How to detect a ransomware attack early - and successfully fend it off

Extortion Trojans in the form of ransomware have become a serious and permanent threat. At the end of October 2022, for example, the hacker group Black Basta gained access to around 1,500 employee records after a successful ransomware attack on the IT service provider of the Deutsche Presse-Agentur (DPA); 20% of these were published on the darknet. The reason the attackers could reach sensitive data such as social security numbers or bank details: poorly protected FTP servers used for storing documents. Ransomware attacks thus remain a relatively easy and extremely lucrative attack method, especially when the attacked systems are poorly protected. In this article, you will learn how to detect ransomware attacks on your company at an early stage and successfully fend them off.

Ransomware - one of the most dangerous threats

Attackers who use ransomware aim to blackmail the data owner: sensitive data is encrypted, or access to it is blocked, and a ransom (mostly in Bitcoin) is demanded for decryption or release. What makes this particularly perfidious is that the release of the data depends entirely on the "good will" of the cybercriminals; in many cases the data remains encrypted even though the ransom has been paid. Every ransom payment turns the extortion into a success for the extortionists and motivates them (and other potential attackers!) to continue. Therefore, do not respond to the demand for money under any circumstances: you would only open the gate to further attacks and fund the development of further sophisticated attack technologies, such as the latest zero-day exploits, which would then have to be bought off with yet another ransom. The cybercriminals behind ransomware are also very well organized and equipped. In many cases, ransomware is offered on crimeware marketplaces or in darknet forums as "Ransomware as a Service" (RaaS).

Sophos's latest Ransomware Report, based on a survey of 5,600 IT decision-makers from medium-sized companies in 31 countries, reveals the current extent of the threat:

  • 66% of the companies surveyed were victims of a ransomware attack in 2021. Compared to 2020, this represents an increase of 78%!
  • 65% of ransomware attacks resulted in data encryption.
  • 46% of affected companies paid the demanded ransom.
  • 99% got back some of the encrypted data; 61% of the encrypted data was recovered after the ransom was paid.
  • Only 4% of companies were able to access all data after payment.
  • The average ransom payment - adjusted for extreme values - is $812,360.
  • Manufacturing and utilities companies paid the highest ransoms: $2 million was a common amount here.
  • 90% of companies had their ability to operate impaired, and 86% experienced lost business and revenue. The average cost to remediate a ransomware attack is $1.4 million.
  • It takes an average of one month to fully restore business operations after an attack.

What exactly makes ransomware so dangerous? Unlike other forms of malware, ransomware is optimized for maximum invisibility. As with any cyberattack, the earlier an ongoing attack on a network is detected, the less damage it can do, and this is especially true for ransomware. Cybercriminals are experts at adapting their attack mechanisms to (supposedly) well-functioning IT security measures. New tools and iterative changes to existing malware are used to continuously find and exploit new security vulnerabilities, as demonstrated by the relatively new ransomware LockFile. LockFile relies on so-called intermittent encryption (encrypting only parts of each file). The advantage for the attackers: the more effective obfuscation and the very high speed of the encryption process undermine even extremely reliable security solutions.

Weeks of business downtime or payment of the ransom: after a ransomware attack, many companies are willing to pay the sometimes astronomical sums demanded by the extortion gangs, because the cost of a complete business standstill is sometimes simply higher than the ransom demand. This does not make the problem any smaller, on the contrary: on the one hand, data recovery after payment has become more reliable; on the other hand, the moment data is encrypted it is also threatened with publication. Even with intact, unencrypted backups, this increases the pressure to pay after all.

12 tips to detect a ransomware attack early on

To carry out a ransomware attack successfully, hackers move through infiltrated networks along the stages of the kill chain model. Each of their steps, such as privilege escalation or evasion of defenses, leaves traces on the network. Enterprises can therefore detect ransomware at the network level by monitoring network traffic for suspicious activity or anomalies. All stages of the kill chain must be traversed for an attack to succeed; the undetected passage through the full attack chain can take days, weeks or months. If the chain is broken at any point, the attack fails.

At each station in the attack chain, it is therefore important to pay particular attention to those activities that could indicate an attack, with the aim of detecting ransomware attacks so early that the attackers cannot cause any damage. Below, we present some tips for detecting ransomware in time.

1. Gateway mails

E-mail is a popular gateway: cybercriminals use phishing messages to gain initial access to a network.

Solution: Regular awareness training for all employees sensitizes them to the dangers of handling e-mails.

2. Remote desktop connections

Remote Desktop Protocol (RDP) connections are convenient for the flow of information, but openly exposed RDP services are a welcome point of attack for cybercriminals!

Solution: Use appropriate software to detect installed RDP tools so that incoming connections are logged and stopped early.

3. Suspicious tasks

After a successful compromise, hackers secure their foothold on the system via scheduled tasks, created for example from Windows PowerShell.

Solution: Target your monitoring at Windows Security Event IDs 4698 and 4700.
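To make this concrete, here is an added example (not part of the original article, and not vendor tooling) that triages exported 4698 ("A scheduled task was created") and 4700 ("A scheduled task was enabled") events. It parses the TaskContent XML both events carry, pulls out every Exec action, and flags script interpreters as task actions, hidden or encoded PowerShell arguments, and task binaries in user-writable directories. The sample events, task names and the heuristic lists are constructed assumptions to be tuned for your environment.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample EventData of two Windows Security events 4698
# ("A scheduled task was created"). SubjectUserName, TaskName and TaskContent
# are the real 4698/4700 field names; the values are made up for this example.
SAMPLE_EVENTS = [
    {
        "EventID": 4698,
        "SubjectUserName": "backupsvc",
        "TaskName": "\\Microsoft\\Windows\\Backup\\NightlyCopy",
        "TaskContent": (
            '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            "<Actions><Exec><Command>C:\\Program Files\\Backup\\backup.exe</Command>"
            "<Arguments>/full</Arguments></Exec></Actions></Task>"
        ),
    },
    {
        "EventID": 4698,
        "SubjectUserName": "jdoe",
        "TaskName": "\\Updater",
        "TaskContent": (
            '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            "<Actions><Exec><Command>powershell.exe</Command>"
            "<Arguments>-w hidden -nop -enc AAAAAAAA</Arguments></Exec></Actions></Task>"
        ),
    },
]

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Interpreters that legitimate software rarely registers as a task action (assumed list).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# PowerShell switches and cmdlets typical of hidden or encoded payloads (assumed heuristic).
SUSPICIOUS_ARGS = re.compile(
    r"(-e(nc\w*|c)\b|-w(indowstyle)?\s+hidden|downloadstring|frombase64string)", re.I)
# Directories an unprivileged user can write to.
USER_WRITABLE = re.compile(r"\\(users|temp|appdata|programdata)\\", re.I)


def task_actions(task_xml):
    """Return (command, arguments) for every <Exec> action in a TaskContent document."""
    root = ET.fromstring(task_xml)
    actions = []
    for exec_el in root.iter(TASK_NS + "Exec"):
        cmd = exec_el.findtext(TASK_NS + "Command", default="")
        args = exec_el.findtext(TASK_NS + "Arguments", default="")
        actions.append((cmd.strip(), args.strip()))
    return actions


def assess_task_event(event):
    """Return a list of findings (empty if nothing suspicious) for one 4698/4700 event."""
    if event.get("EventID") not in (4698, 4700):
        return []
    findings = []
    for cmd, args in task_actions(event["TaskContent"]):
        exe = cmd.replace("/", "\\").split("\\")[-1].lower()
        if exe in INTERPRETERS:
            findings.append(f"script interpreter as task action: {exe}")
        if SUSPICIOUS_ARGS.search(args):
            findings.append("hidden or encoded interpreter arguments")
        if USER_WRITABLE.search(cmd):
            findings.append("task binary in user-writable directory")
    return findings


def triage(events):
    """Map task name -> findings, so an analyst only looks at tasks that need it."""
    return {e["TaskName"]: assess_task_event(e) for e in events}


if __name__ == "__main__":
    for task, findings in triage(SAMPLE_EVENTS).items():
        print(task, "->", findings or "ok")
```

The backup task produces no findings; the "Updater" task is flagged twice (interpreter as action, hidden and encoded arguments). In production the events would come from a SIEM export or from `Get-WinEvent` on the Security log instead of the constructed list.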

4. Unauthorized use of remote access software (RAS)

Does your organization not use third-party remote access tools? Then pay close attention if an alert shows such a tool in use.

Solution: Continuously check the network for RAS activity.

5. Administrator rights

Cybercriminals often abuse the Windows Local Security Authority Subsystem Service (LSASS) to obtain administrative rights on the compromised system.

Solution: Microsoft Attack Surface Reduction (ASR) provides a rule to close this gap ("Block credential stealing from the Windows local security authority subsystem"). In addition, many EDR tools have appropriate alert settings to protect against LSASS abuse.

6. Antivirus and security software still active?

Hackers can disable security software relatively easily during their attacks.

Solution: Use remote monitoring and management (RMM) solutions to continuously check the health of your security software.

7. Network scanning tools

Hackers find their way around compromised systems using network and port scanning tools. Windows built-in tools such as ipconfig or nltest.exe are often used for this purpose.

Solution: Continuously monitor the use of scan tools or block them completely if they are not needed.

8. Detect Cobalt Strike

Cobalt Strike was originally developed for simulating cyberattacks. However, its automation capabilities also make the tool useful to cybercriminals.

Solution: Deploy EDR tools that detect and stop the use of Cobalt Strike.

9. Suspicious network activity

Suspicious lateral movement executed remotely within the network indicates an ongoing attack.

Solution: Many of the most noticeable lateral movement techniques are listed in MITRE ATT&CK. Check it regularly for updates!

10. Windows tool under suspicion

The Windows tool PsExec can be used to execute scripts or commands remotely - a popular "toy" for hackers.

Solution: Use of the tool can be detected by searching for changes in the registry or for certain Windows events.
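The two traces the tip refers to are well documented: PsExec installs a service named PSEXESVC on the target, which shows up as System log event 7045 ("A service was installed in the system"), and the first run on a machine writes EulaAccepted under HKCU\Software\Sysinternals\PsExec. The following added example (not from the article or from Sysinternals) checks exported 7045 records and registry values for exactly these artifacts, and additionally flags service binaries referenced through the ADMIN$ share, since PsExec can be told to rename its service with the -r option. All sample records, host names and paths are constructed.

```python
import re

# Constructed sample records of Windows System log event 7045 ("A service was
# installed in the system"). ServiceName, ImagePath, StartType and AccountName
# are the real EventData field names; the values are made up for this example.
SAMPLE_SERVICE_EVENTS = [
    {"EventID": 7045, "Computer": "FS01", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe",
     "StartType": "demand start", "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "FS01",
     "ServiceName": "Windows Defender Advanced Threat Protection Service",
     "ImagePath": '"C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe"',
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "WS22", "ServiceName": "upd_4f1c",
     "ImagePath": "\\\\127.0.0.1\\ADMIN$\\upd_4f1c.exe",
     "StartType": "demand start", "AccountName": "LocalSystem"},
]

# Constructed registry values as a forensic export might list them. PsExec
# records the accepted licence under HKCU\Software\Sysinternals\PsExec.
SAMPLE_REGISTRY_VALUES = [
    {"Hive": "HKCU", "Key": "Software\\Sysinternals\\PsExec",
     "Value": "EulaAccepted", "Data": 1},
    {"Hive": "HKCU", "Key": "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "Value": "OneDrive",
     "Data": "C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"},
]

# PsExec's default service name. Because -r lets the operator rename the
# service, the share-path check below is needed as a second signal.
PSEXEC_SERVICE = re.compile(r"psexe[sc]vc", re.I)
# Service binary referenced through the administrative share, the way PsExec
# places its service executable on the remote host.
ADMIN_SHARE_PATH = re.compile(r"^\\\\[^\\]+\\ADMIN\$\\", re.I)


def assess_service_install(event):
    """Return findings for one 7045 event (empty list when nothing stands out)."""
    if event.get("EventID") != 7045:
        return []
    name = event.get("ServiceName", "")
    path = event.get("ImagePath", "").strip('"')
    findings = []
    if PSEXEC_SERVICE.search(name) or PSEXEC_SERVICE.search(path):
        findings.append("PsExec service (PSEXESVC) installed")
    if ADMIN_SHARE_PATH.search(path):
        findings.append("service binary pushed via ADMIN$ share")
    return findings


def psexec_eula_accepted(values):
    """Registry values showing that PsExec has been run under this user profile."""
    return [v for v in values
            if v["Key"].lower().endswith("sysinternals\\psexec")
            and v["Value"].lower() == "eulaaccepted" and v["Data"] == 1]


if __name__ == "__main__":
    for e in SAMPLE_SERVICE_EVENTS:
        print(e["Computer"], e["ServiceName"], "->", assess_service_install(e) or "ok")
    print("PsExec EULA accepted:", psexec_eula_accepted(SAMPLE_REGISTRY_VALUES))
```

The Defender service install is silent, the FS01 record is reported as PsExec, and the renamed service on WS22 is still caught by the ADMIN$ path. Administrators do use PsExec legitimately, so the alert should be correlated with who ran it and from where rather than blocked outright.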

11. Increased traffic

Active exfiltration of data shows up as increased network traffic, possibly to public IP addresses, as unusual port activity, and much more.

Solution: Use continuous network monitoring and keep your firewall rules up to date.
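As an added illustration of what "continuous network monitoring" can mean in practice (example code, not from the article or any monitoring product), the block below compares each host's egress for the day against its own seven-day baseline and reports both a volume anomaly and any outbound connection on a port the organisation does not normally use. The internal address ranges, the expected-port list, the flow records and the baseline figures are constructed assumptions; the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for arbitrary Internet hosts.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Address ranges that count as "inside" for this organisation (assumption;
# use your own). Traffic that stays inside these ranges is not egress.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Destination ports this organisation expects outbound traffic on (assumption).
EXPECTED_PORTS = {53, 80, 443, 587, 993}

# Constructed baseline: megabytes sent to external addresses per host on each
# of the last seven days, as a flow collector would aggregate them.
BASELINE_EGRESS_MB = {
    "10.0.1.15": [120, 135, 110, 140, 125, 130, 118],
    "10.0.2.40": [30, 28, 35, 31, 29, 33, 30],
}

# Constructed flow records for today (NetFlow/IPFIX-style, one per connection).
TODAY_FLOWS = [
    {"src": "10.0.1.15", "dst": "10.0.1.5", "dport": 445, "bytes": 900 * 2**20},
    {"src": "10.0.1.15", "dst": "203.0.113.10", "dport": 443, "bytes": 125 * 2**20},
    {"src": "10.0.2.40", "dst": "198.51.100.77", "dport": 443, "bytes": 1400 * 2**20},
    {"src": "10.0.2.40", "dst": "198.51.100.77", "dport": 8443, "bytes": 600 * 2**20},
]


def egress_per_host(flows):
    """Sum bytes to external destinations per source host; collect unexpected ports."""
    egress = defaultdict(int)
    odd_ports = defaultdict(set)
    for f in flows:
        dst = ipaddress.ip_address(f["dst"])
        if any(dst in net for net in INTERNAL_NETS):
            continue  # traffic to the internal file server etc. is not exfiltration
        egress[f["src"]] += f["bytes"]
        if f["dport"] not in EXPECTED_PORTS:
            odd_ports[f["src"]].add((f["dst"], f["dport"]))
    return egress, odd_ports


def detect_exfil(flows, baseline_mb, sigma=3.0, min_ratio=2.0):
    """Return {host: [reasons]} for hosts whose egress breaks their own baseline.

    Both a statistical test (mean + sigma * stdev) and a minimum ratio are
    required, so a host with a very flat baseline does not alert on a few
    extra megabytes. Hosts without any baseline are always reported.
    """
    alerts = {}
    egress, odd_ports = egress_per_host(flows)
    for host, nbytes in egress.items():
        today_mb = nbytes / 2**20
        reasons = []
        history = baseline_mb.get(host)
        if history:
            mu, sd = mean(history), pstdev(history)
            if today_mb > mu + sigma * sd and today_mb > min_ratio * mu:
                reasons.append(f"egress {today_mb:.0f} MB vs. baseline {mu:.0f} MB/day")
        else:
            reasons.append(f"no baseline for host, egress {today_mb:.0f} MB")
        for dst, port in sorted(odd_ports.get(host, ())):
            reasons.append(f"unusual destination port {port} to {dst}")
        if reasons:
            alerts[host] = reasons
    return alerts


if __name__ == "__main__":
    for host, reasons in detect_exfil(TODAY_FLOWS, BASELINE_EGRESS_MB).items():
        print(host, "->", "; ".join(reasons))
```

Host 10.0.1.15 moves 900 MB to an internal file server and 125 MB to the Internet, which matches its baseline and raises nothing; host 10.0.2.40 sends roughly 2 GB to one external address, part of it on port 8443, and is reported on both counts. The same per-host comparison is what a firewall or NetFlow collector with anomaly detection does internally.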

12. Beware of data upload tools

Built-in tools or open-source software such as MS BITS, Mega or Rclone are often used by cybercriminals to transfer stolen files.

Solution: Block file transfer tools directly or monitor their use closely.
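Tips 7 and 12 both come down to watching which programs are started and by whom. The following added example (not from the article) applies that to exported Windows Security 4688 ("A new process has been created") events: it raises one alert when a single user on a single host runs several different built-in reconnaissance commands within a short window, and another whenever a known file-transfer tool such as Rclone starts. The tool lists, the window and the threshold are assumptions to tune; the sample events, hosts and users are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in Windows commands that are typically run in sequence to map a network
# and the current privileges (assumed list; ipconfig and nltest come from tip 7).
RECON_TOOLS = {"ipconfig.exe", "nltest.exe", "net.exe", "net1.exe", "nbtstat.exe",
               "whoami.exe", "nslookup.exe", "arp.exe", "netstat.exe", "systeminfo.exe"}
# Bulk transfer tools from tip 12 plus their command-line companions (assumed list).
TRANSFER_TOOLS = {"rclone.exe", "megacmd.exe", "megasync.exe", "bitsadmin.exe"}

# Constructed sample of Windows Security 4688 events. TimeCreated, Computer,
# SubjectUserName, NewProcessName and CommandLine are the real field names;
# hosts, users, times and paths are made up.
SAMPLE_4688 = [
    {"TimeCreated": "2022-11-02T08:12:01", "Computer": "WS22", "SubjectUserName": "jdoe",
     "NewProcessName": "C:\\Windows\\System32\\ipconfig.exe", "CommandLine": "ipconfig /all"},
    {"TimeCreated": "2022-11-02T08:12:40", "Computer": "WS22", "SubjectUserName": "jdoe",
     "NewProcessName": "C:\\Windows\\System32\\nltest.exe", "CommandLine": "nltest /dclist:corp"},
    {"TimeCreated": "2022-11-02T08:13:10", "Computer": "WS22", "SubjectUserName": "jdoe",
     "NewProcessName": "C:\\Windows\\System32\\net.exe", "CommandLine": "net view /domain"},
    {"TimeCreated": "2022-11-02T08:14:00", "Computer": "WS22", "SubjectUserName": "jdoe",
     "NewProcessName": "C:\\Windows\\System32\\whoami.exe", "CommandLine": "whoami /groups"},
    {"TimeCreated": "2022-11-02T08:30:15", "Computer": "WS22", "SubjectUserName": "jdoe",
     "NewProcessName": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\rclone.exe",
     "CommandLine": "rclone.exe copy D:\\Finance remote:"},
    {"TimeCreated": "2022-11-02T09:00:00", "Computer": "WS07", "SubjectUserName": "helpdesk",
     "NewProcessName": "C:\\Windows\\System32\\ipconfig.exe", "CommandLine": "ipconfig /release"},
    {"TimeCreated": "2022-11-02T09:05:00", "Computer": "WS07", "SubjectUserName": "helpdesk",
     "NewProcessName": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "CommandLine": "WINWORD.EXE"},
]


def exe_name(path):
    """Lower-cased file name of a process path, tolerant of either slash style."""
    return path.replace("/", "\\").split("\\")[-1].lower()


def detect_recon_bursts(events, window=timedelta(minutes=10), min_distinct=3):
    """Alert once per (host, user) that runs at least min_distinct different
    recon tools within `window`. A lone ipconfig from the help desk does not trigger."""
    runs = defaultdict(list)
    for e in events:
        exe = exe_name(e["NewProcessName"])
        if exe in RECON_TOOLS:
            actor = (e["Computer"], e["SubjectUserName"])
            runs[actor].append((datetime.fromisoformat(e["TimeCreated"]), exe))
    alerts = []
    for actor, seq in runs.items():
        seq.sort()
        for start, _ in seq:  # slide the window over each start time
            tools = {exe for t, exe in seq if start <= t <= start + window}
            if len(tools) >= min_distinct:
                alerts.append((actor, sorted(tools)))
                break
    return alerts


def detect_transfer_tools(events):
    """Every start of a known bulk-transfer tool: host, user, tool and full path."""
    return [(e["Computer"], e["SubjectUserName"], exe_name(e["NewProcessName"]),
             e["NewProcessName"])
            for e in events if exe_name(e["NewProcessName"]) in TRANSFER_TOOLS]


if __name__ == "__main__":
    print("recon bursts:", detect_recon_bursts(SAMPLE_4688))
    print("transfer tools:", detect_transfer_tools(SAMPLE_4688))
```

The burst on WS22 is reported with the four tools involved, the single ipconfig from the help-desk user is not, and the Rclone start is reported together with its path under the user's Temp directory, which is itself a reason for a closer look. Command-line logging must be enabled for 4688 to contain CommandLine at all; where it is not, the process name alone still drives both checks.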


Comprehensive IT security measures based on several security pillars are essential for every company: backups at short intervals, network security through segmentation and DNS authentication, and social engineering training for employees. The best solution is holistic and addresses all areas. The enormous increase in successful ransomware attacks illustrates above all the urgency of defending against attack attempts early. Companies that want to be informed of a successful cyberattack in a timely manner have recognized the importance of early attack detection with the help of a Managed Detection and Response (MDR) solution. With Allgeier secion's 24/7 Active Cyber Defense (ACD) service, you receive such a fully managed service.

ACD is particularly worthwhile for medium-sized companies that lack the internal human and financial resources to monitor their systems themselves around the clock. In view of the acute shortage of specialists, one of the greatest advantages is that, by commissioning the service, a complete team of experts is permanently on hand, including effective tools and proven detection methods, and bookable at an attractive monthly service fee.

Need help upgrading your IT security for 2022? Contact us!
