How to protect against Modern Ransomware Attacks

In 2019, over half of businesses were the victims of ransomware attacks with an average cost of $761,106. In 2020, attacks grew even worse with an estimated total price tag of $20 billion. Successful ransomware attacks are growing increasingly common despite the dozens of solutions that claim to provide 100% protection against ransomware. So, what’s going wrong?

Ransomware “Solutions” Aren’t Working

Most companies are aware of the threat of ransomware and have taken steps to protect against it. However, the number of successful attacks demonstrates that these approaches aren’t working. Most common anti-ransomware solutions fail because they don’t address the real problem.

Anti-Phishing Training

Many organizations’ cybersecurity awareness training discusses the threat of ransomware and how to protect against it. They talk about the risks of phishing emails and why it’s important not to click on a link or open a suspicious attachment. They also push the benefits of antivirus. However, ransomware attacks are still occurring, and in fact, growing even more common. The reason is that most anti-ransomware training and strategies are not aligned with today’s real threat.

In 2020, the main ways in which organizations were infected by ransomware were not via email or other automated processes. Instead, it was by human actors manually targeting and penetrating organizations using various software and tools such as the Remote Desktop Protocol (RDP) or Virtual Private Networks (VPNs) with credentials that were purchased on the darkweb. In cases where the credentials didn’t work, the operators would fall back on brute force attacks. These aren’t “fire and forget” phishing emails designed to drop ransomware on a target system. They’re human-driven campaigns where an attacker gains access to an organization’s network, explores it, exfiltrates sensitive data, and runs ransomware exactly where and when they want to.

Endpoint Protection

Ransomware is malware, so anti-malware solutions, also known as endpoint protection solutions, seem like the perfect protection against ransomware. In theory, installing and frequently running an up-to-date endpoint protection solution should fix the problem, but does it?

While endpoint solutions can defeat most known variants of malware, they can be evaded with relative ease. To effectively detect malware, these solutions must have intelligence about the malware in advance of a real-world encounter. When a new, never-before-seen variant of malware surfaces (zero-day malware), the effectiveness of these solutions is marginal at best. Complicating things further, attackers often test their malware against endpoint security solutions in advance of deployment to ensure that it remains fully undetectable.

What’s more problematic is that it takes organizations an average of 280 days to detect a data breach, while it takes attackers less than 30 minutes to establish what amounts to an irrevocable foothold. This means that the attackers can explore victim networks for an extended period of time, steal credentials, deploy additional malware, and more. Given this fact, breached organizations cannot realistically guarantee the security or safety of their networks without a complete overhaul.

Backups

Backups can be an invaluable tool for recovering from a ransomware attack. The traditional ransomware model is based on denying access to data. Assuming that your backup is very recent and wasn’t encrypted as well, then it can be cheaper and easier to restore from it than to pay the ransom.

The problem is that ransomware gangs know this too and have adapted their tactics. In recent years, ransomware gangs have begun performing “double extortion” attacks, which involve data theft on top of the data encryption. If the victim refuses to pay the ransom, then their data is posted publicly or sold to the highest bidder.

These types of attacks mean that relying on backups is not an effective strategy. Regulators don’t care that you’ve restored your data if the exposed data is protected by law. On the bright side, if you don’t have backups, double extortion attacks mean that you can restore your data by downloading a copy, just like everybody else!

Paying the Ransom

Some companies take the approach of paying the ransom demand. In theory, this puts an end to the problem by allowing them to restore their data and making the cybercriminals go away. In reality, this approach does not always work. In some cases, ransomware gangs fail to hand over the decryption key when the ransom is paid. In others, the promised decryptor doesn’t work as well as advertised. This was the case in the recent Colonial Pipeline breach, where the company shelled out $4.4 million for a decryptor that was so slow that the company went back to restoring from backups.

Making the Colonial Pipeline breach even more interesting is that, for the first time ever, the FBI was able to recover most of the funds. To pay the ransom, Colonial needed to exchange ~$4.4 million into 63.7 Bitcoin (BTC) and then transfer the BTC to one of the DarkSide wallets. In a short time, the FBI was able to compromise the private key belonging to that specific wallet and recover all 63.7 BTC. This may sound like a victory, but between the time the ransom was paid and the time it was recovered, the value of BTC declined sharply. As a result, the recovered 63.7 BTC was worth ~$2.3 million, resulting in a loss of $2.1 million. Moreover, it’s very likely that any data that was stolen will be published.

Paying a ransom also doesn’t mean that the cybercriminals will go away. In fact, it labels a company as a mark that’s willing to pay up. We’ve witnessed this firsthand. Just recently, a new customer engaged Netragard because they had been the victim of ransomware attacks three times by the same group over the span of 4 years. Our consulting team helped them to drastically improve their overall security posture and to try to prevent a fourth incident.

These breaches never go without at least some public notice, even if a victim pays up. Attackers often advertise their victims on the darkweb, which entices other attackers to either buy access to their networks or to attack them as “soft” targets. Two screenshots of such sites are provided below just as an example.

[Screenshots: Wall of Shame]

The Modern Ransomware Attack

Cybercrime has become a business, and that business is maturing. A major part of this increased maturity is the emergence of role specialization on a macro scale. Not all cybercriminals are wunderkids who can do everything. Instead, cybercrime groups are specializing and forming their own “as a Service” economy.

The modern ransomware threat landscape is a perfect example of this. Today’s ransomware campaigns are broken up into two main stages: gaining access and achieving objectives.

Increasingly, groups like DarkSide, the group behind the recent Colonial Pipeline hack, are offering “Ransomware as a Service”. They create the ransomware, and other teams (specialized in gaining access to corporate networks) deliver it. Alternatively, a cybercrime group will gain a foothold in an enterprise network and sell it to someone else to use. This is likely what happened in the Equifax hack and is a common part of ransomware operations today.

This evolution of the ransomware campaign creates significant challenges for enterprise cybersecurity. A defense strategy built around antivirus and “don’t click on the link” training won’t deter a professional, well-researched attack campaign. Having a strong lock on the front door doesn’t help much if they come in through the back window.

Ransomware Attack Prevention

If traditional approaches to ransomware prevention are not effective, then what is?

Modern ransomware attacks are human driven. Sophisticated cybercriminals can gain entry to a network in a variety of ways, including many that a vulnerability scanner, an industry-standard penetration test, or an anti-phishing solution will never catch.

Preventing these types of breaches requires forward-thinking intelligence about how today’s threat is most likely to align with an organization’s existing points of risk and exposure. The most effective way to gather this intelligence is to experience a real-world attack at the hands of a qualified team that you trust and control. This is where Realistic Threat Penetration Testing comes into play. Realistic Threat Penetration Tests are not provided by most penetration testing firms and are notably different than Red Team engagements. Some of the key characteristics include, but are not limited to:

  • The ability to match or exceed the level of threat being produced by today’s bad actors.
  • Utilizing human experience & expertise with little to no dependency on tools like automated vulnerability scanners or commercial off-the-shelf testing tools. Ideally the team should be comprised of professionals with demonstrable expertise in performing vulnerability research and zero-day exploit development.
  • The use of custom-built pseudo-malware to simulate ransomware or other malware. Pseudo-malware should deliver the same or better capabilities than what the real-world threat actors are using and must be fully undetectable (covert). The primary difference between malware and pseudo-malware is that pseudo-malware is built with safety in mind which includes automated clean removal capabilities at a pre-defined expiration date.
  • Leverage experts who understand the inner workings of various security technologies (for example, EDRs, application whitelisting, antivirus, etc.) to help ensure successful subversion and/or evasion.
  • The ability to develop new exploits on-the-fly with minimal risk and minimal detection.
  • The ability to erect a doppelganger infrastructure, including SSL certificates and services, to help facilitate advanced phishing.
  • And more…

The product of a Realistic Threat Penetration Test is a technically detailed report that contains the intelligence required to defend against bad actors. This intelligence generally includes information about what vulnerabilities exist, areas where lateral and/or horizontal movement are possible, misconfigurations, gaps in detection capabilities, suggestions for hardening and defending, and more. Of course, the report is the starting point for building a plan and a roadmap to remediate the weaknesses and make the job harder, if not impossible, for the bad actors!

To learn more about Realistic Threat Penetration Testing, and how to render your environments more secure, please contact Netragard at [email protected] or [email protected]

Remote Attackers

Protecting Your Business From Your Remote Workforce

A significant portion of your workforce is currently moving to perform full- or part-time remote work as a result of COVID-19.  As you modify your business processes and workflows to accommodate this change, it’s important to understand how remote work affects your cybersecurity posture and what openings and opportunities exist for cybercriminals to take advantage of you.  We would like to take this opportunity to provide advice on how to orient your security posture to account for this increased threat vector and illustrate several common patterns of weakness.

Virtual Private Networks (VPNs)

Long touted as the safest and most-reliable way to enable remote work, Virtual Private Networks (VPNs) allow a user to access internal enterprise resources and applications from any internet connection.  VPN connections are encrypted, preventing untrusted network operators (such as your local coffee shop) from snooping on sensitive traffic, but they don’t solve every security problem.

Risks:

  • VPNs weaken the network boundary by allowing additional devices into the most vulnerable part of a company’s IT infrastructure – its internal network
  • Compromised user accounts can give attackers direct access to many internal resources
  • Granting VPN access to untrusted devices is equivalent to plugging that device directly into your network, along with any infections it might have

The more users who use your VPN, the more likely it is that you are giving an attacker access to your internal network by way of a compromised user device. When VPN access is allowed from machines that were not provisioned by the company, this risk is even greater. If an attacker does gain this access, it can be devastating, because internal enterprise networks are frequently the most vulnerable parts of an enterprise network.

Recommendations:

  • Create a separate User Account specifically for VPN access for each user
  • Place VPN user accounts into a restricted Organizational Unit with as few privileges as possible. For example, if you run Citrix, only allow VPN user accounts to sign onto Citrix desktops.
  • Set up Two-Factor Authentication (2FA) for all users and VPN user accounts to increase difficulty for attackers
  • Install a honeypot on your internal network to help identify suspicious network activity coming from remotely connected devices

[Figure: The Vexing VPN - in a split tunnel, security solutions only see traffic destined for the enterprise.]

A Note on VPN Configurations:

VPNs also have the option to perform full or “split” tunneling. Full tunneling forces all network traffic to go over the VPN connection, including traffic unrelated to the corporate network such as YouTube or Skype. In a split tunnel VPN, only traffic destined directly for internal corporate services travels over the VPN connection.

Split tunnel is therefore less secure than a full tunnel configuration, because in a full tunnel your remote users will still be protected by your existing network security appliances such as content filters and/or next-gen firewalls. This comes with an expensive tradeoff, though: you must have enough bandwidth to serve all of your users’ browsing habits!
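The full-versus-split distinction above is visible in the client’s routing policy. The following is an added example (not Netragard’s code) that reads a WireGuard-style client config and reports which mode it is in; it assumes WireGuard’s `AllowedIPs` syntax and uses constructed placeholder configs, since the page does not name a VPN product.

```python
import ipaddress

# Constructed WireGuard-style client config (assumption: WireGuard syntax is
# used because the routing policy is visible on a single AllowedIPs line).
SPLIT_TUNNEL_CONF = """
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.8.0.2/24

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = vpn.example.com:51820
AllowedIPs = 10.0.0.0/8, 172.16.0.0/12
"""

# Full tunnel: 0.0.0.0/1 + 128.0.0.0/1 together cover every IPv4 address. The
# two halves are commonly written instead of 0.0.0.0/0 so the VPN routes take
# precedence over the client's existing default route.
FULL_TUNNEL_CONF = SPLIT_TUNNEL_CONF.replace(
    "AllowedIPs = 10.0.0.0/8, 172.16.0.0/12",
    "AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/0",
)

def allowed_networks(conf):
    """Collect every network listed on AllowedIPs lines of a client config."""
    nets = []
    for line in conf.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "AllowedIPs":
            nets += [ipaddress.ip_network(v.strip(), strict=False)
                     for v in value.split(",") if v.strip()]
    return nets

def tunnel_mode(conf):
    """Return 'full' when the routed networks cover all of IPv4, meaning the
    user's browsing traverses the corporate security stack, else 'split'."""
    v4 = [n for n in allowed_networks(conf) if n.version == 4]
    # collapse_addresses merges adjacent blocks, so 0.0.0.0/1 + 128.0.0.0/1
    # becomes 0.0.0.0/0 and is recognised as a default route.
    merged = list(ipaddress.collapse_addresses(v4))
    return "full" if any(n.prefixlen == 0 for n in merged) else "split"

if __name__ == "__main__":
    for name, conf in (("split", SPLIT_TUNNEL_CONF), ("full", FULL_TUNNEL_CONF)):
        print(name, "config ->", tunnel_mode(conf))
```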

Two Factor Authentication (2FA)

It’s extremely important that you have 2FA deployed within your organization.  It helps prevent compromise when user credentials are leaked as a part of a breach and makes it more difficult to obtain user credentials through phishing attacks.  With that said, you should be aware that 2FA is not a silver bullet for protecting user credentials on all services because 2FA can be bypassed when user devices have been compromised.

[Figure: Two Factor Hangover]

Risks:

  • Compromised devices which are used to prompt the user for a 2FA token may relay the token to an attacker
  • Compromised devices may allow an attacker to steal session information and impersonate affected users

As an example, by stealing or intercepting a session cookie for a service to which the user has already authenticated, an attacker may gain direct access to the application without needing to authenticate. Many applications (e.g. cloud-based email, collaboration tools) do not tie their session cookie to a single device, source IP, or location, because if they did, roaming mobile users would have to reauthenticate as their device switches from Wi-Fi to 4G or 5G connections. As a result, it is usually possible for an attacker to reuse the same session as a legitimate user.

Recommendations:

  • Monitor your application logs for access from suspicious geographical locations unrelated to your typical user or business locations
  • Do not share sensitive information such as passwords in email or chat
  • Train your employees to report suspicious activity such as disappearing incoming email, email switching from read to unread without explanation, or password reset emails
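The session-reuse risk and the log-monitoring recommendation above can be combined into one detection rule: a session ID that is presented from a new country after it was issued is what a stolen cookie looks like in the logs, while an IP change within the same country (Wi-Fi to 4G roaming) is left alone. This is an added example, not Netragard’s code; the log format, the IP-to-country table and the expected-country set are all constructed, standing in for real application logs and a GeoIP lookup.

```python
import re

# Constructed IP-to-country table standing in for a GeoIP lookup (assumption).
GEO = {
    "203.0.113.5": "US",
    "203.0.113.77": "US",
    "198.51.100.9": "RU",
}

# Countries where the business and its staff normally operate (constructed).
EXPECTED_COUNTRIES = {"US", "CA"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) session=(?P<sid>\S+) "
    r"ip=(?P<ip>\S+) action=(?P<action>\S+)$"
)

def parse_line(line):
    """Return the fields of one constructed application log line, or None."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_session_anomalies(lines):
    """Flag (a) any access from outside the expected countries and (b) a
    session ID that moves to a different country than the one it was first
    seen in. Returns a list of (reason, user, session, ip) tuples."""
    alerts = []
    first_country = {}  # session id -> country it was first used from
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line: skipped, not silently trusted
        sid, ip, user = ev["sid"], ev["ip"], ev["user"]
        country = GEO.get(ip, "??")  # unknown geo is treated as unexpected
        if country not in EXPECTED_COUNTRIES:
            alerts.append(("unexpected_country:" + country, user, sid, ip))
        origin = first_country.setdefault(sid, country)
        if country != origin:
            alerts.append(("session_moved_country:%s->%s" % (origin, country),
                           user, sid, ip))
    return alerts

# Constructed sample log: alice logs in, roams to a second address in the same
# country (no alert), then her session cookie is presented from another country.
SAMPLE_LOG = """
2021-06-01T10:00:00Z user=alice session=s1 ip=203.0.113.5 action=login
2021-06-01T10:05:00Z user=alice session=s1 ip=203.0.113.77 action=read_mail
2021-06-01T10:07:00Z user=alice session=s1 ip=198.51.100.9 action=read_mail
2021-06-01T10:09:00Z user=bob session=s2 ip=203.0.113.77 action=login
""".strip().splitlines()

if __name__ == "__main__":
    for alert in find_session_anomalies(SAMPLE_LOG):
        print(alert)
```

In production the country lookup would come from a GeoIP database or the identity provider’s sign-in logs, and a hit on the second rule is a reason to revoke that session, not just to log it.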

Endpoint Security

When your users work from home, they have a greater exposure to cybersecurity threats because inevitably they will be using their devices for both business and pleasure.  This increased usage is even more dangerous when paired with a split-tunnel VPN which does not force browser traffic to flow through enterprise security appliances and controls.

Risks:

  • Antivirus/Antimalware solutions can be bypassed more easily as users are outside of the protections of enterprise networks
  • Traffic visibility may be significantly reduced
  • Users will use their devices for personal browsing/activities which increases their exposure

Since your users will be using their devices more (whether those devices are corporate or personal), they will be more likely to encounter threats. This makes patching and antivirus updates critical, but they become potentially unreliable if you do not use a VPN or if you allow personal devices on the network.

Recommendations:

  • Provide up-to-date devices configured with more aggressive security profiles to high-risk individuals such as Executives and Executive Assistant staff
  • Closely monitor inbound and outbound connections on your remote devices
  • Step up social engineering defense training to help combat COVID-19 related scams
  • Educate your employees not to store or share credentials outside of password safe solutions such as 1Password, KeePass, LastPass, or Dashlane.

Final Words:

Even when lockdowns and restrictions around the coronavirus are lifted, the volume of remote workers is likely to increase. As we’ve shown, remote users are at increased risk because they are outside of enterprise security appliances, encounter more threats by using the same devices for both business and pleasure, and aren’t necessarily covered by existing security controls. With this in mind, it’s important to be proactive and set up increased logging, provide updated and secured devices to high-risk individuals within your organization, and limit the access that users have through VPN connections.

We hope that you stay safe, both online and off, and that you keep us in mind if you’re seeking to audit your remote worker security solutions.  In the coming week, we will be providing pricing packages specifically designed around auditing remote work solutions.