homepage
Menu
Open menu
  • Training
    Go one level top Back

    Training

    • Courses

      Build cyber prowess with training from renowned experts

    • Hands-On Simulations

      Hands-on learning exercises keep you at the top of your cyber game

    • Certifications

      Demonstrate cybersecurity expertise with GIAC certifications

    • Ways to Train

      Multiple training options to best fit your schedule and preferred learning style

    • Training Events & Summits

      Expert-led training at locations around the world

    • Free Training Events

      Upcoming workshops, webinars and local events

    • Security Awareness

      Harden enterprise security with end-user and role-based training

    Featured: Solutions for Emerging Risks

    Discover tailored resources that translate emerging threats into actionable strategies

    Risk-Based Solutions

    Can't find what you are looking for?

    Let us help.
    Contact us
  • Learning Paths
    Go one level top Back

    Learning Paths

    • By Focus Area

      Chart your path to job-specific training courses

    • By NICE Framework

      Navigate cybersecurity training through NICE framework roles

    • DoDD 8140 Work Roles

      US DoD 8140 Directive Frameworks

    • By European Skills Framework

      Align your enterprise cyber skills with ECSF profiles

    • By Skills Roadmap

      Find the right training path based on critical skills

    • New to Cyber

      Give your cybersecurity career the right foundation for success

    • Leadership

      Training designed to help security leaders reduce organizational risk

    • Degree and Certificate Programs

      Gain the skills, certifications, and confidence to launch or advance your cybersecurity career.

    Featured

    New to Cyber resources

    Start your career
  • Community Resources
    Go one level top Back

    Community Resources

    Watch & Listen

    • Webinars
    • Live Streams
    • Podcasts

    Read

    • Blog
    • Newsletters
    • White Papers
    • Internet Storm Center

    Download

    • Open Source Tools
    • Posters & Cheat Sheets
    • Policy Templates
    • Summit Presentations
    • SANS Community Benefits

      Connect, learn, and share with other cybersecurity professionals

    • CISO Network

      Engage, challenge, and network with fellow CISOs in this exclusive community of security leaders

  • For Organizations
    Go one level top Back

    For Organizations

    Team Development

    • Why Partner with SANS
    • Group Purchasing
    • Skills & Talent Assessments
    • Private & Custom Training

    Leadership Development

    • Leadership Courses & Accreditation
    • Executive Cybersecurity Exercises
    • CISO Network

    Security Awareness

    • End-User Training
    • Phishing Simulation
    • Specialized Role-Based Training
    • Risk Assessments
    • Public Sector Partnerships

      Explore industry-specific programming and customized training solutions

    • Sponsorship Opportunities

      Sponsor a SANS event or research paper

    Interested in developing a training plan to fit your organization’s needs?

    We're here to help.
    Contact us
  • Talk with an expert
  • Log In
  • Join - it's free
  • Account
    • Account Dashboard
    • Log Out
  1. Home >
  2. Blog >
  3. Ransomware: Every internet-connected network is at risk. Be prepared!
370x370_ryan-chapman.jpg
Ryan Chapman

Ransomware: Every internet-connected network is at risk. Be prepared!

As ransomware attacks increase in number and severity, even the most advanced security systems can be compromised. Here is what you can do to prepare.

May 4, 2023

Cyber criminals are targeting every type of organization, from small businesses to large enterprises. Many people tend to believe that ransomware actors only target large enterprises and/or critical systems; unfortunately, the opposite is true. If you have internet-connected devices, you are at risk of a ransomware attack.

Some ransomware actors target very specific victim environments, others focus on specific verticals and/or sectors, and yet others take a more opportunistic approach. These latter types of actors utilize a wide-net approaches, sometimes even purchasing access to victim environments from initial access brokers (IABs), whose role is to break into a wide variety of networks to later re-sell this access to threat actors such as ransomware actors.

