If an organization can keep its systems fully patched, limit the ability of ransomware groups to conduct credential stuffing and credential reuse attacks, and prevent phishing emails from reaching employees, the ransomware attack is over before it started.
The phases of the attack outlined throughout this website—reconnaissance, exfiltration, and ransomware deployment—are progressively more difficult to detect and stop in a timely fashion. That doesn’t mean that it’s impossible to stop such attacks—organizations do it all the time—but it is harder and often involves significant investment in tools, training, and personnel to succeed. These investments, as many security teams and CISOs know all too well, can be hard to come by until after a ransomware attack occurs.
On another page the importance of Initial Access Brokers (IABs) to the ransomware market is discussed. Other pages focus on how IABs conduct their scanning and gain access to exposed or vulnerable systems. This page focuses on the handoff between the IAB and the ransomware group.
People tend to assume that the cybercriminals who gain initial access are the same group carrying out the attack. That's not normally the case with ransomware attacks. There are some exceptions to this, but for the most part it's safe to assume that a ransomware incident involves at least two different threat actors.
Why does that make a difference? Two different actors mean two different toolsets, so finding and removing one toolset doesn’t remove the second. An organization may successfully stop a ransomware attack, but if the intrusion response team misses the IAB toolset, the same ransomware actor or a different one will likely be back in a couple of weeks to launch a new attack.