This story is based on true events and dives into what happens when initial contact is made with some of the most pervasive strains of ransomware precursor malware. This series of events highlights the difference between the continuous compromise assessment cybersecurity model that empower analysts to detect and respond to network threats using their existing cybersecurity stack vs. the traditional SecOps model typically based on SIEMs, which don’t have visibility into the initial stages of an attack.
In this case it all started with Qakbot, a precursor malware notorious for launching some of the most devastating ransomware attacks. This particular incident took place late on a Friday before a long holiday weekend.
For the purpose of this narrative and to keep the story anonymous we are using fictional names to distinguish two banks involved and we are using Bank 1 and Bank 2.
DAY 1
Qakbot was first detected on the network of two companies.
Bank 1
Using Lumu, Bank 1 detected the Qakbot infection in its earliest stage (after first contact with the adversary). The cyber team was alerted to the threat immediately and it was automatically contained through their response integration.
The blue team then used information from Lumu’s portal and took action to further contain the affected endpoints and began the investigation.
Bank 2
Bank 2’s cybersecurity manager relied on classic cybersecurity solutions that could not detect the first steps of the infection, allowing the malware to progress and stay completely undetected.
Bank 2 had been infected but they had no idea.
DAY 2
Bank 1 was way ahead and Bank 2 was just getting started.
Bank 1
Bank 1’s blue team detected how Qakbot executed through .wsf files PowerShell commands to try to contact their C2 servers, fortunately, now the machines were totally isolated and sanitized,
They continued to monitor the network to ensure that no other machines were infected.
The Bank 1 CEO praised the cyber administrator for his quick thinking acknowledging that Lumu’s abilities were instrumental in detecting the threat early on.
Bank 2
The Qakbot infection in the Bank’s network had spread extensively by the time it was finally detected late on day 2.
The cyber administrator initially dismissed the infection as a small risk and did not take immediate action to contain it. As a result, the infection had spread far and wide throughout the network.
The administrator’s confidence in traditional security tools proved insufficient to effectively contain the infection.
DAY 3
The benefit of a continuous model for threat detection was evident to Bank 1 while Bank 2 was trying to keep their head above water
Bank 1
The Bank 1 network had returned to normal, and the cyber manager implemented additional security measures to prevent future attacks.
The forensic team finished their incident report.
The CEO recognized the importance of investing in modern cybersecurity solutions that have saved the company from a potentially devastating attack.
Bank 2
Bank 2’s blue team tried everything to remove the Qakbot infection, but it was too late.
The PowerShell code embedded and coded into the .wsf and was executed, the Malware contacted C2 infrastructure, and the attackers deployed Lockbit ransomware.
They exploited a security breach in the domain server identified by Qakbot and company data was now being encrypted.
The Bank 2 cybersecurity manager informed the CEO.
DAY 4
Bank 1’s executive team shared the importance of cybersecurity with the company while Bank 2 was in a state of panic.
Bank 1
The CEO of Bank 1 reinforced the company’s security education programs, focusing on phishing campaigns (the most common vector of malware) to identify and avoid potential threats.
Bank 2
The CEO of Bank 2 panicked as the ransomware attack continued. Company data was held hostage and the cyber administrator was struggling to negotiate with the attackers.
DAY 5
Bank 1 was all good Bank 2 was facing serious consequences
Bank 1
Bank 1 was thriving, with no security incidents in sight.
Bank 2
Bank 2’s Cyber Manager faced legal troubles after attempting to negotiate with the attackers. They were unable to fully recover data using old backups.
This story emphasizes the importance of operating cybersecurity and how contact with adversarial infrastructure must be taken seriously from the beginning. Attacks are often launched when we least expect it.
Stay ahead of cyber attacks, employ a continuous model to detect and automatically mitigate these threats, and ensure you have the context needed to remediate it. To learn more about how Lumu enables SecOps teams, and to see this in action, we invite you to attend our live training session > register here.