Ransomware attacks in 2022: An overview

Tracking all ransomware incidents is impossible. No one on the planet knows exactly how many ransomware attacks have occurred over time or even within a given year. Some victims negotiate directly with the threat actor and provide a ransom payment before the rest of the world becomes aware of the situation. Many incidents are handled in private with non-disclosure agreements (NDAs) signed by all parties involved. In these situations, the consulting groups involved are barred from discussing specifics. 

Though even coming close to tracking all ransomware attacks is not possible, some groups release reports that contain statistics along with techniques, tactics, and procedures (TTPs) of the various groups involved. The reports you will find released to the public are often written through the lens of the firm or group writing the report. For the purposes of this article, we have opted to use statistics from ecrime.ch, a paid threat intelligence service that aggregates and reports on ransomware data leak sites (DLS). These sites are run by the ransomware operators themselves.

Based on intelligence from ecrime.ch, ransomware actors made over 2,600 posts in 2022 related to their victims. These posts included victim identification, while some even provided sample files and/or notes concerning full data dumps (typically as a result of non-payment). Within this data set, the following were the top 10 sectors in terms of compromise, in order:

  • Construction
  • Hospital and Health Care
  • Government Administration
  • IT Services and IT Consulting
  • Law Practice
  • Automotive
  • Financial Services
  • Higher Education
  • Insurance
  • Real Estate

According to Coveware’s April 28th article concerning ransomware attacks in Q1 2023, the two most common company sizes impacted by ransomware were those with:

  • 101 to 1,000 (34%) employees, and
  • 11 to 100 (25.2%) employees

However, companies with employee counts between 1 to 10 served as 6.3% of impacted companies. That number is not insignificant and should serve as a warning to organizations who think to themselves, “Ransomware only hits enterprises… so we should be safe.”

Consulting firms, insurance agencies, and law firms alike see small businesses, such as dentist offices and small accounting agencies to name a few, being hit with ransomware. The threat is not only relegated to larger companies. If you have network infrastructure on the internet, you are a viable target. 

----

Should you be interested in free sites similar to ecrime, we recommend the following resources:

Ransom Watch provides a group index, recent DLS posts, group profiles, and statistic/graph pages: https://for528.com/ransomwatch.

Ransom Look provides a group index, forum and market links, a listing of data leaks, telegram messages, and statistic/graph pages: https://for528.com/ransomlook. The team also maintains a GitHub repo that you can review: https://for528.com/ransomlook-gh.

Ransom.Wiki focuses more on allowing users to search for recent victims and/or ransomware groups by name: https://for528.com/rwiki.

DarkFeed provides several resources for identifying ransomware DLS and blog information: https://for528.com/darkfeed.

How serious is the threat of a potential ransomware attack?

During the development of our SANS Forensics “FOR28: Ransomware for Incident Responders” course, we experienced a real-world, eye-opening attack. To generate the data for our labs and capture the flag (CTF) event, we created multiple network ranges. One night, I left one of our ranges in a vulnerable state, purposefully. The servers in the range had Remote Desktop Protocol (RDP) open with insecure passwords for no more than 8 hours while I slept.

I joked that I wanted to give a real threat actor a chance to brute-force one of the Administrator account passwords. When I awoke, I found that not only had the range been breached, but the entire environment was ransomed! We could not have asked for a better, real-world example of just how serious the threat is… we’re up against a monster!

Figure 1. One of our network ranges after being ransomed after being vulnerable for no more than 8 hours. 

IInitial Access – How the Ransomware Actors Are Getting In

The top three methods used to obtain access to victim networks in ransomware attacks, along with some prevention/mitigation-related questions, follow:

  • Phishing
    • Are you training your users to spot and report potential phishing emails?
    • Do you have an email security gateway that allows you to pull potentially malicious email from your user inboxes?
    • Are you blocking potentially malicious file attachments? To learn about which files to block, see https://for528.com/filesec.
  • RDP
    • Do you have RDP exposed to the Internet?
    • Are externally-facing RDP services using Multi-Factor Authentication (MFA)?
    • Are you using your firewall(s) to allow access only to IP subnets that truly need external > internal RDP access?
    • Are the accounts enabled for remote access standard, non-privileged accounts only?
  • Software vulnerability exploitation
    • Do you have proper asset management?
    • Are you patching:
      • Externally-facing services?
      • Network equipment such as firewalls and VPN concentrators?
      • Internal software?
      • Your operating systems?

