Skip to content
blackhawk logo
aristaflip
dataLoss

Detect and Contain Ransomware Before It Wreaks Havoc

The ransomware threat is growing. One group, Avaddon, is known for their success in cybercrime—the average cost to restore data after their attacks is $300,000. Like other cybercriminals, the groups most commonly target manufacturing, healthcare, education and government.

Pressure Tactics

Most cybercriminals use pressure tactics to force their victims to make quick decisions and pay the ransom. These tactics include threats to release sensitive data to competitors, threats to contact customers and denial-of-service attacks. 

We’ll walk you through the stages of a typical ransomware attack and give you tips to counteract them.

The Process

1. Initial Recon

recon

In this phase, the attacker will build a spear-phishing campaign that targets several users within the organization, to gain more information or account credentials. 

The best defense for recon is a well-trained employee base. Web filtering and email filters combined with a knowledgable employee can spot attempts and stop them.

2. Initial Compromise

emailphish

This stage could take place when an employee opens a file in a phishing email. Hackers can also target a vulnerable piece of infrastructure, like a compromised VPN.

At this stage, if the attacker is detected, you can attempt to isolate the host with EDR, kill the process via ATP or disable the infected account. 

3. Establishing a Foothold

broken-files

At this stage, the cybercriminals will work to connect to the organization’s servers and send encryptions keys to lock the victim’s files. 

Blocking outbound traffic or isolating the host with EDR will prevent cybercriminals from getting to the next stage.

4. Escalating Privileges

stealingData

The ransomware then begins to escalate privileges to access admin credentials. 

If you can identify the account, you can reset the user password to prevent the cybercriminals from gaining more access. Additionally, you can use EDR to hunt your registry for IOCs or to isolate the host.

5. Move Laterally

servervirus

If the cybercriminals get admin credentials, they will begin copying their executables to administrative shares. 

Configure your system to automatically block lateral movement or notify IT of attempts to move laterally.

6. Maintain Presence

hidden-virus

Once the ransomware is in place, it must remain there without being detected to complete its final task.

Daily monitoring and reporting are crucial to security. If a ransomware threat gets this far without detection, it is highly likely to complete its final mission. 

7. Complete Mission

thened

The final task of ransomware is to encrypt local files on each machine and delete and file backups. Then, it displays a screen to users demanding a ransom in exchange for the stolen files. At this stage, the best chances an organization has is to isolate the host, block its traffic, kill the process and disable infected user accounts.

Best Ransome Defense

Gartner’s SOC visibility triad is a three-pronged approach based on SIEM, network detection and response (NDR), and endpoint detection and response (EDR).

Questions to ask:

  • Most organizations have some level of EDR set up, but does your organization cover all devices?
  • Likewise, most organizations already use logging, but are you logging at the right level?
  • Most organizations leave 40% of their devices unmanaged. Are you monitoring everything?

BlackHawk Data Can Help You Stay Safe

If you’re worried about your ransomware defense capabilities, don’t hesitate to contact a certified security expert from BlackHawk Data. We can help you assess your vulnerabilities and we’ll provide consulting to help you determine what is the right solution for your needs. Don’t let your security wait—book a meeting today.