WannaCry: Surprise return to a Parisian SME after four years of absence


But what was the attacker trying to achieve by deploying the WannaCry ransomware at the end of November 2021 in the IT systems of this Parisian software publisher for finance professionals? Was it a sign of his amateurism? Or was it the easiest way to destabilize the business with easily accessible malware? The case heard on the evening of Thursday April 7 before the 23rd correctional chamber of the Paris court, which is dedicated to immediate appearances, is certainly quite surprising.

Because the attempt at extortion this fall was singularly botched. It was impossible to reach the hacker or pay him a ransom: the bitcoin payment addresses had not been personalized. As for the ransom demanded, it was trivial: barely 300 dollars in bitcoins, at a time when cybercriminals count in millions of euros.

But even though it is obsolete, WannaCry, the self-replicating malware that appeared in May 2017, nevertheless wreaked very serious havoc. The damage has been assessed here at a loss of 90,000 euros. The encryption of two company files prevented its customers from making financial transactions. The company painfully succeeded in partially reconstructing the data, evidently without having been able to use the disinfection tool now available.

A suspect, a former employee

The only suspect in this case, Stéphane, is being prosecuted for hacking and attempted extortion. He is a former employee of the victim company, where he was responsible until mid-October for infrastructure and cybersecurity. According to the prosecution, he wanted revenge on his former employer, probably out of resentment. Although he left under a contractual termination, Stéphane was in fact pushed out because of communication problems and his confusing night work schedules. This 30-year-old, who lives with his parents, is now a work-study student.

According to investigators from the Central Office for Combating Crime Related to Information Technology, it was he who, on October 12, opened the service account from which the computer attack originated. After his departure, he logged on to this account five times, an intrusion proven by the recorded IP address of the family home. In some cases, investigators noticed a connection coming from a virtual private network (VPN) that followed the suspect's disconnection to the nearest second. For the prosecution, it was the same user who had simply switched to the VPN, from which the destructive attack at the end of November would finally come.

The intrusion on the cloud server, where the data backups were deleted, was also carried out with an account whose identifier was in the suspect's name. In addition, the attacker evidently knew the company and the account passwords well, given that no brute-force techniques were used to crack the passwords. “Even if he is gifted in computers, he is not a professional hacker”, summarizes deputy prosecutor Charlotte Brée. The magistrate requested a 10-month suspended prison sentence, a fine of 5,000 euros and a two-year ban on practicing in the IT sector.

“Nothing to do with what happened next”

At the bar, Stéphane, who admits only to the computer intrusion, timidly searches for his words. “I did connect to the information system, but I had an oral agreement with the company,” he says. “I didn’t think it was illegal. I had nothing to do with what happened next.” About the use of his identifier, he notes that his user account was shared within the team. He had also, the IT specialist explains, sent an Excel file before his departure listing his username/password pairs.

In his defence, Maître Armando Frignati, his lawyer, also underlines the lack of investigation into two other IP addresses noted in the case file. It is a way of suggesting that the investigators missed the real perpetrators of the attack, who would have hidden behind a virtual private network. “If there is something you don’t understand, you shouldn’t retain it”, recalls the lawyer, who asks for his client's release, addressing a tired court. The magistrates had not hidden their reluctance to judge this case in a chamber reserved for quick and simple procedures, such as telephone thefts or violence against a parent. “The investigation file is very constructed, the defense is trying to sow confusion,” the company’s lawyer, Anna Caresche, immediately retorts, before putting her head in her hands. It’s almost midnight. The president announces that the decision will be delivered on May 12.

The first name of the defendant has been changed