Some ransomware groups carry out their own attacks (e.g., Vice Society), while some use affiliate groups as part of their Ransomware-as-a-Service (RaaS) model (e.g., Lockbit 3.0). Regardless, entry into victim networks often comes by way of the three above methods. Initial entry may not be direct via the operator or affiliate group. Rather, access may be purchased and/or leased via an Initial Access Broker, or IAB, as noted earlier.

The IAB’s role is literally in its name: to broker initial access to victim networks. Such groups work around the clock, literally, to breach victim environments using the above three methods. Once in, they sell, auction, or trade access to other threat actors, including ransomware actors. That’s the threat we’re up against: Entire teams of humans are using well-known, tried-and-true attack methods constantly – And they work all too often.

To learn more about the IAB landscape, see https://for528.com/iab.

Protecting Your Organization

What is the best way to protect me and my organization from ransomware?

The only way to stay safe from ransomware is to be prepared. As ransomware attacks increase in number and severity, even the most advanced security systems can be compromised. However, there is one thing that can help you fight back: train your team!

One of the most important things you can do as an organization is to train your cyber team on how to recognize the signs of a possible attack, what steps they should take, and how they can help prevent it from happening in the first place. A well-trained team will be able to identify what ransomware attacks look like, and thus will be able to help you work out a plan for responding if it's detected on your network.

For example, how might you determine that an identified actor within your environment may be a ransomware affiliate? What signs do you look for? Should you make this determination, what steps would then be appropriate? You do not respond to a potential ransomware attack the same as you do an Advanced Persistent Threat (APT). Do you know the difference? If not, it’s time to prepare you and your organization.

A recent study found that organizations that have trained their IT or cybersecurity teams are 28% less likely to experience a breach than those who haven't. This makes sense: when you know what you're doing, you can act quickly and efficiently when the time comes.

If you're a business owner, you know that staying on top of the latest in cybersecurity can feel like an uphill battle. But there are ways to ensure that your business stays secure from the dangers of ransomware and other forms of malware.

Here are five tips for staying safe:

  1. Train your cyber team on the newest threats and how they should respond.
    1. This training should include phishing training to help thwart one of the top two methods used for ransomware initial entry.
  2. Keep your software and network appliances updated with the latest patches and updates.
    1. Software vulnerabilities are everywhere. Avoid them at all costs.
    2. Don’t forget that your network appliances, including firewalls, have operating systems that most likely require updates. Many ransomware breaches occur due to exploitation of network devices.
  3. Don't open suspicious emails or click on links.
    1. Again, phishing is a massive entry vector. Train your staff. Then train them some more.
      Keep an eye out for unusual activity on your network—if something looks suspicious, don't hesitate to reach out for help!
  4. You want to foster an environment in which your employees are prone to report vs. not doing so.
    1. The impact of many ransomware and other attacks have been lessened thanks to diligent reporters.
  5. Encrypt all sensitive data so even if it does get stolen, it's not stored in plaintext.
    1. Starting in 2019, the MAZE Team made popular the data extortion that we now see in most ransomware attacks. If a ransomware actor gets into your network, will they be able to exfiltrate data that is not encrypted? Chances are they will. Do all that you can to avoid this by leveraging encryption at-rest.

