What’s worse than suffering a ransomware attack? Suffering two ransomware attacks. According to data published by Cybereason earlier this year, four of five companies that pay ransom demands suffer another attack.
Figures from IBM indicate that 70% of victims do pay ransoms, which suggests that just over half of all victims experience a second attack. This frankly seems implausibly high, but it’s certainly true that if the security team doesn’t plug the hole the attacker used to get in or can’t figure out how they got in, there’s a realistic chance that another threat actor will identify the same weak spot.
However, second attacks are not inevitable if the right lessons are learned from the first. Let’s look at the top questions that ransomware victims should ask and answer in the aftermath of an attack:
- What was the initial access vector?
In other words, how did the threat actor gain access to the company’s systems? During engagements worked by our incident responders in 2021, one of the top initial access vectors (IAVs) was unpatched vulnerabilities in internet-facing devices. There’s a reason why we repeatedly urge organizations to patch their systems. Failure to patch a vulnerability that has already been exploited for access is like asking for a repeat visit. The other most used IAV was the use of purchased, stolen or guessed credentials.
- What was the overall dwell time?
To move from initial access to encryption of data can take a ransomware attacker anything from 24 hours to several months. An attack timeframe of just hours offers a significant challenge for detection, standing up incident response and evicting the threat actor. It's essential for companies to be fully instrumented with comprehensive extended detection and response (XDR) deployment, and robust, well-tested incident response plans and processes. However, because even the fastest-paced deployment passes through several stages, there are always opportunities to stop the attack.
- What opportunities were there to stop the attack before ransomware was deployed?
Every opportunity to detect the attacker serves as a potential win for network defenders and a potential loss for the attacker. In other words, to carry out an attack, the cybercriminal has to win multiple times. To foil an attack, the defender has to win just once.
Between initial access and ransomware deployment, a typical post-intrusion ransomware attack passes through: discovery, lateral movement, persistence, command and control, and data exfiltration. Each of those “precursor” activities presents opportunities for detection and defense. If security teams make attacks seem too much like hard work for an opportunistic attacker, they may decide to find easier pickings elsewhere.
Sadly, it’s not uncommon to discover that a ransomware victim was alerted to suspicious behavior during the “detection window” and failed to investigate the alert. XDR deployment, the ability to respond to alerts, and access to threat intelligence about the threat actor’s playbook will help.
- Did our incident response processes work for us?
Incident planning covers a multitude of policies and procedures around backups, business continuity, and recovery. These preparations should not overlook the obvious. After a ransomware attack takes place, it’s not unusual to hear the following: “We have a well-worked-out incident response plan. Unfortunately, it was on a machine that was encrypted.”
We also hear this: “We never got around to practicing the plan.”
- Are we certain that the threat actor has been evicted?
Companies need to empower incident responders, internal or external, to ensure that all intrusion activity has been identified, contained, and evicted in a controlled manner. And it’s equally important to monitor for ongoing activity that wasn't spotted as part of the containment effort, or for re-entry activity in the rare case that the adversary tries to regain a foothold.
For some organizations, it’s challenging to find the answers to these questions without external assistance. In fact, working with expert incident responders can make sure all the right questions get asked first time so that a second attack doesn’t succeed.
However, ultimately, by preventing the first attack in the first place, organizations can stop the second ransomware attack. This means keeping a constant and laser-like focus on security hygiene – patching, multi-factor authentication, and reducing and hardening the attack surface. Ransomware attackers will take any opportunity to attack, so security teams must ensure that those opportunities don’t arise.
Jane Adams, information security research consultant, Secureworks