BlackCat/ALPHV Ransomware Gang Phished a Reddit Employee... And???

Date: June 19, 2023


The BlackCat/ALPHV ransomware gang has claimed the February attack against social media platform Reddit, asserting that 80GB of data was exfiltrated.

The attack, alleged to have begun with a phishing operation aimed at employees, resulted in the attackers getting access to documents, source code, employee’s personal data, and information about the company’s advertising customers.

“After successfully obtaining a single employee's credentials, the attacker gained access to some internal docs, code, as well as some internal dashboards and business systems. We show no indications of breach of our primary production systems (the parts of our stack that run Reddit and store the majority of our data),” Bleeping Computer reports a company spokesperson as saying.

“The threat actors say they attempted to contact Reddit twice, on April 13th and June 16th, demanding $4.5 million for the data to be deleted but did not receive a response. After not receiving a response, the threat actors now threaten to leak Reddit’s data if the company doesn’t pay the ransom and backtrack on their plans on charging for API access,” Bleeping Computer continued.

Takeaway: Phishing attacks are always going to be an issue, and they continue to be one of the main infection vectors for ransomware. And while many in the industry continue to throw end-users under the bus for data breaches, the fact is it’s not their responsibility to ensure systems are secure.

Yes, employees need to exercise a reasonable level of discretion in their daily work to ensure they are not providing an easy avenue for attackers; that said, as an industry we need to abandon the “weakest link” excuse for the failure of our security operations up and down the stack.

Yes, employees are going to click on malicious links and open tainted attachments. Why? Because they are busy and distracted doing their jobs.

And just as security staff are not overly concerned with things like marketing budgets, customer acquisition and retention campaigns, facilities management and other critical business operations, corporate staff should not be expected to be the front lines for network defense.

In the case of a ransomware attack that starts with a phishing expedition, sure, maybe the employee messed up by clicking a bad link in a moment of distraction. We can all pile on them for not noticing the spelling error or poor grammar in the email, or that the URL was a typo-squat, or that the email metadata did not match up with the contents of the email, etc.

But where did security really fail?

It failed when it did not block the malicious email for the same reasons we want to blame the errant employee. It failed when it allowed malicious code to execute on the network. It failed when it allowed command and control to be established and additional executables to be downloaded. It failed when lateral movement and credential theft were not detected. It failed when it did not block sequences leveraging native network tools when the behavior was outwardly malicious. It failed when it did not detect and block the data exfiltration. And it failed when it did not prevent critical data and systems from being encrypted.

When you evaluate an attack like this and take all of the failures into consideration, blaming the failure of the entire security stack on one employee who mistakenly clicked a link is ridiculous. Millions of dollars of security that can be undone by one click is the problem, not the person who clicked.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.