Based on warning from the EMR-ISAC and from experience of LIFARS security professionals, the threat actors operating ransomware do not always leave the organization computers and networks after they hold the data hostage until the ransom is paid. Instead, the adversary still lurks in the infrastructure, to reinfect the systems and ask for additional ransom or to steal data that will be leveraged for blackmail. Perhaps it will be sold on the Dark Web as well. This behavior was observed throughout several instances of various ransomware incidents by the Ryuk, Revil and Maze operators.
This means that once ransomware has been removed from the network, a second “race” starts: making sure that the threat actor has been completely rooted out of the network, and that there is no backdoor still communicating back to the Command and Control servers.
|Request FREE Consultation From LIFARS|