Commentary by Aaron Walton Threat Intel Analyst about CDK Cyberattack
June 2024, by Aaron Walton, Threat Intel Analyst
Expel Threat Intel Analyst Aaron Walton shares reactive commentary on the CDK Global cyberattack, which set the technological clock back for thousands of car dealers. On June 19th, a group suspected to be based in Eastern Europe hacked into CDK Global, demanding tens of millions in ransom. Although CDK initially restored some services shortly after the attack, it was forced to shut them down again following a second attack. The outage severely disrupted sales, interrupted repairs, and delayed deliveries across an industry that reached $1.2 trillion in U.S. sales last year. Commentary from Aaron Walton, Threat Intel Analyst:
“Something we haven’t seen discussed about the CDK Global ransomware attack is that after the initial incident, the company temporarily restored some systems before threat actors took them down—again.
During an incident, security teams are under heavy pressure to get systems back into service; however, great care needs to be taken during an incident. The series of events in this incident suggests that the ransomware actors were aware that CDK Global restored some systems. Unfortunately, it appears the criminals were still in CDK’s network, allowing them to compromise the systems a second time.
Victims restoring from backup threatens ransomware actors’ chances of receiving their demands. As a result, ransomware actors attempt to encrypt or delete backups to further force the hand of the victim organization to pay the ransom. Often ransomware actors will remain in the environment they’ve compromised and monitor communications from the victim. This gives the actor additional leverage and time to take preemptive action, should a victim attempt to find alternative solutions to paying the ransom.
Defending against ransomware requires preparedness and good cyber hygiene. This work should include readiness plans and table-top exercises, giving you a clear guide on how to communicate during an incident. Most organizations will use an Out-of-Band communication method, such as dedicated email addresses or phone numbers, to ensure they are not being monitored by an adversary. These plans should also include guidelines on when it is safe to restore systems and processes for doing so. Not having such plans can result in further issues like the attacker lurking within the network through a backdoor or returning through their original entry point.”