In May 2021, an Australian building materials manufacturer and distributor called Langs Building Supplies was able to beat a ransomware attack by relying on their MFA-protected backups to secure their data and decline the hackers’ demands. Even when the perpetrators (suspected to be the Lorenz gang) began threatening their employees individually, the company held firm against the extortion attempts, confident that none of their information had been exposed.
Discover how Langs was hacked, how they solved it and what this could mean for your business by continuing to read below:
What Happened to Langs Building Supplies
Langs’ Chief Information Officer (CIO), Matthew Day, described to interviewers that on the day he was notified of the attack, he was getting ready for his first vacation in a long while. His plans were interrupted when, on May 20, 2021, he received a 4:00 AM call from the office alerting him that the company’s systems seemed to be shut down. After confirming that he could not access the company’s network either, he proceeded directly to the company’s facility in the dead of night and discovered a digital ransom note in the system.
Where the Attack Came From
Matt and his team were able to trace the infection back to its origin – a compromised email from an upstream partner, which was hard to spot because it came from the partner’s legitimate account but contained a malicious hyperlink. The supplier had been compromised and the attackers infiltrated their network, spying on their communications with Langs Building Supplies long enough to craft the message that would allow them to infect an unwitting employee’s computer. Within two weeks, they used the victim’s credentials to log into Langs’ system and waited long enough to uncover a vulnerability to exploit that would grant administrator access.
After later contacting the authorities and working through the infected files, Matt and his team confirmed that the malware came from the Lorenz ransomware gang supposedly operating out of the Netherlands.
What is Lorenz Ransomware?
Suspected to have ties to the makers of ThunderCrypt ransomware, the Lorenz group began establishing a name for themselves in the same period that they hit Langs Building Supplies, and have continued to create headlines into 2022. One such incident was the hack of a large German-based defense contractor with clients in multiple countries, including an agreement with the US government that provides access to sensitive military information. The stolen data was published online in password-protected archives in December 2021.
Double Extortion Strategy
Lorenz is one of many gangs that have taken advantage of the double extortion strategy, wherein they threaten the release of stolen files, as seen in the case above. However, they have stood out for the extra steps taken to reinforce the severity of their blackmail, such as offering to sell the stolen data to other ransomware groups along with the internal access credentials they obtained. The good news is that security researchers have already released a free decryption tool for Lorenz ransomware, prompted by the fact that a bug in the malware can corrupt data beyond recovery.
Many cybercriminals specifically target victims in other countries because of the difficulty in both tracking and prosecuting across national borders. Others mask their IP addresses to make it even harder for law enforcement to figure out who they are, and quite a few operate in nations that have a history of turning a blind eye to their activities. Several governments are strongly suspected of funding hackers or even employing them directly, with their own espionage agencies taking part.
How Langs’ IT Team & Backup Solved the Attack
Having been targeted by a similar attack five years prior, Langs Building Supplies has a strict policy of not paying cyber extortion demands – which potentially saved them from the fate of other victims who relied on the faulty decryptor keys provided by perpetrators. Instead, Matt Day and his internal IT team made sure that their external backups hosted by their BCDR (business continuity and disaster recovery) provider remained secure, then went to work on isolating the infection.
After ensuring that the malware was limited to the original infection point, they simply had to wipe the affected machines and restore their data. From there, it became a waiting game – along with an exercise in employee cybersecurity awareness training.
How the Lorenz Gang Responded
The Lorenz gang was continuing to watch Langs’ efforts the entire time, and after Matt’s team managed to recover all of their original data, the hackers sent another message. They informed Langs that they knew they had recovered their files, that they knew they had been hacked before and which BCDR solution they had been using in the five years since. They ended the email with a threat to leak the data they had stolen by a certain date if no ransom was paid.
The warning did not faze the IT team, who could confirm that the infection never reached the location where that data was stored, but they were worried about its impact on the rest of the staff. The message had been sent to every employee and implied that their personal information was included in the attackers’ cache, so Matt Day and his department had to quickly communicate to the rest of the company that this was a bluff. By being able to show evidence that the data was secure, however, they were able to get everyone else on board, and the deadline came and went without incident.
Why Langs May Have Been Targeted
Matt Day speculated that Langs Building Supplies was targeted for its integral place in their tenuous supply chain, Langs being one of the biggest material suppliers in northeastern Australia. The Queensland state government even had to take steps to keep the regional construction industry operating during the pandemic, and the sector has remained hard pressed. If a business like Langs was shut down for an extended period of time, it would have a ripple effect on the economy.
How Ransomware Fits into Cyber Warfare
Nation-state hackers have been responsible for a lot of recent activity in a growing cyber–Cold War, including the infamous Kaseya attack that targeted the systems of several US federal agencies. Given Lorenz’s other victims (including the aforementioned), it is possible that they have or had a secondary political agenda, although one likely superseded by the monetary gain they make from ransoms. However, these goals can be achieved hand-in-hand quite easily, and research indicates that at least a few countries do in fact leverage their cyberspace capabilities to steal money as well as valuable data.
There are still many more benefits from a ransomware infection beyond the immediate financial ones, though, including providing cover for stealing intellectual property or even military secrets. The very act of disrupting a business’s operation alone can help a rival nation achieve its objectives if the victim occupies a vital part of a supply chain, as with Colonial Pipeline or SolarWinds. Considering Australia’s relations with some of the usual suspects, it is certainly not far-fetched to imagine Langs Building Supplies was targeted to cause political damage as well as economic.
The Part MFA & Backups Played
Langs’ backup solution certainly helped win the fight against their ransomware attack, but what is truly interesting is the role MFA (multifactor authentication) played in the entire affair. Matt Day and his team knew that their backups were uncompromised because of the added authentication, but ironically Langs’ CIO had fought with the other executives, without success, to implement MFA across the company. He believes that if it had been in place, the initial infection would have been prevented in the first place.
“I should have stuck to my guns more about external access and MFA,” said Matt. “Because we’ve been talking about it for quite a while and I was pushing for it, but the company pushed back because it was seen as an onerous burden on the users; one more thing that they have to learn and deal with. If I’d had MFA, we could have stopped this particular attack in its tracks and I’m happy to say we can now have MFA on those external desktops.”
Living with the Modern Ransomware Ecosystem
Langs Building Supplies is something of an ideal story, more so because they are actually willing to tell it, but also because so many factors fell into place at the right time. They retained their firsthand experience from their previous attack and used it to narrow down the right solution for the next, they handled the incident professionally and did not give in to intimidation, and the attackers underestimated their resolve. Most importantly, there was enough trust between the IT team and the rest of the company – and between Langs and their BCDR provider – to assure everyone that everything was working as intended.
Ransomware gangs represent one of the most robust parts of a growing cybercrime economy, one that always has participants and victims to choose from. One team develops the malware and another distributes it among targets, knowing that there will always be an organization out there where someone will be exposed, and someone at the top will give in to their demands. The most consistent defense is to keep your data secure, isolated, and backed up as often as possible so that it can be recovered without a follow-up infection.
Learn More About MFA, Backups & More Ransomware Solutions
There may be no magic bullet to solve ransomware instantly, but SWK Technologies will help you uncover where you are most vulnerable to infiltration and narrow down the right solution to plug these gaps. Reach out to us today and let our network security experts assist you in developing the right approach to defend your systems against hackers.
Contact SWK here to learn more about how MFA, backups and other solutions can protect you against ransomware.
Discover How the Right MFA & Backups Beat Ransomware