Ransomware: A company paid millions to get their data back, but forgot to do one thing. So the hackers came back again

A cautionary tale shows how organisations that fall foul of ransomware should concentrate on finding how it happened before anything else - or they could fall victim again.
Written by Danny Palmer, Senior Writer

A company that fell victim to a ransomware attack and paid cyber criminals millions for the decryption key to restore its network was hit by the exact same ransomware gang less than two weeks later, after failing to examine why the attack was able to happen in the first place.

The cautionary tale is detailed by the UK's National Cyber Security Centre (NCSC) in a blog post about the rise of ransomware.

The unnamed company fell victim to a ransomware attack and paid millions in bitcoin in order to restore the network and retrieve the files.


However, the company just left it at that, failing to analyse how cyber criminals infiltrated the network – something that came back to haunt them when the same ransomware gang infected the network with the same ransomware less than two weeks later. The company ended up paying a ransom a second time.

"We've heard of one organisation that paid a ransom (a little under £6.5 million with today's exchange rates) and recovered their files (using the supplied decryptor), without any effort to identify the root cause and secure their network. Less than two weeks later, the same attacker attacked the victim's network again, using the same mechanism as before, and re-deployed their ransomware. The victim felt they had no other option but to pay the ransom again," the NCSC blog said.

The NCSC has detailed the incident as a lesson for other organisations – and the lesson is that if you fall victim to a ransomware attack, find out how it was possible for cyber criminals to embed themselves on the network undetected before the ransomware payload was unleashed.

"For most victims that reach out to the NCSC, their first priority is – understandably – getting their data back and ensuring their business can operate again. However, the real problem is that ransomware is often just a visible symptom of a more serious network intrusion that may have persisted for days, and possibly longer," said the blog post by an NCSC technical lead for incident management.

In order to install ransomware, cyber criminals may have been able to gain backdoor access to the network – potentially via a previous malware intrusion – as well as having administrator privileges or other login credentials.

If the attackers have that, they could easily deploy another attack if they wanted to – and did, in the example detailed above, as the victim hadn't examined how their network was compromised.

Examining the network after a ransomware incident, and determining both how the malware entered and how the intruders stayed undetected for so long, is therefore something every organisation that falls victim to ransomware should be doing alongside restoring the network – or preferably before it even thinks about restoring the network.
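The root-cause step the NCSC is describing has a concrete starting point: before any system is rebuilt or any decryptor is run, look back over the logs from the days before the ransomware detonated for the persistence the intruder left behind (new accounts, group membership changes, scheduled tasks, services). The following Python script is an added example and is not part of the NCSC post or the ZDNet article. It uses a simplified, constructed pipe-separated log layout rather than real Windows event log output; the event IDs (4720, 4732, 4698, 7045) are the standard Windows Security and System event IDs for those actions, but the host names, account names and timestamps are invented.

```python
"""Post-incident look-back triage (added example, constructed data).

Scans a simplified change/authentication log for persistence-related
events that occurred in a window before the ransomware detonation time,
and flags accounts that were both created and elevated in that window.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List

# Standard Windows event IDs that record the kinds of changes an intruder
# makes to keep access.  Descriptions are the usual Microsoft meanings.
WATCHED_EVENTS = {
    4720: "user account created",
    4732: "member added to security-enabled local group",
    4698: "scheduled task created",
    7045: "new service installed",
}


@dataclass
class Event:
    when: datetime
    event_id: int
    host: str
    subject: str   # account that performed the action
    target: str    # account, task or service affected


def parse_line(line: str) -> Event:
    # Constructed layout: timestamp|event_id|host|subject|target
    ts, eid, host, subject, target = line.strip().split("|", 4)
    return Event(datetime.fromisoformat(ts), int(eid), host, subject, target)


def find_pre_detonation_changes(lines: Iterable[str], detonation: datetime,
                                lookback_days: int = 30) -> List[Event]:
    """Return watched events inside [detonation - lookback, detonation)."""
    start = detonation - timedelta(days=lookback_days)
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.event_id in WATCHED_EVENTS and start <= ev.when < detonation:
            hits.append(ev)
    return sorted(hits, key=lambda e: e.when)


def rogue_admin_accounts(hits: List[Event]) -> List[str]:
    """Accounts created (4720) and then added to a group (4732) in the window."""
    created = {e.target for e in hits if e.event_id == 4720}
    elevated = {e.target for e in hits if e.event_id == 4732}
    return sorted(created & elevated)


def summarise(hits: List[Event]) -> List[str]:
    return [f"{e.when.isoformat()} {e.host} {WATCHED_EVENTS[e.event_id]}: "
            f"{e.target} (by {e.subject})" for e in hits]


# Constructed sample log: an intruder creates and elevates an account,
# then adds a scheduled task and a service before the ransomware runs.
SAMPLE_LOG = """\
2021-03-01T09:12:00|4624|FS01|alice|alice
2021-03-03T02:41:10|4720|DC01|svc_backup|sysadm1n
2021-03-03T02:41:35|4732|DC01|svc_backup|sysadm1n
2021-03-04T23:05:00|4698|FS01|sysadm1n|UpdaterTask
2021-03-10T11:00:00|4624|FS01|bob|bob
2021-03-15T03:00:00|7045|FS01|sysadm1n|WinDefendHelper
2021-03-15T03:05:00|4624|FS01|sysadm1n|sysadm1n
"""
DETONATION = datetime(2021, 3, 15, 3, 10)  # constructed detonation time

if __name__ == "__main__":
    hits = find_pre_detonation_changes(SAMPLE_LOG.splitlines(), DETONATION)
    for line in summarise(hits):
        print(line)
    print("accounts created and elevated before detonation:",
          rogue_admin_accounts(hits))
```

On the sample data the script lists four changes made in the fortnight before detonation and names `sysadm1n` as an account that did not exist before the intrusion and was given group membership by a service account. Restoring files without removing that account, task and service is exactly the situation the NCSC describes: the attacker's way back in survives the recovery.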

Some might believe that paying the ransom to criminals is going to be the quickest and most cost-effective means of restoring the network – but that's rarely the case either. Not only is the ransom itself paid, potentially at a cost of millions, but the post-event analysis and the rebuilding of a damaged network also cost large amounts.


And as the NCSC notes, falling victim to a ransomware attack will often lead to an extended period of disruption before operations resemble anything normal.

"Recovering from a ransomware incident is rarely a speedy process. The investigation, system rebuild and data recovery often involves weeks of work," said the post.

The best way to avoid any of this is to ensure your network is secure against cyberattacks in the first place by doing things like making sure operating systems and security patches are up to date and applying multi-factor authentication across the network.

It's also recommended that organisations regularly back up their networks – and store those backups offline – so that in the event of a successful ransomware attack, the network can be restored with the least disruption possible.