Uncover gaps in your Microsoft Identity Security.
Book an identity exposure gap analysis today.
Best Practices Guide

How to Stop Ransomware

Learn how to quickly identify the early signals of an active ransomware attack.
How to Stop Ransomware
How to Stop Ransomware
Select language to download
Instant free access
Thank you for downloading!
Please access your free offer below.
Download
Download
Download in French
Download in German
Download in Spanish
Download in Japanese
Download in Italian

Stop a hybrid attack

Take a self-guided tour to see how the Vectra AI Platform empowers you to stop hybrid attacks before any damage is done.

Take Self-Guided Tour

Read this paper and you will learn:

  • The importance of automated threat management in detecting and stopping ransomware attacks.
  • How enterprise operational efficiency can be enhanced by utilizing a cloud-native security solution.
  • The role of proactive monitoring and rapid response in preventing disastrous business disruption caused by ransomware attacks.

With Vectra AI, attackers don't stand a chance

Intellectual property. High-value data. Hybrid cloud infrastructure. It all adds up to a lot of vulnerabilities — and makes your company a prime target for nation-state cyberattacks. But with Attack Signal Intelligence from Vectra AI, your analysts easily keep data breaches at bay.

No items found.

Gain real-world insight into the anatomy of an attack.

Join our ensemble of security researchers, data scientists and analysts as we share over 11+ years of security-AI research and expertise with the global cybersecurity community. Through our webinars and hands-on labs, you’ll learn how to effectively leverage AI for threat detection and response and expose sophisticated attacks hiding in your environment.

Explore upcoming sessions

This ebook dives into everything from why detecting attacker activity and recon known as ransomOps is critical to stopping ransomware and many of the steps security professionals are taking to successfully slam the door on today’s ransomware tactics. We’ll share how customers utilizing Vectra MDR Services are able to detect active attacks almost immediately as well as some of the challenges, observations and recommendations that every organization should know.

One thing is for sure, the difference between success and failure when it comes to stopping ransomware comes down to response speed and quick action — let’s stop some ransomware!

First and Foremost, Ransomware is a Business

As distasteful as it may be, ransomware gangs and their affiliates are running a business, and just like any other business — they exist to make money. They have an ROI mindset and just happen to be cashing in on the ability to reach systems and data that they can steal as quickly as possible, while charging you a hefty sum for the return of your own property.

This mindset drives many of the observations discussed throughout this ebook, while understanding the motivation that drives attackers is a key piece to any security strategy. When you know what drives attackers and can clearly identify the systems and data in an environment that would cause disruption if compromised — your organization will be in a good position to make it as difficult as possible for an attack to unfold.

Let’s see why tabletops can help bring this into focus, and how red teams can give an objective evaluation of current readiness.

Start with the Basics

Of course, the best outcome is to keep the ransomware gangs from ever gaining access to your environment. And while prevention is never foolproof, the ROI mindset can work to your advantage. In fact, you can dramatically reduce your risk by getting the basics of authentication hygiene and patching right.

This is because initial access by attackers most commonly occurs via an unpatched and DMZ-exposed vulnerability, an account without MFA or similar low-hanging fruit. Basically, if organizations miss some of the basic prevention methods — there’s no need for attackers to use sophisticated and time-consuming tactics to gain access.

The best outcome is to keep the ransomware gangs from ever gaining access to your environment.

The good news is that by enabling MFA (multi-factor authentication) on your VPN, IDP and other points of entry, you’ll make life more difficult for attackers who may just decide to knock on someone else’s door instead. The same goes for patch management — making sure patch practices span across your DMZ will help in turning away attacks. While no prevention strategy is foolproof, sensible investments in prevention will make it harder for attackers to get in.

Be Ready to Respond at Speed…Day or Night

Dialing in the basics will improve, but not eliminate, risk. There are a lot of reasons for this, but the truth is that it only takes one mistake in account setup, one missed patch, one user clicking on a link they shouldn’t…or one new 0-day in your VPN of choice (funded by the gobs of money pouring into the ransomware ecosystem) to break through. We’ve seen it all.

