Last month, the UK’s National Cyber Security Centre reported that one organization paid nearly $9 million to attackers for a decryption key after falling victim to a ransomware attack. The organization recovered its files, but it did not identify the root cause of the attack.
The same attacker then struck the organization’s network again, using the same mechanism as before to redeploy its ransomware. “The victim felt they had no other option but to pay the ransom again,” said the report’s authors.
Evading detection is a key strategy for attackers of all kinds. Cybercriminals who can survive a company’s incident response and stay in its systems after a successful attack can strike again or resell their access to other attackers. Corporate spies or nation-state attackers, in particular, have the resources and the will to linger in corporate systems even after detection and remediation.
Here are some techniques attackers are using to evade incident response teams—and how to counter them.