Key Takeaways
- Offline, tested backups are your best defense.
- Phishing and RDP are the top attack vectors.
- EDR and network segmentation limit spread.
- Have an incident response plan before you need it.
- Paying ransom doesn't guarantee data recovery.
- Modern ransomware also steals data for double extortion.
1. Understanding Ransomware
Ransomware encrypts files and demands payment for decryption keys. Modern ransomware operations are sophisticated criminal enterprises, often operating as Ransomware-as-a-Service (RaaS) with affiliates conducting attacks and sharing profits with developers.
Double extortion is now standard: attackers steal data before encrypting and threaten to publish it. Triple extortion adds DDoS threats or contacting customers. These tactics increase pressure to pay even if backups exist.
1.1 Notable Ransomware Families
| Family | Model | Known For |
|---|---|---|
| LockBit | RaaS | Fast encryption, active affiliate program |
| BlackCat/ALPHV | RaaS | Cross-platform (Windows, Linux, VMware) |
| Cl0p | RaaS | Mass exploitation of vulnerabilities |
| Akira | RaaS | Targeting SMBs, VMware ESXi |
2. Attack Vectors
2.1 Common Entry Points
- Phishing Emails: Malicious attachments or links (still #1)
- Exposed RDP: Brute force or credential stuffing
- VPN Vulnerabilities: Unpatched VPN appliances
- Supply Chain: Compromised software updates
- Exploited Vulnerabilities: Unpatched public-facing systems
2.2 Attack Lifecycle
# Typical ransomware attack timeline:
1. Initial Access - Phishing, RDP, exploit
2. Execution - Malware deployment
3. Persistence - Backdoors, scheduled tasks
4. Privilege Escalation - Admin/domain admin access
5. Discovery - Network mapping, identifying targets
6. Lateral Movement - Spreading to other systems
7. Collection - Exfiltrating sensitive data
8. Impact - Encryption, ransom note deployment
Dwell Time is Key
Attackers often spend days or weeks in networks before deploying ransomware. This is your window to detect and stop them. Focus detection on the early stages (initial access, lateral movement), not just the final encryption.
3. Prevention Strategies
3.1 Technical Controls
- EDR/XDR: Endpoint detection and response on all systems
- Email Security: Filter malicious attachments and links
- MFA: On all remote access and admin accounts
- Patching: Especially internet-facing systems
- Network Segmentation: Limit lateral movement
- Least Privilege: Minimize admin rights
3.2 RDP Security
# RDP hardening:
- Never expose RDP directly to internet
- Use VPN or Zero Trust access
- Enable Network Level Authentication (NLA)
- Limit who can RDP (grant access to a dedicated group, not via the Administrators group)
- Use strong, unique passwords
- Monitor for brute force attempts
4. Backup Best Practices
4.1 3-2-1 Backup Rule
- 3 copies of your data
- 2 different storage types
- 1 copy offsite/offline
4.2 Ransomware-Resistant Backups
# Backup security essentials:
✅ Air-gapped or immutable storage
✅ Separate backup credentials (not domain joined)
✅ Regular restore testing
✅ Backup encryption with separate keys
✅ Include system state and configurations
❌ Don't rely solely on Volume Shadow Copies
❌ Don't use network-accessible backups only
Test Your Restores
Backups that haven't been tested aren't backups—they're hopes. Regularly perform full restore tests to verify you can actually recover. Know how long recovery takes. Many organizations discover backup failures during an actual incident.
5. Detection & Response
5.1 Detection Indicators
- Mass file modifications (high volume, short time)
- File extension changes (.locked, .encrypted)
- Ransom notes appearing (readme.txt, how_to_decrypt)
- Shadow copy deletion commands
- Unusual process execution (wmic, vssadmin, bcdedit)
- Lateral movement indicators
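As an added example (not code from the original page), the Python below turns the indicators above into detection logic run over constructed process-creation and file-rename events: it flags the shadow-copy and boot-recovery commands the page names, and raises a mass-rename alert when one host renames many files to .locked/.encrypted in a short window. The regexes, window, threshold and sample events are my assumptions.

```python
import os
import re
from collections import defaultdict, deque
from datetime import datetime

# Process-command indicators from the page (vssadmin, wmic, bcdedit). The exact
# regexes are my assumption of how these commands typically appear in logs.
INDICATOR_RULES = {
    "shadow_copy_deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "recovery_disabled": re.compile(r"\bbcdedit(\.exe)?\b.*recoveryenabled\s+no", re.I),
}
SUSPICIOUS_EXTS = {".locked", ".encrypted"}  # extensions named on the page

def flag_process_events(events):
    """events: iterable of (timestamp, host, command_line); returns rule hits."""
    hits = []
    for ts, host, cmd in events:
        for rule, pattern in INDICATOR_RULES.items():
            if pattern.search(cmd):
                hits.append((ts, host, rule))
    return hits

def detect_mass_renames(events, window_seconds=60, threshold=50):
    """events: time-sorted (timestamp, host, old_path, new_path) renames. Alerts once
    per host when >= threshold files gain a suspicious extension within window_seconds."""
    recent, alerts = defaultdict(deque), {}
    for ts, host, _old, new in events:
        ext = os.path.splitext(new)[1].lower()
        if ext not in SUSPICIOUS_EXTS:
            continue
        t = datetime.fromisoformat(ts)
        q = recent[host]
        q.append(t)
        while (t - q[0]).total_seconds() > window_seconds:  # sliding window
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = (ts, ext, len(q))
    return alerts

# Constructed sample telemetry, not real logs.
PROCESS_EVENTS = [
    ("2024-05-01T03:12:01", "ws-17", "vssadmin.exe Delete Shadows /All /Quiet"),
    ("2024-05-01T03:12:03", "ws-17", "wmic shadowcopy delete"),
    ("2024-05-01T03:12:05", "ws-17", "bcdedit /set {default} recoveryenabled No"),
    ("2024-05-01T08:00:00", "ws-02", "vssadmin list shadows"),  # benign admin query
]
FILE_EVENTS = [("2024-05-01T03:12:30", "ws-02", "C:/Users/a/q1.docx", "C:/Users/a/q1.docx.bak")]
FILE_EVENTS += [(f"2024-05-01T03:13:{i:02d}", "ws-17", f"C:/Share/doc{i}.xlsx",
                 f"C:/Share/doc{i}.xlsx.locked") for i in range(55)]
```

The benign `vssadmin list shadows` query and the single `.bak` rename produce no alerts, which is the point of pattern- and threshold-based rules rather than flagging every vssadmin execution.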
5.2 Immediate Response
- Isolate affected systems from network
- Preserve evidence (don't power off if possible)
- Identify the ransomware variant
- Check for available decryptors (nomoreransom.org)
- Assess scope of encryption and data theft
- Activate incident response plan
6. Recovery Process
6.1 Recovery Steps
- Eradicate attacker access (all backdoors, compromised accounts)
- Rebuild from clean sources (don't trust in-place cleaning of compromised systems)
- Restore data from verified clean backups
- Validate restore integrity
- Implement additional security controls
- Monitor closely for re-infection
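Both "Regular restore testing" in section 4.2 and "Validate restore integrity" above need a concrete check. As an added example (not the page's or any vendor's code), the Python below records a SHA-256 manifest of a backup set and compares a restored tree against it, reporting missing, modified and unexpected files; the directory layout and file contents in the demo are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large backup files don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map each file's POSIX-style path relative to root to its SHA-256 (taken at backup time)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}

def verify_restore(restored_root, manifest):
    """Compare a restored tree against the backup-time manifest.
    All three lists empty means the restore reproduced the backup exactly."""
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(k for k in manifest if k not in restored),
        "modified": sorted(k for k in manifest if k in restored and restored[k] != manifest[k]),
        "extra": sorted(k for k in restored if k not in manifest),
    }

def demo_restore_test():
    """Constructed scenario: back up three files, then 'restore' with one corrupted,
    one missing and one stray file, the failures a real restore test should surface."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        originals = {"docs/a.txt": b"alpha", "docs/b.txt": b"bravo", "cfg/app.ini": b"[x]\n"}
        for name, data in originals.items():
            p = Path(src, name)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        manifest = build_manifest(src)
        # Simulated restore: a.txt intact, b.txt corrupted, app.ini never restored.
        for name, data in {"docs/a.txt": b"alpha", "docs/b.txt": b"BRAVO"}.items():
            p = Path(dst, name)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        Path(dst, "docs/notes.tmp").write_bytes(b"junk")  # unexpected file
        return verify_restore(dst, manifest)
```

Store the manifest with the offline backup copy (or sign it with a key the backup credentials cannot reach) so an attacker who alters backups cannot also alter the record you verify against.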
6.2 Post-Incident
- Conduct thorough root cause analysis
- Address how attackers got in
- Improve detection for initial access methods
- Update incident response plans
- Consider threat intelligence sharing
7. To Pay or Not to Pay
7.1 Reasons Not to Pay
- No guarantee of working decryption keys
- Funds criminal operations and future attacks
- May be targeted again as "known payer"
- Potential legal issues (OFAC sanctions)
- Data may still be leaked despite payment
7.2 When Organizations Consider Paying
- No viable backups exist
- Business continuity impact is catastrophic
- Lives at risk (healthcare systems)
- Decryption is faster than rebuild
Free Decryptors
Check nomoreransom.org and ID Ransomware before considering payment. Law enforcement and security researchers have cracked many ransomware families. Identify your variant and check for free decryptors first.
Conclusion
Ransomware defense requires layered prevention, robust backups, and prepared response. Focus on stopping initial access (phishing, exposed RDP), limit spread through segmentation, maintain offline backups, and practice your response plan. The organizations that recover fastest are those that prepared before the attack.