The UK’s National Cyber Security Centre (NCSC) warned of rising cases of ransomware attacks, including victims hit by repeat attacks shortly after paying a ransom.
NCSC detailed a case involving an organization that paid millions in ransom for a decryption key after it was hit by ransomware.
However, the same ransomware gang struck again within two weeks, demanding another payment.
NCSC’s cautionary tale highlights some organizations’ lack of a robust cybersecurity strategy, leaving them extremely vulnerable to ransomware attacks.
Company failed to address an exploited vulnerability, leading to a repeat attack
NCSC says that the affected company parted with $6.5 million worth of bitcoin to obtain the decryption key. However, it failed to investigate the cause of the ransomware attack and simply continued to operate as before.
When the same ransomware operator struck again, the unnamed company was forced to pay a ransom for the second time.
“Less than two weeks later, the same attacker attacked the victim’s network again, using the same mechanism as before, and re-deployed their ransomware,” the UK agency wrote in a blog post. “The victim felt they had no other option but to pay the ransom again.”
The NCSC noted that companies prioritized recovering their files to resume normal operations without addressing the real problem. This makes it easier for repeat ransomware attacks to succeed.
“However, the real problem is that ransomware is often just a visible symptom of a more serious network intrusion that may have persisted for days, and possibly longer,” the agency wrote.
Consequently, the attackers maintain persistence that they could use to launch future ransomware attacks.
NCSC says that companies should investigate how the attackers managed to compromise the network before restoring their data.
While paying the ransom could be the quickest method of resuming operations, total recovery from a ransomware attack is a long process and could take weeks, according to the agency.
Ransomware operators have diversified monetization and attack methods
NCSC pointed out that the ransomware threat landscape has evolved and that cybercriminals have adopted “hybrid business models for monetization.”
Initially, they depended on encrypting data and locking users out of their computers. More recently, they adopted the double extortion method: the attackers exfiltrate data before encrypting the victim’s files, demand a ransom for the decryption key, and then threaten to publish the stolen data online unless the victim pays. Additionally, they have employed “increasingly sophisticated and targeted methods of deployment.”
Preventing ransomware attacks and mitigating their effects
Preventing ransomware attacks, and limiting their impact when they do occur, is the most effective way to avoid disruption, according to NCSC.
Organizations could achieve this by patching vulnerable systems and keeping operating systems updated.
Similarly, enabling multi-factor authentication on VPN and RDP services reduces ransomware incidents, because these two remote-access services have become the most common initial compromise vectors.
Proper backing up of data could save an organization from spending millions in exchange for a decryption key. It would also allow the speedy resumption of operations after a ransomware attack.
Deploying endpoint security solutions could also prevent ransomware operators from using common intrusion techniques.
NCSC notes that WannaCry and NotPetya ransomware attacks “alerted the public to the potential impact of ransomware attacks” in 2017. During the same year, the median total cost of a ransomware attack was $133,000.
“Unfortunately, this is a hard lesson to learn, and as the NCSC commented, the response to ransomware really must start with ‘how did it get there?’” says Andrew Hollister, Senior Director at LogRhythm Labs. “When an organization falls victim to ransomware, the pressure to get back to normal business operations is huge and the ability to do so in a timely manner may be pivotal to the company’s ability to continue operating at all.”
However, he warns that “regaining access to the encrypted files is only one part of the story.” Determining the compromise method, remediating it, and assessing whether the threat actors have established persistence to provide future access are, he adds, crucial.
“An appropriately configured security monitoring solution that has full visibility into the environment could provide the opportunity to thwart bad actors prior to the ransomware taking hold. A framework such as MITRE ATT&CK can help organizations to prioritize detection of those tactics and techniques leveraged by the actors that are carrying out these attacks,” Hollister concluded.
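As an added example, not code from the NCSC post, from LogRhythm or from this article, the following Python script shows what the kind of monitoring described above looks like in practice for the initial-access vectors the article names (RDP and VPN logons). It runs over a handful of constructed remote-access log lines and flags a successful RDP logon from outside the organization’s private address ranges, a burst of failed logons followed by a success (password guessing), and a VPN logon recorded without MFA. The log format, the field names (user, src, mfa) and the private-range definition are assumptions made for this example; the MITRE ATT&CK technique IDs attached to each finding (T1133 External Remote Services, T1110 Brute Force) are real, but the mapping is the example’s own choice.

```python
"""Added example (not from the NCSC post or this article): a small detector
for the remote-access initial-access patterns the article describes.
Log format, field names and address ranges are assumptions for this example."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines. Assumed format:
#   <ISO timestamp> <service: rdp|vpn> <FAIL|SUCCESS> key=value ...
SAMPLE_LOG = """\
2021-05-10T02:11:05Z rdp FAIL    user=jsmith src=203.0.113.45
2021-05-10T02:11:09Z rdp FAIL    user=jsmith src=203.0.113.45
2021-05-10T02:11:14Z rdp FAIL    user=jsmith src=203.0.113.45
2021-05-10T02:11:21Z rdp SUCCESS user=jsmith src=203.0.113.45
2021-05-10T08:30:00Z rdp SUCCESS user=adavis src=10.0.4.22
2021-05-10T09:02:17Z vpn SUCCESS user=mlee src=198.51.100.7 mfa=no
2021-05-10T09:05:40Z vpn SUCCESS user=kchen src=198.51.100.9 mfa=yes
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<svc>rdp|vpn)\s+(?P<result>FAIL|SUCCESS)\s+(?P<kv>.*)$"
)

# RFC 1918 ranges stand in for "inside the organization" (an assumption;
# a real deployment would list its own address space here).
PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(part.split("=", 1) for part in m["kv"].split())
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "svc": m["svc"],
        "result": m["result"],
        **fields,
    }


def is_internal(ip_text):
    """True if the source address falls inside the assumed private ranges."""
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in PRIVATE_NETS)


def analyse(log_text, fail_threshold=3, window_seconds=300):
    """Return (finding, user, src, attack_id) tuples for suspicious logons."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    findings = []
    failures = defaultdict(list)  # (user, src) -> timestamps of recent FAILs

    for e in events:
        key = (e["user"], e["src"])
        if e["result"] == "FAIL":
            failures[key].append(e["ts"])
            continue

        # A success preceded by a burst of failures from the same source
        # is the password-guessing pattern (ATT&CK T1110 Brute Force).
        recent = [t for t in failures[key]
                  if (e["ts"] - t).total_seconds() <= window_seconds]
        if len(recent) >= fail_threshold:
            findings.append(("password_guessing_then_success",
                             e["user"], e["src"], "T1110"))

        # RDP reachable from outside the private ranges, or a VPN logon
        # without MFA, are the exposed remote-access services the article
        # warns about (ATT&CK T1133 External Remote Services).
        if e["svc"] == "rdp" and not is_internal(e["src"]):
            findings.append(("external_rdp_logon", e["user"], e["src"], "T1133"))
        if e["svc"] == "vpn" and e.get("mfa") == "no":
            findings.append(("vpn_logon_without_mfa", e["user"], e["src"], "T1133"))

        failures[key].clear()  # a success resets the failure window
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

On the constructed sample the script reports three findings: the jsmith logon is flagged twice (guessing followed by success, and an RDP logon from a public address), and the mlee VPN logon is flagged for the missing MFA marker; the internal adavis logon and the MFA-protected kchen logon produce nothing. The point is not the specific rules but that each one is tied to a named technique, which is the prioritization the quoted advice recommends.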