I have done a lot of research on ransomware. What you need to know BLUF is that targeted attacks have greatly increased this year, and the bad guys are not just locking up your systems but they are taking your data before they go. And then, they are sharing their ill-gotten goodies on “name and shame” sites to ensure you pay them. Because extortion is paying that ransom these days.

There are at least a dozen operators making money this way, with Maze and their newly formed cartel at the top of the list. Sodinokibi and RagnarLocker have been recently active too.

You want to understand how the attack chain works because ransomware is getting delivered in multi-stage attacks, with initial infections coming via phishing or exploitation via exposed remote desktop protocol RDP. You want to be monitoring for TrickBot and Emotet especially. As for mitigations, have multiple backups and ideally one off the network. Test them. Keep them clean. The attackers are looking for and deleting any online backups or shadow volumes they find.

Here’s the thing: once the ransomware is launched, it’s pretty much game over. You need to be hunting for these guys in your network while they are doing recon and mapping your systems, looking for what is valuable and what to shut down. Catch them when they are going low and slow, stealing legitimate Windows processes to make their own and evade detection.

That said, I’ll share this piece by my friends at TripWire so you can get a more detailed sense of the current ransomware landscape:

Ransomware is a type of malware that prevents users from accessing their system or personal files and demands a “ransom payment” in order to regain access.
— Read on www.tripwire.com/state-of-security/featured/ransomware-characteristics-attack-chains-recent-campaigns/