What You Should Do When Ransomware Hits Twice

Ransomware attacks are hitting companies hard, and attackers are now going after backup systems too. Just when companies thought they were secure in the age of cloud, criminals are targeting misconfigured cloud storage as well. But what happens when a company becomes a victim twice? We set out three proven, battle-tested techniques to keep ransomware from coming back.

October 23, 2020

Of late, the news cycle has been awash with reports of ransomware attacks. Attackers never seem to rest and are always ready to take advantage of an organization's weaknesses. Security researchers have sounded early warnings about new ransomware strains in the wild that can cripple enterprise networks, and even well-tested defenses can fail against them. When held hostage, many businesses err on the side of caution and pay the ransom to avoid a data leak. However, the FBI advises that paying is not the best route for organizations to take.

This is rarely a one-off. There is a saying that lightning never strikes twice in the same place, but when it comes to ransomware the chance of being struck again is better than even, as the survey figures below show. Per the FBI's 2019 Internet Crime Report, the IC3 received 2,000+ ransomware complaints in 2019 with adjusted losses of over $8.9 million.

According to cybersecurity firm SentinelOne, ransomware attacks on critical infrastructure have surged in the last two years. Data collected by Temple University shows that over the last seven years there were "700 ransomware attacks on critical infrastructure, an average of just under 100 per year, but in fact over half of those have occurred since 2019."

[Graphic: frequency of ransomware attacks on critical infrastructure. Source: SentinelOne]

Meanwhile, a 2018 Sophos survey found that ransomware is a repeat offender, with 54% of organizations suffering more than one attack in the preceding 12 months.

Before we dive into the various attack vectors and ransomware’s impact on organizations, let us define ransomware. 


What Is Ransomware & How Does It Work?

In a nutshell, ransomware is a malicious program which, once running on a computer, encrypts files and in doing so may render the computer unusable. A message is then displayed demanding payment for a decryption key to recover the encrypted data. However, the ransomware program itself is only the tip of the iceberg: for it to be deployed at all, the attackers must first have gained access to the computer.

There are quite a few ways for ransomware to get onto a computer. It can arrive via malicious emails, infected files, or compromised websites. A vulnerable public-facing service can provide the entry point. Third-party service providers can be the route in, as can people bringing in their own USB memory sticks. In other words, pretty much every vector used by other forms of malware is also used for ransomware. Like other malware, ransomware can also install a backdoor, and if the original infection is not completely cleaned up, the attackers can re-enter the system and strike again.

When Ransomware Strikes Twice 

I experienced a ransomware attack last year when the company I worked with was using an improperly secured NoSQL database. Guess what happened? They got ransomed. Security was tightened, and I sat with the IT department and watched with glee as the attacker tried to get back in on a custom RDP port. If the data backups had been infected as well, the outcome would have been catastrophic.

My company was lucky, but other companies have not been. Last year, a school in Connecticut was hit twice by ransomware: four months after the first attack it was still recovering when the second attack shut down the computer system again. With limited resources, educational institutions are easy targets for ransomware. Nor does being big make a company invulnerable. Pitney Bowes, a significant player in the e-commerce world, was recently hit twice in seven months.

Even a company that is not the actual target of a ransomware attack can be crippled by one. Managed Service Providers (MSPs) are the new targets of choice for ransomware attackers: they provide services to thousands of businesses, and when they go down they are under huge pressure to get back online as soon as possible.

One such company, TSM Consulting Services Inc. in Texas, was attacked about a year ago, and the attack crippled the operations of 22 Texas municipalities. One of those municipalities was hit twice because it used TSM.


How to Defend Against Ransomware Attacks?  

So how is it that companies get hit by ransomware multiple times? There can be many reasons, but the underlying one is simple: a company that has been hit once is likely to be attacked again. After all, if you found a gold nugget on a hiking trail, wouldn't you go back to look for another one?

Unfortunately, according to Sophos, more than a quarter of those hit by ransomware pay the ransom, which tells attackers that the target pays. The chance of being successfully attacked again also depends greatly on how the company responded to the first attack, whether the attackers come back with the same ransomware or with a different method.

So what can be done to prevent a second ransomware attack? Almost exactly the same proven practices that prevent malware in general are just as effective at preventing, or recovering from, ransomware. We aren't talking about newer anti-exploit technologies here, but battle-tested practices such as keeping servers patched and monitored and keeping backups that are known to restore.

Here are the three key proven ransomware prevention techniques:

1. Data Backups: From personal experience, the most important part of recovering from a ransomware attack is a good quality backup. If it wasn't for the multiple levels of backup used at the company I worked for during its ransomware attack, years of data would have been wiped out. The company didn't pay the ransom, although payment was discussed, as it would have been cheaper than the loss of data and time. Paying the ransom is the wrong thing to do, as it only encourages attackers to keep going. Since attackers now go after backup systems as well, keep at least one backup copy offline or otherwise unreachable from the production network, and test regularly that it actually restores.

2. Ensure systems are up to date: Apart from having a good backup system, ensure that your security equipment, firewalls, antivirus, network intrusion detection systems, and deep packet inspection systems are all kept up to date. Reduce publicly available services and remote login endpoints to the bare minimum, and keep an extra tight watch on those that remain by monitoring their logs for repeated failed logins and for logins from unexpected sources. Of course, it should go without saying that all operating systems must be kept up to date with the latest patches.

3. Ensure MSPs follow cyber hygiene: Any third-party providers or MSPs you use should operate to the same security standard as your own company. Often the weakest link is the employees themselves, so educating them not to click on suspicious links is a good idea. Some IT departments create their own test phishing emails and send them around; those who click the links are reported to the IT department and flagged for extra training.
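The log watch suggested in technique 2, and the attacker knocking on a custom RDP port in the account above, both come down to the same check: spotting repeated failed logins from one source and, worse, a success right after them. The script below is an added example written for this article, not the author's or any vendor's code. It assumes Linux sshd lines in the /var/log/auth.log format (for RDP you would feed it Windows Security events 4625 and 4624 instead); the log lines, the threshold of five failures in sixty seconds, and the hostnames and addresses are all constructed for illustration.

```python
"""Flag brute-force attempts against a remote login service from its logs.

Added example, not from the article. It parses Linux sshd lines as written to
/var/log/auth.log, keeps a sliding window of failures per source address, and
escalates when a success follows a burst of failures, which is what a guessed
password looks like in the log.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not from any real incident. 203.0.113.0/24 and
# 198.51.100.0/24 are reserved documentation address ranges.
SAMPLE_LOG = """\
Oct 21 02:14:01 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Oct 21 02:14:03 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Oct 21 02:14:05 bastion sshd[1201]: Failed password for root from 203.0.113.7 port 51024 ssh2
Oct 21 02:14:07 bastion sshd[1201]: Failed password for root from 203.0.113.7 port 51025 ssh2
Oct 21 02:14:09 bastion sshd[1201]: Failed password for root from 203.0.113.7 port 51026 ssh2
Oct 21 02:14:11 bastion sshd[1201]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Oct 21 02:20:00 bastion sshd[1300]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Oct 21 02:31:00 bastion sshd[1301]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
"""

# Matches the sshd "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

FAIL_THRESHOLD = 5               # failures from one address ...
WINDOW = timedelta(seconds=60)   # ... inside this window raise an alert (tune per service)


def parse_events(lines):
    """Yield (timestamp, result, user, ip) for every line that matches LINE_RE."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            # syslog timestamps carry no year; strptime fills in 1900, which is
            # fine for the relative comparisons done below.
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]


def detect_brute_force(lines, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts as (kind, source_ip, detail) tuples in log order."""
    recent_failures = defaultdict(list)  # ip -> failure timestamps inside the window
    flagged = set()
    alerts = []
    for ts, result, user, ip in parse_events(lines):
        if result == "Failed":
            kept = [t for t in recent_failures[ip] if ts - t <= window]
            kept.append(ts)
            recent_failures[ip] = kept
            if len(kept) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("BRUTE_FORCE", ip,
                               f"{len(kept)} failures within {int(window.total_seconds())}s"))
        elif ip in flagged:
            # A success from an address already flagged means a password was guessed:
            # treat the account as compromised, not merely probed.
            alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", ip, f"login as {user}"))
    return alerts


if __name__ == "__main__":
    for kind, ip, detail in detect_brute_force(SAMPLE_LOG.splitlines()):
        print(f"{kind:26} {ip:15} {detail}")
```

Run against the sample it reports one BRUTE_FORCE alert for 203.0.113.7 and then a SUCCESS_AFTER_BRUTE_FORCE for the root login that follows; alice's single typo followed by a key-based login is left alone. The second alert is the one to page on, because it means the attacker is now inside and the host needs the fine-toothed-comb treatment described later.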


Key Priorities: When in Crisis, Monitor Major Threats  

As mentioned before, ransomware can also install a backdoor to give the attacker future access to a compromised system. If you have been hit by a ransomware attack, it is imperative to investigate the whole environment with a fine-toothed comb. Most ransomware is built to spread across a network and will look for other computers to infect. Any computer can act as a carrier, even one whose operating system cannot run the ransomware itself: it can still store the file for a vulnerable computer to download and execute.

This is often the case in enterprise-sized companies. The servers may run Linux or Unix while the employee computers most probably run Windows. Most ransomware targets Windows, so the servers themselves may not be infected. However, the Windows clients use file shares on those servers to exchange files, so an infected file dropped on a share can be passed to every client by the Typhoid Mary server. Worse, a ransomware process running on a single infected client can encrypt everything on the shares that client can write to, so an uninfected server can still lose its data.
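Checking a share or a backup set for exactly this kind of damage is the verification step that technique 1 (backups) and the file-server scenario above both call for. The script below is an added example written for this article, not the author's or any product's code. It takes a SHA-256 manifest of the tree at backup time (the manifest must be stored off the share, otherwise an attacker with write access can simply rewrite it) and on a later scan reports files that are modified, missing or new, that carry a suspect extension or ransom-note file name, or whose bytes look encrypted by a Shannon entropy test. The extension list, note names, entropy threshold, and the sample files it creates in a temporary directory are all constructed for illustration; real ransomware families use many other names.

```python
"""Check a file share or backup set for signs of ransomware.

Added example, not the article's own tooling. It keeps a SHA-256 manifest taken
at backup time (store it off the share, or an attacker can rewrite it too) and
later reports files that are modified, missing or new, that carry a suspect
extension or ransom-note name, or whose bytes look encrypted (high entropy).
The indicator lists are short, constructed samples; real families use many names.
"""
import hashlib
import math
import os
import tempfile
from pathlib import Path

SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc"}          # constructed sample
RANSOM_NOTE_NAMES = {"how_to_decrypt.txt", "restore_my_files.txt",
                     "decrypt_instructions.html"}                           # constructed sample
# Already-compressed formats are high-entropy by nature; skip the entropy check for them.
ALREADY_COMPRESSED = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4", ".pdf"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted or random data sits close to 8.0
SAMPLE_BYTES = 64 * 1024  # entropy is estimated on the first 64 KiB of each file


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map each file's path (relative to root, POSIX separators) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def scan(root, manifest: dict) -> list:
    """Return sorted (relative_path, reason) findings for the tree under root."""
    root = Path(root)
    findings, seen = [], set()
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        if p.suffix.lower() in SUSPECT_EXTENSIONS:
            findings.append((rel, "RANSOM_EXTENSION"))
        if p.name.lower() in RANSOM_NOTE_NAMES:
            findings.append((rel, "RANSOM_NOTE"))
        if rel not in manifest:
            findings.append((rel, "NEW"))
        elif sha256_file(p) != manifest[rel]:
            findings.append((rel, "MODIFIED"))
        if p.suffix.lower() not in ALREADY_COMPRESSED:
            with open(p, "rb") as f:
                if shannon_entropy(f.read(SAMPLE_BYTES)) > ENTROPY_THRESHOLD:
                    findings.append((rel, "HIGH_ENTROPY"))
    findings.extend((rel, "MISSING") for rel in manifest if rel not in seen)
    return sorted(findings)


def demo() -> dict:
    """Build a tiny share, baseline it, simulate an encryption run, and rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp)
        (share / "finance").mkdir()
        (share / "finance" / "q3_report.txt").write_text("Revenue up 4% quarter on quarter.\n" * 50)
        (share / "policies.txt").write_text("Acceptable use policy, version 3.\n" * 20)
        manifest = build_manifest(share)  # taken at backup time, kept off the share
        baseline = scan(share, manifest)
        # Constructed simulation of what an infected Windows client does to a mapped
        # share: overwrite with ciphertext (random bytes here), rename, drop a note.
        victim = share / "finance" / "q3_report.txt"
        victim.write_bytes(os.urandom(16 * 1024))
        victim.rename(victim.with_name(victim.name + ".locked"))
        (share / "finance" / "HOW_TO_DECRYPT.txt").write_text("Your files are encrypted.\n")
        return {"baseline": baseline, "after_attack": scan(share, manifest)}


if __name__ == "__main__":
    result = demo()
    print("baseline findings:", result["baseline"])
    for rel, reason in result["after_attack"]:
        print(f"{reason:17} {rel}")
```

The baseline scan comes back empty; after the simulated run the original report is reported MISSING, its .locked replacement is NEW with a suspect extension and encrypted-looking content, and the ransom note shows up as NEW with a known note name, while the untouched policy file is silent. The entropy test is what catches an encrypted file even when the attacker keeps the original name, and the manifest comparison is what catches a quietly corrupted backup before you discover it on restore day.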


Locutus

Computer engineer

As someone who was assimilated into the computer age when punch cards and marking Xs were all the rage, I have now become completely assimilated with my electron-gobbling companions. My first computer was a Dick Smith System 80 blue label with its excellent BASIC programming manual. I had always been fascinated with graphics, and I wrote my first drawing program (using a joystick, as I had no mouse) on the venerable Apple ][e. After discovering the x86 IBM clones and wangling my way into the computer industry, I hopped several cities before meeting my other half and followed her from Australia to Turkey, where I am immersed in my work as a Computer Engineer, System Administrator, OS builder (Linux From Scratch and Android) and general techno-head.
