Comprehensive Ransomware Protection: Detection, Response, and Recovery

Ransomware is a type of malware that encrypts files and folders and demands payment from victims to decrypt them. It's easily spread and has proven highly effective for cyber attackers targeting businesses for a number of reasons. For one, ransomware strains are constantly modified to avoid detection by antivirus software. Worse, ransomware is spread using social engineering tactics that can skirt antivirus protection entirely. As a result, ransomware attacks have skyrocketed over the past few years.

Many types of ransomware have incorporated worm capabilities that allow them to spread across networks and infect devices beyond the initial source. Ransomware isn't limited to on-premises systems: it can easily spread to software as a service (SaaS) applications as well.

Ransomware attacks can have serious financial implications for businesses, and the ransom payment is just the beginning. The business downtime associated with an attack can cripple revenue generation.

How Ransomware Attacks Occur

To better understand how to protect against ransomware attacks, let's first look at an example of how ransomware might spread across a business' local systems and SaaS accounts.


Ransomware is typically distributed via a phishing email that dupes the user into clicking a link or downloading an attachment, which installs malware on their system. In the early days of the ransomware boom, these attacks were generic and carried out on a wide scale. However, today's social engineering attacks are more targeted and customized for the intended victim.


An employee receives a phishing email and unknowingly clicks on a file that installs a "cryptoworm" variant of ransomware on their laptop, which begins searching for files on the device to encrypt. At the same time, the ransomware spreads across the network, infecting additional PCs and servers. Encryption does not begin immediately; instead, the malware first spreads to as many systems as possible. This occurs in the background, so the business remains unaware of the infection.


The command and control server operated by the cybercriminals generates a cryptographic key that will be used to encrypt the infected systems. Depending on the type of attack, this server may also be used to collect business information from infected systems. When the attackers are satisfied that the ransomware has been thoroughly distributed, the encryption process is triggered.
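The background spread and delayed encryption described above are exactly what signature-based antivirus tends to miss, since the sample itself changes from campaign to campaign. Behaviour, however, is harder to disguise: when the encryption phase finally triggers, one process rewrites many files with high-entropy contents and changes their extensions in a short burst. The following is an added illustration of that behavioural check, written for this page and not code from Datto or Restech. The file events and the process name `cryptoworm-sample.exe` are constructed for the example; a real deployment would feed it events from an EDR agent or file-system audit log.

```python
import math
import os
import hashlib
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class FileEvent:
    ts: float                 # seconds since epoch (constructed values below)
    process: str              # process that performed the write or rename
    path: str                 # file path after the event
    old_path: Optional[str]   # previous path if the file was renamed, else None
    sample: bytes             # first bytes written to the file


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for encrypted or random data,
    typically 4-5 for natural-language text and office documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _ext(path: str) -> str:
    return os.path.splitext(path)[1].lower()


def detect_encryption_burst(events: List[FileEvent], window: float = 10.0,
                            min_hits: int = 5, entropy_floor: float = 7.0):
    """Return one alert per process that produced at least `min_hits`
    suspicious file events (high-entropy write or extension change) inside
    any `window`-second span. A single rename or one encrypted archive
    stays below the threshold; a burst across many files does not."""
    suspicious_times = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        high_entropy = shannon_entropy(ev.sample) >= entropy_floor
        ext_changed = ev.old_path is not None and _ext(ev.old_path) != _ext(ev.path)
        if high_entropy or ext_changed:
            suspicious_times[ev.process].append(ev.ts)

    alerts = []
    for proc, times in suspicious_times.items():
        best, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_hits:
            alerts.append({"process": proc, "hits": best, "first_seen": times[0]})
    return alerts


def _pseudo_random(seed: int, blocks: int = 64) -> bytes:
    """Deterministic stand-in for ciphertext: concatenated SHA-256 digests."""
    return b"".join(hashlib.sha256(b"%d-%d" % (seed, j)).digest() for j in range(blocks))


def build_sample_events() -> List[FileEvent]:
    """Constructed event log: a normal document save plus a six-file burst."""
    text = b"Quarterly report: revenue grew 4% year over year. " * 20
    events = [
        # Legitimate editor saving via a temp file: one extension change, low entropy.
        FileEvent(100.0, "winword.exe", "C:/Users/alice/report.docx",
                  "C:/Users/alice/~report.tmp", text),
    ]
    for i in range(6):
        # Constructed ransomware behaviour: rewrite and rename files every second.
        name = "C:/Users/alice/Documents/file%d.docx" % i
        events.append(FileEvent(200.0 + i, "cryptoworm-sample.exe",
                                name + ".locked", name, _pseudo_random(i)))
    return events


if __name__ == "__main__":
    for alert in detect_encryption_burst(build_sample_events()):
        print("ALERT: %(process)s rewrote %(hits)d files in a burst" % alert)
```

The entropy floor and hit count are tuning knobs rather than constants to copy: compressed archives and media files are legitimately high-entropy, which is why the check is tied to a burst from one process rather than to any single write.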

Spreading to SaaS:

If employees have file synchronization turned on, encrypted files on a user's device are automatically copied to the domain on the SaaS provider's cloud. Phishing attacks in the cloud can be more sinister, as they often trick users into sharing administrative access to their account.

Ransom Demanded:

When encryption is complete, the attackers issue a ransom demand (in bitcoin or another cryptocurrency) and threaten to destroy data if the ransom is not paid, often within a specific time frame to deliver a sense of urgency.

Ransom demands can vary depending on the nature of the attack. For example, the ransom to unlock a single laptop will likely be much lower than the ransom demanded by an attacker who has managed to lock down a business completely. However, the business downtime associated with a ransomware attack can be the real killer, especially for SMBs that may be less resilient to revenue fluctuations. Finally, paying the ransom doesn't guarantee that a business is in the clear. If ransomware remains dormant on infected systems, attackers may reactivate it at any time.

Ransomware Protection:

Ransomware protection begins with end user education, perimeter protection, and antivirus software. However, if a victim falls prey to a social engineering attack, they're essentially opening the door for ransomware to enter the network.

Ransomware easily finds its way onto PCs, mobile devices, servers and SaaS accounts. That's why businesses need a backup strategy that enables them to recover quickly.

Many modern server backup solutions offer a capability known as "instant recovery." Here's how it works: The backup server takes snapshots of physical and virtual servers, which are stored locally and replicated to the cloud. If a ransomware attack takes down a primary server, a clean backup "image" is mounted as a virtual machine on the backup device or in the cloud. This allows normal business operations to continue while the primary server is being restored, reducing costly downtime to minutes rather than hours or even days.
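The word that matters in that description is "clean". Because the malware spreads silently before encryption is triggered, the most recent snapshot is often taken after the infection and simply preserves a dormant copy of it, and a snapshot that has itself been damaged cannot be mounted at all. The following added example (written for this page, not Datto's or Restech's recovery logic) shows the selection rule an instant-recovery workflow needs: take the newest snapshot that predates the earliest indicator of compromise and whose image hash still matches the manifest recorded at backup time, preferring the local copy over the cloud replica when both qualify. The snapshots, their byte contents and the timestamps are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Snapshot:
    snapshot_id: str
    taken_at: float          # seconds since epoch (constructed values below)
    location: str            # "local" (backup appliance) or "cloud" (replica)
    image: bytes             # stand-in for the backup image contents
    manifest_sha256: str     # hash recorded when the snapshot was taken


def image_intact(snap: Snapshot) -> bool:
    """Recompute the image hash and compare it with the stored manifest."""
    return hashlib.sha256(snap.image).hexdigest() == snap.manifest_sha256


def select_clean_snapshot(snapshots: List[Snapshot],
                          first_indicator_ts: float) -> Optional[Snapshot]:
    """Newest intact snapshot taken strictly before the earliest sign of
    compromise (first phishing click, first lateral movement), not merely
    before the encryption trigger. Ties on time prefer the local copy,
    which mounts faster than a cloud replica."""
    candidates = [s for s in snapshots
                  if s.taken_at < first_indicator_ts and image_intact(s)]
    if not candidates:
        return None
    return max(candidates, key=lambda s: (s.taken_at, s.location == "local"))


def _snap(sid: str, ts: float, loc: str, content: bytes, corrupt: bool = False) -> Snapshot:
    """Build a constructed snapshot; `corrupt=True` damages the stored image
    after the manifest hash was recorded, as a failed replication would."""
    digest = hashlib.sha256(content).hexdigest()
    stored = content[:-1] + b"?" if corrupt else content
    return Snapshot(sid, ts, loc, stored, digest)


def build_sample_snapshots() -> List[Snapshot]:
    """Constructed backup chain: hourly-style snapshots, one damaged local copy
    with a healthy cloud replica, and one snapshot taken after infection."""
    base = b"disk-image-v1"
    return [
        _snap("snap-100-local", 100.0, "local", base + b"-a"),
        _snap("snap-150-local", 150.0, "local", base + b"-b", corrupt=True),
        _snap("snap-150-cloud", 150.0, "cloud", base + b"-b"),
        _snap("snap-300-local", 300.0, "local", base + b"-c"),
    ]


if __name__ == "__main__":
    # Constructed timeline: the phishing click (first indicator) happened at t=250.
    chosen = select_clean_snapshot(build_sample_snapshots(), first_indicator_ts=250.0)
    print("mount for instant recovery:", chosen.snapshot_id if chosen else "no clean snapshot")
```

With the constructed timeline the newest snapshot (t=300) is rejected because it postdates the infection, the t=150 local copy is rejected because its hash no longer matches, and the t=150 cloud replica is what gets mounted. Pinning the cut-off to the first indicator rather than the ransom note is what prevents restoring the dormant malware along with the data.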

As a full suite IT and cybersecurity firm, Restech can help with your security strategy and technology needs. Contact us to learn more.

Source: Datto