In a post about the rise of ransomware, the United Kingdom’s National Cyber Security Centre (NCSC) has shared a cautionary tale about an unnamed company being hit with the same ransomware a second time, just weeks after paying the ransom demands from the first attack.
“For most victims that reach out to the NCSC, their first priority is – understandably – getting their data back and ensuring their business can operate again. However, the real problem is that ransomware is often just a visible symptom of a more serious network intrusion that may have persisted for days, and possibly longer.”
As the NCSC's post alludes to, attention should not be focused solely on recovery efforts; investigating to find the root cause of the unauthorized access is critically important. A thorough investigation is needed to determine the method of intrusion, how long the attackers had access, whether they created any new accounts for later access, and so on.
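One concrete piece of that investigation is checking whether accounts were created during the intrusion window, and whether any of them were then added to a privileged group. The script below is an added example (not from the article or the NCSC post) that triages constructed Windows Security events of that kind: event ID 4720 is "a user account was created" and 4732 is "a member was added to a security-enabled local group", both standard Windows event IDs, while the hostnames, user names, timestamps and the pipe-delimited line format are invented for the example.

```python
"""Triage account-creation events during a suspected intrusion window.

Added example; the log lines are constructed. Event IDs 4720 (user account
created) and 4732 (member added to security-enabled local group) are the real
Windows Security event IDs; everything else (hosts, users, format) is made up.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample in the form "timestamp|event_id|host|subject|target|group".
# subject = the account that performed the action, target = the account acted on.
SAMPLE_EVENTS = [
    "2023-03-01T09:12:00Z|4720|DC01|svc_backup|helpdesk2|",
    "2023-03-03T22:41:10Z|4720|DC01|jsmith|sqladm|",
    "2023-03-03T22:42:05Z|4732|DC01|jsmith|sqladm|Administrators",
    "2023-03-10T14:00:00Z|4720|FS02|hr_admin|newhire01|",
    "2023-03-15T02:00:00Z|4720|DC01|sqladm|svc_update|",
]

@dataclass(frozen=True)
class Event:
    ts: datetime
    event_id: int
    host: str
    subject: str
    target: str
    group: str

def parse_event(line: str) -> Event:
    """Parse one constructed log line into an Event with a UTC-aware timestamp."""
    ts, eid, host, subject, target, group = line.split("|")
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return Event(when, int(eid), host, subject, target, group)

def suspicious_accounts(lines, window_start, window_end, approved_creators):
    """Return accounts created inside the window by non-approved actors.

    Each entry records who created the account, on which host, and whether the
    account was later added to the local Administrators group (event 4732).
    Accounts created by an already-flagged account are flagged too, which
    surfaces chains such as "attacker account creates a second account".
    """
    events = sorted((parse_event(l) for l in lines), key=lambda e: e.ts)
    flagged = {}
    for e in events:
        if e.event_id != 4720 or not (window_start <= e.ts <= window_end):
            continue
        if e.subject in approved_creators and e.subject not in flagged:
            continue
        flagged[e.target] = {"created_by": e.subject, "host": e.host, "privileged": False}
    for e in events:
        if e.event_id == 4732 and e.target in flagged and e.group == "Administrators":
            flagged[e.target]["privileged"] = True
    return flagged

if __name__ == "__main__":
    start = datetime(2023, 3, 2, tzinfo=timezone.utc)
    end = datetime(2023, 3, 16, tzinfo=timezone.utc)
    for name, info in suspicious_accounts(SAMPLE_EVENTS, start, end, {"hr_admin", "svc_backup"}).items():
        print(name, info)
```

The window and the list of approved account creators are the two inputs an investigator supplies; in the sample, `sqladm` is flagged because a non-approved user created it and then made it an administrator, and `svc_update` is flagged because it was created by `sqladm`, while `newhire01` (created by an approved HR admin) and `helpdesk2` (created before the window) are not.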
“We’ve heard of one organisation that paid a ransom (a little under £6.5million with today’s exchange rates) and recovered their files (using the supplied decryptor), without any effort to identify the root cause and secure their network. Less than two weeks later, the same attacker attacked the victim’s network again, using the same mechanism as before, and re-deployed their ransomware. The victim felt they had no other option but to pay the ransom again.”
Ransomware actors often spend as much time as they can inside the network stealing credentials, moving laterally and exfiltrating files before they encrypt anything. There is no guarantee that the victim will get their files back after paying the ransom, or that the actors will actually delete the stolen data.
A solid backup plan will ensure that victim organizations can recover in the event of a ransomware attack. Backups should be created and tested on a regular basis so that recovery is smooth and restores current data. It is also important to maintain “offline” backups that are not connected to the network: many ransomware variants search for connected network shares and USB drives and will attempt to encrypt those as well as local file systems.

Organizations should also have an incident response plan in place. A detailed plan should include steps for identifying impacted systems, isolating them, triaging to determine the nature and scale of the attack, and carrying out the recovery. Both the NCSC and the Cybersecurity & Infrastructure Security Agency (CISA) provide excellent guides on how to prevent and deal with ransomware infections.
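"Tested on a regular basis" means more than confirming the backup job ran: a backup that was reachable from the network may itself have been encrypted or deleted. The script below is an added example (not from the article or from the NCSC or CISA guides) of the kind of integrity check that catches this. It records a SHA-256 manifest when the backup is taken and later compares the backup tree against it, reporting files that are missing, files whose contents changed, and unexpected extra files. The sample backup tree and the simulated tampering are constructed in a temporary directory so the example runs offline.

```python
"""Verify a backup set against a hash manifest before relying on it.

Added example. Assumes a backup tree on local disk and a manifest produced when
the backup was taken; the files created in demo() are constructed sample data.
"""
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the backup tree on disk with the manifest taken at backup time.

    missing: listed in the manifest but no longer on disk
    changed: present but with a different digest (e.g. encrypted in place)
    extra:   on disk but not in the manifest (e.g. dropped notes or renamed files)
    ok:      True only when all three lists are empty
    """
    current = build_manifest(root)
    missing = sorted(set(manifest) - set(current))
    changed = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    extra = sorted(set(current) - set(manifest))
    return {"missing": missing, "changed": changed, "extra": extra,
            "ok": not (missing or changed or extra)}

def demo() -> dict:
    """Build a small constructed backup, take its manifest, then simulate damage and verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "finance").mkdir()
        (root / "finance" / "ledger.csv").write_bytes(b"id,amount\n1,100\n2,250\n")
        (root / "readme.txt").write_bytes(b"quarterly backup set\n")
        manifest = build_manifest(root)
        assert verify_backup(root, manifest)["ok"]  # untouched backup verifies clean

        # Simulate a backup that stayed reachable from the network: one file
        # overwritten with unreadable content, one deleted, one unexpected file added.
        (root / "finance" / "ledger.csv").write_bytes(b"\x00\x17\xa9 not the original data")
        (root / "readme.txt").unlink()
        (root / "RANSOM_NOTE_PLACEHOLDER.txt").write_bytes(b"constructed sample file\n")
        return verify_backup(root, manifest)

if __name__ == "__main__":
    print(demo())
```

In practice the manifest is stored separately from the backup set (ideally with the offline copy), and the check is run as part of the scheduled restore test so that a backup set is known to be intact before it is ever needed.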