SPOT Cybersecurity Tip: Anatomy of a Cyber Attack

Cybersecurity Tip from The Fulcrum Group
Click to read more SPOT Cybersecurity Tips on LinkedIn.

Good news for small businesses: most cybercriminals are not targeting you specifically. The bad news is that another type of criminal gang, the Initial Access Broker (IAB), exists solely to gain remote access to businesses’ IT systems and sell that access on to other cybercriminals, such as ransomware gangs. Their business model is one of volume: the more remote access they gain, the more money they make, so any business that is easy to get into is a target.

Let’s meet John, the CFO of a growing logistics and distribution company. He has been with the company for a number of years. John, like many users, suffers from password fatigue: he has so many websites, applications and other systems that need a password that he cannot remember a different one for each. He does not use a password manager, so he uses a single, relatively complex password (a nonsense word with a couple of symbols and numbers mixed in) for every business and personal website, application and system he accesses. That one password is now the only thing standing between an attacker and all of those accounts.

John uses many social media and personal email websites, and one of them was breached. Its users’ usernames and passwords were stolen and dumped on the Dark Web, where criminal gangs such as Initial Access Brokers buy and trade them.

One of these IABs purchased a list of credentials, John’s among them, and began trying John’s username and password against various websites and cloud applications such as Microsoft 365, Salesforce and Citrix remote access, a technique known as credential stuffing. The password worked on Microsoft 365. This process took less than 24 hours.

Once inside John’s Microsoft 365 mailbox, the IAB searched his email for remote access instructions. Voila! There were instructions on how to connect to the company’s network remotely over VPN, and the VPN accepted the same username and password. A few minutes later, the IAB was on the internal network. What made it even sweeter for the IAB was that John’s account had domain administrator privileges, so the attacker now controlled the entire Windows domain. This entire process took less than 24 hours.

The IAB did a little background research on the company and found that it had over 100 employees and revenue exceeding $30 million, enough to make it an attractive ransomware victim. The IAB sold the access to a ransomware gang for a few hundred dollars. This also took less than 24 hours.

The ransomware gang then began its reconnaissance. It reviewed the logistics and distribution company’s data and found a lot of sensitive material: intellectual property, employee background checks and personally identifiable information (PII). This process took less than a week.

Now the ransomware gang went to work, first exfiltrating the company’s sensitive data and then encrypting the company’s systems with ransomware. This process took about a week.

Next up: demanding a ransom. This ransomware gang chose double extortion. The first ransom was for the decryption key; the second was for the gang’s promise to delete the company’s stolen data from their servers and not to publish it or use it in other criminal activity. The ransom demand was sent within 24 hours and had to be paid within 3 days.

Unfortunately for John’s company, the ransomware gang had deleted its backups before encrypting anything. Backups that the same administrator credentials used to run the network can reach and delete are no defence against an attacker who holds those credentials; only offline or immutable copies are. So the company ended up paying a multi-million-dollar ransom. Even worse, the decryption key the gang provided recovered only part of the data.

Lessons Learned

  • Implementing multi-factor authentication (MFA) for the company’s email and remote access solutions would have stopped this attack in its tracks: the stolen password alone would not have been enough to sign in to Microsoft 365 or the VPN. MFA is the #1 way to improve your cybersecurity posture.
  • Implementing a password manager for all of the company’s users would make it easy for them to use unique, complex, random passwords everywhere, and easy to change old passwords, so that one breached website no longer exposes every other account.
  • Reviewing administrator privileges regularly is a key component of any cybersecurity program. Review not only on-premises Windows Active Directory privileges but also Microsoft 365 and other critical systems. A CFO has no business need for domain administrator rights, and anyone who does need them should use a separate administrator account rather than the everyday account they read email with.
  • Remember that while cybercriminals are not specifically targeting you, if you make it easy for them to attack you, they will.
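One way to perform that privilege review, as an added example that is not part of The Fulcrum Group’s tip: the PowerShell script below lists every user account that is a member of the most privileged on-premises Active Directory groups (expanding nested groups, because a user who is a domain admin only through a nested group is easy to miss in a manual review), flags the ones whose job title does not look like an IT role, and then lists the members of the Global Administrator role in the Microsoft 365 tenant. It assumes the ActiveDirectory RSAT module and the Microsoft.Graph PowerShell module are installed, that it runs on a domain-joined machine as an account allowed to read both directories, and that the group list and the title pattern (both assumptions) are tuned to your environment.

```powershell
# Added example (not from The Fulcrum Group's post). Lists who actually holds
# the most privileged rights on-premises and in Microsoft 365, so that an
# account like John's (a CFO with domain administrator rights) stands out.
# Assumes the ActiveDirectory RSAT module and the Microsoft.Graph module are
# installed; the group names and title pattern below are assumptions to tune.

Import-Module ActiveDirectory

# Tier-0 groups to review. Enterprise Admins and the built-in Administrators
# group grant as much control as Domain Admins and are often forgotten.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins')

$OnPremAdmins = foreach ($Group in $PrivilegedGroups) {
    try {
        # -Recursive expands nested groups, so a user who is a domain admin only
        # through a nested group (easy to miss in a manual review) is still listed.
        Get-ADGroupMember -Identity $Group -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties Title, Department, LastLogonDate, PasswordLastSet |
            Select-Object @{ n = 'Group'; e = { $Group } },
                          SamAccountName, Title, Department, Enabled,
                          LastLogonDate, PasswordLastSet
    }
    catch {
        # e.g. Schema Admins and Enterprise Admins exist only in the forest root domain
        Write-Warning "Could not enumerate '$Group': $($_.Exception.Message)"
    }
}

Write-Host '=== On-premises privileged group members ==='
$OnPremAdmins | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# Heuristic: a privileged account whose job title is not an IT role (a CFO,
# for example) is the first thing to question. Tune the pattern to your org.
$ItTitlePattern = 'IT|Admin|Engineer|Systems|Security|Network'
$Suspect = $OnPremAdmins | Where-Object { $_.Title -notmatch $ItTitlePattern }
Write-Host '=== Privileged accounts without an IT-looking title (review first) ==='
$Suspect | Format-Table Group, SamAccountName, Title, Department -AutoSize

# Same review for Microsoft 365: members of the Global Administrator role.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All'
$GlobalAdminRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
if ($null -ne $GlobalAdminRole) {
    Write-Host '=== Microsoft 365 Global Administrators ==='
    Get-MgDirectoryRoleMember -DirectoryRoleId $GlobalAdminRole.Id | ForEach-Object {
        # Members may be users, groups or service principals; show the best name.
        $Props = $_.AdditionalProperties
        [pscustomobject]@{
            Type = $Props['@odata.type']
            Name = if ($Props['userPrincipalName']) { $Props['userPrincipalName'] } else { $Props['displayName'] }
        }
    } | Format-Table -AutoSize
}
```

Two caveats when reading the output: the built-in Administrators group contains Domain Admins and Enterprise Admins as nested members, so the expanded list repeats those users under more than one group, which is expected. On the Microsoft 365 side, Get-MgDirectoryRole returns only roles that have been activated in the tenant and Get-MgDirectoryRoleMember shows only active assignments, so a tenant that uses Privileged Identity Management needs a separate review of eligible role assignments.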

Want to learn more about how to improve your cybersecurity posture? Schedule a complimentary Cybersecurity Discovery call with us.