International cyber gang attacks company using a simple Word file

A few weeks ago, a Vanbreda Risk & Benefits customer was the victim of a targeted cyber attack. All the international criminals needed in order to get inside the company in an attempt at extortion was a Word file containing a bit of executable code.


The gang went to work meticulously. They rented a fake PO box in the United Arab Emirates, they created a non-traceable email address on the Darknet and they registered a slew of .nl domain names relating to transport.

The tactic that they then applied was as smart as it was criminal. The criminals pretended to be a courier company, and they correctly identified which employees at our customer’s company were involved in the receipt of packages. This included management assistants and employees in the mailroom. These people then received an email – in excellent, error-free Dutch – from the fake email address saying that they had attempted to deliver a package to them, but that they had not been present to accept it. By clicking on a link in this email, they could set up a new delivery time.

The virus was hidden in executable code

This was an expertly set trap. As soon as the employees clicked on the link, it opened a Word file. In this file there was a piece of executable code that in turn launched a .exe program. This all happened under the radar, so the employees were not aware of anything untoward going on, and they simply closed the Word file again as usual. Even the sophisticated anti-virus programs used by our client did not notice anything suspicious.

Up to then, the cyber criminals’ plan was working perfectly. But it hit a snag when the gang tried using their .exe file to create an internet connection to external Russian servers. Their aim was to download damaging programs and keys from these servers. These would be used to encrypt a large number of our customer’s files, which could then only be decrypted if they paid a large ransom (the average is between EUR 15,000 and 20,000).

IT recovery costs of up to EUR 12,000

The plan failed because our customer’s firewall detected in time that the Russian servers were on a blacklist. As soon as this was detected, the whole system was shut down. This meant that a large amount of damage could be prevented, and they could avoid having to pay the large sum of ransom money.
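As an added example (not code from the Vanbreda post), this is the detection logic a defender would run over endpoint and firewall telemetry for the two observable steps of the chain described above: an Office process launching an executable from a user-writable path, and an outbound connection to a blocklisted destination. The log format, host names, file paths and blocklist entries are constructed for this demonstration.

```python
# Added example: flag the two stages of the attack described above and
# correlate them per host. Telemetry format, hosts, paths and blocklist
# entries are constructed assumptions, not data from the post.
from collections import defaultdict

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
# Constructed blocklist of destinations the firewall would refuse.
BLOCKLIST = {"203.0.113.45", "198.51.100.7"}

# Constructed telemetry, one event per line: kind|host|process|detail
# "proc" detail is the child executable; "net" detail is the destination.
TELEMETRY = """
proc|WS-ASSIST01|winword.exe|C:\\Users\\a\\Downloads\\invoice.exe
proc|WS-MAILROOM|winword.exe|C:\\Program Files\\Microsoft Office\\spellchk.exe
net|WS-ASSIST01|invoice.exe|203.0.113.45:443
net|WS-MAILROOM|outlook.exe|192.0.2.10:443
net|WS-ASSIST01|chrome.exe|198.51.100.7:80
"""


def parse(lines):
    """Split the pipe-separated telemetry into event dicts."""
    events = []
    for line in lines.strip().splitlines():
        kind, host, proc, detail = line.split("|", 3)
        events.append({"kind": kind, "host": host, "proc": proc.lower(), "detail": detail})
    return events


def detect(events, blocklist=BLOCKLIST):
    """Return (alerts, compromised_hosts). Each alert is (severity, host, reason);
    a host showing both the dropper stage and the blocklisted connection is
    reported as compromised."""
    alerts, stage = [], defaultdict(set)
    for ev in events:
        if ev["kind"] == "proc" and ev["proc"] in OFFICE_PARENTS:
            child = ev["detail"].lower()
            # Office spawning an .exe from a user-writable path is the dropper step.
            if child.endswith(".exe") and child.startswith("c:\\users\\"):
                alerts.append(("medium", ev["host"], f"{ev['proc']} spawned {ev['detail']}"))
                stage[ev["host"]].add("dropper")
        elif ev["kind"] == "net":
            dst = ev["detail"].rsplit(":", 1)[0]  # strip the port
            if dst in blocklist:
                alerts.append(("high", ev["host"], f"{ev['proc']} -> blocklisted {dst}"))
                stage[ev["host"]].add("c2")
    compromised = {h for h, s in stage.items() if {"dropper", "c2"} <= s}
    for h in sorted(compromised):
        alerts.append(("critical", h, "Office-spawned executable plus blocklisted connection"))
    return alerts, compromised
```

Run as-is, the constructed telemetry yields one medium, two high and one critical alert, with WS-ASSIST01 reported as compromised and WS-MAILROOM left clean.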

But that did not mean that our customer was totally off the hook. As a result of this attack, the IT system was thoroughly screened, and where necessary rebuilt. This was carried out by both their own IT staff and by a specialised firm. These IT recovery costs totalled around EUR 12,000.

Sizable financial and reputational damage

Cases such as this show that cyber crime is often closer to home than many business executives believe. Our customer was, of course, not the only target of this criminal gang: these kinds of ‘campaigns’ are carried out on a large scale, against dozens of companies at once.

What if the Russian servers had not been on a blacklist at one of the targeted companies? Or if a different type of virus had been introduced, one that stole data, sent out passwords or allowed hackers to access your network? The consequences can be severe.

For anyone who still has any doubts: this sort of story is unfortunately no longer something out of a good Hollywood script. International virtual gangs are becoming better organised at carrying out targeted cyber attacks on unsuspecting companies.

What is worrying about this phenomenon is that even with the best preventive measures you cannot keep all problems at bay. A good cyber policy is therefore not a luxury, but a necessity. Let’s be clear: the customer in the case we described was able to limit the damage to around EUR 13,000, thanks to their insurance. If the attempt at extortion had been successful, then this amount could sadly have been a lot higher.