Ransomware Group Tries and Fails to Extort Security Vendor Dragos

A cybercrime group that managed to compromise the cloud-based resources of a cybersecurity vendor tried to extort the company by threatening family members, the company has revealed.

Operational technology (OT) security specialist Dragos said it was hit on May 8 after threat actors compromised the email account of a new sales employee prior to their start date.

They subsequently used the employee’s personal information to impersonate them and complete some basic onboarding, according to the vendor’s report on the incident. This got them as far as access to the company SharePoint account and contract management system, but no further.

However, having failed to deploy a ransomware payload or to steal more sensitive information, the group apparently resorted to extorting Dragos executives directly, demanding payment in return for not publicly disclosing the breach.

Although no Dragos contact responded, the group repeatedly tried to up the pressure, contacting multiple publicly known Dragos employees and trying to use knowledge of family members to force a response.

“The cyber-criminals’ texts demonstrated research into family details as they knew names of family members of Dragos executives, which is a known TTP. However, they referenced fictitious email addresses for these family members,” the report noted.

“In addition, during this time, the cyber-criminals contacted senior Dragos employees via personal email. Our decision was that the best response was to not engage with the criminals.”

Dragos co-founder and CEO, Robert Lee, shared more details via Twitter.

“The criminals obviously grew frustrated because we never attempted to contact them,” he tweeted. “Paying was never an option. They continued to call me, threaten my family, and the family of many of our employees by their names.”

In the end, the vendor’s multi-layered security approach appears to have prevented a more serious compromise.

The threat actors could not access the Dragos messaging system because access required admin approval, and role-based access controls kept them out of the IT helpdesk, customer support data, the employee recognition system, sales leads and more.

Once the intruders were identified via the vendor’s security information and event management (SIEM) tool, Dragos blocked the compromised account and activated its third-party incident response and managed detection and response (MDR) providers. Security controls prevented lateral movement, privilege escalation, persistent access and any changes to the firm’s infrastructure, Dragos said.

Unfortunately, not all ransomware victims have a similar experience. Sophos claimed in a report yesterday that 66% of organizations fell victim to ransomware in 2022, and that in a massive 76% of those cases the attackers succeeded in encrypting data.

What’s hot on Infosecurity Magazine?