In a post about the rise of ransomware, the United Kingdom’s National Cyber Security Centre (NCSC) has shared a cautionary tale about an unnamed company being hit with the same ransomware a second time, just weeks after paying the ransom demands from the first attack.
“For most victims that reach out to the NCSC, their first priority is – understandably – getting their data back and ensuring their business can operate again. However, the real problem is that ransomware is often just a visible symptom of a more serious network intrusion that may have persisted for days, and possibly longer.”
As the NCSC alludes to here, attention should not be focused solely on recovery; finding the root cause of the unauthorized access is just as critical. A thorough investigation is needed to determine how the attackers got in, how long they had access, whether they created new accounts or other persistence for later use, and whether credentials or data were taken. Restoring from a decryptor or backups without closing that access simply hands the same intruders the same network back.
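One concrete form of that investigation step is to pull every account created in the weeks before encryption out of the Windows Security log, see which of them were dropped into privileged groups, and use the earliest activity involving those accounts (or the accounts that created them) as a lower bound on how long the intruder was inside. The script below is an added example, not code from the NCSC post or this article. It assumes Security events have already been exported into plain dicts with the fields shown (from Get-WinEvent, a SIEM, or an EVTX parser); the event records, account names, IP address and dates are constructed for illustration.

```python
"""Post-incident triage: find accounts an intruder may have created for later
access, and a lower bound on how long they were inside the network.

Added example (not from the NCSC post). Assumes Windows Security log events have
been exported into dicts with the fields used below; all sample events, account
names, addresses and dates are constructed.
"""
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Windows Security event IDs relevant to account-based persistence.
EVT_ACCOUNT_CREATED = 4720             # a user account was created
EVT_LOGON = 4624                       # an account was successfully logged on
EVT_GROUP_MEMBER_ADDED = {4728, 4732}  # member added to a global / local security group

# Groups whose membership gives an attacker durable, high-value access.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Remote Desktop Users"}

# Constructed sample events. "subject" is the account performing the action,
# "target" the account acted upon (for 4624, the account that logged on).
SAMPLE_EVENTS: List[Dict] = [
    {"time": "2023-11-10T09:12:00", "event_id": 4720, "subject": "hradmin", "target": "hr.intern"},
    {"time": "2024-02-20T02:41:00", "event_id": 4624, "subject": "-", "target": "jsmith",
     "logon_type": 10, "source_ip": "203.0.113.5"},
    {"time": "2024-03-01T03:05:00", "event_id": 4720, "subject": "jsmith", "target": "svc_backup2"},
    {"time": "2024-03-01T03:06:00", "event_id": 4732, "subject": "jsmith", "target": "svc_backup2",
     "group": "Administrators"},
    {"time": "2024-03-01T03:07:00", "event_id": 4732, "subject": "jsmith", "target": "svc_backup2",
     "group": "Remote Desktop Users"},
    {"time": "2024-04-05T14:20:00", "event_id": 4720, "subject": "dbadmin", "target": "sqlsvc"},
]
# Constructed: when the ransomware was deployed.
ENCRYPTION_TIME = datetime.fromisoformat("2024-04-10T03:00:00")


def _ts(event: Dict) -> datetime:
    return datetime.fromisoformat(event["time"])


def accounts_created_before_encryption(events: Iterable[Dict], encryption_time: datetime,
                                       lookback_days: int = 90) -> Dict[str, Dict]:
    """Return {account: {"created", "created_by", "groups"}} for every account created
    in the lookback window before encryption. Each one must be matched to a legitimate
    change record or treated as attacker persistence and removed before recovery."""
    window_start = encryption_time - timedelta(days=lookback_days)
    created: Dict[str, Dict] = {}
    for e in events:
        if e["event_id"] == EVT_ACCOUNT_CREATED and window_start <= _ts(e) <= encryption_time:
            created[e["target"]] = {"created": _ts(e), "created_by": e["subject"], "groups": []}
    # Second pass: which of those new accounts were then added to groups?
    for e in events:
        if e["event_id"] in EVT_GROUP_MEMBER_ADDED and e["target"] in created:
            created[e["target"]]["groups"].append(e["group"])
    return created


def privileged_new_accounts(created: Dict[str, Dict]) -> List[str]:
    """New accounts that landed in a privileged group: the most likely backdoors."""
    return sorted(a for a, info in created.items() if PRIVILEGED_GROUPS & set(info["groups"]))


def dwell_time_lower_bound(events: Iterable[Dict], created: Dict[str, Dict],
                           encryption_time: datetime) -> timedelta:
    """Time from the earliest event touching a suspicious new account, or the account
    that created it, to encryption. This is a lower bound only: the intruder was inside
    at least this long, and the credentials they came in on may be older still."""
    suspects = set(created) | {info["created_by"] for info in created.values()}
    times = [_ts(e) for e in events if e["target"] in suspects or e["subject"] in suspects]
    if not times:
        return timedelta(0)
    return encryption_time - min(times)


if __name__ == "__main__":
    found = accounts_created_before_encryption(SAMPLE_EVENTS, ENCRYPTION_TIME)
    for name, info in found.items():
        print(f"{name}: created {info['created']} by {info['created_by']}, groups={info['groups']}")
    print("privileged new accounts:", privileged_new_accounts(found))
    dwell = dwell_time_lower_bound(SAMPLE_EVENTS, found, ENCRYPTION_TIME)
    print("intruder present for at least", dwell.days, "days before encryption")
```

In the constructed data, the old `hr.intern` account falls outside the window and is ignored, `sqlsvc` is new but unprivileged and needs a change ticket to explain it, and `svc_backup2` was created by `jsmith` and immediately made a local administrator with RDP rights, which is the classic shape of a persistence account. Because `jsmith` created it, `jsmith`'s earlier remote logon is pulled into the timeline, putting the intruder inside for at least 50 days, far longer than the encryption event alone suggests.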
“We’ve heard of one organisation that paid a ransom (a little under £6.5 million with today’s exchange rates) and recovered their files (using the supplied decryptor), without any effort to identify the root cause and secure their network. Less than two weeks later, the same attacker attacked the victim’s network again, using the same mechanism as before, and re-deployed their ransomware. The victim felt they had no other option but to pay the ransom again.”
Ransomware actors often spend as long as they can inside a network before encrypting anything: stealing credentials, moving laterally between systems and exfiltrating data. Paying the ransom guarantees neither that the victim gets working files back nor that the actors delete the stolen data, and, as the NCSC's example shows, it does nothing to close the access the attackers still hold.