To borrow a phrase from Oscar Wilde, to fall victim to a ransomware attack once may be regarded as a misfortune. To fall victim to a ransomware attack twice looks like carelessness.
And yet, that is exactly what happened to an organisation just this month. They paid the ransom, received the decryption key, restored systems and returned to ‘normal’ without carrying out a post event analysis, believing the story was over and done with.
Until they were attacked by the same cyber criminals a second time, just two weeks later. They had neglected to carry out a full post event analysis to find out how the attack happened in the first place, and in doing so they let the attackers back in.
The lesson of this story is that without a post event analysis that identifies the compromised or vulnerable components of the network, followed by steps to remove or mitigate them, cyber criminals can take advantage and successfully attack again.
Why it’s important to understand the causes of a cyber attack
Cyber criminals are opportunistic attackers. Most victims are chosen simply because the attackers can easily make a profit from attacking them. Now that the attackers know that an organisation’s network is vulnerable, they may try again.
In addition, most cyber attacks are not one and done. In some cases, the attackers may have been lurking inside a network for some time before they are detected. According to research, the dwell time (the time between the attackers first infiltrating a network and the attack being identified) varies between 43 days and 56 days on average. Some ransomware attackers piggyback off other forms of software which lurk undetected in systems until ready to strike (see the example of the now defunct Emotet).
They will not withdraw from a network just because the attack is over; they will wait for the next opportunity. Therefore it is up to the victim to analyse the causes of the attack and investigate the tactics, techniques and procedures (TTPs) that allowed the attacker to insert malware into the network and compromise the organisation.
Once this post event analysis is done, the organisation needs to ensure that the necessary controls are in place both to reduce the likelihood of another attack and to reduce the impact of an incident if it does happen again.
Post event analysis is a crucial step to recovery
For most organisations, a cyber attack is just the tip of the iceberg. Once the attack is over, they begin the long, arduous journey of rebuilding. Incident response and recovery require the organisation to assess the damage, understand how their network security controls were compromised, rebuild systems, recover data, and more. This post event analysis can take weeks, disrupting operations and causing concern to customers.
However, while efforts are understandably focused on returning to operations, incident recovery must also work quickly to identify the cause of the attack, so that the attackers cannot come back in before the organisation has had the opportunity to close the vulnerability.
Avoid becoming a victim once, let alone twice
Cyber criminals are opportunistic – they attack organisations that they believe have weak defences. Avoid falling victim to a ransomware attack by ensuring that the organisation’s network security posture is mature enough to keep cyber criminals out.
Some of the elements of a mature network security posture include:
- Monitor the network perimeter at all times, and ensure alerting systems are in place to pick up and notify of attacks
- Segment networks to ensure that an attacker can’t compromise the entire network in the event of a breach
- Prevent malware being delivered through emails by setting filters that only allow permitted file types, and alert when suspicious files are received
- Make sure security patches are up to date
- Change default passwords across all access points
- Apply multi-factor authentication to all systems where applicable
- Support employees to set strong passwords and recognise the signs of a social engineering attack (for example a phishing or smishing attack)
- Require the use of a VPN to access the organisation’s network from a remote location
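As an added illustration of the email filtering control in the list above (this is example code written for this page, not something from the original post or from any particular mail product), the following Python function applies an extension allowlist to incoming attachments and raises an alert on anything that does not fit: a type that is not on the allowlist, a double extension such as `invoice.pdf.exe` that disguises an executable, or a file whose leading bytes do not match the type its name claims. The allowlist, the executable-type list and the sample attachments are all assumptions constructed for the demonstration; the magic-byte signatures are the well-known ones for PDF, PNG, JPEG and Office Open XML (a ZIP container).

```python
"""Attachment allowlist filter with alerting (added example, not from the post).

The policy values below are assumptions chosen for the demonstration;
a real deployment would take them from the organisation's own policy.
"""
from dataclasses import dataclass, field

# Extensions the organisation permits as mail attachments (assumed policy).
ALLOWED_EXTENSIONS = {"pdf", "docx", "xlsx", "png", "jpg", "txt", "csv"}

# Extensions that should never arrive by email under this policy (assumed).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "js", "vbs", "bat", "cmd",
                         "ps1", "hta", "lnk", "iso", "img"}

# Well-known leading bytes for some allowed types, used to verify that the
# content really is what the filename claims.
MAGIC = {
    "pdf": [b"%PDF-"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "docx": [b"PK\x03\x04"],   # Office Open XML is a ZIP container
    "xlsx": [b"PK\x03\x04"],
}


@dataclass
class Verdict:
    filename: str
    allowed: bool
    reasons: list = field(default_factory=list)


def _extensions(filename):
    """Return every dotted suffix, lower-cased: 'a.PDF.exe' -> ['pdf', 'exe']."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def inspect_attachment(filename, content):
    """Decide whether one attachment passes the allowlist; collect reasons if not."""
    reasons = []
    exts = _extensions(filename)
    if not exts:
        return Verdict(filename, False, ["no file extension"])
    final = exts[-1]
    if final not in ALLOWED_EXTENSIONS:
        reasons.append(f"extension '.{final}' not on allowlist")
    # A permitted-looking inner extension followed by another one is a
    # classic lure (invoice.pdf.exe); flag it regardless of the final type.
    if len(exts) > 1 and any(e in ALLOWED_EXTENSIONS for e in exts[:-1]):
        reasons.append("double extension disguising file type")
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        reasons.append("executable or script type present")
    # Check the claimed type against the first bytes of the content.
    signatures = MAGIC.get(final)
    if signatures and not any(content.startswith(s) for s in signatures):
        reasons.append(f"content does not match '.{final}' signature")
    return Verdict(filename, not reasons, reasons)


def filter_attachments(attachments):
    """Split (filename, bytes) pairs into those that pass and those to alert on."""
    verdicts = [inspect_attachment(name, data) for name, data in attachments]
    passed = [v for v in verdicts if v.allowed]
    alerts = [v for v in verdicts if not v.allowed]
    return passed, alerts


# Constructed sample attachments for the demonstration (not real files).
SAMPLE_ATTACHMENTS = [
    ("quarterly-report.pdf", b"%PDF-1.7 constructed sample"),
    ("invoice.pdf.exe", b"MZ\x90\x00 constructed sample"),
    ("photo.png", b"\x89PNG\r\n\x1a\n constructed sample"),
    ("notes.docx", b"MZ\x90\x00 not really a docx"),
    ("README", b"plain text without an extension"),
    ("macro.xlsm", b"PK\x03\x04 constructed sample"),
]

if __name__ == "__main__":
    passed, alerts = filter_attachments(SAMPLE_ATTACHMENTS)
    for v in passed:
        print("ALLOW", v.filename)
    for v in alerts:
        print("ALERT", v.filename, "-", "; ".join(v.reasons))
```

Of the six constructed samples only the genuine PDF and PNG pass; the four alerts show the three failure modes the filter is built to catch, plus the bare `README` that carries no type at all. The signature check is what stops a renamed executable riding in under an allowed extension, which a name-only allowlist would let through.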
And if these defences fail, ensure that there are solid incident response and recovery plans in place.
Incident response – ensuring all is not lost
Sadly, not all ransomware attacks can be prevented, and that’s why it is recommended to have a comprehensive, fully documented and tested incident recovery plan in place.
A complete, tested plan which includes requirements such as creating regular system backups will ensure that in the event of a ransomware attack the organisation is able to restore systems successfully, potentially avoiding the need to pay the ransom, and with it the reputational hit and the double cost of the ransom and the post event analysis.
Further damage can also be avoided by setting out the tasks, roles and responsibilities of team members, and the order in which they are to be carried out. For example, assign team members to inform the public or the authorities, identify the IT team members who need to work quickly on the post event analysis and recovery, and identify any expert support needed to achieve this.
And that circles back to the starting point. It’s not over until the post event analysis says so.