And when a ransomware actor gets into your environment — expect that they will move FAST. We have certainly responded to attacks that progressed slowly over several days, however; it’s not uncommon for the majority of an attack to occur in a single, after-hours evening. Remember, time is money for attackers with an ROI mindset. Whether giving defenders the least amount of time to respond or just playing the numbers game, we generally see few signs of attackers trying to stay below the radar. In fact, the global dwell time for ransomware attacks has dropped significantly over the last few years.

The good news for defenders is that speed makes the attack obvious with the right detection technology. As is the case with Vectra, we’ve seen critical hosts within two minutes of initial access. However, due to the speed of the attack progression, this also makes it crucial to be prepared to respond quickly and decisively in order to stop the threat prior to ransomware deployment.

Unfortunately, this ability to respond at speed isn’t limited to business hours. We’ve observed early-stage reconnaissance and lateral movement occurring at all hours, seemingly whenever the ransomware actor had some time. Sometimes it will be in the middle of the day, other times at night, on a weekend or even during a holiday. However, based on our observations, the final push to exfiltration and encryption is more likely to be in the middle of the night or on a weekend or holiday — when incident response capabilities are at their weakest.

Practically speaking, this means 24x7 monitoring is a must.

Have a Game Plan for Response

The first step in responding to a ransomware threat is to detect the adversary in your environment. It’s equally critical to know what you’ll do in various scenarios to stop the attack. How far are you willing to go? In one of our engagements, the attacker made it as far as the domain admin on the domain controller where the security team in play had to make a split-second decision to fully disconnect their systems from the internet in order to buy time for response. Fortunately, it worked for them.

As close as that team was to a ransomware attack unfolding, this scenario isn’t all that uncommon. It could be worth asking — if your organization were in the same situation, what would you do? Would this level of disruption be acceptable to the business? Would you be able to effectively respond without connectivity for your remote security staff? Are there other response options that you would have to buy?

We’ve seen rapid, decisive action under pressure be a key ingredient in successful response. Knowing and practicing your game plan before you need it could make all the difference.

To Stop Ransomware, Don’t Look for the Ransomware

Modern ransomware attacks (really ransomOps), don’t deploy the ransomware binary until the very end of the attack. This means that if you see the ransomware itself, you’ll most likely be too late.

This is a common misconception because to stop these attacks in progress, you’ll need to detect and respond to the steps that come BEFORE ransomware is deployed. The reality is that that you’ll almost certainly be operating without full knowledge of the adversary or their end game. In many cases, you’ll see a rapidly-progressing attack, and potentially some telltale signs in tooling or C2 infrastructure that allow you to make an educated guess about what’s happening.

Here, your response plans will need to focus on a more general class of intrusion and attack progression, then, understanding that the endgame is just a probability and not a certainty.

Accounts and Admin Tools are Key

We’ve observed exploits used to gain initial access, and occasionally for lateral movement. But, as with most modern attacks, the focus is on credentials — admin and service accounts. In combination with admin protocols, these are the favored tactics for virtually all ransomware affiliates.

The intent, as in many attacks, is to get to domain admin on the domain controller to launch the final phase of the attack. From this vantage point, it’s easy to get access to the most valuable data. It’s also possible to deploy ransomware blazingly fast, using admin tools including GPO.

Due to the focus on credentials, it’s absolutely key to carefully monitor the use of all privileged accounts as we’ve seen this reliably be one of the most valuable attack detection signals.

Common Ransomware Behavior

Vectra analysts compiled user, process and security challenges that were common across different customer engagements.

Prevent ransomware attacks

Initial Access

  • Attackers continue to scan for vulnerabilities on publicly available, internet facing services and systems.
  • Servers running RDP, FTP or VPN are popular targets, providing initial access into enterprises and cloud.
  • Lack of MFA is a gap commonly targeted.
  • Attack progression in some cases took hours from initial entry, and in other cases took days or even weeks. There is time for security teams to detect and respond early, but it does require 24x7 vigilance.

