Two Ransoms, One Hack: A cautionary tale of Ransomware
Ransomware is a staple of almost any cyber security discussion, and it is one of those itches that never seems to go away. It is not a new concept, and there are many procedures you should familiarise yourself with and put in place to avoid falling victim to a ransomware attack, such as updating credentials regularly, two-factor authentication (2FA), third-party cloud services, and backups. However, these vital preventative procedures are often overlooked, and this is certainly the case once you are already experiencing such an attack.
For most victims of ransomware, naturally, the first priority is getting the data back and ensuring the business can operate again. However, a blog post from the UK's National Cyber Security Centre (NCSC) revealed that a ransomware attack is more often than not simply the visible symptom of a more serious network intrusion that may have persisted for some time, sometimes days, but possibly longer.
Ransomware is the result of an intrusion into the private data of an individual or business, and for it to be installed successfully the attacker may already have gained a backdoor into the network and likely has access to administrator credentials as well.
There can be several reasons for this, but a strong possibility is that an earlier malware intrusion laid the foundations that made the ransomware attack possible.
If the attacker retains this access, redeploying ransomware at a later date is incredibly simple should they choose to do so, and this is exactly what happened to one unfortunate company described in the NCSC blog post mentioned above.
The blog details how the NCSC heard of one organisation that paid a ransom and recovered their files using the supplied decryptor, without any effort to identify the root cause and secure their network. Less than two weeks later, the same attacker attacked the victim's network again, using the same mechanism as before, and re-deployed their ransomware. This meant that the company had to fork out the ransom fee a second time to reclaim its data.
This is why, should you fall victim to such an event, a thorough examination of your network and security settings should be conducted immediately after, or even before, recovering your data. It is important to identify how the malware entered your network in the first place and how it managed to remain undetected for so long.
It is also often assumed that paying the ransom is the best-case scenario during such an event, but frequently it is not. Paying the ransom is costly not only financially but also in the time spent afterwards, and rebuilding a damaged network can in itself cost large amounts.
We also emphasise, along with the NCSC, that recovering from a ransomware attack is not a quick process. Identifying the cause, investigating, rebuilding the system and recovering the data can take weeks of work.
It is also important to remember that hackers don't differentiate. Whether it's your personal data or the data of your business, it is a potential target. If you have any concerns about your network security, what to do to avoid becoming a victim, or questions regarding anything IT-related, please get in touch with one of the team here at ACS, the IT crew that puts you above all that we do.