If Ransomware Post-Actions Are Inadequate, Re-Attacks... Need for Preventive Training and Data Backup [Rising Fear of Ransomware (Part 2)]

[Financial News] As ransomware attacks spread indiscriminately across companies and institutions, domestic security awareness is rising. Experts emphasize the need to move away from relying solely on security solutions and to establish a comprehensive response system that includes preventive education and regular data recovery.
■ 1 in 4 Companies Lack Backup Systems
According to the Korea Internet & Security Agency (KISA) on the 31st, the number of ransomware reports from companies in the second quarter increased by about 10% compared to the first quarter. Recently, major online bookstore Yes24 suffered consecutive attacks, and even SGI Seoul Guarantee experienced ransomware, raising concerns about chain damage in areas closely related to public life.
In particular, the Yes24 case is evaluated as clearly demonstrating the importance of post-action measures. In the case of Yes24, after being attacked by ransomware in June, they recovered the data but were exposed to another attack in less than two months.
The security industry pointed to the possibility of using an outdated operating system or the presence of malware in backup data as causes. As significant cyber attacks continue domestically, the need for strengthening response systems and establishing backup systems is also raised. The Ministry of Science and ICT and KISA pointed out in their first-half cyber threat trend report that 1 in 4 companies that reported ransomware attacks did not have a backup system capable of quick recovery in case of hacking.
■ "Backup Should Be Stored in a Separate Repository"... "Security as an Investment, Not a Cost"
KISA proposed four security guidelines to prevent ransomware damage: △Restrict remote ports and external access △Strengthen account management by frequently changing default administrator passwords △Set complex passwords when using in-house shared network storage (NAS) and avoid internet connections △Backup important data in a separate repository and conduct regular recovery training. KISA particularly pointed out that most victim companies stored backup data on the same network, increasing the severity of the damage. There are not few cases where both the work network and the backup network were infected, making recovery impossible.
Kim Hyung-jong, a professor at Seoul Women's University in the Department of Intelligent Information Protection, stated, “Backup data can also be included in the range of ransomware infection, so it must be stored in a separate repository and periodically checked.” He added, “If post-actions are inadequate, the same vulnerabilities can lead to repeated attacks, so a response system must be established, and security education and simulation training for employees should be conducted to frequently check security habits.”
Lee Myung-soo, team leader of AhnLab Security Intelligence Center (ASEC) A-FIRST, said, “Recently, it is common to hack personal computers using email attachments as bait, infiltrate the company’s internal network, encrypt all data, and demand a ransom.” He emphasized, “Suspicious emails should be reported to the in-house security team as a habit.”
There is also a growing opinion that security investments by companies and institutions should accompany efforts to prevent such ransomware damage. Kim Myung-soo, director of the Artificial Intelligence Safety Research Institute, emphasized, “Fundamental prevention is possible only by eliminating system vulnerabilities in a timely manner, and after being infected with ransomware, backups should be conducted after resolving vulnerabilities, storing backup data in a separate network.” He further stated, “Now, a change in perspective is essential to view security as an investment rather than a cost.”
psh@fnnews.com Park Sung-hyun Reporter