An employee needed a common network monitoring tool. He did what everyone does: typed the name into a search engine and clicked what looked like the program's official site. He downloaded the installer and dropped it on a shared network folder. Soon after, a systems administrator opened it. Forty-four hours later, the company's systems were encrypted, starting with its own backup server, and more than 75 gigabytes of data had already been stolen. Nobody opened a suspicious attachment or fell for a phishing email. It all started by searching for the name of a program they use every day.
The case, documented by the forensic investigation team at The DFIR Report, shows a shift that should worry any company: the trap left the inbox and moved to the search bar. And the lure was not built for the distracted intern. It was tailored to the most technical person in the building, impersonating one of the very tools they trust.
How a search turns into ransomware
The bait was a legitimate, well-known product, ManageEngine OpManager. The search result led to opmanager[.]pro, a lookalike domain with a copy of the official site, which redirected to a second address and delivered a tampered installer: ManageEngine-OpManager.msi. The file ended up on a shared network folder, and a systems administrator ran it on the initial machine.
That click set off no alarm; the sequence began quietly. First came a loader, Bumblebee, a program whose only job is to open the door for others: it disguised itself as a legitimate Windows component and immediately called the attackers' servers. Five hours later a remote-control tool came in, AdaptixC2. On the second and third days the intruders were already hopping from machine to machine up to the domain controller, the server that holds the keys to the whole network. They stole credentials, created admin accounts with backup-like names so as not to raise suspicion, and copied out more than 75 gigabytes in two batches. Only then, at the 44-hour mark, did they launch the ransomware, the program that encrypts files and demands a ransom. They started, deliberately, with the backup server, and deleted the Windows Volume Shadow Copies to shut the door on recovery.

The 44-hour chain, from the click on the fake installer to encryption and the destruction of the backups.
The group behind this, Akira, is no amateur. It runs as a rental business, in which recruited affiliates carry out the break-ins and split the ransom with whoever builds the tool. According to the joint alert from the FBI and CISA, the United States cybersecurity agency, Akira has collected more than 244 million dollars in ransoms since 2023, and tallies from the sites where these groups expose their victims point to more than fourteen hundred targets. In Portugal the problem is not abstract: the National Cybersecurity Centre ranks ransomware and infostealers, the programs that steal credentials, among the threats with the greatest impact on the country, and nine in ten organizations in critical sectors say they feel a growing risk of being attacked. The same body points to malicious ads and fake downloads, so-called malvertising, as one of the most common entry points for those programs, which often pave the way for attacks like this one.
Why it catches the careful ones
What grips me in this case is not the ransomware but the bait. Impersonating an administration tool was no accident. The people who install network monitoring are IT staff, who have privileged access and whose machine is the shortest path to the rest of the company. The attack exploited no exotic technical flaw; it exploited trust. A search result looks like a neutral recommendation, and a pixel-perfect copy of a site raises no alarm. The person who knows most about security was fooled because they were looking for exactly what they were handed.
But there is a part here that works in our favour, and it is the 44 hours. Between the click and the encryption, nearly two full days of noisy activity passed inside the network: new accounts, new remote access, huge data transfers. It was not a lightning strike, it was a slow occupation. Anyone watching what comes in and goes out, with backups beyond the network's reach, would have had time to break the chain before the ending.
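The "noisy activity" above is exactly what a detection rule can watch for. The following is an added example, not code or data from The DFIR Report or the article, that runs three small rules over constructed logs: a new account with a backup-like name that is made an administrator shortly after creation, a command that wipes Volume Shadow Copies, and one host pushing an unusually large volume to a single external address. The event IDs are the standard Windows Security log ones (4720 account created, 4728/4732 member added to a global/local group, 4688 process created), but the field names, the backup-name pattern, the thresholds and every sample record are simplified assumptions made for this example.

```python
"""Rules for the 'noisy middle' of a ransomware chain, over constructed logs.

Added example; the records below are constructed, not taken from the case.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed Windows Security events (field names simplified for the example).
EVENTS = [
    {"time": "2025-01-10T09:12:00", "id": 4720, "host": "DC01", "subject": "jsmith",
     "target": "svc_backup2"},
    {"time": "2025-01-10T09:13:30", "id": 4728, "host": "DC01", "subject": "jsmith",
     "target": "svc_backup2", "group": "Domain Admins"},
    {"time": "2025-01-10T09:40:00", "id": 4720, "host": "DC01", "subject": "helpdesk",
     "target": "m.costa"},
    {"time": "2025-01-11T22:00:00", "id": 4688, "host": "WS07", "subject": "jsmith",
     "cmdline": "vssadmin.exe list shadows"},
    {"time": "2025-01-12T04:05:00", "id": 4688, "host": "BACKUP01", "subject": "svc_backup2",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"time": "2025-01-12T04:05:10", "id": 4688, "host": "BACKUP01", "subject": "svc_backup2",
     "cmdline": "wmic.exe shadowcopy delete"},
]

# Constructed outbound flow records (destination IPs are documentation ranges).
FLOWS = [
    {"time": "2025-01-11T20:00:00", "src": "FS01", "dst": "203.0.113.7", "bytes_out": 30 * 2**30},
    {"time": "2025-01-11T20:30:00", "src": "FS01", "dst": "203.0.113.7", "bytes_out": 25 * 2**30},
    {"time": "2025-01-11T20:45:00", "src": "WS07", "dst": "198.51.100.2", "bytes_out": 200 * 2**20},
    {"time": "2025-01-11T21:00:00", "src": "FS01", "dst": "10.0.0.5", "bytes_out": 40 * 2**30},
]

BACKUP_LIKE = re.compile(r"backup|bkup|bkp", re.IGNORECASE)   # assumed naming pattern
ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
SHADOW_WIPE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE)
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _t(s):
    return datetime.fromisoformat(s)


def backup_named_admins(events, window=timedelta(hours=24)):
    """Accounts created (4720) with a backup-like name that join an admin
    group (4728/4732) within `window` of their creation."""
    created = {e["target"]: _t(e["time"]) for e in events
               if e["id"] == 4720 and BACKUP_LIKE.search(e["target"])}
    hits = []
    for e in events:
        if e["id"] in (4728, 4732) and e.get("group") in ADMIN_GROUPS and e["target"] in created:
            age = _t(e["time"]) - created[e["target"]]
            if timedelta(0) <= age <= window:
                hits.append((e["target"], e["group"], e["subject"]))
    return hits


def shadow_copy_wipes(events):
    """Process-creation events whose command line deletes shadow copies."""
    return [(e["host"], e["subject"], e["cmdline"]) for e in events
            if e["id"] == 4688 and SHADOW_WIPE.search(e.get("cmdline", ""))]


def bulk_egress(flows, threshold=10 * 2**30, window=timedelta(hours=1)):
    """Peak bytes sent per (src, external dst) in any sliding `window`;
    pairs above `threshold` are returned. Internal destinations are ignored."""
    by_pair = defaultdict(list)
    for f in sorted(flows, key=lambda f: f["time"]):
        if not any(ip_address(f["dst"]) in n for n in INTERNAL):
            by_pair[(f["src"], f["dst"])].append((_t(f["time"]), f["bytes_out"]))
    hits = []
    for (src, dst), recs in by_pair.items():
        start, total, peak = 0, 0, 0
        for t, b in recs:
            total += b
            while t - recs[start][0] > window:   # slide the window forward
                total -= recs[start][1]
                start += 1
            peak = max(peak, total)
        if peak > threshold:
            hits.append((src, dst, peak))
    return hits


def triage(events=EVENTS, flows=FLOWS):
    """Run all three rules and return their hits keyed by rule name."""
    return {"backup_named_admins": backup_named_admins(events),
            "shadow_copy_wipes": shadow_copy_wipes(events),
            "bulk_egress": bulk_egress(flows)}


if __name__ == "__main__":
    for rule, hits in triage().items():
        print(rule, hits)
```

Each rule fires on a different stage of the occupation described above: the account rule on the day the intruders settle in, the egress rule during the data theft, and the shadow-copy rule in the final minutes before encryption. Any one of them is a reason to pull the plug, and the first two come many hours before the damage.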
How to protect yourself
The measures that stop this kind of attack are within reach of any organization:
- Always download from the vendor's official site. Type the address by hand or use a saved bookmark; do not rely on the order of search results or on ads.
- Be wary of lookalike domains. opmanager[.]pro is not the vendor's domain; a product name registered under an unrelated top-level domain, or a single swapped character, is enough to fool a quick glance.
- Keep offline, tested backups. Copies the network cannot reach are what separate a scare from a catastrophe; these attackers go for the backups first.
- Watch behaviour, not just the file. Admin accounts created out of nowhere, new remote access, and large data transfers are warning signs.
- Limit privileges. Even the administrator does not need full, permanent access to everything; the less each account can reach, the smaller the damage from a wrong click.
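The first two measures, download only from the vendor's own domain and distrust lookalikes, can be enforced rather than merely remembered. The following is an added example, not the article's or any vendor's code, of a small gate that checks a download URL against an allowlist before anyone runs the installer. It assumes manageengine.com as the vendor domain and the names one expects to see on it; it flags three kinds of lookalike (a domain within a couple of edits of the real one, a product name under a foreign top-level domain, and a punycode label that may hide a homoglyph); and it extracts the registrable domain with a naive last-two-labels rule, which is wrong for suffixes such as co.uk, so a real deployment should use the Public Suffix List instead.

```python
"""Download-URL gate against a vendor allowlist (added example, assumptions noted)."""
from urllib.parse import urlsplit

# Assumed allowlist for this example: vendor domain -> names expected on it.
ALLOWED = {"manageengine.com": ("manageengine", "opmanager")}
MAX_EDIT_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Naive registrable domain: last two labels, in ASCII/punycode form.
    Caveat: wrong for multi-label suffixes (co.uk); use the Public Suffix List."""
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_host = host
    labels = ascii_host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def verdict(url: str):
    """Return (decision, domain, reasons); decision is 'allow', 'block' or 'review'."""
    host = urlsplit(url).hostname or ""
    domain = registrable_domain(host)
    if domain in ALLOWED:
        return ("allow", domain, [])
    reasons = []
    sld = domain.split(".")[0]          # second-level label, e.g. 'opmanager'
    if sld.startswith("xn--"):
        reasons.append("internationalized (punycode) label; possible homoglyph domain")
    for good, names in ALLOWED.items():
        dist = levenshtein(sld, good.split(".")[0])
        if dist <= MAX_EDIT_DISTANCE:
            reasons.append(f"within {dist} edit(s) of {good}")
        for name in names:
            if name in sld:
                reasons.append(f"carries the name '{name}' but is not {good}")
    return ("block" if reasons else "review", domain, reasons)


if __name__ == "__main__":
    # Constructed URLs for the example; the first is the real vendor domain,
    # the second is the lookalike from the case, the rest are variations.
    for u in ("https://www.manageengine.com/",
              "https://opmanager.pro/download",
              "https://managengine.com/",
              "https://example.org/"):
        print(u, "->", verdict(u))
```

Anything that comes back "block" should never reach a shared folder, and "review" means a human confirms the source by typing the vendor's address or using a bookmark, which is the article's first rule restated as a control.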
A search result is not a source of truth, it is a suggestion ranked by an algorithm that criminals have learned to manipulate. The question to ask before installing is no longer "is this file safe?" but "did I really come from the right place to download it?". The difference between those two questions can be the whole company.
Sources: The DFIR Report, FBI and CISA, National Cybersecurity Centre.
#StaySafe
🙏🖖