Malware & Ransomware Protection

Anatomy of a Ransomware Attack from the Data Level Perspective

Written by: Purandar Das | 5 min read

Ransomware is a growing threat for organizations, especially in highly regulated industries such as finance, healthcare, and government services. These organizations are incredibly tempting targets due to the type of data they collect and its value on the dark web. Without taking steps to defend their data specifically, businesses are likely to fall out of compliance and suffer a devastating breach.

No organization, no matter how large or well funded, is safe from these attacks. The recent Colonial Pipeline and SolarWinds attacks have shown that nobody is immune. These attacks can leave businesses non-compliant, which alone can cost $4 million for a single incident. The total cost of remediation, however, can run upwards of $14 million once fines, productivity loss, remediation costs, and reputational damage are included.

Below we will explore the lifecycle of a ransomware attack and how businesses can protect themselves and avoid becoming the next major cybersecurity headline.


Ransomware On the Rise

The ransomware attack cycle is driven by the ransoms collected from victims. The more victims pay, the more money flows back into cybercriminal organizations. They use these funds to hire programmers and develop more advanced ransomware that is harder to detect and contain. In the first half of 2021 alone, attackers collected $5.3 million.

With this much profit to be made, ransomware attacks in the first half of 2021 are up 64% year over year. Alongside the increase in attack rate, the average cost of a ransom has also risen by 32% in 2021. To protect yourself, your organization needs to understand how ransomware attacks happen, what to look out for, and how to protect your data.

The Attack Begins

Ransomware starts with attackers investigating an organization for weaknesses. They may run network vulnerability scans or send test phishing emails to see whether they get any traction in getting users to visit malicious sites or open attachments. Once they have discovered the path of least resistance, they begin to attack it aggressively.

Unsuspecting users who open phishing emails are a prime target for cybercriminals. The attack can begin by simply getting a user to visit a malicious site or open an infected file. It is especially dangerous if users are on endpoints that are not patched or are running antivirus (AV) with outdated signatures. This opens up more potential paths of attack for cybercriminals to exploit and gain deeper privileged access on the endpoint.

The Infection Starts

The goal of this stage is to get an exploit running successfully behind the perimeter, establishing a foothold for a larger-scale attack. Before even starting to encrypt, attackers will reach out to see if they can compromise other systems and get their tendrils into as much of your infrastructure as possible. They will scour your organization for data in spreadsheets and databases, as well as unstructured data such as text files, Word documents, and PDFs, any of which may contain personally identifiable information (PII), financial information, or healthcare-related data.

Any data in this investigation that appears valuable is scooped up, copied, and sent off to the attacker to be ransomed later. Once attackers have viewed your protected data, a breach has occurred, and your organization may be in violation of several compliance regimes such as Sarbanes-Oxley (SOX), Payment Card Industry (PCI), the General Data Protection Regulation (GDPR), the Gramm-Leach-Bliley Act (GLBA), and the California Consumer Privacy Act (CCPA).

After the data is sent away, the ransomware is let loose to rapidly encrypt all infected systems. At this point, the only options organizations have are to recover from backup or to pay the ransom and perpetuate the attack cycle. The damage is multiplied for those who had their data stolen, as the attackers will also demand a ransom not to release the stolen data to the public and create a more significant breach.

Protecting Yourself

Fortunately, organizations are not without recourse in protecting themselves. Attacks that are identified early can be stopped. Some of the latest AV solutions include threat detection and can break the attack chain early. Well-defined access control and encryption also prevent attackers from stealing useful information that could be used in an extortion attempt after the main attack.

Signs To Look For

Ransomware infections have some telltale signs that administrators can spot if they are vigilant. Endpoints will experience increased hardware utilization, especially disk I/O, while the encryption is taking place. The network will also see a spike in traffic, especially to dark web sites. Identifying either of these changes will alert administrators to a problem, allowing them to take steps to stop it.
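A minimal version of the baseline-deviation check this paragraph describes, added here as an illustration and not part of the original post: it learns per-host disk-write and network-egress baselines from constructed telemetry and flags the minutes where either signal jumps. Host names, numbers and thresholds are all assumed for the example.

```python
from statistics import mean, pstdev

# Constructed per-minute endpoint telemetry (not real data): host, minute,
# megabytes written to disk, megabytes sent out of the network.
SAMPLES = [
    ("ws-17", 0, 12.0, 1.1), ("ws-17", 1, 15.0, 0.9), ("ws-17", 2, 11.0, 1.3),
    ("ws-17", 3, 14.0, 1.0), ("ws-17", 4, 13.0, 1.2), ("ws-17", 5, 12.0, 1.1),
    ("ws-17", 6, 410.0, 1.0),   # encryption burst: disk writes explode, egress normal
    ("ws-17", 7, 395.0, 1.2),
    ("ws-22", 0, 20.0, 2.0), ("ws-22", 1, 22.0, 1.8), ("ws-22", 2, 19.0, 2.1),
    ("ws-22", 3, 21.0, 2.2), ("ws-22", 4, 20.0, 1.9), ("ws-22", 5, 23.0, 2.0),
    ("ws-22", 6, 21.0, 240.0),  # exfiltration: egress spikes before any encryption
    ("ws-22", 7, 20.0, 1.9),
]

BASELINE_MINUTES = 6   # learn "normal" from the first six samples per host (assumed)
SIGMA = 4.0            # flag values this many standard deviations above the mean
MIN_ABS_MB = 50.0      # floor on the margin, so a nearly idle host does not alert on noise


def baselines(samples, n=BASELINE_MINUTES):
    """Per-host (mean, stdev) of disk writes and of egress over the first n minutes."""
    per_host = {}
    for host, minute, disk, net in samples:
        if minute < n:
            disks, nets = per_host.setdefault(host, ([], []))
            disks.append(disk)
            nets.append(net)
    return {h: ((mean(d), pstdev(d)), (mean(e), pstdev(e))) for h, (d, e) in per_host.items()}


def exceeds(value, stats, sigma=SIGMA, min_abs=MIN_ABS_MB):
    """True when value sits above the baseline by the larger of sigma*stdev or min_abs."""
    mu, sd = stats
    return value > mu + max(sigma * sd, min_abs)


def detect(samples):
    """Return (host, minute, signal) alerts for post-baseline samples that spike."""
    base = baselines(samples)
    alerts = []
    for host, minute, disk, net in samples:
        if minute < BASELINE_MINUTES or host not in base:
            continue
        disk_stats, net_stats = base[host]
        if exceeds(disk, disk_stats):
            alerts.append((host, minute, "disk-write-spike"))
        if exceeds(net, net_stats):
            alerts.append((host, minute, "egress-spike"))
    return alerts
```

In production the baseline would come from a rolling window rather than the first few minutes, and a disk-write spike on its own is also what a large backup or software install looks like, so the alert is a trigger for investigation rather than proof of ransomware.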

Protecting Your Endpoints

Modern AV systems are another great way to stop ransomware attacks. While basic AV that relies on known malware signatures will prevent existing known strains, newer antivirus solutions use artificial intelligence (AI) and machine learning (ML) to detect malware by its behavior, even if that strain has never been identified before. Some varieties also isolate unknown executables in virtual environments and test them for risky behavior before allowing them to run on an endpoint.

In addition to AV, organizations need to take steps to protect the data on their endpoints. Well-defined access controls and encryption render data inaccessible and unreadable to attackers. Modern encryption solutions that manage the keys for endpoints and limit access based on permissions are crucial for protecting endpoint data, whether it lives in databases or in unstructured files.


Protecting The Data

While many security solutions provide data encryption or access control services, Sotero bundles it all into a cohesive package. With an end-to-end data encryption solution, Sotero is the only solution that can keep data encrypted throughout its lifecycle, without needing to decrypt it even for analysis. Data is only decrypted when a user has the correct privileges to view it in its unencrypted state. Sotero is not just for protecting structured data such as databases or spreadsheets; it can also safeguard unstructured data such as PDFs and Word documents, ensuring that all of your data is safe.

If you are interested in learning more about unstructured data protection, schedule a call today.
