Cybereason Blog | Cybersecurity News and Analysis

Targeted by Ransomware? Here are Three Things to Do Straight Away

Written by Anthony M. Freed | May 24, 2022 2:22:05 PM

Ransomware attacks more than doubled over the course of 2021. In a report shared by PRNewswire, researchers revealed that they had detected 623.3 million attacks globally—318.6 million more attacks than were observed in 2020—an increase of 105%. Looking back even further, ransomware attack volumes grew 232% between 2019 and 2021.

What’s Behind the Increase in Ransomware Attacks?

An essential factor is that what were typically nuisance ransomware attacks targeting individuals have evolved into highly complex ransomware operations, or RansomOps, supported by a burgeoning and highly specialized Ransomware Economy.

These incidents are different from the commodity ransomware attacks of yore, where malicious actors used “spray and pray” tactics against individual victims and demanded small ransoms. Those days are gone… with a few exceptions.

By contrast, RansomOps are highly targeted, complex attacks that are more akin to an APT operation where the attacker is determined to gain access to as much of the network as possible before detonating the ransomware payload. They do this to maximize the impact of their attacks so that they can demand ransoms in the tens of millions of dollars. 

Cybereason recently published a white paper on the subject, titled RansomOps: Inside Complex RansomOps and the Ransomware Economy, where we documented how ransomware operations have transformed dramatically over the last few years from a small cottage industry conducting primarily nuisance attacks to a highly complex business model that is highly efficient and specialized with an increasing level of innovation and technical sophistication. 

The paper examined how ransomware operators are moving away from high-volume attacks with low ransom demands in favor of more focused, custom attacks aimed at individual organizations selected for the ability to pay multi-million dollar ransom demands. 

Ransomware Response for Wary CISOs 

CISOs are taking notice of the increasing challenges involved in defending against these attacks. That explains why more of them believe that ransomware actors will likely target their organizations in 2022.

For example, in a study covered by ITPro, nearly seven in ten CISOs said that they expect to suffer a ransomware attack in the coming year. That’s significantly higher than the 53% of organizations that actually suffered an infection over the course of the previous year.

Last year, Cybereason published a study titled Ransomware Attacks and the True Cost to Business, revealing the various costs that organizations face after falling victim to a ransomware attack. The most significant findings that stood out include:

  • Two-thirds of ransomware victims said that they endured a significant loss of revenue following the attack
  • More than half of organizations suffered damage to their brand and reputation after a ransomware infection
  • A third of those who fell victim to ransomware lost C-level talent in the attack’s aftermath
  • Three in ten organizations had to lay off employees due to the financial pressures resulting from a ransomware attack
  • A quarter of ransomware victims said that they needed to suspend business operations

In preparation for the likelihood of facing a ransomware attack, CISOs need to know what to do when their organizations are targeted. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) provides the following recommendations toward that end. Three of those stand out:

Determine the Affected Systems and Isolate Them

IT and security teams need to determine if a ransomware attack has affected several systems and/or any subsets of systems. If they determine this to be the case, they might consider taking the network offline at the switch level. Disconnecting individual systems during an incident might not be feasible for them, depending on the nature of the infection.

Taking the network offline might not be possible, either. If that’s the situation, teams can find the network cable and disconnect only the affected devices. Removing them from the Wi-Fi network will help enable IT and security teams to contain the infection. 

Moving forward in their response efforts, IT and security teams might consider using phone calls and other out-of-band communication methods to coordinate their response efforts. They must resist using email and other digital means that attackers may have “tapped” into during the infection process. Those threat actors could eavesdrop on defenders’ conversations to counter the response efforts or use that intelligence to target organizations’ systems again in the future.

Review Logs and Other Evidence to Investigate Earlier Stages of the Attack

Next, IT and security teams need to review their logs along with their detection and prevention systems to identify evidence of the attack’s early stages. This step can involve looking for Trickbot, Dridex, Emotet, and other malware strains that “dropped” the ransomware onto one of the organization’s devices, setting off the attack. 

By detecting those threats, IT and security teams can prevent ransomware actors from regaining access to their victims’ networks through an Initial Access Broker (IAB). As such, they can prevent ransomware attackers from encrypting their backups if/when team members attempt to restore their data.

Use Extended Analysis to Identify Persistence Mechanisms

Finally, IT and security teams must analyze persistence mechanisms employed by ransomware attackers—they need to look for outside-in persistence mechanisms such as backdoors on perimeter systems.

But they also need to keep an eye out for implants of Cobalt Strike and other malware strains that use living off the land techniques on the internal network. In doing so, team members can ensure that they have remediated a ransomware infection before they set about activating their data backs.

Defending Against Ransomware and RansomOps Attacks

The only way organizations can successfully defend against ransomware and RansomOps attacks is to be able to detect them early, and end them before any data exfiltration, or encryption of critical files and systems can take place. Clearly, there is a lot more to detect when it comes to ransomware attacks than just when the final malware payload displays its ransom note. 

The issue is that organizations can’t necessarily achieve visibility over the early stages of a highly-targeted RansomOps attack using backward-looking Indicators of Compromise (IOCs) derived from attacks in other environments as the tools and techniques are likely unique to the individual target environment. 

Hence the need for organizations to embrace an operation-centric approach that enables organizations to understand the attack from the root cause and across every affected device and account. It does so by drawing on both IOCs and Indicators of Behavior (IOBs).

IOBs are the most subtle signs of compromise that help to identify potential security incidents based upon chains of behaviors that produce circumstances that are either extremely rare or present a distinct advantage to an attacker–even when those behaviors in isolation are common or expected in the network environment. 

IOBs can thus provide insight into attack chains that are novel or have never been detected previously. Organizations need the visibility afforded by tracking both IOCs and IOBs if they are to defend against a RansomOps attack successfully.


Cybereason is dedicated to teaming with Defenders to end ransomware attacks on the endpoint, across the enterprise, to everywhere the battle is taking place. Learn more about Cybereason AI-driven XDR here, browse our ransomware defense resources, or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.