Getting Ready To Stop Ransomware Attacks

Ransomware is a type of malware that prevents you from accessing your computer, or the data stored on it. The computer itself may become locked, or the data on it may be stolen, deleted or encrypted.

Ransomware attackers don't strike in a single event. Instead, they gradually invade your defences in stages, and by the time the encryption of your files starts it is often too late to stop the attack. The problem is that many organisations aren't watching for the early warning signs, allowing attackers to disable backups, escalate privileges, and evade detection until encryption locks everything down.

By the time the ransomware note appears, the opportunities to prevent it are long gone.

Stay one step ahead with comprehensive ransomware protection that integrates advanced prevention, behaviour-based real-time detection, thorough analysis, and efficient recovery to ensure your enterprise remains secure against evolving threats.

Should Your Organisation Pay the Ransom?

Law enforcement agencies do not encourage, endorse or condone the payment of ransom demands. Issues to consider if you do pay the ransom include:

  • There is no guarantee that you will get access to your data or computer
  • Your computer will still be infected
  • You will be paying criminal groups
  • You're more likely to be targeted in the future

Attackers will also threaten to publish data if payment is not made. To counter this, organisations should take measures to minimise the impact of data exfiltration.

Develop Policies & Procedures

A vital precautionary measure is to create a scalable and practical incident response plan so that you and your staff understand your responsibilities and communication protocols both during and after a cyber incident. Teams to include in your incident response plan include (but aren't limited to) IT, legal, and administrative teams. You should also include a list of contacts, such as any partners, insurance providers, or vendors that would need to be notified.

Three Stages of a Ransomware Attack & How to Detect It

Ransomware attacks don't happen instantly. Attackers follow a structured approach, carefully planning and executing their campaigns across three distinct stages:

1. Pre-Encryption: Laying the Groundwork: Before encryption begins, attackers take steps to maximise damage and evade detection. These include:

  • Deleting shadow copies and backups to prevent recovery.
  • Injecting malware into trusted processes to establish persistence.
  • Creating mutexes to ensure the ransomware runs uninterrupted.

These early-stage activities are critical warning signs. If detected in time, security teams can disrupt the attack before encryption occurs.

2. Encryption: Locking You Out: Once attackers have control, they initiate the encryption process. Some ransomware variants work rapidly, locking systems within minutes, while others take a stealthier approach - remaining undetected until the encryption is complete.

By the time the encryption is discovered, it's often too late. Security tools must be able to detect and respond to ransomware activity before files are locked.

3. Post-Encryption: The Ransom Demand: With files encrypted, attackers deliver their ultimatum, often through ransom notes left on desktops or embedded within encrypted folders. They demand payment, usually in cryptocurrency, and monitor victim responses via command-and-control (C2) channels.

At this stage, organisations face a difficult decision: pay the ransom or attempt recovery, often at great cost. If you're not proactively monitoring for Indicators of Compromise (IOCs) across all three stages, you're leaving your organisation vulnerable.

By emulating a ransomware attack path, continuous ransomware validation helps security teams confirm that their detection and response systems are effectively detecting indicators before encryption can take hold.

IOCs: What to Look Out For

If you detect shadow copy deletions, process injections, or security service terminations, you may already be in the pre-encryption phase; detecting these IOCs at that point is a critical step to prevent the attack from unfolding.

The key IOCs to watch out for include:

1. Shadow Copy Deletion: Eliminating Recovery Options: Attackers erase Windows Volume Shadow Copies to prevent file restoration. These snapshots store previous file versions and enable recovery through tools like System Restore and Previous Versions.

By wiping these backups, attackers ensure total data lockdown, increasing pressure on victims to pay the ransom.

2. Mutex Creation: Preventing Multiple Infections: A mutex (mutual exclusion object) is a synchronisation mechanism that allows only one process or thread to access a shared resource at a time. Ransomware uses mutexes to:

  • Prevent multiple instances of the malware from running.
  • Evade detection by avoiding redundant infections and keeping resource usage low.

Some security tools pre-emptively create mutexes associated with known ransomware strains, tricking the malware into thinking it's already active and causing it to self-terminate. Your ransomware validation tool can be used to assess whether this response is triggered, by incorporating a mutex within the emulated ransomware attack chain.

3. Process Injection: Hiding Inside Trusted Applications: Ransomware often injects malicious code into legitimate system processes to avoid detection and bypass security controls. Common injection techniques include:

  • DLL Injection – Loads malicious code into a running process.
  • Reflective DLL Loading – Injects a DLL without writing to disk, bypassing antivirus scans.
  • APC Injection – Uses Asynchronous Procedure Calls to execute malicious payloads within a trusted process.

By running inside a trusted application, ransomware can operate undetected, encrypting files without triggering alarms.

4. Service Termination: Disabling Security Defences: To ensure uninterrupted encryption and prevent data recovery attempts during the attack, ransomware attempts to shut down security services such as:

  • Antivirus & EDR (Endpoint Detection and Response).
  • Backup agents.
  • Database systems.

In this scenario, attackers use administrative commands or APIs to disable services like Windows Defender and backup solutions. This allows ransomware to encrypt files freely while amplifying the damage by making it harder for victims to recover their data, leaving them with fewer options besides paying the ransom.

IOCs like shadow copy deletion or process injection can be invisible to traditional security tools, but a SOC equipped with reliable detection can spot these red flags before encryption begins.
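As an added illustration of the SOC-side detection the section above describes (not code from the original article or from any vendor named in it), the following Python flags two of the pre-encryption IOCs, shadow copy deletion and termination of security, backup or database services, in process-creation telemetry. The events, field names and the list of watched service names are constructed for the example and would be replaced by your own EDR or Sysmon fields and service inventory.

```python
import re

# Constructed process-creation events in a Sysmon Event ID 1-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet", "parent": "svchost.exe"},
    {"pid": 4133, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete", "parent": "cmd.exe"},
    {"pid": 4150, "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc stop WinDefend", "parent": "cmd.exe"},
    {"pid": 4160, "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net stop SQLWriter", "parent": "cmd.exe"},
    {"pid": 5002, "image": r"C:\Program Files\Backup\agent.exe",
     "cmdline": "agent.exe --schedule nightly", "parent": "services.exe"},  # benign
]

# Services a ransomware operator would want stopped (assumed list: AV/EDR, backup, database).
WATCHED_SERVICES = {"windefend", "sense", "sqlwriter", "mssqlserver", "backupagent"}

# (IOC category, command-line pattern). Group 3 of the service rule captures the service name.
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("service_termination", re.compile(r"\b(sc|net)(\.exe)?\s+stop\s+(\S+)", re.I)),
]


def classify(event):
    """Return the IOC categories a single process-creation event matches."""
    hits = []
    for category, pattern in RULES:
        match = pattern.search(event["cmdline"])
        if not match:
            continue
        # Stopping an arbitrary service is normal admin work; only watched services count.
        if category == "service_termination" and match.group(3).lower() not in WATCHED_SERVICES:
            continue
        hits.append(category)
    return hits


def triage(events):
    """Return the distinct pre-encryption IOC categories seen, plus each matching event."""
    findings = [(cat, ev["pid"], ev["cmdline"]) for ev in events for cat in classify(ev)]
    return {cat for cat, _, _ in findings}, findings


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS)[1]:
        print(line)
```

Seeing more than one category from the same host in a short window is the point at which the article's "pre-encryption phase" warning applies, and is a sensible trigger for an automated containment playbook.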

Use Ransomware Validation To Stay One Step Ahead

With IOCs being subtle and intentionally difficult to detect, how do you know that your XDR is effectively stopping them? Continuous ransomware validation is the only way to be certain.

By safely emulating the full ransomware kill chain, from initial access and privilege escalation to encryption attempts, tools like Pentera validate whether security controls, including EDR and XDR solutions, are triggering the necessary alerts and responses.

If key IOCs like shadow copy deletion and process injection go undetected, that is a crucial flag prompting security teams to fine-tune detection rules and response workflows.

Instead of hoping your defences will work as they should, continuous ransomware validation enables you to see if and how these attack indicators were used and stop the attacks before they eventuate.

Annual Testing Is Not Enough

Testing your defences once a year leaves you exposed the other 364 days. Ransomware is constantly evolving, and so are the IOCs used in attacks. Can you say with certainty that your EDR is detecting every IOC it should?

The last thing you need to worry about is threats evolving into something your security tools fail to recognise and aren't prepared to handle. That's why continuous ransomware validation is essential. With an automated process, you can continuously test your defences to ensure they stand up against the latest threats.

Some believe that continuous ransomware validation is too costly or time-consuming, but automated security testing can integrate seamlessly into your security workflow, without adding unnecessary overhead. This not only reduces the burden on IT teams but also ensures that your defences are always aligned with the latest attack techniques.

Strong Ransomware Defences

A well-equipped detection and response system is your first line of defence. But without regular validation, even the best XDR can struggle to detect and respond to ransomware in time.

Ongoing security validation strengthens detection capabilities, helps to upskill the SOC team, and ensures that security controls are effectively responding to and blocking threats.

The result of taking robust precautionary measures is a more resilient security team that has the right tools and is prepared to handle a ransomware attack before it turns into a crisis.


Image: Ideogram