Command and Control (C2)

  • Cobalt Strike seems to be the current favorite tool.
  • Popular remote access tools, irrespective of if they were sanctioned or unsanctioned, were also used to control systems. In one case, we detected Cisco AnyConnect software used to control machines on the inside, by a human on the outside.
Detect ransomware

Recon and Lateral Movement

  • In most cases scanning was aggressive, and included network mapping, rDNS queries, and share enumeration. The rapid scanning generally made the attacks visible within minutes of initial access.
  • Credential-related recon, including LDAP queries and RPC calls to map credential locations, were also common.
  • Lateral movement in the early stages included common exploits. Later stages relied mainly on credentials and admin protocols.

Exfiltration

  • Free fileshare sites were commonly used to upload reconnaissance information for analysis. These included Mega Upload (mega.com) and temp.sh.

Recommendations for Ransomware Prevention, Detection, and Response

Our teams work closely with security teams daily, responding to critical alerts generated by the Vectra AI-driven threat detection and response solutions. When we initially engage with customers, it is not obvious if a threat is ransomware. As alerts grow in severity, we’re able to gain additional clarity and context about the attack and determine if it is in fact ransomware. We have found an array of security tools and security practices that make it harder for adversaries to carry out successful ransomware campaigns and ultimately stop them with certainty. This includes.

Prevention

  • Regularly assess your external security posture and implement high-priority fixes. Focus especially on remote access infrastructure and commonly- vulnerable services like RDP and FTP, which have proven popular targets.
  • Enable MFA wherever possible on any identity providers or remote access infrastructure.
  • In general, strong preventative controls, rules and policies make it harder to escalate privileges even post-access, which buys more time for response.
  • A special area of focus is on privileged accounts. While operationally challenging, the more that can be done to focus use through jump servers and privileged account management systems, the harder the escalation path will be.

Detection

  • There is time to stop the attack after the ransomware actor has gained access and before data is exfiltrated or ransomware is deployed.
  • Invest in threat detection and response across your network, identity infrastructure, cloud and endpoint to maximize the odds of early detection.

Investigation and Response

  • Ransomware attacks can progress fast, any time of the day or night. Ensuring that you are monitoring critical alerts 24x7x365 is key, whether by augmenting internal teams or leveraging managed detection and response (MDR) or MSSP offerings.
  • Integrating telemetry from network, endpoint, and cloud logs provides the best context, clarity, and enrichment in investigating threats and arriving at a definite root cause.
  • Looking back for increased scanning activity of your DMZ prior to the initial access, in combination with OSINT, may provide an early assessment of the likely threat actor and provide more clarity in response.

Trusted by experts and enterprises worldwide

FAQs

Challenge

Solution

Customer benefits

How other organizations are partnering with Vectra AI

Key Findings from the Gartner Market Guide for Network Detection and Response

Gartner is a trusted resource and advisor to who we are and what we do at Vectra AI. We see eye to eye with Gartner on many things, but not always everything. In this report, we share where we align to Gartner and where our perspectives differ when it comes to Network Detection and Response (NDR).

Read case study
Using AI to Detect and Stop Lateral Movement in the Cloud

Vectra CDR for AWS enables modern SOC teams to reduce risks against advanced lateral movement attacks in your hybrid cloud.

Read case study
Stop Identity-based Attacks with Privilege Account Analytics (PAA) in Your SOC Arsenal

The Vectra AI Platform expands coverage for threats that bypass prevention with visibility into privilege identity behaviors to relieve your SOC team from the pains of privilege account sprawl.

Read case study
Vectra CDR for AWS with Amazon GuardDuty

Vectra CDR for AWS strengthens exisiting investments in Amazon GuardDuty by stopping sophisticated threats and deeply empowering modern SOC teams.

Read case study
Shifting from legacy PCAP to AI-driven threat detection

PCAP strengths primarily rely on network monitoring for on-premises environments, leaving huge gaps and vulnerabilities for bad actors to exploit.

