Ransomware attacks have become the norm for many businesses, and they do not necessarily stop once a victim company pays the ransom or restores its systems. This is common for a reason, not by accident. Attackers often retain knowledge of unpatched vulnerabilities, install backdoors, or keep a victim company's stolen credentials, and later use that foothold to attack the same company again. Sophos has reported that, on average, more than 80% of ransomware victims are attacked again within a single year.
This trend is concerning and illustrates the stark reality that ransomware is an ongoing, ever-present risk. The risk is even greater for businesses operating in Australia and New Zealand, where strict data protection regulations are enforced and further data breaches or ransomware attacks bring reputational damage. This blog discusses the methods attackers use to reattack ransomware victims, the vulnerabilities they exploit to do so, and the best practices to implement so that your business stays protected from further ransomware attacks.
Ransomware attacks have evolved over the years and have steadily become more sophisticated. Cybercriminals are no longer seeking a single payout; they now look to monetise the same victim company repeatedly. This has shifted the tactics employed, and as a result a ransomware attack can become a continual or recurring threat once it has been successfully executed against the victim company.
A major contributing factor to this pattern is the growing complexity of ransomware campaigns. The Australian Cyber Security Centre (ACSC) reports that ransomware attacks in Australia are rising by 15% a year, as criminals successfully employ new methods to ensure they can re-enter systems even after the initial attack has been addressed. For example, they may set up covert backdoors, capture user credentials, or leave a patching gap. Such methods let them bypass standard security controls and facilitate additional attacks.
For companies in Australia and New Zealand, the severe consequences of a ransomware infection are well understood. Organisations may face financial losses as well as non-financial harms such as regulatory sanctions, a diminished reputation, and loss of customers. This underscores the importance of understanding the methods threat actors use and securing the environment accordingly.
For truly effective prevention of ransomware reinfection, understanding how attackers regain access is key. Below are some common examples.
As part of the typical attack cycle, attackers install backdoors and deploy malware that lies hidden and dormant in the compromised environment. Removing the ransomware itself does not remove the attacker's ability to get back in through the backdoors implanted during the breach. What makes these backdoors particularly alarming is that they are designed to evade most commercially available antivirus applications.
Ransomware attacks commonly involve stealing user credentials (usernames and passwords), which are then sold on the dark web and used by other attackers to gain access to the compromised environment. According to Verizon's Data Breach Investigations Report, stolen credentials are the primary cause of ransomware attacks, featuring in more than 61% of the documented attacks.
The most apparent reason for ransomware reinfection is failing to address the root cause of the original attack. If left unaddressed, the hardware or software vulnerabilities the attackers exploited remain open to them. This is particularly true for organisations that rely on legacy systems or lack a practice of applying necessary patches.
Cybercriminals are pragmatic and do not stop at the first ransomware attack. They initiate targeted phishing campaigns after the first attack in order to regain access. A phishing attack aimed at employees can reveal sensitive information, whether usernames and passwords or access codes. Exploiting human fallibility can undermine even the most sophisticated cybersecurity protection.
Failing to act on, or to address the root cause of, a ransomware attack can have catastrophic consequences for businesses. The financial losses from reinfection are immediate and obvious; the long-term damage to an organisation's reputation and customer trust can be equally harmful or worse. The risk of regulatory fines is most pronounced for businesses in Australia and New Zealand, where they are legally obligated to protect their customers' information and the laws differ from those in most other countries.
One example of a ransomware attack in Australia is a mid-sized business that incurred damages of two million dollars, multiplied over repeated attacks, from attack-related downtime, recovery, compliance costs, and so on. The event also caused a loss of customer confidence that exceeded the direct financial damage to the company.
Such events lead to compliance failures, but the risk of them can be significantly reduced with the right controls, protection, and employee training.
Preventing ransomware reinfection requires a comprehensive and proactive approach. Below is a roadmap to secure your systems and reduce the risk of reinfection:
| Step | Action |
|---|---|
| Conduct Forensic Analysis | Identify backdoors, malware, and stolen credentials left behind. |
| Patch Vulnerabilities | Regularly update software, hardware, and operating systems. |
| Implement Zero Trust | Restrict access to critical systems and enforce strict authentication. |
| Monitor Systems Continuously | Use SIEM tools to detect unusual activity and respond in real time. |
| Train Employees | Conduct regular phishing simulations and cybersecurity awareness training. |
By following these steps, businesses can significantly reduce the risk of reinfection and build long-term resilience.
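As an added illustration of the "Conduct Forensic Analysis" and "Monitor Systems Continuously" steps (this is example code written for this page, not code from the original post or from Risk Associates), the Python script below runs three reinfection checks over authentication log lines: a login from a source address the incident report attributed to the attacker, a successful login by an account whose credentials forensics found stolen but that was never rotated after containment, and a burst of failures followed by a success from one source. The log format, account names, addresses and timestamps are all constructed for the example; a real deployment would feed the same logic from the SIEM and take the compromised-account and attacker-source lists from the forensic report.

```python
"""Post-incident reinfection check over authentication logs.

Added illustration, not code from the original post or from Risk Associates.
Everything here is constructed: the log format, the account names, the
IP addresses (RFC 5737 documentation ranges) and the timestamps.
"""
from collections import defaultdict
from datetime import datetime, timezone

# --- Constructed forensic findings from the incident response -------------
CONTAINMENT_TIME = datetime(2024, 5, 1, 18, 0, tzinfo=timezone.utc)
# Accounts whose credentials forensics showed were stolen during the attack.
COMPROMISED_ACCOUNTS = {"jsmith", "svc_backup", "admin2"}
# Accounts confirmed rotated (password reset + MFA enrolled) after containment.
ROTATED_ACCOUNTS = {"jsmith"}
# Source addresses attributed to the attacker in the incident report.
ATTACKER_SOURCES = {"203.0.113.5", "198.51.100.77"}
FAILURE_THRESHOLD = 5  # failures from one source before a success is suspicious

# --- Constructed authentication log lines (key=value syslog style) ---------
SAMPLE_LOG = """\
2024-05-02T09:00:00Z auth user=alice src=192.0.2.10 result=success
2024-05-02T09:05:00Z auth user=svc_backup src=192.0.2.44 result=success
2024-05-02T09:06:00Z auth user=jsmith src=192.0.2.11 result=success
2024-05-02T10:00:00Z auth user=bob src=198.51.100.77 result=success
2024-05-02T11:00:00Z auth user=carol src=192.0.2.99 result=failure
2024-05-02T11:00:01Z auth user=carol src=192.0.2.99 result=failure
2024-05-02T11:00:02Z auth user=carol src=192.0.2.99 result=failure
2024-05-02T11:00:03Z auth user=carol src=192.0.2.99 result=failure
2024-05-02T11:00:04Z auth user=carol src=192.0.2.99 result=failure
2024-05-02T11:00:05Z auth user=carol src=192.0.2.99 result=success
2024-04-30T08:00:00Z auth user=admin2 src=192.0.2.12 result=success
"""


def parse_line(line):
    """Parse one constructed log line into a dict; return None if malformed."""
    parts = line.split()
    if len(parts) < 5 or parts[1] != "auth":
        return None
    try:
        ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    if not {"user", "src", "result"}.issubset(fields):
        return None
    return {"ts": ts, **fields}


def find_reinfection_signals(log_text):
    """Return (reason, user, src, ts) tuples worth an analyst's attention.

    Three signals are checked, all restricted to events after containment:
      1. any login from a source attributed to the attacker;
      2. a successful login by a compromised account that was never rotated;
      3. a success from a source that just produced many failures (password
         guessing with stolen credential lists).
    """
    alerts = []
    failures = defaultdict(int)  # consecutive failures per source address
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["ts"] < CONTAINMENT_TIME:
            continue  # pre-containment events belong to the original investigation
        user, src, ok = ev["user"], ev["src"], ev["result"] == "success"
        if src in ATTACKER_SOURCES:
            alerts.append(("attacker_source", user, src, ev["ts"]))
        if ok and user in COMPROMISED_ACCOUNTS and user not in ROTATED_ACCOUNTS:
            alerts.append(("unrotated_compromised_account", user, src, ev["ts"]))
        if not ok:
            failures[src] += 1
        else:
            if failures[src] >= FAILURE_THRESHOLD:
                alerts.append(("failures_then_success", user, src, ev["ts"]))
            failures[src] = 0
    return alerts


def unrotated_accounts():
    """Compromised accounts still missing a post-containment credential rotation."""
    return sorted(COMPROMISED_ACCOUNTS - ROTATED_ACCOUNTS)


if __name__ == "__main__":
    for alert in find_reinfection_signals(SAMPLE_LOG):
        print(*alert)
    print("still to rotate:", unrotated_accounts())
```

Run against the constructed sample, the script flags the unrotated `svc_backup` login, the login from an attacker-attributed address, and the failure burst from one source, while ignoring the `admin2` event that predates containment; the `unrotated_accounts` list is the forensic to-do item that closes the stolen-credential gap before monitoring is relied upon.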
Cyber risk can be contained, and several strategies can be implemented to control it. These include exercising due diligence in response to cyber incidents with a cyber forensic approach, timely patch management, the establishment of Zero Trust, and employee awareness.
Protecting businesses from cyber incidents by eliminating security gaps, compliance gaps, vulnerability gaps, and residual recurring gaps is the business of Risk Associates. Protection against emerging risks through cyber forensics, employee awareness, and closing training gaps is an integrated part of our services, sustaining increased protection.