RSAC, Ransomware

Most organizations that paid a ransom were hit with a second ransomware attack

More than three-quarters of organizations that paid a ransom suffered a second ransomware attack within a month. (“Cash Money” by athrasher is marked with CC0 1.0.)

Cybereason on Tuesday released a report that found some 80% of organizations that paid a ransom were hit by ransomware a second time — and 68% said the second attack came less than one month later and the threat actors demanded a higher ransom amount.

The study, based on responses from more than 1,400 cybersecurity pros, also found that 73% of organizations suffered at least one ransomware attack in 2022, compared with just 55% in the 2021 study.

Cybereason found that it’s not possible for companies to pay their way out of a ransomware attack, said Sam Curry, chief security officer at Cybereason. Curry said the ransomware gang members are “soulless” and after organizations decide to pay a ransom and begin the long recovery process, within days and weeks they are hit again and again — and the ransom demands get higher.

Click here for all the coverage coming out of RSAC.

“In life and death situations, organizations may need to pay, and in those situations decisions might be made to save lives or ensure critical infrastructure networks continue to function,” Curry said. “For all organizations, prepare for inevitable in peacetime, improve your resiliency, and reduce risks associated with ransomware. And strongly consider deploying EDR solutions on your endpoints, which the U.S. government mandated in 2021 for all government agencies."

Ransomware attackers have sometimes promised that they won’t attack a victim again if they just pay the ransom and some organizations have made the mistake of believing them, said Mike Parkin, senior technical engineer at Vulcan Cyber. Parkin said even if the attacker keeps their promise, which they occasionally do, there’s no guarantee a different threat actor wouldn’t also attack. 

“The bottom line being that once an organization suffers a successful ransomware attack, they need to up their game so it doesn’t happen again,” Parkin said. “Because it will happen again. While they may not admit to the public that they paid a ransom, you can bet the attacker told their peers about it, which just makes the victim more of a target.”

Nicole Hoffman, senior cyber threat intelligence analyst at Digital Shadows, said it’s not uncommon for organizations and their customers to experience secondary attacks in the months following a ransomware attack. Hoffman said it’s also not uncommon for organizations to get attacked by a second ransomware group during an ongoing attack by another ransomware group.

“This can lead to double encryption and organizations then have to deal with two ransomware groups instead of one, which can be a big headache,” Hoffman said. "With any type of cyberattack, companies need to determine the attack vectors used to gain access into the enterprise environment so mitigations can be put in place to prevent them from being exploited a second time. This is not always as easy as it sounds because cybercriminals often cover their tracks and use several evasive techniques. Additionally, security pros need to identify all infected systems so they can remove any existing malware, such as a backdoor that would provide an attacker persistent access.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.