Ransomware: Effective Offensive Security Strategies to Prevent Attacks

Ransomware, a particularly vicious type of malware attack, in which firms are blackmailed and extorted out of huge sums of money, is a pervasive security challenge for organizations worldwide. And yet, some data suggests that the threat of such attacks is actually waning.

But is this really true?

Consider these numbers.

In Q4 2023, the proportion of ransomware victims that chose to pay ransoms dropped to a record low of 29%. Additionally, the average ransom payment decreased to $568,705 – a 33% drop from Q3 2023.[1]

One reason for these drops is that companies are increasingly unwilling to believe that attackers will keep their promise to release the encrypted data once the ransom is paid. Ransomware gangs are notoriously untrustworthy and are known to simply delete the company’s stolen data after receiving the ransom. A lack of trust translates to an unwillingness to blindly pay.

However, the fact that fewer ransomware victims are paying, and paying smaller amounts, doesn’t mean that the threat itself is waning. These numbers show why. In 2023, the number of companies that experienced ransomware attacks surged by over 27%.[2] Moreover, the number of attacks reported in the first four months of 2024 was higher than the number reported in the same period in 2023.[3]

There are many reasons why the risk of attack remains high for companies. Some attackers are adopting more sophisticated tactics, including some never seen before. This includes social engineering tactics that continue to reach unsuspecting victims who unknowingly give up confidential usernames and passwords, or click on seemingly harmless links, allowing attackers to infiltrate systems and steal data in order to compel organizations to pay up. In addition, cyber criminals continue to seek out large corporations in banking, healthcare, and critical infrastructure with the goal of securing the biggest possible payouts. Still others adopt the “we’ll take what we can get” approach by targeting the weakest victims – smaller companies with inadequate cybersecurity controls and limited security staff and resources.

In the end, the results are that no organization is safe, and all remain vulnerable to ransomware attacks. If an enterprise has business-critical systems whose potential loss can severely impact its operations, damage its reputation, cause data losses, or result in legal or regulatory problems, it is a target.

Knowing these facts, organizations need to be cognizant of the risks and possible consequences in order to protect their assets and maintain business continuity.

This starts by understanding:

  • What is ransomware?
  • How does ransomware work?
  • What are the most effective strategies to prevent or mitigate ransomware attacks?

What is Ransomware and How Does it Work?

Ransomware is a type of malware with a specific purpose: to extort a ransom from a victim by encrypting the files and data on their computer system. When ransomware gets installed on a victim’s system, it locks the victim out so they can no longer access their files and/or data. The cybercriminal(s) then attempt to extort money – often in hard-to-trace cryptocurrencies – by displaying an on-screen alert notifying the victim of the attack, with a demand for ransom in return for a decryption key to unlock the files.

Attacked organizations can try to decrypt the encrypted files using one of the many available decryptor tools (where one exists for that ransomware strain) instead of immediately paying the ransom. In fact, paying is far from the best response to a ransomware attack. Even government agencies like the FBI discourage the practice.[4]

This is because not all paying victims get their files back. In fact, one recent study found that less than half of organizations infected in 2023 (47%) got their data back uncorrupted after making a payment. Furthermore, a staggering 78% of those who paid the ransom experienced a second ransomware attack, often by the same threat actor, and almost 63% were forced to pay more the second time.[5]

Ransomware Attack Vectors

There are many ways a computer can become infected with ransomware. The most common attack vector is phishing, a type of cyberattack in which a threat actor distributes ransomware to the target organization via email. The ransomware may be hidden inside an attachment, which is installed on the victim’s computer once they open it. Or, the email may include a malicious link which, when clicked, downloads the ransomware to the victim’s computer.

Threat actors can also infect computers with ransomware via:

  • Social engineering scams: They pose as tech support or authority figures to trick users into running ransomware on their computer.
  • Vishing (Voice Phishing): Cyber criminals use phone calls to impersonate legitimate individuals or organizations to manipulate innocent targets into providing sensitive information or taking certain actions.
  • Pretexting: Creating a fabricated scenario or pretext to elicit sensitive information from individuals, often over the phone.
  • Baiting: Leaving infected USB drives or other physical media in areas where employees are likely to find and use them, thereby infecting their computers. This is usually an insider attack.
  • Malvertisements: Malicious code is injected into fake online advertisements, which when clicked, redirects victims to a malicious website or directly downloads the ransomware to their system.
  • Drive-by-downloads: A malicious script, hidden in a compromised website, downloads and executes ransomware on the user’s system without their knowledge or consent.
  • Exploit Kits: Attackers use exploit kits to automatically find and exploit vulnerabilities in outdated or unpatched systems.
  • Remote Desktop Protocol (RDP): Clever adversaries exploit weak or default RDP credentials to infect systems with ransomware.

Consequences of Ransomware Attacks

Regardless of the attack vector used, ransomware attacks almost always have severe consequences for affected organizations. The most common consequence, particularly for ransom-paying organizations, is financial loss.

An attack can also cause other kinds of damage, including:

  • Operational disruptions
  • Data or intellectual property (IP) loss
  • Reputational damage
  • Loss of customer trust
  • Drop in share prices (for public companies)
  • Regulatory investigations and fines
  • Lawsuits and associated financial payouts
  • Incident investigation and remediation costs

Strategies to Prevent and Mitigate Ransomware Attacks

In 2023, the average ransom demand for US businesses went up to $1.4m.[5] Despite this, one 2024 survey of 1,000 cybersecurity professionals found that the ransomware approaches of most organizations are “incomplete, either missing the documented plan or the people to execute it”.[6]

The following strategies can help to plug these gaps, enabling businesses to effectively prevent or mitigate ransomware attacks.

Take regular backups of files and data

Attacked organizations usually pay ransoms to retrieve the encrypted files because they don’t have a backup to fall back on. To avoid this cost, it’s crucial to take regular backups of all files and data and store the backups in a location that ransomware running on the network cannot reach, such as offline or immutable storage. Furthermore, an up-to-date disaster recovery plan, including tested restore procedures, can help with data restoration in the event of an attack.

Strengthen email and web security

Since phishing is a common attack vector for ransomware, it’s important to detect and block phishing emails and malicious attachments before they can reach users’ inboxes. Here’s where email filtering and scanning solutions, plus email authentication protocols like SPF, DKIM, and DMARC can be very useful. Additionally, blocking access to known malicious websites using web filtering solutions can prevent users from inadvertently downloading ransomware from those sites.
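As an added illustration (not code from the original article), the following Python checks SPF and DMARC TXT records for the weak settings that let mail with a spoofed sender domain through to inboxes; the domain names and records in it are constructed examples, not real records.

```python
# Added example (not from the original article): parse constructed SPF and DMARC
# TXT records and flag settings that leave spoofed-sender mail unblocked.

def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record ('v=DMARC1; p=none; ...') into tag/value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(txt: str) -> list:
    """Return weaknesses found; an empty list means the policy is enforcing."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "none").lower()  # 'p' is required; treat missing as none
    if policy == "none":
        findings.append("p=none: spoofed mail is only reported, never blocked")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail is sent to spam, not rejected")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports, so spoofing goes unnoticed")
    return findings

def assess_spf(txt: str) -> list:
    """Flag SPF records whose terminating 'all' does not hard-fail unlisted senders."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    last = terms[-1].lower()
    if last in ("all", "+all"):  # no qualifier means '+' (pass)
        return ["+all: any host on the internet may send as this domain"]
    if last == "~all":
        return ["~all: soft fail only; receivers may still deliver spoofed mail"]
    if last == "?all":
        return ["?all: neutral; spoofed mail is treated like any other"]
    if last != "-all" and not last.startswith("redirect="):
        return ["no terminating 'all' or redirect=; unlisted senders are not failed"]
    return []

# Constructed sample records for demonstration (example.test is not a real domain).
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.test"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.test"
WEAK_SPF = "v=spf1 include:_spf.example.test ~all"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.test -all"
```

Running `assess_dmarc` and `assess_spf` over a domain’s published TXT records gives a quick read on whether the authentication protocols named above are actually enforcing rather than merely present.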

Strong access controls

Strong access controls restrict unauthorized and malicious users from accessing sensitive systems and data, reducing the risk of ransomware infections. Adopting the principle of least privilege (PoLP) can also help to control access and prevent inadvertent or deliberate infections.

Regularly patch all systems and software

Attackers often exploit vulnerabilities in outdated software, applications, or operating systems to deliver ransomware payloads. Regularly patching these assets eliminates many vulnerabilities and reduces the number of ransomware attack pathways.

User awareness

Employees who open emails from unknown senders or plug infected USB devices into their computers increase the risk of a successful ransomware attack. To reduce this risk, they must be made aware of the risks and consequences of ransomware. Ideally, awareness programs should train employees on how to recognize common attack vectors, the importance of not opening emails from unknown or suspicious sources, and what they should do if they suspect an attack.

Safeguard Your Organization from Ransomware with BreachLock

A proactive approach to defense will significantly reduce your organization’s risk of attack and minimize the impact if an attack does occur.

One of the best places to start is with BreachLock’s Red Teaming as a Service. For years now, customers have benefited from an offensive strategy using red team activities to thwart attacks before they happen. This includes:

Discover your Data Leaks: BreachLock will research publicly available open-source intelligence and capture instances that may leak vital information to hackers. This information is presented in a report that can be used by your executive team to formulate policies and awareness campaigns.

Execute Red Team Scenarios: BreachLock will carefully analyze the OSINT gathered in the first step and formulate a spear phishing scenario that is relevant to the target audience. The campaign is launched in a coordinated manner and each interaction with the user is captured in detail.

Recent Exposure and Compromise: BreachLock will investigate employees’ personal emails and passwords that may have been compromised in a recent hack. This may impact your organization as the same passwords may be used to access critical resources.

Comprehensive Reports: BreachLock reports contain visual evidence of exposures found during the OSINT assessment. This ensures that you get sufficient input for an effective security awareness campaign. The Phishing Exposure Assessment Report captures vital statistics such as emails sent, delivered, opened, and clicked on, and includes the usernames and emails that resulted in a compromise.

Penetration Testing & Continuous Scanning: Another proactive ransomware prevention strategy is to penetration test your IT assets from the perspective of attackers. Harness BreachLock’s human-delivered and continuous scanning solution to identify and fix vulnerabilities across your entire attack surface before they can be exploited by a ruthless ransomware gang.

Discover how BreachLock’s solutions can strengthen your company’s ransomware resilience with a free discovery call.

About BreachLock

BreachLock is a global leader in Continuous Attack Surface Discovery and Penetration Testing. Continuously discover, prioritize, and mitigate exposures with evidence-backed Attack Surface Management, Penetration Testing and Red Teaming.

Elevate your defense strategy with an attacker’s view that goes beyond common vulnerabilities and exposures. Each risk we uncover is backed by validated evidence. We test your entire attack surface and help you mitigate your next cyber breach before it occurs.

Know your risk. Contact BreachLock today!
