Getting Ready To Stop Ransomware Attacks

Ransomware is a type of malware that prevents you from accessing your computer or the data stored on it. The computer itself may be locked, or the data on it may be stolen, deleted or encrypted.

Ransomware attackers don't strike in a single event. Instead, they work through your defences in stages, and by the time the encryption of your files starts, it's often too late to stop the attack. The problem is that many organisations aren't watching for the early warning signs, allowing attackers to disable backups, escalate privileges and evade detection until encryption locks everything down.

By the time the ransomware note appears, the opportunities to prevent it are long gone.

Stay one step ahead with comprehensive ransomware protection that integrates advanced prevention, behaviour-based real-time detection, thorough analysis, and efficient recovery to ensure your enterprise remains secure against evolving threats.

Should Your Organisation Pay the Ransom?

Law enforcement do not encourage, endorse, nor condone the payment of ransom demands. Issues to consider if you do pay the ransom include:

  • There is no guarantee that you will get access to your data or computer
  • Your computer will still be infected
  • You will be paying criminal groups
  • You're more likely to be targeted in the future

Attackers will also threaten to publish data if payment is not made. To counter this, organisations should take measures to minimise the impact of data exfiltration.

Develop Policies & Procedures

A vital precautionary measure is to create a scalable and practical incident response plan, so that you and your staff understand your responsibilities and communication protocols both during and after a cyber incident. Teams to include in the plan include (but aren't limited to) IT, legal and administrative teams. You should also include a list of contacts, such as partners, insurance providers or vendors, that would need to be notified.

Three Stages of a Ransomware Attack & How to Detect It

Ransomware attacks don't happen instantly. Attackers follow a structured approach, carefully planning and executing their campaigns across three distinct stages:

1. Pre-Encryption: Laying the Groundwork: Before encryption begins, attackers take steps to maximise damage and evade detection. These include:

  • Deleting shadow copies and backups to prevent recovery.
  • Injecting malware into trusted processes to establish persistence.
  • Creating mutexes to ensure the ransomware runs uninterrupted.

These early-stage activities are critical warning signs. If detected in time, security teams can disrupt the attack before encryption occurs.

2. Encryption: Locking You Out: Once attackers have control, they initiate the encryption process. Some ransomware variants work rapidly, locking systems within minutes, while others take a stealthier approach - remaining undetected until the encryption is complete.

By the time the encryption is discovered, it's often too late. Security tools must be able to detect and respond to ransomware activity before files are locked.

3. Post-Encryption: The Ransom Demand: With files encrypted, attackers deliver their ultimatum, often through ransom notes left on desktops or embedded within encrypted folders. They demand payment, usually in crypto-currency, and monitor victim responses via command-and-control (C2) channels.

At this stage, organisations face a difficult decision: pay the ransom or attempt recovery, often at great cost. If you're not proactively monitoring for Indicators of Compromise (IOCs) across all three stages, you're leaving your organisation vulnerable.

By emulating a ransomware attack path, continuous ransomware validation helps security teams confirm that their detection and response systems are effectively detecting indicators before encryption can take hold.

IOCs: What to Look Out For

If you detect shadow copy deletions, process injections or security service terminations, you may already be in the pre-encryption phase; detecting these IOCs at this point is the critical step that can stop the attack from unfolding.

The key IOCs to watch out for include:

1. Shadow Copy Deletion: Eliminating Recovery Options: Attackers erase Windows Volume Shadow Copies to prevent file restoration. These snapshots store previous file versions and enable recovery through tools like System Restore and Previous Versions.

By wiping these backups, attackers ensure total data lockdown, increasing pressure on victims to pay the ransom.

2. Mutex Creation: Preventing Multiple Infections: A mutex (mutual exclusion object) is a synchronisation mechanism that enables only one process or thread to access a shared resource at a time. In ransomware they can be used to:

  • Prevent multiple instances of the malware from running.
  • Evade detection by reducing redundant infections and reducing resource usage.

Some security tools pre-emptively create mutexes associated with known ransomware strains, tricking the malware into thinking it's already active - causing it to self-terminate. Your ransomware validation tool can be used to assess if this response is triggered, by incorporating a mutex within the ransomware attack chain.

3. Process Injection: Hiding Inside Trusted Applications: Ransomware often injects malicious code into legitimate system processes to avoid detection and bypass security controls. Common injection techniques are:

  • DLL Injection – Loads malicious code into a running process.
  • Reflective DLL Loading – Injects a DLL without writing to disk, bypassing antivirus scans.
  • APC Injection – Uses Asynchronous Procedure Calls to execute malicious payloads within a trusted process.

By running inside a trusted application, ransomware can operate undetected, encrypting files without triggering alarms.

4. Service Termination: Disabling Security Defences: To ensure uninterrupted encryption and prevent data recovery attempts during the attack, ransomware attempts to shut down security services such as:

  • Antivirus & EDR (Endpoint Detection and Response).
  • Backup agents.
  • Database systems.

In this scenario, attackers use administrative commands or APIs to disable services such as Windows Defender and backup solutions. This lets the ransomware encrypt files freely and amplifies the damage by making it harder for victims to recover their data, leaving them with few options besides paying the ransom.

IOCs like shadow copy deletion or process injection can be invisible to traditional security tools, but a SOC equipped with reliable detection can spot these red flags before encryption begins.
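The pre-encryption activities listed in the three-stage model above and the four IOCs in this section are all visible in ordinary endpoint telemetry if something is looking for them. The following Python is an added example, not code from the article or from any product it mentions: a small stage-aware rule set run over constructed event records shaped like Sysmon Event ID 1 (process creation) and Event ID 8 (CreateRemoteThread). The field names follow Sysmon, the service watch-list and trusted directories are assumptions you would replace with your own, and the sample events (including three benign look-alikes that must not alert) are constructed for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    stage: str      # every rule in this example fires in the pre-encryption stage
    ioc: str        # which IOC matched
    evidence: str   # what the analyst should look at first


# --- Rules ------------------------------------------------------------------
# Shadow copy deletion (IOC 1): the usual command-line forms.
SHADOW_DELETE = [
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    re.compile(r"\bWin32_ShadowCopy\b.*\bDelete\b", re.I),
]
# Service termination (IOC 4): a stop verb, then checked against services we care about.
SERVICE_STOP = re.compile(
    r"\b(?:net1?(?:\.exe)?\s+stop|sc(?:\.exe)?\s+stop|Stop-Service)\b(.*)", re.I
)
# Constructed watch-list (assumption): populate from your own EDR, backup and database services.
PROTECTED_SERVICES = ("windefend", "sense", "mssqlserver", "sqlwriter", "veeambackupsvc")
# Process injection (IOC 3): CreateRemoteThread into a trusted process from an untrusted path.
INJECTION_TARGETS = {"explorer.exe", "svchost.exe", "winlogon.exe", "lsass.exe"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_creation(ev: dict) -> list[Alert]:
    """Sysmon Event ID 1 (process creation): inspect the command line."""
    cmd = ev.get("CommandLine", "")
    alerts = []
    if any(rule.search(cmd) for rule in SHADOW_DELETE):
        alerts.append(Alert("pre-encryption", "shadow_copy_deletion", cmd))
    m = SERVICE_STOP.search(cmd)
    if m:
        tail = m.group(1).lower()  # everything after the stop verb: the service name(s)
        if any(re.search(r"\b%s\b" % re.escape(svc), tail) for svc in PROTECTED_SERVICES):
            alerts.append(Alert("pre-encryption", "service_termination", cmd))
    return alerts


def check_remote_thread(ev: dict) -> list[Alert]:
    """Sysmon Event ID 8 (CreateRemoteThread): who is starting a thread in whom."""
    src, tgt = ev.get("SourceImage", ""), ev.get("TargetImage", "")
    if _basename(tgt) in INJECTION_TARGETS and not src.lower().startswith(TRUSTED_DIRS):
        return [Alert("pre-encryption", "process_injection", f"{src} -> {tgt}")]
    return []


HANDLERS = {1: check_process_creation, 8: check_remote_thread}


def detect(events: list[dict]) -> list[Alert]:
    """Run every event through the handler registered for its event ID."""
    alerts: list[Alert] = []
    for ev in events:
        handler = HANDLERS.get(ev.get("event_id"))
        if handler:
            alerts.extend(handler(ev))
    return alerts


def summarise(alerts: list[Alert]) -> dict[str, int]:
    """Count alerts per IOC; several pre-encryption IOCs on one host is the red flag."""
    counts: dict[str, int] = {}
    for a in alerts:
        counts[a.ioc] = counts.get(a.ioc, 0) + 1
    return counts


# Constructed sample telemetry: five events that should alert and three benign look-alikes.
SAMPLE_EVENTS = [
    {"event_id": 1, "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"event_id": 1, "CommandLine": "wmic shadowcopy delete"},
    {"event_id": 1, "CommandLine": 'net stop "MSSQLSERVER" /y'},
    {"event_id": 1, "CommandLine": "sc stop WinDefend"},
    {"event_id": 8, "SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "TargetImage": "C:\\Windows\\explorer.exe"},
    {"event_id": 1, "CommandLine": "vssadmin list shadows"},   # benign: admin listing, no deletion
    {"event_id": 1, "CommandLine": "net stop Spooler"},         # benign: not a protected service
    {"event_id": 8, "SourceImage": "C:\\Program Files\\ExampleEDR\\sensor.exe",  # benign: trusted path
     "TargetImage": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.stage}] {a.ioc}: {a.evidence}")
    print(summarise(detect(SAMPLE_EVENTS)))
```

The point of the benign rows is that a rule which fires on every `vssadmin` or `net stop` invocation gets tuned out by the SOC within a week; matching on the destructive verb and on a watch-list of services you actually care about keeps the signal usable. Mutex creation, the second IOC above, is not shown because it does not appear in standard process telemetry; it is the one best exercised through validation rather than log rules.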

Use Ransomware Validation To Stay One Step Ahead

With IOCs being subtle and intentionally difficult to detect, how do you know that your XDR is effectively stopping them? Continuous ransomware validation is the only way to be sure.

By safely emulating the full ransomware kill chain, from initial access and privilege escalation to encryption attempts, tools like Pentera validate whether security controls, including EDR and XDR solutions, are triggering the necessary alerts and responses.

If key IOCs like shadow copy deletion and process injection go undetected, that is a crucial flag prompting security teams to fine-tune detection rules and response workflows.

Instead of hoping your defences will work as they should, continuous ransomware validation enables you to see if and how these attack indicators were used and stop the attacks before they eventuate.

Annual Testing Is Not Enough

Testing your defences once a year leaves you exposed the other 364 days. Ransomware is constantly evolving, and so are the IOCs used in attacks. Can you say with certainty that your EDR is detecting every IOC it should?

The last thing you need to stress about is how threats are constantly changing into something your security tools will fail to recognise and aren't prepared to handle. That's why continuous ransomware validation is essential. With an automated process, you can continuously test your defences to ensure they stand up against the latest threats.

Some believe that continuous ransomware validation is too costly or time-consuming, but automated security testing can integrate seamlessly into your security workflow, without adding unnecessary overhead. This not only reduces the burden on IT teams but also ensures that your defences are always aligned with the latest attack techniques.
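The validation argument of the last two sections comes down to bookkeeping: which emulated IOCs alerted, which did not, and which stopped alerting since the previous run. The following Python is an added example, not code from the article or from any validation product: it records the outcome of two constructed validation runs against the three-stage IOC catalogue used in this article, reports detection gaps and per-stage coverage, flags regressions between runs (the failure a once-a-year test cannot see), and gates on the pre-encryption stage, where detection can still prevent the attack. The IOC names, the stage mapping and both run results are constructed; the assumed cause of the regression (a rule change between runs) is stated in a comment.

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed catalogue: each emulated IOC mapped to the attack stage it belongs to.
IOC_STAGE = {
    "shadow_copy_deletion": "pre-encryption",
    "mutex_creation": "pre-encryption",
    "process_injection": "pre-encryption",
    "service_termination": "pre-encryption",
    "bulk_file_encryption": "encryption",
    "ransom_note_drop": "post-encryption",
    "c2_beacon": "post-encryption",
}


@dataclass(frozen=True)
class ValidationRun:
    run_id: str
    emulated: frozenset[str]   # IOCs the validation tool exercised in this run
    alerted: frozenset[str]    # IOCs for which the EDR/XDR actually raised an alert


def gaps(run: ValidationRun) -> set[str]:
    """Emulated IOCs that produced no alert: the rules to tune first."""
    return set(run.emulated - run.alerted)


def regressions(previous: ValidationRun, current: ValidationRun) -> set[str]:
    """IOCs detected last run but missed now; only a repeated run can reveal these."""
    return set((previous.alerted & current.emulated) - current.alerted)


def stage_coverage(run: ValidationRun) -> dict[str, float]:
    """Fraction of emulated IOCs that alerted, per attack stage."""
    hits: dict[str, int] = {}
    totals: dict[str, int] = {}
    for ioc in run.emulated:
        stage = IOC_STAGE[ioc]
        totals[stage] = totals.get(stage, 0) + 1
        hits[stage] = hits.get(stage, 0) + (ioc in run.alerted)
    return {stage: hits[stage] / totals[stage] for stage in totals}


def passes_gate(run: ValidationRun, must_cover: str = "pre-encryption") -> bool:
    """Pass only if every emulated IOC in the stage where prevention is still possible alerted."""
    return not any(IOC_STAGE[ioc] == must_cover for ioc in gaps(run))


# Constructed results of two consecutive runs. Assumption for the story: an EDR rule change
# between them silenced two pre-encryption detections without anyone noticing.
ALL_IOCS = frozenset(IOC_STAGE)
RUN_1 = ValidationRun("run-1", ALL_IOCS, ALL_IOCS)
RUN_2 = ValidationRun("run-2", ALL_IOCS, ALL_IOCS - {"mutex_creation", "process_injection"})

if __name__ == "__main__":
    for run in (RUN_1, RUN_2):
        print(run.run_id, "gaps:", sorted(gaps(run)),
              "coverage:", stage_coverage(run), "gate:", passes_gate(run))
    print("regressions since run-1:", sorted(regressions(RUN_1, RUN_2)))
```

Wired into a scheduled pipeline, `passes_gate` is the check that turns validation from a report into a control: a failed gate on the pre-encryption stage is a ticket for the detection engineering team, and `regressions` tells them exactly which rule to look at rather than which product to blame.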

Strong Ransomware Defences

A well-equipped detection and response system is your first line of defence. But without regular validation, even the best XDR can struggle to detect and respond to ransomware in time. 

Ongoing security validation strengthens detection capabilities, helps to upskill the SOC team, and ensures that security controls are effectively responding to and blocking threats.

The result of taking robust precautionary measures is a more resilient security team that has the right tools and is prepared to handle a ransomware attack before it turns into a crisis.
