Cybercriminals Do Not Necessarily Leave Your Network After a Ransomware Attack

It’s a common misconception that ransomware attackers deploy quickly and then retreat so that they remain anonymous. If you ask most victims of a ransomware attack, this is likely their assumption. On the contrary, ransomware attacks can last anywhere from a single day to multiple years; that is to say, attackers do not flee the scene after their initial attack. In cases where a company was explicitly targeted, attackers have lain dormant for over a year before activating their malicious payload and locking down the company’s data again. Talk about playing the long game!

Ransomware attackers typically gain remote access from an individual malware attack or by exploiting an unpatched vulnerability. After gaining access, they may gather login credentials, further exploit unpatched systems, gain privileged access, and then spread across the network using tools such as PowerShell, Mimikatz, and PsExec.

The psychology behind this is interesting. In the more targeted ransomware attacks, attackers have likely spent a considerable amount of time and resources gaining control of your assets, and they like to remain in control so they can benefit from the fruits of their labors. If an attacker has control of your systems, and they’ve done their research on you, what’s stopping them from uploading copies of data they’ve determined to be highly valuable to offsite servers that they control? Later, after you’ve paid the ransom or restored from backups, they could extort you or sell your information on the dark web.

If a ransomware attack starts with an employee clicking on a malicious link, you’re likely dealing with an automated ransomware attack with minimal human involvement. In this scenario, attackers spent little to no time and minimal resources to gain access to your vulnerable systems. What’s stopping them from also automating the extraction of data that appears to be valuable, for later extortion or sale on the dark web, before they encrypt it?

Businesses tend to assume the best-case scenario and hope that, after paying the ransom or restoring from a backup, the security event is over and they can move on. This is rarely the case, as attackers could still have remote access or copies of your data. However, we keep meeting businesses that have paid a ransom in the past and haven’t given a second thought to any residual effects.

Here’s what PK Tech has to say on the topic:

First and foremost: if you suspect or detect a ransomware attack, your company should immediately shut down your network and all of the computers running on it. This will deny further access for attackers and protect additional data from being encrypted. Read more about what you should do if you have a cryptolocker event here: What To Do If You Get CryptoLocker Ransomware Attacked.

Second: notify your insurance company ASAP. They’re steering the ship on what’s next — that’s why you have a cybersecurity insurance policy.

Third: let your IT company know and connect them to the contact at the insurance company handling the event. Do not let your IT company tamper with evidence; this is beyond them now. They’re mainly helping the insurance company understand your setup and acting as their “smart hands” to move your claim forward.

Fourth: if your insurance company is worth their salt, they’ll perform a full investigation of the attack. You should also expect a comprehensive audit of internal and public-facing devices, including checks for the following red flags: 1) weak passwords and vulnerabilities, 2) malicious tools left behind by ransomware operators, 3) persistent infections.

In summary, a ransomware attack is a long and stressful series of events with no clear end. The more you know, the better prevention sounds.