Read case study
Reduce Critical Infrastructure Risk with Integrated Signal for Your Hybrid Cloud

Reduce your exposure to critical infrastructure risk with integrated signal for your entire hybrid cloud infrastructure.

Read case study
Best Practices to Address Tool Sprawl for Your NDR and IDS solutions

Vectra Match for NDR consolidates behavior-based and signature-based detection correlation

Read case study
Meeting the challenges of the Cybersecurity Maturity Model Certification (CMMC v2) with Vectra AI

To meet the protections of Controlled Unclassified Information (CUI) and Covered Defense Information (CDI), federal contractors of all categories are now required to meet CMMC in order to participate in new contract pursuits, extensions, or modifications.

Read case study
Adapting to Changes in Securing the Cloud

The shift to cloud-native architectures, driven by the need for speed and agility in today's digital business landscape, has resulted in developers taking on security responsibilities, increasing the risk of introducing security issues alongside enhanced efficiency.

Read case study
A New Threat Detection Model That Closes the Cybersecurity Gap

The cybersecurity gap exists between the time an attacker successfully evades prevention security systems at the perimeter and the clean-up phase when an organization discovers that key assets have been stolen or destroyed.

Read case study
The Tradeoff Between Automatic and Manual Enforcement

Enforcement, as it relates to cyberattacks, are responses to attacker actions to bring an enterprise back in line with its stated security policy. Common examples of enforcement are blocking traffic to a specific IP, quarantining a device by restricting network access, reformatting a machine, or locking down account access.

Read case study
Extending beyond EDR with integrated signal at speed and scale

When it comes to stopping high-speed hybrid attackers, integrated signal at speed and scale is the only answer.

Read case study
How to Protect the Oil and Gas Sector from Cyberthreats

Energy companies are increasingly vulnerable to cyberthreats.

Read case study
How Financial Institutions Can Stop Cyberattacks in Their Tracks

Attackers are finding it more profitable to go straight for the money using sophisticated advanced persistent threats (APT), such as Carbanak, as well as ransomware.

Read case study
How Manufacturing Organizations Can Reduce Business Risk from Cyberattacks

Manufacturers have long used industrial control systems to increase the speed and efficiency of production. But these production control systems were largely kept separate from the administrative and enterprise systems.

Read case study
How Pharmaceutical Companies Can Protect Valuable IP

Intellectual property (IP) is the lifeblood of pharmaceutical companies. An analysis of the top 10 drug firms indicates that average R&D spend is over 20% of revenue and intangible assets.

Read case study
How Medical Device Manufacturers Can Safeguard Vital IP

Stolen IP represents a significant subsidy since the thieves don’t have to bear the costs of developing or licensing that technology or manufacturing process.

Read case study
Meaningful AI for Security

When done well, AI can arm your security team with more efficient and effective threat detection, however, not all AI is created equal.

Read case study
Incident Response Maturity: Time to Grow Up

When a cyberattack occurs, most aspects of the threat are not under the control of a targeted organization. These range from who is targeting them, what is the motivation, where and when the attack occurs, how well-equipped and skilled that attacker might be, and most critically, the persistence of the attacker to achieve the ultimate goal.

Read case study
Is Next-Generation IPS Masking an Old Problem?

Intrusion detection systems (IDS) like Cisco Firepower (formerly Sourcefire), Trend Micro Deep Discovery, and McAfee Network Threat Behavior Analysis are all traditional technologies with deep roots in signature-based detection and protection.

Read case study
What is Network Detection and Response (NDR)?

NDR goal: Empower security analysts to receive alerts quickly and be able to discern what is critical versus what is benign. It also focuses on lowering the time from compromise to incident detection and containment.

Read case study
NIS2 (Network and Information Security 2) – A Best Practices Guide

What is NIS2? Who should be involved and what steps can you take to achieve NIS2 compliance?

