Ransomware reinfections on the rise from improper remediation

Attack. Remediate. Repeat?

Speak to any organization infiltrated by ransomware—the most dangerous malware in the world—and they’ll be blunt: They’d do anything to avoid getting hit twice. But ransomware attacks have been ramping up in 2023 and reinfections are occurring all over the globe, forcing lean IT teams to prepare.

Why are businesses getting hit with ransomware more than once? Those that pay the ransom and trust that cybercriminals will leave them alone afterwards (they don’t) represent a small portion. Most reinfections are an indication that the weaknesses that led to the initial breach still haven’t been addressed. In other words, multiple ransomware attacks are the result of improper remediation. And with fewer resources, smaller budgets, and lower levels of security maturity, remediation mistakes are far more common for smaller IT-constrained organizations than most enterprises.

While a single ransomware incident could cause serious financial and reputational problems, multiple attacks could close a company’s doors for good. Read on to learn how to avoid remediation mistakes, prevent multiple cyberattacks, and keep cyber enemy #1 out of your organization’s systems. And let me know if you’d like to connect about how our solutions can help your organization remain resilient against ransomware and reinfections.

Ransomware woes doubled by reinfection after improper remediation

In November 2022, a small trades contractor in Alberta, Canada, received an alert for an elevated account running unauthorized commands and dumping credentials. One day later, their company’s systems and data were encrypted with ransomware.

After cleaning all remnants of the attack from the network, security experts recommended password resets for all privileged, non-privileged, and service accounts, as well as two-factor authentication (2FA) for VPN and email access. The business followed most of the recommendations for password resets but failed to implement 2FA. By December 2022, they were encrypted with ransomware again. There were just 47 days between the initial and secondary attacks.

The Canadian contractor represents a problem that’s scaled into full-blown crisis for organizations around the world: Ransomware attacks are on an unprecedented upswing, with more gangs and affiliates launching more strikes against more businesses than ever before. A new report from the Malwarebytes Threat Intelligence team determined that between July 2022 and June 2023, US organizations were besieged by 1,460 ransomware attacks—43 percent of all reported ransomware events globally—as much as the next 22 countries combined.

To add insult to injury, the 2023 State of Ransomware Report found that the number of monthly ransomware attacks climbed 75 percent between the first and second halves of the year, with a total of 48 separate ransomware groups assailing US businesses. All in all, nearly three-quarters of all US organizations have been impacted by ransomware this year.

Although companies of all sizes are feeling the heat, small businesses—which often have resource-constrained IT teams—have become the choice target of threat actors. A Devolutions report on IT security for SMBs found 60 percent have experienced at least one cyberattack in the past year, while 18 percent have endured six or more. Meanwhile, 66 percent of SMBs testified to one or more ransomware attacks on their business this year—an increase of 44 percent over just three years.

While it’s easy to see how a ransomware attack can destroy a small business, remember that it isn’t just small businesses under threat. Any corporation that is lacking in IT staff, budget, resources, or time to investigate and prioritize cyberthreats could be at risk: A single ransomware attack can cause massive financial, logistical, and reputational damage—sometimes enough to shutter a business for good. Of the organizations that reported ransomware losses in 2022, more than two-thirds (67 percent) said their costs reached between $1 million and $10 million, while 4 percent estimated a staggering $25–$50 million.

But how and why are some organizations suffering multiple attacks? The answer lies in remediation.

How do ransomware reinfections happen?

Many ransomware attacks aren’t the start of an organization’s problem; they’re the result of a long unresolved network compromise. Threat actors gain initial access by stealing login credentials, deploying malware, or establishing a backdoor—a secret gateway into the network that can be exploited later. This is like leaving a hidden door unlocked for future visits.

Once cybercriminals gain entry, they’ll look to further infiltrate the organization by searching for vulnerabilities, escalating privileges, reconfiguring security controls, stealing additional credentials, and exfiltrating other sensitive data. If they still haven’t been discovered, they’ll launch ransomware, encrypting data and systems so employees can no longer access them. The 2023 Verizon DBIR confirms that ransomware is present in more than 62 percent of all incidents committed by organized crime actors, 59 percent of incidents with financial motivation, and 24 percent of data breaches—i.e., the majority of security incidents.

When ransomware actors attack businesses today, they leave behind artifacts and reconfigurations that many security programs can’t or won’t detect as suspicious. Even after mitigating a ransomware attack, hidden doors may remain unnoticed, enabling threat actors to reactivate dormant artifacts or reuse access previously obtained through stolen credentials, backdoors, or reconfigurations. This is the essence of ransomware reinfection: at bottom, it is a remediation problem.

Why are organizations suffering ransomware reinfections?

While the “how” of ransomware reinfection is almost entirely technical, the “why” is quite human.

Businesses with small IT teams that have fewer resources, lower budgets, and fatigued IT staff—or no IT or security staff at all—must often place their faith in an increasing number of complex security products. And while those products can help IT teams clean endpoints and restore systems after cyberattacks, and provide fully automated ransomware recovery processes in minutes, they often require robust, well-rested IT teams behind them.

Only 36 percent of SMBs have added security staff since the beginning of the pandemic and just 8 percent are now working with an external vendor like a managed service provider (MSP). Separately, security fatigue affects 42 percent of businesses overall, and it can impact a wide range of activities from authentication to notification.

These are the human problems of technical solutions. Small IT teams need something different.

Most common remediation fails

Now that you know the how and why of ransomware reinfections, it’s time to learn about the most common remediation mistakes that lead to reinfection. Often, the “mistake” is not a mistake at all, but an oversight or a stealthy artifact that remains undetected. The following sections demonstrate just how difficult remediation can be and why resource-constrained IT teams benefit from partnering with a third-party security firm or MSP for their cybersecurity needs.

Tough to detect or remove malware

After a cyberattack, remnants of malware and related artifacts can be left behind. Some artifacts are detected and quarantined by antivirus software while other components of the same infection remain active. If a Run key is still present in the registry, all it takes for the infection to reassert itself is a reboot. Malware can also remain undetected while beaconing to a command and control (C2) server for weeks before finally receiving instructions.

Case in point: After recovering from a ransomware attack in December 2022, an SMB purchased Malwarebytes Managed Detection and Response (MDR) and EDR. Immediately after installing EDR, detections for additional ransomware were identified. Our MDR analyst also spotted files linked to the previous attack, attempted outbound communications to a known malicious C2 server, and remote inbound RDP connection attempts. Even though the customer had completely rebuilt their systems from backup, the ransomware had never been fully remediated.

Some malware and related artifacts have tricky persistence mechanisms that make them difficult to detect and remove, such as fileless malware, scripts, or droppers like QBot. Just a few days after the MDR analyst helped the new customer identify and remove additional ransomware, a previously unencountered persistence mechanism was discovered, triggering a threat hunt that revealed even more hidden gems: two compromised domain admin accounts, a domain controller, and an SQL server.

Sometimes legitimate software programs, including IT admin tools, can be leveraged against networks by cybercriminals. This happens most frequently when companies fail to patch in a timely manner. Even a threat scan wouldn’t quarantine the program because the software itself is legitimate. Exploits such as Log4Shell (in the Log4j library) take advantage of vulnerabilities in networks and applications to download legitimate remote IT admin tools, which attackers then use to take control of servers, change access permissions, exfiltrate data, and ultimately hold organizations for ransom.

In some cases, cybercriminals can even compromise one legitimate program for access to another, abusing both for nefarious purposes. One customer had Office 365 compromised and worked with Microsoft to resolve the threat. But unbeknownst to them (and knownst to us), criminals had also reset login access to Malwarebytes Nebula using the compromised email.

Once access to the email was terminated in the initial remediation with Microsoft, the bad guys began using Nebula and audience response systems (ARS) to continue the attack, running commands, disabling protections, and changing policies. Reconfigurations like these would never show up in security sweeps unless IT staff routinely audit controls and recognize unfamiliar changes.
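The Run-key and scheduled-task persistence described under this heading, and the control audit the Nebula case calls for, come down to the same discipline: keep a known-good inventory of what starts automatically and review everything that differs after an incident. The following is an added example (not Malwarebytes code) of that baseline-and-diff check in Python. It reads two constructed CSV exports in a simplified Autoruns-style layout (the column set is an assumption, not the tool's exact format) and flags new or changed entries that are unsigned, run from user-writable locations, or hide their command line.

```python
import csv
import io
import re

# Fields whose change between two exports of the same entry merits review.
WATCHED = ("Enabled", "Signer", "Image Path", "Launch String")

# Constructed known-good export taken from a clean image (assumed, simplified
# Autoruns-style column layout, not the tool's exact format).
BASELINE_CSV = r"""Entry Location,Entry,Enabled,Category,Signer,Image Path,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,(Verified) Microsoft Windows,C:\Windows\System32\SecurityHealthSystray.exe,C:\Windows\System32\SecurityHealthSystray.exe
Task Scheduler,\Microsoft\Windows\WindowsUpdate\Scheduled Start,enabled,Tasks,(Verified) Microsoft Windows,C:\Windows\System32\sc.exe,sc start wuauserv
HKLM\SYSTEM\CurrentControlSet\Services,BackupAgent,enabled,Services,(Verified) Example Backup Inc,C:\Program Files\BackupAgent\agent.exe,C:\Program Files\BackupAgent\agent.exe --service
"""

# Constructed export from the same host after an incident was "cleaned up".
CURRENT_CSV = r"""Entry Location,Entry,Enabled,Category,Signer,Image Path,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,(Verified) Microsoft Windows,C:\Windows\System32\SecurityHealthSystray.exe,C:\Windows\System32\SecurityHealthSystray.exe
Task Scheduler,\Microsoft\Windows\WindowsUpdate\Scheduled Start,enabled,Tasks,(Verified) Microsoft Windows,C:\Windows\System32\sc.exe,sc start wuauserv
HKLM\SYSTEM\CurrentControlSet\Services,BackupAgent,enabled,Services,(Not verified),C:\ProgramData\Updates\agent.exe,C:\ProgramData\Updates\agent.exe --service
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDriveUpdate,enabled,Logon,(Not verified),C:\Users\Public\Libraries\update.vbs,wscript.exe C:\Users\Public\Libraries\update.vbs
Task Scheduler,\WindowsUpdateCheck,enabled,Tasks,(Verified) Microsoft Windows,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,powershell.exe -w hidden -enc BASE64PLACEHOLDER
"""

# Review heuristics: locations a normal user can write to, script hosts and
# other signed system binaries commonly used to run something else, and
# launch strings that hide or encode what runs. Tune to your environment.
WRITABLE_PATH = re.compile(r"\\(users\\public|appdata|temp|programdata)\\", re.I)
SCRIPT_HOST = re.compile(r"\b(wscript|cscript|mshta|regsvr32|rundll32)\b", re.I)
HIDDEN_OR_ENCODED = re.compile(r"-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b", re.I)


def parse_export(text):
    """Map (location, entry name) -> row dict for one CSV export."""
    rows = csv.DictReader(io.StringIO(text))
    return {(r["Entry Location"], r["Entry"]): r for r in rows}


def diff_exports(baseline, current):
    """Entries that are new, gone, or altered in a watched field."""
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    changed = sorted(k for k in current if k in baseline
                     and any(current[k][f] != baseline[k][f] for f in WATCHED))
    return {"added": added, "removed": removed, "changed": changed}


def risk_flags(row):
    """Reasons a reviewer should look at this entry before trusting it."""
    flags = []
    if not row["Signer"].startswith("(Verified)"):
        flags.append("unsigned or unverified image")
    if WRITABLE_PATH.search(row["Image Path"]) or WRITABLE_PATH.search(row["Launch String"]):
        flags.append("runs from a user-writable location")
    if SCRIPT_HOST.search(row["Launch String"]):
        flags.append("launched through a script host or LOLBin")
    if HIDDEN_OR_ENCODED.search(row["Launch String"]):
        flags.append("hidden window or encoded command line")
    return flags


def review(baseline_text, current_text):
    """Return [(key, status, flags)] for every entry that differs from baseline."""
    base, cur = parse_export(baseline_text), parse_export(current_text)
    delta = diff_exports(base, cur)
    findings = [(k, "added", risk_flags(cur[k])) for k in delta["added"]]
    findings += [(k, "changed", risk_flags(cur[k])) for k in delta["changed"]]
    findings += [(k, "removed", []) for k in delta["removed"]]
    return findings


if __name__ == "__main__":
    for key, status, flags in review(BASELINE_CSV, CURRENT_CSV):
        print(f"{status:8} {key[0]} :: {key[1]}")
        for flag in flags:
            print(f"         - {flag}")
```

Run it as a script to print the review. The changed BackupAgent entry is the case a scan misses: an entry that was legitimate on the baseline has been repointed at a different, unsigned binary in ProgramData, and the original signed program was never malicious, so nothing was ever quarantined. The scheduled task shows the opposite trap, a verified Microsoft image (powershell.exe) whose command line is the only thing that gives it away.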

Failure to act

Responding to and remediating ransomware is about more than identifying hidden malware and artifacts. It’s also about taking the proper precautions in the wake of an incident. The following is a shortlist of inaction that’s most likely to lead to repeated attacks.

Failing to patch: Among the companies that suffered one or more ransomware attacks in the last year, 36 percent of those attacks were carried out via exploited vulnerabilities. Most of these could have been avoided if organizations practiced diligent patching. In over half of the attacks where an exploited vulnerability was the root cause, either ProxyShell or Log4Shell vulnerabilities were present, despite patches having been available since 2021.

Neglecting to reset credentials: Once systems have been recovered and cleaned, and it’s confirmed the network is secure, SMBs should reset all passwords for privileged, non-privileged, and third-party accounts. Compromised credentials were the root cause of 29 percent of ransomware attacks against businesses this year. Chances are cybercriminals have at least one employee’s password that could be used to infiltrate your company—especially if staff members reuse passwords across business and personal accounts.

Declining to collect and preserve log data: Log data can be crucial to identifying how cybercriminals accessed and compromised your systems in the first place. If critical logs are not retained for a sufficient time, IT teams may not be able to determine key information about the incident, including which assets were affected and whether other threats were present.

Lack of planning: 44 percent of SMBs do not have a comprehensive, updated incident response plan. Without a blueprint for action during arguably the most stressful event an IT team might encounter, blunders are bound to occur. Incident response plans should highlight segregation of duties, key team members, top-level data assets, risk factors, and communications protocols during an attack.

Only fixing symptoms, not root cause: Playing “whack-a-mole” by blocking an IP address, without taking steps to identify the binary and how it got there, leaves threat actors an opportunity to change tactics and retain network access. One SMB customer discovered repeated blocked outbound connections from PowerShell and learned it was a command contacting a website and running a .log file. The customer deleted the .log file thinking that was the solution, but scheduled tasks and more were still left in the system. Because they didn’t address the whole problem, the outbound blocks started again the next day.
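An added example (not Malwarebytes code) of the root-cause step the whack-a-mole case skipped: correlating repeated blocked outbound connections with the persistence entry that keeps relaunching them. The telemetry below is constructed key=value lines; the event names, host names and the 203.0.113.0/24 and 198.51.100.0/24 documentation addresses are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed EDR/firewall telemetry in key=value form (not real product output).
# The powershell.exe blocks recur at 02:00 on consecutive days from the same host
# to the same destination; one of the persistence events on that host explains why.
TELEMETRY = r"""
2023-02-20T11:42:00 host=WS-07 event=task_created task=\WindowsUpdateCheck trigger=daily@02:00 action="powershell.exe -w hidden -File C:\ProgramData\Updates\sync.log"
2023-02-20T11:42:30 host=WS-07 event=runkey_set key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater value="wscript.exe C:\Users\Public\u.vbs"
2023-03-01T02:00:04 host=WS-07 event=outbound_blocked process=powershell.exe parent=svchost.exe dest=203.0.113.10:443
2023-03-01T02:00:09 host=WS-07 event=outbound_blocked process=powershell.exe parent=svchost.exe dest=203.0.113.10:443
2023-03-01T09:15:22 host=WS-03 event=outbound_blocked process=chrome.exe parent=explorer.exe dest=198.51.100.7:80
2023-03-02T02:00:05 host=WS-07 event=outbound_blocked process=powershell.exe parent=svchost.exe dest=203.0.113.10:443
2023-03-03T02:00:03 host=WS-07 event=outbound_blocked process=powershell.exe parent=svchost.exe dest=203.0.113.10:443
"""

# Event kinds that can relaunch a process after the visible artifact is deleted.
PERSISTENCE_EVENTS = {"task_created", "runkey_set", "service_installed"}
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """ISO timestamp followed by key=value pairs; quoted values may contain spaces."""
    ts, _, rest = line.strip().partition(" ")
    event = {"ts": datetime.fromisoformat(ts)}
    for key, quoted, bare in KV.findall(rest):
        event[key] = quoted if quoted else bare
    return event


def recurring_blocks(events, min_days=2):
    """(host, process, dest) tuples that were blocked on at least min_days distinct days."""
    times = defaultdict(list)
    for ev in events:
        if ev.get("event") == "outbound_blocked":
            times[(ev["host"], ev["process"], ev["dest"])].append(ev["ts"])
    return {k: v for k, v in times.items() if len({t.date() for t in v}) >= min_days}


def persistence_candidates(key, times, events):
    """Persistence events on the same host that plausibly spawn the blocked process."""
    host, process, dest = key
    minutes = {t.strftime("%H:%M") for t in times}       # e.g. {"02:00"}
    exe_stem = process.rsplit(".", 1)[0].lower()          # "powershell"
    hits = []
    for ev in events:
        if ev.get("host") != host or ev.get("event") not in PERSISTENCE_EVENTS:
            continue
        command = (ev.get("action") or ev.get("value") or "").lower()
        reasons = []
        if exe_stem in command:
            reasons.append(f"launches {process}")
        if dest.split(":")[0] in command:
            reasons.append(f"references {dest}")
        trigger = ev.get("trigger", "")
        if any(m in trigger for m in minutes):
            reasons.append(f"trigger {trigger} matches block time")
        if reasons:
            hits.append((ev, reasons))
    return hits


def investigate(telemetry, min_days=2):
    """Map each recurring block to the persistence entries that must go with it."""
    events = [parse_event(l) for l in telemetry.strip().splitlines() if l.strip()]
    report = {}
    for key, times in recurring_blocks(events, min_days).items():
        report[key] = [(ev["event"], ev.get("task") or ev.get("key"), reasons)
                       for ev, reasons in persistence_candidates(key, times, events)]
    return report


if __name__ == "__main__":
    for key, candidates in investigate(TELEMETRY).items():
        print("recurring block:", key)
        for kind, name, reasons in candidates:
            print(f"  {kind} {name}: {'; '.join(reasons)}")
        if not candidates:
            print("  no matching persistence found: widen the search (parents, services, WMI)")
```

A block that recurs at the same minute on consecutive days is itself a strong hint that a trigger, not a user, is launching the process. The scheduled task is matched both by the executable it launches and by its 02:00 trigger, while the unrelated Run key on the same host is not counted as the cause and is left for the analyst to review on its own; deleting only the .log file the task reads, as in the case above, leaves the task to run again the next night.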

Acting too fast

After determining that company systems are compromised, IT admins might be tempted to take immediate action. Although well intentioned as a way to limit potential damage, some actions have the adverse effect of either modifying data that could help the investigation or tipping threat actors off that you’re aware of the compromise, prompting them to hide their tracks or launch more damaging attacks. To avoid this outcome, organizations should refrain from:

  • Mitigating affected systems before responders can protect and recover data. This can cause loss of volatile data, such as memory and other host-based artifacts, and let the adversary know you’re onto them.
  • Touching or preemptively blocking cybercriminal infrastructure (pinging, NSlookup, browsing, etc.). Network infrastructure is fairly inexpensive, so enemies can easily change to new command and control infrastructure, causing the target organization to lose sight of their activity.
  • Resetting credentials too soon. Threat actors likely have multiple credentials or, worse, access to your entire Active Directory. If you reset before confirming all systems are clear, criminals will simply use other credentials, create new credentials, or forge tickets.
  • Communicating over the same network as the incident response is being conducted. This is a surefire way to let the bad guys know exactly what you know. Ensure all communications are held out-of-band during response and remediation.
  • Paying the ransom. This could not only fail in restoring critical data, but it invites cybercriminals to attack again. In fact, a 2022 Cybereason report found 81 percent of ransomware victims that paid the ransom were hit a second time. More than two-thirds of businesses said the second attack came less than a month after the first, with an increased ransom demand to boot. If that situation isn’t desperate enough, consider that 40 percent paid the second ransom and 10 percent shelled out for a third.

Ways to avoid ransomware reinfection

While a numbered list could never replace our remediation experts, there are a few tried-and-true, high-level actions that resource-constrained IT teams can take to help protect against ransomware attacks, whether it’s the first or sixth time getting hit.

  1. Turn on real-time monitoring and logging to stay up-to-date on suspicious activity within your networks and devices. The alerts may be overwhelming, but it’s important to at least be aware of them. If a security incident does take place, retain critical log data for at least one year.
  2. Audit access privileges on a regular basis, especially for anyone with administrator permissions. Remove any unknown admins immediately.
  3. Deploy 2FA or MFA for everyone in the organization, especially remote workers using VPNs, to stop attackers from using stolen passwords or brute forcing their way in. In most cases, cybercriminals are stopped by the second authentication request.
  4. Update all software regularly and as soon as patches are released to plug any vulnerabilities. Turn on automatic updates, if possible.
  5. Do not rely solely on automated software to resolve security incidents and attacks. Ensure any access points, security configurations, and IT admin programs are clear before closing the case.
  6. Back up data: Once you’ve confirmed all systems are clean, back up copies of data from endpoints and preserve them offline in another physical location. According to Sophos’ 2023 ransomware report, 45 percent of businesses that used physical backups were able to fully recover from a ransomware attack in a week vs. one to six months.
  7. Take employees on a cybersecurity journey, showing them how important their role is to the safety of the organization. This can be done through training, shadowing, inviting staff to security meetings, and giving them the tools to help themselves, such as access to awareness resources or AV software for personal devices.
  8. If a particular threat is difficult to remove, bring in cybersecurity experts to look at your network traffic and logs and give a concise report on what’s happening.
  9. If possible, engage with a dedicated security organization or MSP to keep expert eyes on the glass 24/7 and stop cyberattacks before they get off the ground. However, if onboarding a security partner during incident response, they should provide subject matter expertise and technical support, ensure that the threat actors are eradicated from the network, and catch residual issues that could result in follow-up compromise once the incident is closed.
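Step 2 (audit access privileges and remove unknown admins) is harder than listing a group's members, because admin rights are often granted through nested groups, which is also where an attacker-added account is easiest to overlook. The following added example (not Malwarebytes code) resolves the effective membership of a privileged group transitively, including a deliberate membership cycle, and compares it with an approved list plus the account's age and last logon; the directory snapshot, account records and dates are all constructed.

```python
from datetime import date

# Constructed directory snapshot (not real AD data): group -> direct members.
# A member that is itself a key of GROUPS is a nested group; anything else is a user.
GROUPS = {
    "Domain Admins": ["alice", "svc_backup", "IT-Helpdesk"],
    "IT-Helpdesk": ["bob", "Contractors"],
    "Contractors": ["mallory_tmp", "IT-Helpdesk"],  # deliberate cycle
}

# Constructed account attributes as an audit would pull them.
ACCOUNTS = {
    "alice":       {"created": date(2019, 3, 4),   "last_logon": date(2023, 11, 2)},
    "svc_backup":  {"created": date(2020, 1, 1),   "last_logon": date(2023, 1, 15)},
    "bob":         {"created": date(2021, 6, 1),   "last_logon": date(2023, 11, 1)},
    "mallory_tmp": {"created": date(2023, 10, 28), "last_logon": date(2023, 11, 2)},
}

# The set the organization has actually approved for Domain Admins.
APPROVED_ADMINS = {"alice", "svc_backup"}
AS_OF = date(2023, 11, 3)


def effective_members(groups, root):
    """Users transitively in `root`, mapped to one group path that grants it.
    Cycle-safe: each nested group is expanded at most once."""
    members, expanded = {}, set()
    stack = [(root, (root,))]
    while stack:
        group, path = stack.pop()
        if group in expanded:
            continue
        expanded.add(group)
        for member in groups.get(group, []):
            if member in groups:
                stack.append((member, path + (member,)))
            elif member not in members:
                members[member] = path
    return members


def audit_privileged_group(groups, accounts, group, approved, as_of,
                           stale_days=90, new_days=30):
    """Flag effective members that are unapproved, unknown, stale, or newly created."""
    findings = []
    for user, path in sorted(effective_members(groups, group).items()):
        acct = accounts.get(user)
        flags = []
        if user not in approved:
            flags.append("unapproved")
        if acct is None:
            flags.append("no account record")     # ghost or unsynced account
            acct = {}
        last = acct.get("last_logon")
        if last is not None and (as_of - last).days > stale_days:
            flags.append("stale")
        created = acct.get("created")
        if created is not None and (as_of - created).days <= new_days:
            flags.append("recently created")
        if flags:
            findings.append({"user": user, "path": path, "flags": flags})
    return findings


if __name__ == "__main__":
    for f in audit_privileged_group(GROUPS, ACCOUNTS, "Domain Admins", APPROVED_ADMINS, AS_OF):
        print(f"{f['user']:12} via {' > '.join(f['path'])}: {', '.join(f['flags'])}")
```

In a real environment the snapshot would come from your directory tooling (a recursive group-member query), and the check worth keeping is the decision rule: anyone with effective admin rights who is not on the approved list, or whose account is stale or only days old, gets a human review before the incident is closed. Here bob reaches Domain Admins only through IT-Helpdesk, mallory_tmp through two levels of nesting on an account created six days earlier, and the approved svc_backup is flagged for having no logon in ten months.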

Malwarebytes EDR and MDR remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.