Ryuk Ransomware Attack Sprung by Frugal Student
Quote: A European biomolecular research institute involved in COVID-19 research lost a week’s worth of research data, all thanks to a Ryuk ransomware attack traced back to a student trying to save money by buying unlicensed software.
 
Security researchers at Sophos described the attack in a report published on Thursday, after the security firm’s Rapid Response team was called in to mop up the mess. 
 
Hey, everybody makes mistakes, the researchers said. That frugal student made a few of them. But the student’s goof-ups advanced to a full-fledged ransomware attack because there weren’t security measures in place to stop those missteps from happening, the researchers said. 
 
As so many organizations do, the institute allows outsiders to access its network via their personal computers. They can do so by using remote Citrix sessions that don’t require two-factor authentication (2FA). 
 
The lack of required 2FA should raise red flags right there, never mind the fact that Citrix is one of the most widely used platforms that threat actors are actively looking to exploit so as to steal credentials. In April, the U.S. National Security Agency (NSA) issued an alert warning that nation-state actors were exploiting vulnerabilities that affect VPNs, collaboration-suite software and virtualization technologies.

That included Citrix, along with Fortinet, Pulse Secure, Synacor and VMware, all of them being in the crosshairs of the advanced persistent threat (APT) group known as APT29 (a.k.a. Cozy Bear or The Dukes). The NSA said at the time that APT29 is conducting “widespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access.”

Read more: Ryuk Ransomware Attack Sprung by Frugal Student | Threatpost