Cleaning Up A Cybersecurity Mess: Blue Mantis Details The ‘Aftermath’ Of A Ransomware Attack
The Russian hacker group BlackCat got the password from the dark web and proceeded to breach the company’s core Microsoft Active Directory environment, said Blue Mantis Chief Operating Officer Jay Pasteris.
The nightmare ransomware attack on a privately held national call center provider for some of the largest companies in the world started with a customer logging into the company’s system with their own password and credentials.
The problem was that the customer was using an open Remote Desktop Protocol (RDP) connection into the system with inadequate password and multifactor authentication controls, said Jay Pasteris, the chief operating officer of security superstar Blue Mantis, which was called in to help clean up and resolve the breach.
Not only was the customer allowed to log in without multifactor authentication, but the password the customer was using had never been changed. “Ultimately that agent’s password got posted on the dark web,” said Pasteris.
The Russian hacker group BlackCat got the password from the dark web and proceeded to breach the company’s core Microsoft Active Directory environment, said Pasteris.
“Ultimately that hacker was able to move laterally, elevate privilege across this company’s environment to the point where they found their way to the main domain controller within this organization,” Pasteris said. “Once there they were able to camp out there, surveil the environment, learn the environment and actually build a ransomware package in that environment using the company’s own GPOs (Group Policy Object settings) to deploy that (ransomware) to the organization.”
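The two entry points the post-mortem describes, an internet-facing RDP logon with a customer account and Group Policy changes made from a compromised account, are both visible in Windows security events. The following triage script is an added example, not code from Blue Mantis or from the article; the event records are constructed samples in a simplified form, and the internal address ranges and the list of accounts permitted to edit GPOs are assumptions.

```python
"""Triage Windows security events for two patterns from the post-mortem:
RDP logons arriving from outside the corporate address space (the exposed
entry point) and Group Policy object changes by accounts that are not
expected to edit GPOs (the channel used to push the ransomware)."""
from ipaddress import ip_address, ip_network

# Assumed corporate address ranges; adjust to the real environment.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
RDP_LOGON_TYPE = 10            # 4624 logon type 10 = RemoteInteractive (RDP)
GPO_EVENT_IDS = {5136, 5137}   # directory service object modified / created
GPO_ADMINS = {"gpo-admin"}     # assumed accounts allowed to change GPOs

# Constructed sample events (not real logs from the incident).
SAMPLE_EVENTS = [
    {"id": 4624, "logon_type": 10, "user": "svc-callcenter", "src": "203.0.113.45"},
    {"id": 4624, "logon_type": 10, "user": "jdoe", "src": "10.20.1.7"},
    {"id": 4624, "logon_type": 2, "user": "jdoe", "src": "-"},
    {"id": 5137, "user": "svc-callcenter", "object_class": "groupPolicyContainer",
     "object": "CN={GUID-PLACEHOLDER},CN=Policies,CN=System,DC=example,DC=local"},
    {"id": 5136, "user": "gpo-admin", "object_class": "groupPolicyContainer",
     "object": "CN={GUID-PLACEHOLDER},CN=Policies,CN=System,DC=example,DC=local"},
    {"id": 5136, "user": "svc-callcenter", "object_class": "user",
     "object": "CN=jdoe,OU=Staff,DC=example,DC=local"},
]


def is_internal(src):
    """True when src is inside an internal range; non-IP values ('-',
    hostnames) are treated as local rather than external."""
    try:
        addr = ip_address(src)
    except ValueError:
        return True
    return any(addr in net for net in INTERNAL_NETS)


def triage(events):
    """Return (finding, account, detail) tuples for the two patterns."""
    findings = []
    for e in events:
        if (e["id"] == 4624 and e.get("logon_type") == RDP_LOGON_TYPE
                and not is_internal(e["src"])):
            findings.append(("external_rdp_logon", e["user"], e["src"]))
        elif (e["id"] in GPO_EVENT_IDS
                and e.get("object_class") == "groupPolicyContainer"
                and e["user"] not in GPO_ADMINS):
            findings.append(("gpo_change_by_unexpected_account", e["user"], e["object"]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

In a real environment the 4624 source address comes from the event's IpAddress field and the GPO events require the Directory Service Changes audit subcategory to be enabled.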
Pasteris and Blue Mantis Vice President of Information Security Jay Martin, along with three top security experts, detailed the “harsh” realities of the breach in a rare look behind the scenes of the high-profile ransomware attack. The company that was hit was providing call center software and services for companies across multiple industries, including technology, banking and retail, in multiple countries.
The candid cyberattack post-mortem came at Blue Mantis’ inaugural cybersecurity symposium, held earlier this year.
With a push of a button, the BlackCat ransomware organization “shut down the entire organization,” said Pasteris. “And they did it in a way that as they siphoned the data off, it would siphon a bit off and then encrypt a bit.” The sophisticated malware payload from the outset “wreaked havoc on the organization,” he said.
The initial device that was compromised had an extended detection and response product that was simply not configured properly. “They had done a lot of acquisitions, they had merged companies together, they took on different components, so that software was not configured properly,” said Pasteris.
Once the company got hit by BlackCat the initial response was not to call in an incident response team but rather to try to restore the environment with backups, said Pasteris.
The problem was the company’s attempt to restore the backups was “redeploying the malware” throughout the company’s IT environment, said Pasteris.
“This went on for a while and during that phase what they didn’t realize they were doing when they were (attempting to) restore environments, redeploying and reimaging, they were contaminating the crime scene,” said Pasteris. “They were removing logs. They were removing evidence, all needed to get back online fast in a meaningful way.”
The company’s intentions to do the “right things” in a pressure-packed rush to get back online quickly “kept making the situation worse,” said Pasteris. “That led to many months of rebuild.”
Ultimately, the company ended up paying some of the ransom, but it “didn’t help” because the data was “still leaked and siphoned off to other organizations,” said Pasteris.
Martin, a cybersecurity veteran, said before the attack the company that was hit was looking at bringing Blue Mantis on board to do a security assessment. At that time, the CISO was asked if the company was using multifactor authentication.
“The answer was yes,” recalls Martin. “Well they were but not everywhere…What we found out after was they deployed multifactor to their own users remoting into the environment but once you got into the environment you didn’t have to use MFA. How the bad actors got in was they took advantage of one of their customers’ user names and password. There was no MFA (multifactor authentication) on that.”
Blue Mantis continues to see a lack of security controls at companies, said Martin. “This comes down to what’s normal in your environment?” he said. “What applications do you have and how are you protecting those applications. A lot of organizations don’t keep track of their assets: how they are protected and how they do defense around those apps?”
Pasteris says the company hit by the breach was a “tremendous organization” with an outstanding reputation and a CEO who if you asked him about the firm’s cybersecurity stance would have responded that it was “buttoned up and good.”
When the breach took hold, the CEO and the leadership team faced “intense pressure” from affected customers.
Besides the pressure from clients, BlackCat had knowledge of the executives’ cell phone numbers and where they lived, “putting intense pressure on these executives 24 hours a day,” said Pasteris. “Ultimately as we stand here today they are back online but they are still struggling. This has been a long road for them.”
The company involved in the breach with Blue Mantis working with them did call the FBI in to assist in the aftermath of the breach.
Joe Bonavolonta, a former FBI special agent in charge of the Boston office who is now a managing partner at global risk management advisory firm Sentinel, advised businesses to become familiar with the name, phone number and email address of the head of the cyber task force at their local FBI office.
One big advantage of calling in the FBI is the agency’s ability to look across all 56 field offices to determine if there are already “open and active” investigations into the ransomware group.
The FBI, in fact, has subject matter experts across all 56 field offices who have detailed knowledge of ransomware variants.
In fact, the FBI may have a “decryption key” for the ransomware or even a partnership with a private sector entity that has a decryption key, said Bonavolonta.
“One of the other things we bring to the table is our cyber action teams and our recovery asset teams,” he said. “The recovery asset team is a huge component because, especially if payments are made, in some cases we have the ability, with the relationships we have developed with financial institutions throughout the country and really around the world, to potentially freeze and seize some of these assets or some of these funds before they actually go out.”
Kevin Powers, founder and director of the Master of Science in Cybersecurity Policy and Governance programs at Boston College, for his part, said companies need to put proper, well-tested incident response planning and management in place before a cybersecurity attack.
“If you are discussing when you are in the middle of a breach should we call the FBI or not that is a problem, that is something you should already have planned for and had discussions about,” he said. “It is truly a business decision.”
Customers need to have a detailed “incident response plan” on how they are going to respond to a cyberattack, said Powers. “Eighty-five percent of it should be taken care of,” he said.
What’s more, Powers said, once customers build a plan they need to test it in a “tabletop” exercise. “You need to sit down and go through it,” he said.
In the case of the call center provider ransomware breach, Pasteris said the company had an incident response plan but it wasn’t updated and they did not “actively” practice it. “What we experienced when it happened was a bit of mayhem, people were on vacation, and they didn’t know who was supposed to fill in,” he said.
Scott Lashway, partner at Manatt, Phelps & Phillips, LLP and co-leader of the firm’s cybersecurity practice, said customers need to understand their legal obligations once a breach occurs. “That probably begins with your obligation to thoroughly investigate what happened,” he said. “Where that legal obligation originates can be from statute, it can be from common law, say negligence standards. If you have single factor (authentication) and an outward facing access point there are a lot of security professionals that will tell you it’s only a matter of when not if you are going to get breached. Is that negligent? Well maybe that company only offered single factor when that product came out. Maybe you still use it because you don’t have a budget to upgrade to the latest version.”
Customers need to get “rid” of the mentality of “it’s not a matter of if but when” you get breached, said Lashway. “We all need to take a look at ourselves in the mirror and really get rid of that mentality. It has become an excuse. It has become an excuse that lawyers use to justify companies getting compromised and it has become an excuse in boardrooms when they are not funding your needs to build technology (that protects companies from cybersecurity attacks).”
Pasteris said the company that suffered the breach not only got hit by BlackCat but also was hit by another ransomware group that bought the data. “They came in, made a claim, showing an example of the data they bought,” he said.
“Now the customer was dealing with two ransomware groups trying to extort them,” said Pasteris. “One is really in. The other just has data and they were using that data to cause panic and fear, saying here is an example, pay us or we will release it.”
Pasteris said the aftermath of the attack clearly shows a company in distress. “The chaos that ensues is incredibly crippling to an organization,” he said, urging CIOs to be “loud” about implementing an assess, modernize and manage model to prevent attacks. “Because when you do get hit the other side of that breach is no place you want to be. It is disruptive. It is very taxing on the organization and individuals.”
Pasteris’ final advice for customers: “Make sure your organization understands true business resiliency. That’s where you have to live now because these attacks are coming so fast and furious.”