Answering burning questions from victims of cyber events
My organization was hacked, and ransomware encrypted our files. We have no interest in paying the ransom because we don’t want to encourage malicious activity. Do we have any reason to believe they will hack us again? – PARANOID PROGRAMMER
DEAR PARANOID PROGRAMMER:
That’s a great question — and one I’m often asked. The short answer is “Yes, you should be concerned that this group or another group will hack you again.” As long as your computers are connected to the internet and your business makes money and is sensitive to reputational harm, you will continue to be a target for attack.
There is no question that the internet has simplified connectivity and enabled businesses to increase their reach to customers, prospects, and partners. Unfortunately, it has also given threat actors the same benefits, making it easy for them to identify and attack their targets.
With ransomware groups, the motivation is financial. Their operations are high-volume, high business — meaning, they likely didn’t single out and directly attack your organization. Rather, you were one of many that the threat actor attacked during a recent campaign because of a misconfiguration, inadequate security, or a user falling victim to a phishing email. These groups are scouring the internet to find as many entry points as possible. If they find a weakness, they will follow and execute a procedure and then await payment. For example, they may steal and threaten to publicly reveal sensitive data, encrypt files, and demand money in exchange for deleting, or restoring access to, the stolen data.
The bottom line: If they aren’t hacking and deploying ransomware, they aren’t making money. Similar to the ABC (Always Be Closing) rule of sales, ransomware threat groups must “Always Be Compromising” networks to encrypt files so they can make money.
So yes, you should prepare to be hit again — but in the meantime, also prepare for a better defense. As part of your recovery process, and after the forensic investigation concludes, consider performing a security assessment and documenting lessons learned. Both activities will reveal vital information that can help harden your security posture.
Most importantly, don’t think of this event as a snapshot in time. Cybersecurity and hacking have a cyclical relationship: Threat actors will continue to subvert security operations (SecOps) as you improve SecOps. By keeping a close eye on the threat landscape, including threat actor techniques and tools, your organization can evolve its SecOps program and deploy cyber defenses that keep safeguards in place and up to date to mitigate current attack trends.
Arete IR Director Stephen Ramey is here to answer burning questions from victims of cyber events. If you have a question, please don’t hesitate to reach out at [email protected]. Arete wants to help by sharing our insight and experience.