A Company Paid Millions to Get Their Data Back – Then Fell Victim to the Same Attack Again

An unnamed organization fell victim to ransomware, failed to adequately investigate the root cause of the attack, and as a result fell victim to the exact same attack two weeks after the original incident. Even worse, the victim organization paid the ransom demand both times in order to restore its network. After the initial attack, the company paid bitcoin worth roughly £6.5 million GBP or $8.9 million USD in order to recover its data. Less than two weeks later, the same threat actor attacked the victim's network again, using the same mechanism as before, and re-deployed their ransomware. It is imperative that organizations that fall victim to ransomware concentrate on finding out how it happened before anything else. The cost of an incident response investigation from a top-tier security firm is far less than paying another ransom.

Analyst Notes

Some believe that paying the ransom to criminals is the most cost-effective and the fastest way to restore an organization's network, but that is not always the case. Additionally, paying a ransom lets threat actors know that an organization is willing to pay, making it a likely target for future attacks. Victims of ransomware must investigate and determine how malware was able to enter their network undetected. This investigation should be carried out before restoring networks. Before an attack takes place, organizations should have an incident response plan in place. A detailed plan should include response and notification procedures for a ransomware incident. Regularly patch software and operating systems to the latest available versions. Employ best practices for use of RDP and other remote desktop services by protecting them behind a strong VPN with Multi-Factor Authentication (MFA) and auditing any unusual login events from IP addresses or devices that are different from what the employee account normally uses. Threat actors commonly gain initial access through insecure Internet-facing remote services or phishing. When an attack makes it through the outer layers of defense, it is important to have a Security Operations Center or a managed security monitoring service with expert security analysts on duty, such as the Binary Defense Security Operations Task Force. The Task Force provides 24/7 monitoring of SIEM and endpoint detection systems to detect and defend against intrusions on an organization's network.
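The login audit recommended above (flagging remote-access logins from an IP address or device an account has never used before) can be implemented as a simple per-account baseline check. The following is an added example, not code from Binary Defense; the login records, field names and the baseline cut-off date are constructed for illustration.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample of remote-access (VPN/RDP) login events; not real data.
SAMPLE_LOGINS = """\
timestamp,user,src_ip,device
2020-01-06T08:02:11,alice,203.0.113.10,ALICE-LAPTOP
2020-01-07T08:05:43,alice,203.0.113.10,ALICE-LAPTOP
2020-01-08T08:01:09,alice,203.0.113.10,ALICE-LAPTOP
2020-01-09T03:17:52,alice,198.51.100.77,WIN-9Q2X
2020-01-06T09:10:00,bob,192.0.2.44,BOB-DESKTOP
2020-01-07T09:12:30,bob,192.0.2.44,BOB-DESKTOP
2020-01-08T09:09:00,bob,192.0.2.45,BOB-DESKTOP
2020-01-09T10:00:00,carol,192.0.2.99,CAROL-LAPTOP
"""

def parse_logins(text):
    """Parse CSV login records into a list of dicts (one per login event)."""
    return list(csv.DictReader(StringIO(text)))

def build_baseline(events, baseline_end):
    """Per-account sets of source IPs and devices seen strictly before baseline_end."""
    baseline = defaultdict(lambda: {"ips": set(), "devices": set()})
    for e in events:
        if e["timestamp"] < baseline_end:  # ISO 8601 timestamps sort lexicographically
            baseline[e["user"]]["ips"].add(e["src_ip"])
            baseline[e["user"]]["devices"].add(e["device"])
    return baseline

def find_anomalous_logins(events, baseline_end):
    """Flag logins at/after baseline_end from an IP or device the account never used before.
    An account with no history at all is also flagged, since it cannot be vetted."""
    baseline = build_baseline(events, baseline_end)
    alerts = []
    for e in events:
        if e["timestamp"] < baseline_end:
            continue  # part of the learning window, not a candidate for alerting
        known = baseline.get(e["user"])
        reasons = []
        if known is None:
            reasons.append("no baseline for account")
        else:
            if e["src_ip"] not in known["ips"]:
                reasons.append("new source IP")
            if e["device"] not in known["devices"]:
                reasons.append("new device")
        if reasons:
            alerts.append({**e, "reasons": reasons})
    return alerts
```

With the cut-off "2020-01-08", the 03:17 login for alice from an unseen IP and hostname is reported with both reasons, bob's login from a neighbouring address is reported as a new IP only, and carol is reported because the account has no history to compare against.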