Reply to post:

Massachusetts city tells ransomware scumbags to RYUK off, our IT staff will handle this easily

Alien8n

I can absolutely tell you that it does not need someone to be phished to gain access. We bought a company not long ago and discovered that at some point they'd been ransomwared (they got hit by CrySis). For some reason they'd left the encrypted files on the server under the assumption they'd be able to decrypt them at some future point. They restored from their backups, so I'm not sure what benefit keeping the encrypted files would have. Once we got their hardware set up at our head office we decided to keep the servers separate from ours; turns out that was a wise decision, as they then got hit by Phobos. What's interesting though is that both ransomware attacks used the same attack vector, by brute forcing their way through the firewall using an RDP vuln. After the first attack they'd failed to patch the firewall, leaving the attack vector wide open for a later attack. Also turns out they'd failed to patch the servers, which meant the RDP settings weren't secure either. Hindsight is wonderful, but looking back I'm so glad I took the decision to ensure the 2 domains were on separate networks.
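The RDP brute-force pattern the commenter describes is easy to spot in Windows Security logs if anyone is looking. As an added example (not from the commenter or The Register), here is a small detector that flags source IPs with repeated failed RemoteInteractive logons; the simplified log export format, IP addresses and timestamps are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a flattened Windows Security log export.
# Event 4625 = failed logon, 4624 = successful logon.
# LogonType 10 = RemoteInteractive (RDP); LogonType 3 = network (e.g. SMB).
SAMPLE_LOG = """\
2023-08-01T02:14:01 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2023-08-01T02:14:03 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.45
2023-08-01T02:14:05 EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.45
2023-08-01T02:14:08 EventID=4625 LogonType=10 TargetUser=sqlsvc SourceIP=203.0.113.45
2023-08-01T02:14:10 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2023-08-01T02:14:12 EventID=4625 LogonType=10 TargetUser=scanner SourceIP=203.0.113.45
2023-08-01T02:20:00 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.7
2023-08-01T02:22:30 EventID=4625 LogonType=3 TargetUser=jsmith SourceIP=198.51.100.7
2023-08-01T02:31:00 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.7
2023-08-01T02:32:15 EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.7
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)"
)


def parse_events(text):
    """Parse the constructed export into dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "eid": int(m["eid"]),
                           "lt": int(m["lt"]), "user": m["user"], "ip": m["ip"]})
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: peak_failures} for IPs with >= threshold failed RDP
    logons (4625, LogonType 10) inside any sliding window of the given length."""
    failures = defaultdict(list)
    for e in events:
        if e["eid"] == 4625 and e["lt"] == 10:  # only RDP logon failures count
            failures[e["ip"]].append(e["ts"])
    hits = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = max(hits.get(ip, 0), end - start + 1)
    return hits
```

On the sample, 203.0.113.45 is flagged with six failures in twelve seconds while the user who simply mistyped a password twice is not.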
