
Security Insights


Ransomware Attacks Can Be Stopped by Keeping 'Basic'


Kim In-soon


Nov 13, 2025



Recently, a string of domestic companies has been targeted by ransomware. 

In June of this year, the online bookstore YES24 was hit by a ransomware infection, leading to a week-long service interruption. Although it barely recovered, two months later YES24 faced another service shutdown. The YES24 incident not only caused immediate customer inconvenience but also damaged the company's credibility. Besides YES24, a growing number of companies, though not publicly disclosed, have had internal systems or production lines halted by ransomware attacks.

Many companies have been hit by ransomware attacks multiple times, not just once. This points to a lack of structural security management rather than mere misfortune.


YES24 was attacked again just two months after the ransomware infection in June. Notification from YES24 posted on X



The truth proven by data: "Do not pay the ransom"

The cybersecurity industry has long warned, 'Do not pay the ransom.' Now, this is not just a mere assertion but a fact proven with clear data. 

The cybersecurity firm Cybereason's report "Ransomware: The True Cost to Business 2024" presents shocking statistics.

The report revealed that only 47% of organizations that paid the ransom to regain their encrypted systems successfully restored their data and systems intact. More than half of the companies failed to make a proper recovery despite paying the ransom. 

Additionally, reattacks were almost inevitable. 

Cybereason stated that 56% of the organizations they investigated over the past 24 months suffered ransomware attacks more than twice. About 80% of the organizations that paid the ransom were attacked a second time. 

As seen with companies like YES24, the time to reattack is very short. Among the victimized companies, 82% were attacked again within a year. Of these, 63% received another ransom demand. It has become a structure where ransomware attackers continue to extort businesses. 

The message from this data is clear. 

'Paying the ransom is not beneficial.' 

The expectation that paying the ransom will resolve the issue is merely an illusion. Instead, once the ransom is paid, it becomes known among hackers as a 'place that pays,' making a reattack inevitable.

Attacks start from known vulnerabilities; basic security is the answer

When analyzing recent major ransomware incidents both domestically and internationally, there are common features. Most of the attacks were initiated through known vulnerabilities. Attackers precisely targeted areas where 'basics' were not adhered to, such as VPN devices without proper security updates, exposed remote access services, and weak authentication frameworks. 

Companies are operating VPNs that are exposed to known vulnerabilities without patch updates. Since VPNs are gateways connecting the internal network from the outside, applying the latest security patches and continuous monitoring is essential. 

There are many cases where some administrator accounts within companies have unnecessary permissions. The administrator privileges of certain servers become a pathway to access other systems. The principle of least privilege needs to be reassessed.   

Companies are failing to operate backup servers in isolated environments. In Active Directory (AD) environments, backup servers are often connected to the network in real time, allowing attackers to access them. This makes it possible for attackers to reach the backups and prevent restoration. Backups should be managed in an environment that is isolated both physically and logically, but these foundational principles are not being followed.

The operation of security monitoring services is insufficient. There are many instances where external log collection and monitoring systems in companies do not function properly. Even when attackers engage in multiple suspicious activities after initial penetration, they go undetected. This allows attackers to continue lateral movement within the company.
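
The two monitoring gaps described above, log sources that silently stop reporting and an account that reaches many hosts in a short time without being noticed, can be expressed as simple checks over collected logon events. This is an added example, not part of the original article; the host names, account names, source inventory and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not from a real incident): time, reporting log source, account, destination host
EVENTS = [
    ("2025-11-13T02:10:00", "dc01", "svc_backup", "fs01"),
    ("2025-11-13T02:11:30", "dc01", "svc_backup", "db01"),
    ("2025-11-13T02:12:10", "dc01", "svc_backup", "app01"),
    ("2025-11-13T02:14:45", "dc01", "svc_backup", "hr01"),
    ("2025-11-13T08:00:00", "vpn01", "alice", "vpn01"),
    ("2025-11-13T09:00:05", "dc01", "alice", "fs01"),
    ("2025-11-13T09:50:00", "dc01", "alice", "mail01"),
]
EXPECTED_SOURCES = {"dc01", "vpn01", "edr01"}   # assumed inventory of sources that must report
NOW = datetime(2025, 11, 13, 10, 0, 0)          # fixed "current time" so the result is reproducible

def parse(events):
    return [(datetime.fromisoformat(t), src, acct, dst) for t, src, acct, dst in events]

def silent_sources(events, expected, now, max_gap=timedelta(minutes=30)):
    """Expected log sources that sent nothing within max_gap of `now` (collection is broken)."""
    last = {}
    for ts, src, _, _ in events:
        last[src] = max(ts, last.get(src, ts))
    return sorted(s for s in expected if s not in last or now - last[s] > max_gap)

def fan_out(events, window=timedelta(minutes=10), threshold=4):
    """Accounts that logged on to >= threshold distinct hosts inside one sliding window."""
    by_acct = defaultdict(list)
    for ts, _, acct, dst in sorted(events):
        by_acct[acct].append((ts, dst))
    flagged = {}
    for acct, logons in by_acct.items():
        for i, (start, _) in enumerate(logons):
            hosts = {dst for ts, dst in logons[i:] if ts - start <= window}
            if len(hosts) >= threshold:
                flagged[acct] = sorted(hosts)
                break
    return flagged

if __name__ == "__main__":
    parsed = parse(EVENTS)
    print("silent log sources:", silent_sources(parsed, EXPECTED_SOURCES, NOW))
    print("logon fan-out:", fan_out(parsed))
```

A source that never appears in the data (here `edr01`) is reported as silent just like one that stopped sending, which is the case that is easiest to miss when only received logs are reviewed.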

Once you're targeted, it keeps happening; prevention is key

There is an important fact about ransomware attacks that many organizations overlook. Once an organization is attacked, it becomes a 'regular target' for attackers.

Attackers carefully document the successful infiltration routes, weaknesses in the organization's security systems, and response levels. This information is traded on the dark web within hacker communities and shared with other attack groups. If the organization paid the ransom, it is classified as one that is 'willing to pay,' making it a more attractive target.

The more serious issue is that Korean companies are perceived as 'easy targets' and 'reliable sources of repeat revenue.' If, after paying the ransom, they only perform a straightforward recovery without fundamental security improvements, attackers can infiltrate again via the same route and encrypt the files once more.


Pay ransom → Recover → Insufficient security improvements → Re-attack → Pay ransom again

As this cycle repeats, the 'repeat visit value' of Korean companies increases among hackers. Once you pay to decrypt the files, being attacked again becomes an inevitable sequence.

Essentials of Security: Continuous Management is the Best Defense

Ransomware is no longer an 'exceptional incident'. It is a 'routine threat' that all organizations face. Ransomware does not discriminate by company size or industry anymore. Anyone can be exposed, and once the basics falter, the attack becomes a reality.

Most attacks stem not from sophisticated technology or advanced hacking, but from the absence of the 'basics', such as equipment with known vulnerabilities that aren't patched, neglected accounts and permissions, and unsegregated backups. 

This is why the truly important aspect is a company's systematic security policies and investments. The answer lies in consistent budgeting for basic security measures like patch management and access control, securing skilled security personnel and establishing an internal security culture, and utilizing appropriate solutions that can identify and manage threats early.

It’s essential to build a system that thoroughly analyzes root causes and prevents recurrence, rather than temporarily resolving issues with post-incident recovery. 

Security does not end with a 'one-time inspection'. In an ever-changing attack environment, sustainable defense is created when companies continually inspect their systems and harmonize people, technology, and processes.

This is the time to create a reputation of 'Korean companies are thorough in security', rather than the rumor among hackers that 'Korean companies will fall victim again'. Above all, it is crucial to remember that investing in security, rather than paying ransom, is the true solution.

Kim In-soon


Start-up College Adjunct Professor at Gachon University

Former desk member of the Electronic Newspaper ICT Convergence Department, active as a cyber security journalist and communication expert for 20 years.



Copyright © 2025. ENKI WhiteHat Co., Ltd. All rights reserved.