Read case study
Protecting Patient Health and Privacy from Cybercriminals

The healthcare industry today is one of the top targets of cyber attackers. This has been driven in large part by the digitization of healthcare delivery - IoT devices such as x-ray and MRI machines, drug infusion pumps, blood gas analyzers, medication dispensers and anesthesia machines - as well as medical information.

Read case study
Protecting Higher Education Networks from Cyberthreats

Thanks to their open, collaborative environments and a treasure trove of high-value assets, universities and colleges have become a top target of data breaches and cyber attacks.

Read case study
Recommendations When Evaluating NDR for IaaS

With nearly half of current infrastructure-as-a-service (IaaS) users running production applications on a public cloud infrastructure, organizations will increasingly look to capture the favorable business models, dynamic scaling, availability, and streamlined management that public clouds deliver.

Read case study
SecOps Practices that stop AWS Account Compromise accurately and early.

A Cloud Detection and Response Strategy for AWS

Read case study
Reduce Your SIEM Cost and Stop Attacks Faster

With the increasing number of cyber threats your SOC team faces, ask yourself one question: can we keep pace by relying exclusively on our SIEM to detect and respond to attacks?

Read case study
From DIY to AI: Removing SOC latency by shifting from build-your own SIEM rules to pre-built AI models

Why create and maintain your own detection rules when AI can do it for you?

Read case study
SOC Visibility Triad - The Ultimate in SOC Visibility

As evidenced by unprecedented cybercrime, traditional security defenses have lost their effectiveness. Threats are stealthy, acting over long periods of time, secreted within encrypted traffic or hidden in tunnels. With these increasingly sophisticated threats, security teams need quick threat visibility across their environments.

Read case study
Remote Work, Not Remote Control: Detection Guidance

Vectra is making the following recommendations for users of the Cognito platform to identify and manage the expected increase in behavioral detections related to certain remote worker conditions.

Read case study
5 Keys to Stopping Hybrid and Multicloud Cyberattacks on Critical Infrastructure

A playbook for defending Critical National Infrastructure (CNI) from cyberattacks and increasing SOC productivity by >2X.

Read case study
The Dark Side of Darktrace: Why Vectra AI beats the competition

Darktrace isn’t just guilty of bloated sales and marketing — it also fails to deliver on POC promises. Read the Darktrace vs Vectra brief to learn why.

Read case study
How to Stop Ransomware

Learn how to quickly identify the early signals of an active ransomware attack.

Read case study
Threat Hunting Guide

Threat hunting is an important part of any security program. Regardless of how well-designed a security tool is, we must assume these tools and defenses are imperfect.

Read case study
Modernize Your SOC — Set Your Pathway into the future without Network Traffic Decryption

An integrated threat signal enables your SOC to move away from network traffic decryption while reliably detecting the most urgent threats.

Read case study
How Cyberattackers Evade Threat Signatures

Signatures, reputation lists and blacklists only recognize threats that have been previously seen. This means someone needs to be the first victim, and everyone hopes it's not them.

Read case study
How Vectra AI enables DORA Compliance

Digital Operational Resilience Act (DORA) - 10 steps Best Practices Guide for Security & Compliance Leaders to understand the EU regulation.

Read case study
See all customer stories

When you eliminate the noise, you stop attacks faster.

Explore CDR for M365

Vectra Cloud Detection and Response (CDR) for M365 is the most advanced AI-driven attack defense for malicious threats to your Microsoft 365 apps and data.

Learn more
Get a demo

Request a 30-minute demo to see how the Vectra AI empowers SOC analysts to find and stop active cyberattacks in minutes.

Sign up
Use cases

Explore real-world applications of the Vectra AI platform — from identifying elusive threats to streamlining incident response.

See more
Blogs

The Vectra blog covers a wide range of cybersecurity topics, including exploits, vulnerabilities, malware, insider attacks, threat actors, artificial intelligence, and more.

See more
Customer stories

Vectra AI customer stories showcase how real organizations are using our cybersecurity solutions to protect their data and achieve their security goals.

See more