Cyber Security Center - How NOT to respond to ransomware attacks

March 5, 2020by Karol Suchocki

A finance and accounting department of a certain company also supports several external companies. Two independent financial and accounting systems are used: one for the main entity, the other for external bodies. The servers on which the systems are configurated are located in the local server room. The IT service is carried out by an external Administrators running a sole proprietorship and providing services to may entities.

What happened?

The hackers gained access to one of the servers, encrypted all the data and backups, and demanded a ransom. The Administrator decided to pay the ransom. The hackers sent the instructions and the decryption key. The Administrator recreated the encrypted files, then changed the passwords to the administrative accounts and the accounting system, and blocked remote desktop access to the server from the outside.

And that’s it. Virtually no loss, the problem solved, isn’t it?

Not exactly

Surprise no.  1

Very often, when the dust settles, similar attacks happen: the re-encryption of parts of the systems.

How is it possible? One of the reasons is that many criminals leave so called „bridgeheads” on the network that they have already accessed once and are then able to re-infect it. On the other hand, there may be other security vulnerabilities in the network that the administrators have not secured.

Surprise no 2

Criminals proceed to the next stage of blackmail: this time by threatening to reveal previously obtained confidential information.

This is more and more common scenario: criminals, before data encryption, analyze it in client’s systems and then download it. This allows them to increase their return-on-investment – because hackers are not hooded kids, but often efficient companies.

When companies that have received one or another additional surprise come to us, the situation is usually very difficult, and often even extremely difficult, also due to mistakes made in the response to the „original” incident.

Mistake no 1

Even though backups were encrypted as result of the attack, the company’s methods of creating and storing backups have not been improved. Very often, manual „offline” backup mechanism are used for a short time, but after a few weeks or months the process „stops working”…a renewed ransomware attack requires paying a ransom or data loss again.

Mistake no 2

Lack of reliable analysis/ network audit for the occurrence of security gaps. Firstly, as we mentioned, criminals like to leave „rotten eggs” in various places on the web that could be found before they burst, and secondly the infrastructure may have other security holes waiting for uninvited visitors. Here are some examples of an incorrect audit:

  • in one of the cases we analyzed, an IT employee scanned all computers with anti-virus software that DIDN’T DETECT malware on encrypted servers and concluded that the network was virus-free. Needless to say, it was otherwise;
  • in another case, the administrators forgot about the network drive, and it was there that a file „crafted” by criminals was waiting for use, pretending to be a regular document;
  • the worst, and surprisingly not rare, case, however, is the one where the administrators checked NOTHING.

And criminals treat it as an invitation for further actions.

Mistake no 3

No actions securing the traces of an attack, and often even removing these traces: e.g. cleaning systems logs. This is the least obvious mistake, the mistake about which the companies find out when they should discover what happened and who is responsible for it…or simply „who will pay for it”? How will we check and then prove that the attack was caused by errors of the IT provider and not the employee’s carelessness? How can we prove in court that the disclosure of protected confidential data has not been an intended action aimed at our contractors, but the result of a hacker attack?

Unfortunately, the removal of system log entries after an attack is a frequent situation- such actions make it practically impossible to trace the methods of criminals’ activities.

Mistake no 4 … or maybe not?

Is paying a ransom a mistake or not?

By paying the ransom, we give criminals two signals: we are under the gun and we have such financial capacities. Thus, we risk that, like any blackmailer, „our” criminal will not stop at one blackmail attempt.

Each situation should be analyzed independently, but if we are able to restore the data (even if it takes a long time), and the situation does not threaten health and life- do you want your company to support criminals?

Let’s go back to our example. This time, one of the external companies, whose accounting services were provided by the attacked entity, found out about the incident by accident. The company decided that it was not sure whether the actions taken were sufficient enough and commissioned specialized analyses of the data security carried out by our team. As it turned out, rightly so.

We performed a network and security audit, detected ( and removed) malware in several locations, designed and implemented backup security solutions, and recommended the implementation of significant security improvements. Unfortunately, we couldn’t do one thing: prevent the data from being stolen. Our client had to take the necessary steps in the event of confidential and personal data loss.

What can you do to be wise before the event?

  • Make sure that your data providers are contractually responsible for the security of your data and systems. Check if they have professional liability insurance policies covering „cyber” events- so you can be sure that in the event of their mistakes resulting in hacking attacks you will be entitled to receive compensation.
  • Check if your IT infrastructures is resistant to attack. Have an external audit and security tests. This has nothing to do with trust or questioning the competences of your IT employees: security specialists track hackers’ activities, they have seen attacks from outside and inside the organization many times, and will indicate the places that could surprisingly become a source of a problem.

First of all, make sure your backups are resistant to ransomware attacks , and check if they are really enough to restore systems and how long it will take.

  • Consider whether you should not take care of decent „cyber” insurance for your Company, which will protect you from the painful, financial costs of security incidents and provide you with the support of high-class specialists in case of of incidents and claims resulting from confidential or personal data leakage.


Feel free to contact our team: we will help you take care of your safety: we will check your infrastructure and help you prepare „for the worst”.

Karol Suchocki

Breach Response Manager and Team Leader. At CSC, responsible for preparing clients for cyber incidents and for helping companies that have been affected by such incidents.

Would you like to find out more about our services? How do we work? Please contact us.

Would you like to find out more about our services? How do we work? Please contact us.


If you want to be kept informed about cybersecurity and new CSC services, be kind to leave us your email address.


    Copyright 2020 Cyber Security Center Sp. z o.o.