According to a report by the National Cyber Security Centre (January 2021) in the UK, a company paid a ransom to a hacker group twice within two weeks. The company was the victim of a ransomware attack. In order to decrypt the data again, the organisation paid a sum equivalent to 7.4 million Euros.

Without investigating the cause of the hacker attack, finding and closing the vulnerability, business operations continued after the first ransom payment. After a short time, the same perpetrators attacked the company's network again and once more used an encryption malware. The company had no choice but to pay a ransom for the second time.

Lessons from the incident

For victim organisations, it is understandably a top priority to be able to use the data again and continue doing business. However, one should not only focus on the visible symptoms (encryption of data by the cyber extortionists), but also on the cause. How did the attack occur and is the attacker no longer able to gain access? It is also possible in principle that perpetrators carry out a ransomware attack to distract from another attack.

Recommendations

• Be absolutely suspicious towards the perpetrators, even if they seem to be very cooperative. We experience again and again that the actions of those affected are influenced by the hope of fairness by the perpetrator and driven by the desire to quickly return to "normal".
• Negotiations with extortionists also serve to gain time for the investigation of the incident by the IT forensic experts - and that takes time.
• Furthermore, it is important to demonstrate in negotiations with the cyber criminals that the company is an unattractive target for future extortion attempts. This often leads to a reduction in the ransom demand.
• Ensure through extensive forensic investigations that the perpetrator does not have access to the network through a backdoor. This also applies to backups used. Make sure that the attacker does not have administrator rights in the restored system.

SmartRiskSolutions is active, among other areas, in the crisis response of kidnapping and extortion cases - including cyber extortions. But also in crisis prevention and the establishing of crisis management structures. More information on cyber crisis management can be found here.