Krebs On Security recently posted some details of the recover efforts of yet another company recovering from a devastating ransomeware attack.   @briankrebs points out that one of the under-appreciated vectors of these attacks is to deploy trojan software to steal passwords from all of the infected network endpoints.

The result of this oversight may offer attackers a way back into the affected organization, access to financial and healthcare accounts, or — worse yet — key tools for attacking the victim’s various business partners and clients.

In the case of Wisconsin-based Virtual Care Providers In (VCPI), the attackers “Unleased Trickbot to steal passwords from infected VCPI endpoints that the company used to log in at more than 300 Web sites and services, including:

-Identity and password management platforms Auth0 and LastPass
-Multiple personal and business banking portals;
-Microsoft Office365 accounts
-Direct deposit and Medicaid billing portals
-Cloud-based health insurance management portals
-Numerous online payment processing services
-Cloud-based payroll management services
-Prescription management services
-Commercial phone, Internet and power services
-Medical supply services
-State and local government competitive bidding portals
-Online content distribution networks
-Shipping and postage accounts
-Amazon, Facebook, LinkedIn, Microsoft, Twitter accounts

Krebs’ conclusion is that “Companies that experience a ransomware attack — or for that matter any type of equally invasive malware infestation — should assume that all credentials stored anywhere on the local network (including those saved inside Web browsers and password managers) are compromised and need to be changed.”

Our conclusion is that authentication is fundamental to securing IT systems and it is a bad idea for any individual, organization or business to store authentication credentials locally.