Ransomware cyberattacks are particularly feared given their destructive effect on an organization. A cybersecurity company tells us from the inside about the attack on a local authority.
The French administration is a frequent target of hackers, and the damage caused must quickly be contained, given the potential consequences: citizen data online, essential services unavailable… ANSSI, the government’s cyber sentinel, identified in a report 187 incidents affecting local authorities between January 2022 and June 2023, i.e. an average of 10 incidents per month. For the year 2023, Numerama has produced a map of recorded attacks.
Nomios, a French company specializing in this environment, intervened to manage the situation most feared by IT services: the ransomware attack. When ransomware strikes, hundreds of computers become unusable in an instant, and all files are blocked. The attack took place as often at the end of the week, on a Thursday evening, when spirits relaxed. Hundreds of positions find themselves compromised on the 4,000 computers of the said administration. It is those responsible for the network who are primarily affected, with the risk that the ransomware spreads quickly.
Stop the proliferation of malware
It was on Friday morning that the Nomios security operations center (SOC) was urgently called to quickly stop the hackers. The company had to install firewall software for the community, but the context motivated those responsible to call on the company urgently. The local authority victim of the affair is responsible for nearly a million citizens.
First difficulty: intervention in a chaotic situation. “ A large part of the administration was not ready for crisis management. We arrive in this state of panic, where everyone is trying to understand and wants quick solutions. We waste time explaining the situation to each manager or elected official », Tells Numerama Pierre Haikal, security engineer at Nomios.
The roots of evil are also tracked down. The error likely comes from a network administrator’s VPN account being compromised. Since double authentication was not activated, cybercriminals were able to quietly infiltrate with the victim’s credentials. The antivirus had detected some signals, but they went unnoticed.
First act: install a console to remotely access all workstations and ensure that all access is blocked. The tools used are those of the global cybersecurity giant, Palo Alto Networks, which deploys specific functionalities accessible in forty minutes for these emergency cases.
“ The main mission is to find compromised machines in the park, isolate them from the network and block all possible access. The ‘firefighter’ part lasts two weeks from the outbreak of the ransomware », Comments the engineer. Experts noted voluminous data transfers to the outside during the first hours of the attack. Hackers not only take files hostage, they export files to disclose them on the web.
A group of hackers responsible for hundreds of attacks
The perpetrators of the attack are a group of cybercriminals that industry professionals already know: Play Ransomware. This collective already has more than 300 victims, including several French entities. Files blocked by their malware quickly become unusable. “ Data without an archive or a duplicate stored elsewhere is often lost. The priority is first to save as many positions as possible. Restoration work is possible later », explains Pierre Haikal.
Inevitably, as with every ransomware, a message is left by the hackers in the network, inviting the community to contact them to negotiate a ransom. Bad luck for the pirates since the French administration has a rule not to pay any sum. Some of the data – invoices, reports, contracts, conversations – will certainly be put online by hackers to put pressure on, but in vain.
Complete cleaning, installing new security filters and resetting all credentials takes response teams about a month. The Nomios SOC team is always active in the event of an alert for the community.
Could specific tools have countered this attack? “ EDR (Endpoint Detection and Response) technologies would have reported the infiltration to agents more quickly. A station can be blocked, but the spread of ransomware is contained more quickly. Having a SOC to quickly support security is an additional layer of defense », Develops Luis Delabarre, director of SOC at Nomios. “ Naturally, multi-factor authentication prevents hackers from infiltrating as easily » he adds. A simple maneuver that sometimes avoids losing significant amounts of money restoring systems.
Subscribe to Numerama on Google News so you don’t miss any news!