connected printer/scanner/photocopier being compromised through a brute-force RDP attack. The business had been compromised for five months before the intrusion was discovered, and then only because the attackers left a parting 'message' by downloading and executing the Cryptolocker executable. As the device had been set up with an Admin account, all network data was encrypted.
The first port of call in this type of attack is to rebuild the systems and restore the data. Unfortunately, in this case we discovered that the backups hadn't been working correctly for three weeks, which meant a loss of three weeks' data that had to be manually re-entered.
Our engagement on this matter involved identifying when and how the compromise occurred, what data (if any) was accessed and taken from the system, how the business responded to the attack, how the business's IT service provider responded to the attack, and how well the business was prepared to defend against and respond to future attacks.