A company that fell victim to a ransomware attack and paid millions of cybercriminals for the decryption key to restore its files fell victim to the same ransomware operators less than two weeks later after failing to examine why the attack may have happened in the first place.
The WannaCry attacks in spring 2017, followed by NotPetya a few months later, alerted the public to the potential impact of ransomware attacks. Both attacks have been attributed by the NCSC as the work of state-sponsored actors. The ransomware has spread independently and virulently across networks, affecting almost every device it has touched.
Today, ransomware is quite different. Not in terms of impact (which continues to have devastating operational ramifications for victims), but rather in terms of the techniques employed.
Ransomware activities can flourish because organizations struggle to function without modern data; thus, even a brief stoppage of the most mundane administrative functions can cripple an entire business.
Until recently, ransomware focused only on the availability of information element by preventing users from accessing their data. This was done either by encryption or by changing user accounts and passwords. But as the prevalence of backups and system redundancy increased to alleviate the disruption in availability, attackers breached confidentiality by threatening to post stolen material online.
Rather than simply ignoring the ranon request when restoring their systems from backups, victims now fear that their sensitive data will be exposed to the world and, with it, run the risk of damage to their reputation. There will also be additional considerations on the impact of sanctions by a data protection authority (such as the CNIL in France).
The company that does not carry out the analysis
In a blog post, the UK’s National Cyber Security Center (NCSC) urges organizations to be careful. She spoke about a company that fell victim to a ransomware attack and paid millions in bitcoins to restore the network and recover files.
However, the company stayed there, failing to analyze how cybercriminals infiltrated the network. This backfired as the same operators infiltrated the network through the same breaches with the same ransomware less than two weeks later. The company ended up paying a ransom a second time.
We heard about an organization that paid a ransom (just under £ 6.5million at current exchange rates) and recovered its files (using the decryptor provided), with no effort to identify the root cause and secure your network. Less than two weeks later, the same attacker again attacked the victim’s network, using the same mechanism as before, and redeployed his ransomware. The victim felt she had no choice but to pay the ransom again, the NCSC blog post noted.
Treat the causes, not the symptoms
The NCSC felt that the incident should serve as a lesson for other organizations, as long as if you are the victim of a ransomware attack, it is critical to find out what hole cybercriminals have made to integrate into the network. without being detected before the ransomware payload is triggered.
For most victims who contact the NCSC, their first priority is – naturally – to recover their data and ensure that their business can function again. The real problem, however, is that ransomware is often just a visible symptom of a more serious network intrusion that may have lingered for days or even longer. Even with the ransomware removed and the system restored from backups, the attackers:
- can have backdoor access to the network
- probably have administrator privileges
- could just as easily redeploy the ransomware if they wanted to
Examining the network following a ransomware incident and determining how the malware may have entered the network while remaining undetected for such a long time is therefore something that all organizations experiencing ransomware should consider in parallel with network restoration (or preferably, before they even think about restoring the network).
Some might think that paying the criminals the ransom will be the fastest and most cost-effective way to restore the network, but this is also rarely the case. Because not only is the ranon paid, potentially very dirty, but post-event analysis and rebuilding a damaged network are also expensive.
And as the NCSC notes, falling victim to a ransomware attack will often result in a long period of disruption before operations look anything like normal.
Recovering from a ransomware incident is rarely a quick process. Investigating, rebuilding the system and recovering data often involve weeks of work, the organization says on its note.
The agency advises to ensure that operating systems and security patches are up to date and to apply multi-factor authentication on the network.
She also recommends doing regular updates:
- Make regular backups of your most important files – this will be different for each organization – make sure you know how to restore files from backup and periodically test that it works as expected.
- Be sure to create offline backups that are separate, in a different location (ideally offsite), from your network and systems, or in a cloud service designed for this purpose, as the ransomware actively targets the backups to increase the backups. chances of payment.
- Make multiple copies of files using different backup solutions and vaults. You should not rely on two copies on a single removable drive, nor on multiple copies in a single cloud service.
- Make sure that the devices containing your backup (such as external hard drives and USB keys) are not permanently connected to your network. Attackers will target connected backup devices and solutions to make recovery more difficult.
- You should make sure that your cloud service protects previous versions of the backup from immediate deletion and allows you to restore them. This will prevent both your live data and your backup data from becoming inaccessible – cloud services often sync automatically immediately after your files have been replaced with encrypted copies.
- Make sure that the backups are only connected to known clean devices before starting the restore.
- Scan backups for malware before restoring files. Ransomware may have infiltrated your network over a period of time and replicated in backups before it is discovered.
- Regularly apply patches to products used for backup, so that attackers cannot exploit known vulnerabilities they might contain.
Source : NCSC
And you ?
What do you think of the advice provided by the NCSC?
–
