The Hidden Cost of Ransomware: Wholesale Password Theft
2020-01-06 18:17

All too often, ransomware victims fail to grasp that the crooks behind these attacks can and frequently do siphon every single password stored on each infected endpoint.

On the morning of Dec. 4 I heard via email from someone claiming to be part of the criminal group that launched the Ryuk ransomware inside VCPI. That email was unsettling because its timing suggested that whoever sent it somehow knew I was going to speak with VCPI later that day.

In our Dec. 4 interview, VCPI's acting chief information security officer - Mark Schafer, CISO at Wisconsin-based SVA Consulting - confirmed that the company received a nearly identical message that same morning, and that the wording seemed "very similar" to the original extortion demand the company received.

WHOLESALE PASSWORD THEFT

Just after receiving a tip from a reader about the ongoing Ryuk infestation at VCPI, KrebsOnSecurity contacted Milwaukee-based Hold Security to see if its owner Alex Holden had any more information about the attack.

According to Holden, after using Emotet to prime VCPI's servers and endpoints for the ransomware attack, the intruders deployed a module of Emotet called Trickbot, which is a banking trojan often used to download other malware and harvest passwords from infected systems.


News URL

https://krebsonsecurity.com/2020/01/the-hidden-cost-of-ransomware-wholesale-password-theft/