Security firm Sophos has revealed how using pirated software was the cause of a major ransomware (opens in new tab) attack that cost a major scientific organization a week’s work and a lot of money.
A student working at a European biomolecular research institute was allowed to use expensive data visualization software. However, he wanted a version of that software for his own device, but the license was most likely too expensive - so as a workaround, tried to install a cracked copy he found online.
The crack triggered a malware warning from Microsoft Defender (opens in new tab), which he not only ignored, but decided to disable the antivirus (opens in new tab) tool, as well as the firewall (opens in new tab), instead. Fast-forward a few weeks later, and the incident response team from Sophos learned that the crack was actually info-stealing malware.
- Here’s our list of the best endpoint protection software (opens in new tab)right now
- We’ve built a list of the best malware removal software (opens in new tab) on the market
- Check out our list of the best backup solutions (opens in new tab) available
The info-stealer was in use by a malicious third-party for a few days, doing what it does best - gathering keystrokes, stealing browser cookies, clipboard data and such. Somewhere along the way, Sophos explained, it found the student’s access credentials for the institute’s network.
Once enough data was gathered, Ryuk ransomware was deployed. It encrypted all of the data it found on the network, and most likely demanded payment in cryptocurrency.
Old backup
While Sophos did not go into details how much money the operators asked for, or whether or not the institute paid the ransom, it did say that the organization lost a week’s worth of data, given that its backup wasn’t up to date.
The institute also suffered operational impact, as all computer and server files needed to be rebuilt from the ground up, before any data could be restored.
“Perhaps the hardest lesson of all,” Sophos says, “was discovering that the attack and its impact could have been avoided with a less trusting and more robust approach to network access.”
It also said that the same group that placed the info-stealer probably wasn’t the same one that installed Ryuk. The most likely scenario is, once access was established, that it got sold on the dark web to the highest bidder.
Pirating software is not only illegal, but also dangerous, Sophos concluded.
- Here's our rundown of the best Windows 10 antivirus (opens in new tab) solutions available