The main causes of ransomware reinfection

A few months ago, we wrote about a ransomware reinfection incident. Ransomware reinfection arguably could be even worse than being a first time victim. Unfortunately it happens more often than you may think.

Research shows that in 2022, more than a third (38%) of surveyed organizations fell victim to a repeat ransomware attack. This means that they were hit twice or more, either by the same or by different ransomware attackers.

Even paying the first time is not much help. A 2022 study found that 80% of companies that paid a ransom were hit again at a later time. Among those, 40% paid up a second time, with 70% of those companies paying a higher amount than they did after the first attack.

The most common reasons for reinfection are:

  • backdoors left behind by the criminals
  • credentials stolen in the course of the first attack
  • unpatched vulnerabilities
  • restoration of infected backups

In some ransomware attacks criminals have access to the target network for weeks or months, giving them ample opportunity to open a backdoor or otherwise retain the necessary controls and permissions to return and trigger another attack. Another likely option to consider is that exploitation of a vulnerable network device may provided criminals with login credentials they can use to come right back even if the vulnerability has been patched.

Every chain has a weakest link, but when one breaks it’s important to replace it with a stronger one. Vulnerable devices, services, and software either need to get patched or, when possible, should be stopped from being internet facing. If those are not viable options, it’s time to consider what’s cheaper. Replacing it by something more secure, or go through another ransomware attack. Other options are very strict access policies to limit the attackers’ options, network segmentation to limit the possible damage, and constant active monitoring to get an alert at the first sign of trouble. These options should not be treated as a “pick one” but should be fully deployed where possible.

Knowing the weakest link and figuring out what information the criminals may have obtained is why it’s important to conduct a full forensic examination after an incident. It is necessary to address the vulnerability that the criminals used to get in, any backdoors they may have left behind, and change credentials that may have been stolen.

Having recent actionable backups is important to limit the disruption caused by the incident. But recent backups do come with the risk of containing parts of the infection or backdoors, which is another reason why a forensic investigation is important. Once you have pinpointed the time of the initial breach, you can rule out restoring any files that were left behind by the attackers.

Not only does a thorough forensic investigation help you find the cause that might be remediated, it’s important to be able to follow the tracks the attacker left in your network, so you can reconstruct what access they may have gained and what they may have copied, left behind, changed, or deleted.

To be able to perform an effective forensic investigation you need reliable logs, and preferably ones that are easy to interpret. Something to keep in mind when you’re shopping for an EDR or SIEM solution.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.