There’s a sting in the tail for organizations that fall victim to a ransomware attack. Evidence suggests that lightning could very well strike twice – or even three times.
Recent research into ransomware incidents worldwide showed that while nearly 73% of the organizations surveyed were hit with at least one successful ransomware attack in 2022, this often wasn’t the end of the story. Almost 38% of the organizations also fell victim to a repeat attack.
A single successful ransomware breach can be enough to cripple an organization. A repeat attack can exacerbate the original impact, adding further disruption, costs and damage to brand reputation, customer relationships and more.
What factors make some organizations particularly vulnerable to multiple attacks, and what can they do to address them?
The Accessibility of Ransomware
The ransomware threat has become pervasive partly because the entry bar for cyber-criminals has been considerably lowered. It’s now a commodity, and the ‘as-a-service’ business model makes ransomware accessible to attackers regardless of their resources or skill level.
There’s an entire ecosystem of cyber-criminals whose sole purpose is facilitating ransomware attacks for other groups. This includes operators who create, maintain and lease the code and tools to power ransomware activities, initial access brokers (IABs) who establish and sell access to high-value victims, and underground marketplaces where attackers can buy stolen credentials and more.
These and other factors are making it easier for cyber-criminals to launch attacks – so it follows that the threat of being targeted more than once also increases. However, that doesn’t have to mean those attacks should necessarily succeed.
The Risk Factors of Repeat Attacks
The first and most obvious risk factor is failing to identify and address the security weaknesses that enabled the initial attack. The reasons for such an oversight could include insufficient security controls or visibility of the entire estate, lack of a strong incident response plan or limited investigation capabilities.
For example, compromised credentials, unidentified network vulnerabilities and using legitimate IT tools for malicious purposes make identifying and removing backdoors or persistence tools difficult, leaving access points open and stolen credentials vulnerable to re-use.
Emails are the most common starting point for a ransomware attack, and around 69% of the victims in our research were compromised initially through a malicious email. Increasingly sophisticated social engineering approaches can be hard for recipients and more traditional email security tools to detect on their own.
Paying the ransom is another risk factor that can lead to repeated attacks. Once it is known that an organization is willing to pay to recover its data, other attackers may choose to target the same victim. Our research found that 42% of those affected three times or more paid the ransom, compared to 34% of those hit twice and 31% hit just once. In some cases, the repeat attacker is the same group returning for a second helping.
Closing the Security Gaps
The best defense against ransomware attacks is to have a multi-layered approach to protection that combines advanced security technologies with user education and awareness.
As most attacks start with malicious emails, it’s important to implement email protection technology that uses AI to identify social engineering attacks. This will help organizations stay one step ahead of cyber-criminals, who are constantly evolving their tactics. Creating a culture of awareness among employees is also part of a layered defense through tools such as phishing simulations and by investing in training so that staff can recognize and report suspicious emails.
Securing access to every user account, application and network is also essential in preventing ransomware attacks. Multifactor authentication should be implemented as standard, but an approach involving zero trust access is even better. Zero trust measures continuously verify users and devices, only allowing the right users to access the right resources.
In addition, organizations should consider implementing security for API-based applications as well as next-generation web application firewalls to protect their systems further. These security measures will help block advanced threats, including zero-day attacks, and prevent lateral movement within the network.
Finally, having a reliable data protection and backup system in place means you’re not forced to pay the ransom and can recover quickly and effectively if you’re hit. This should include regular tests of backup recovery processes to ensure they are fully operational and up to date.
Part of the recovery process from any kind of attack should be trying to establish and mitigate what made the organization a target in the first place. In this way, companies can defend themselves against the damaging and disruptive impact of ransomware, no matter how many times it comes knocking on the door.