
Student who installed pirated software rigged with Ryuk ransomware crippled a Covid-19 research facility for 10 days

Summary

A student unknowingly infected the Covid-19 research facility by installing a pirated copy of data visualization software that was unfortunately rigged with the Ryuk ransomware.

 

Quotes

Quote

It was a student, unfortunately, that proved to be the unwitting conduit for the Ryuk infection. 

 

The student was on the hunt for a free version of a data visualization software tool which would have cost them hundreds of dollars per year if licensed. After posting on a forum asking for a free alternative, the student eventually elected to find a cracked version instead.  As cracked software -- modified to remove elements such as trial expiration dates or the need for a license -- is deemed suspicious, antivirus software will usually flag and block its execution. 

 

In this case, Windows Defender triggered, and so the student disabled the software as well as their firewall.  However, instead of launching the software they wanted, the executable loaded a Trojan which was able to harvest the student's access credentials to the biomolecular institute's network.

 

In hindsight, in what was an unwise decision, the research institute allowed students to use their personal devices to access its network via remote Citrix sessions.  13 days after the student executed the 'cracked' software, a remote desktop protocol (RDP) connection was registered by the institute, using the student's credentials, under the name "Totoro," -- an anime character from a 1988 film. 

 

"A feature of RDP is that a connection also triggers the automatic installation of a printer driver, enabling users to print documents remotely," Sophos says. "This allowed the Rapid Response investigation team to see that the registered RDP connection involved a Russian language printer driver and was likely to be a rogue connection." It was 10 days after this connection was made that Ryuk was deployed on the network, costing the institute a week of research data as backups were not fully up-to-date. In addition, system and server files had to be "rebuilt from the ground up," according to the researchers, before the institute could resume normal working activity. 

My thoughts

It's quite disappointing to see how a large research institution focused on Covid-19 allows BYOD to access such critical files via RDP. It is also stupid for the student to ignore Windows Defender's warnings just to save some bucks. But this made me think, why would a well-funded research institution not issue company-owned laptops and devices? Windows 10 has Windows Autopilot, macOS has zero-touch deployment, and they could provide a legit copy of the data visualization software. They have backups, but they aren't up to date? Makes me wonder how frequent their backups are. I know that many in this forum have posted things like "How to get a lifetime Office 365 for free?" or "Keygen crack for Adobe CC" and it's nice that such posts are deleted.

 

Another question I have is how can a student have such clearance with the institution? Is he/she an undergrad intern? or a post-doc candidate? As far as I know, sensitive and confidential data is usually hands-off to students unless they are directly part of the research program.

 

Sources

Zdnet

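The Sophos detail in the quoted passage, that a redirected printer driver in the wrong language on a connection from a client name nobody recognised was the tell for a rogue RDP session, is a correlation a blue team can automate. The script below is an added example written for this thread, not code from the ZDNet article, Sophos, or the original poster. It runs on constructed, already-normalised sample records (the field names, hostnames, user, IP address, driver strings, working hours and the managed-device inventory are all assumptions of the example, not data from the incident) and pairs each printer-driver install with the RDP logon that preceded it, flagging sessions from unmanaged clients, Cyrillic driver names, or off-hours logons.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records (not real Windows event log output): RDP logons
# (Security 4624, logon type 10 = RemoteInteractive) and redirected-printer
# driver installs (PrintService log) already normalised into one flat schema.
# Field names, hostnames, user, IPs and driver strings are this example's own.
SAMPLE_EVENTS = [
    {"ts": "2020-10-01T14:14:02", "kind": "rdp_logon", "user": "student01",
     "client_host": "LAB-PC-07", "src_ip": "10.20.3.41"},
    {"ts": "2020-10-01T14:14:09", "kind": "printer_driver", "user": "student01",
     "client_host": "LAB-PC-07", "driver": "HP Universal Printing PCL 6"},
    # Later logon from an unknown client whose redirected printer carries a
    # Russian-language name (constructed), at 03:02 local time.
    {"ts": "2020-10-14T03:02:51", "kind": "rdp_logon", "user": "student01",
     "client_host": "Totoro", "src_ip": "203.0.113.77"},
    {"ts": "2020-10-14T03:03:05", "kind": "printer_driver", "user": "student01",
     "client_host": "Totoro", "driver": "Отправить в OneNote 16"},
]

MANAGED_HOSTS = {"LAB-PC-07", "LAB-PC-08", "RESEARCH-WS-12"}  # assumed inventory
WORK_HOURS = range(7, 20)          # assumed 07:00-19:59 local; tune per site
CYRILLIC = re.compile(r"[\u0400-\u04FF]")


def _parse(ts):
    return datetime.fromisoformat(ts)


def correlate(events, window=timedelta(minutes=5)):
    """Pair each redirected-printer driver install with the most recent RDP
    logon by the same user within `window`, then score the pair.

    Returns a list of findings; each carries the session details and the
    reasons it was flagged. Sessions with no reasons are not returned.
    """
    logons = [e for e in events if e["kind"] == "rdp_logon"]
    findings = []
    for drv in (e for e in events if e["kind"] == "printer_driver"):
        t_drv = _parse(drv["ts"])
        # candidate logons: same user, logged on within `window` before install
        cands = [l for l in logons
                 if l["user"] == drv["user"]
                 and timedelta(0) <= t_drv - _parse(l["ts"]) <= window]
        if not cands:
            continue
        logon = max(cands, key=lambda l: l["ts"])  # ISO strings sort by time
        reasons = []
        if logon["client_host"] not in MANAGED_HOSTS:
            reasons.append("client host not in managed-device inventory")
        if CYRILLIC.search(drv["driver"]):
            reasons.append("redirected printer driver name is Cyrillic")
        if _parse(logon["ts"]).hour not in WORK_HOURS:
            reasons.append("logon outside working hours")
        if reasons:
            findings.append({
                "user": drv["user"],
                "client_host": logon["client_host"],
                "src_ip": logon["src_ip"],
                "logon_ts": logon["ts"],
                "driver": drv["driver"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f['logon_ts']} {f['user']}@{f['client_host']} ({f['src_ip']}): "
              + "; ".join(f["reasons"]))
```

Run as-is it flags only the "Totoro" session, on all three counts; the lab PC's normal daytime session produces no finding. In a real deployment the records would be built from Security event 4624 (logon type 10) and the PrintService log, and the host inventory pulled from the MDM or directory rather than hard-coded.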

 

 


5 minutes ago, captain_to_fire said:

It is also stupid for the student to ignore Windows Defender's warnings

Cracks always have a false positive, even on safe(er) piracy. So it's not really stupid as it's common for it to happen. The only thing he did stupidly was install risky software on something that wasn't his.


Well, I've heard of ransomware just unlocking things once they found out they affected hospitals and what not, so maybe they'll do the same here?

 

Not to say they're any better for doing that, ransomware still sucks and piracy does carry risks like these

-sigh- feeling like I'm being too negative lately


10 minutes ago, captain_to_fire said:

Another question I have is how can a student have such clearance with the institution?

this is my thought too.

 

Why can a student install anything?

 

Every workplace and school I've ever seen, software can only be installed by the IT department or administrators.


2 minutes ago, Arika S said:

this is my thought too.

 

Why can a student install anything?

 

Every workplace and school I've ever seen, software can only be installed by the IT department or administrators.

At my high school, people could install whatever they want to on their own laptop.


6 minutes ago, Npiet1 said:

Cracks always have a false positive, even on safe(er) piracy.

I'm pretty sure cracking a software to remove trial restrictions is by no means safe, not to mention in violation of the EULA.


Just now, Mihle said:

At my high school, people could install whatever they want to on their own laptop.

If it's your own laptop, you can definitely install whatever you want. The thing I'm curious is how can a measly student have such high clearance and stupidly use a cracked program rigged with ransomware.


13 minutes ago, captain_to_fire said:

I'm pretty sure cracking a software to remove trial restrictions is by no means safe, not to mention in violation of the EULA.

There is no reason to crack software that you can purchase. If you have to resort to it, it's likely because of some limitation preventing the activation from working (such as no internet access, optical disk failure, or DRM/OS incompatibility), and I've never run into this in a context where it was necessary for commercial software; it has always been games with broken DRM.

 

 


23 minutes ago, captain_to_fire said:

I'm pretty sure cracking a software to remove trial restrictions is by no means safe, not to mention in violation of the EULA.

Lol if you are pirating software, you don't care about violating the EULA.

Also, it's not 100% safe, but safer than you think. No scene group wants viruses, malware, worms, etc. in their cracked software. It's detrimental for rep. That's usually done by someone else.

 

There are rules people should follow when pirating software to prevent that, which experienced pirates follow.


2 hours ago, captain_to_fire said:

It is also stupid for the student to ignore Windows Defender's warnings just to save some bucks. But this made me think, why would a well-funded research institution not issue company-owned laptops and devices? Windows 10 has Windows Autopilot, macOS has zero-touch deployment, and they could provide a legit copy of the data visualization software. They have backups, but they aren't up to date? Makes me wonder how frequent their backups are. I know that many in this forum have posted things like "How to get a lifetime Office 365 for free?" or "Keygen crack for Adobe CC" and it's nice that such posts are deleted.

This is probably a reason why we need FOSS software that isn't terrible but can be a legitimate alternative. If said student had found something that would've worked for him, this may also have never happened.


12 minutes ago, J-from-Nucleon said:

This is probably a reason why we need FOSS software that isn't terrible but can be a legitimate alternative. If said student had found something that would've worked for him, this may also have never happened.

This attack would've never happened if the authorities of the research institution didn't grant high clearances to mere students and issued their own devices with the licensed software installed instead of BYOD.


I love how the student thought that disabling the firewall would somehow help with the cracking process 🤣


I would put part of the blame on the IT head. Citrix, RDP and BYOD are very commonplace and that's OK, but just the fact that the backups weren't even a day old but a week? That's awful for something as important as research, not even counting that it's Covid research.

 

Also, since it's a student, it's most likely the institute is linked to his university, so he could get whatever his uni offers on their intranet; complete bonehead that he went for a cracked copy.

3 minutes ago, Master Disaster said:

I love how the student thought that disabling the firewall would somehow help with the cracking process 🤣

Funnily enough, most cracks tell you to do the opposite, to stop the cracked app from calling home.


51 minutes ago, J-from-Nucleon said:

This is probably a reason why we need FOSS software that isn't terrible but can be a legitimate alternative. If said student had found something that would've worked for him, this may also have never happened.

 

Quote

The student was on the hunt for a free version of a data visualization software tool which would have cost them hundreds of dollars per year if licensed. After posting on a forum asking for a free alternative, the student eventually elected to find a cracked version instead. 

Sounds familiar.

 

It should probably be pointed out that sometimes people here, and in other places post troll responses. Given that the first link for "free software visualization" on google just goes to a list of open source software, I wonder if they were told something unhelpful.

 


 

4 hours ago, captain_to_fire said:

I'm pretty sure cracking a software to remove trial restrictions is by no means safe, not to mention in violation of the EULA.

Well, when you are pirating stuff, you don't care about violating the EULA. You are more concerned about the virus installing a trojan.


I'm not sure how some of y'all think this was the kid's fault. Look, if he wants to install malware on his own laptop, whatever. However, the IT department head and cyber security people should be fired for the incompetence of allowing so many vulnerability points in their systems and not having backups. Also for not giving out devices to use at work, or at the very least providing the software needed to do the job and restricting access appropriately.


26 minutes ago, SlidewaysZ said:

I'm not sure how some of y'all think this was the kid's fault. Look, if he wants to install malware on his own laptop, whatever.

The student can be blamed because, instead of using a legit copy of the said software, he resorted to dodgy forums that led him to a cracked version rigged with ransomware, not to mention he/she ignored the warnings from the antivirus installed and decided to disable it.

26 minutes ago, SlidewaysZ said:

However, the IT department head and cyber security people should be fired for the incompetence of allowing so many vulnerability points in their systems and not having backups.

They have backups, but it wasn't up to date. But yes, the IT staff is the one largely to blame for introducing vulnerabilities and high clearance to mere students.

26 minutes ago, SlidewaysZ said:

Also for not giving out devices to use at work, or at the very least providing the software needed to do the job and restricting access appropriately.

Makes me wonder why simple blacklisting cannot be implemented by IT. I for one managed to set up a blacklist on all 10 computers for our small business.


That's a real bummer. It reminds me of the "Swiss cheese model" often used in a security/safety context, where sometimes the holes of multiple layers can overlap such that incidents/accidents happen despite several lines of defense being in place.

If the student was actually an employee of that university, he/she should have been able to get that software through the university without having to pay anything him/herself. This should just be a matter of having to explain why you need the software and that there is no suitable free/less expensive alternative.
If the student was not an employee, he/she should be able to get at least most of the software at a very large discount through some software deal offered by the university. If that particular software is not included in that, then the project's supervisor should still make sure his/her students get access to it at a reasonable cost.

The network admins very likely messed up too. At my university, only verified devices of employees were authorised to access the intranet, guests had their own network (which was heavily restricted). It also seems that their backup policy could use some improvement. 


This is a good lesson in what happens when you don't gaf about your security or backups. 

 

No daily backup?  What kind of amateur "institute" is this?  I back up my work daily in case of random failure, merely to save myself hassle, and it's not sensitive or even valuable data. 

 

 


This dude must have SHIT A BRICK when he realized what he did. My condolences, sir.


10 hours ago, captain_to_fire said:

They have backups but aren't up to date?

The datasets can be huge so the cost of not backing them up versus the computation time to reprocess from the raw data can often be less. Not everything needs backing up, even if it results in lost work.

 

10 hours ago, captain_to_fire said:

It's quite disappointing to see how a large research institution focused on Covid-19 allows BYOD to access such critical files via RDP

RDP is fine; the access via RDP is entirely a tangent to the actual issue, and is what allowed them to pick up on the issue in the first place as well. RDS full sessions and RDS published apps are extremely common and not a security risk in and of themselves. Most of our business-critical/core applications are delivered only via RDS published apps, as it allows a DR/HA setup across datacenters with a seamless and single way to use the application on the network and off the network (if off-network access is allowed for that application).

 

10 hours ago, captain_to_fire said:

Another question I have is how can a student have such clearance with the institution? Is he/she an undergrad intern? or a post-doc candidate? As far as I know, sensitive and confidential data is usually hands-off to students unless they are directly part of the research program.

Not at all uncommon. It was only a couple of years ago that post-grad students doing institute research projects had staff accounts; they sign an employment agreement like anyone else does. These are adults we are talking about, who are not any different from any other person; they just happen to be undertaking higher education courses and research.

 

A 50-year-old is quite capable of making, and has made, the same mistake a 20-30-year-old is. Literally refer to my profile picture.


Really, no up-to-date backup and no two factor authentication for remote logins? Especially the second one really baffles me, I get why you allow BYOD (even though I don't condone it) but allowing remote connects from BYOD devices without a two factor authentication is pure madness.


8 hours ago, leadeater said:

Not at all uncommon. It was only a couple of years ago that post-grad students doing institute research projects had staff accounts; they sign an employment agreement like anyone else does. These are adults we are talking about, who are not any different from any other person; they just happen to be undertaking higher education courses and research.

 

A 50-year-old is quite capable of making, and has made, the same mistake a 20-30-year-old is. Literally refer to my profile picture.

That doesn't excuse them for having shitty security practices just because many are doing it. Also, since when should a measly student have such high clearance and stupidly install a pirated program rigged with god knows what that eventually spread laterally to the entire network? And considering that Ryuk ransomware isn't something new, did none of their systems have endpoint agents to protect them, or did their IT allow so many open ports?

 

8 hours ago, leadeater said:

Not everything needs backing up, even if it results in lost work.

That would be applicable if you're not a Covid-19 research facility. Remember that they've lost 10 days worth of work, that would translate to several man-hours. Just imagine if a hospital didn't have backups and got hit by a ransomware.


19 hours ago, Arika S said:

school I've ever seen, software can only be installed by the IT department or administrators

Only if it's owned by them. For instance, my school allows private devices onto the network after logging in with our user+pass combo (WPA Enterprise, I presume). The only irritating thing it does, for some reason, is that if I query google.com the machine will ask for google.com.<school domain>.tld ....


8 minutes ago, jagdtigger said:

Only if it's owned by them. For instance, my school allows private devices onto the network after logging in with our user+pass combo (WPA Enterprise, I presume). The only irritating thing it does, for some reason, is that if I query google.com the machine will ask for google.com.<school domain>.tld ....

Right. I'm old. Back when I was in school, no one was allowed to bring laptops or anything to school; phones had to be kept in lockers. We had textbooks, and the only PCs were in the library and the IT lab.