Learn more about the course at www.sans.org/FOR528

Share:
TwitterLinkedInFacebook
Copy url Url was copied to clipboard
Subscribe to SANS Newsletters
Receive curated news, vulnerabilities, & security awareness tips
United States
Canada
United Kingdom
Spain
Belgium
Denmark
Norway
Netherlands
Australia
India
Japan
Singapore
Afghanistan
Aland Islands
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antarctica
Antigua and Barbuda
Argentina
Armenia
Aruba
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belize
Benin
Bermuda
Bhutan
Bolivia
Bonaire, Sint Eustatius, and Saba
Bosnia And Herzegovina
Botswana
Bouvet Island
Brazil
British Indian Ocean Territory
Brunei Darussalam
Bulgaria
Burkina Faso
Burundi
Cambodia
Cameroon
Cape Verde
Cayman Islands
Central African Republic
Chad
Chile
China
Christmas Island
Cocos (Keeling) Islands
Colombia
Comoros
Cook Islands
Costa Rica
Cote D'ivoire
Croatia (Local Name: Hrvatska)
Curacao
Cyprus
Czech Republic
Democratic Republic of the Congo
Djibouti
Dominica
Dominican Republic
East Timor
Ecuador
Egypt
El Salvador
Equatorial Guinea
Eritrea
Estonia
Eswatini
Ethiopia
Falkland Islands (Malvinas)
Faroe Islands
Fiji
Finland
France
French Guiana
French Polynesia
French Southern Territories
Gabon
Gambia
Georgia
Germany
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guernsey
Guinea
Guinea-Bissau
Guyana
Haiti
Heard And McDonald Islands
Honduras
Hong Kong
Hungary
Iceland
Indonesia
Iraq
Ireland
Isle of Man
Israel
Italy
Jamaica
Jersey
Jordan
Kazakhstan
Kenya
Kiribati
Korea, Republic Of
Kosovo
Kuwait
Kyrgyzstan
Lao People's Democratic Republic
Latvia
Lebanon
Lesotho
Liberia
Liechtenstein
Lithuania
Luxembourg
Macau
Madagascar
Malawi
Malaysia
Maldives
Mali
Malta
Marshall Islands
Martinique
Mauritania
Mauritius
Mayotte
Mexico
Micronesia, Federated States Of
Moldova, Republic Of
Monaco
Mongolia
Montenegro
Montserrat
Morocco
Mozambique
Myanmar
Namibia
Nauru
Nepal
Netherlands Antilles
New Caledonia
New Zealand
Nicaragua
Niger
Nigeria
Niue
Norfolk Island
North Macedonia
Northern Mariana Islands
Oman
Pakistan
Palau
Palestine
Panama
Papua New Guinea
Paraguay
Peru
Philippines
Pitcairn
Poland
Portugal
Puerto Rico
Qatar
Reunion
Romania
Russian Federation
Rwanda
Saint Bartholemy
Saint Kitts And Nevis
Saint Lucia
Saint Martin
Saint Vincent And The Grenadines
Samoa
San Marino
Sao Tome And Principe
Saudi Arabia
Senegal
Serbia
Seychelles
Sierra Leone
Sint Maarten
Slovakia
Slovenia
Solomon Islands
South Africa
South Georgia and the South Sandwich Islands
South Sudan
Sri Lanka
St. Helena
St. Pierre And Miquelon
Suriname
Svalbard And Jan Mayen Islands
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania, United Republic Of
Thailand
Togo
Tokelau
Tonga
Trinidad And Tobago
Tunisia
Turkey
Turkmenistan
Turks And Caicos Islands
Tuvalu
Uganda
Ukraine
United Arab Emirates
United States Minor Outlying Islands
Uruguay
Uzbekistan
Vanuatu
Vatican City State
Venezuela
Vietnam
Virgin Islands (British)
Virgin Islands (U.S.)
Wallis And Futuna Islands
Western Sahara
Yemen
Zambia
Zimbabwe

By providing this information, you agree to the processing of your personal data by SANS as described in our Privacy Policy.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Recommended Training

  • FOR528: Ransomware and Cyber Extortion™
  • LDR553: Cyber Incident Management™
  • SEC501: Advanced Security Essentials - Enterprise Defender™

Tags:
  • Digital Forensics, Incident Response & Threat Hunting

Related Content

Blog
DFIR blog image.png
Digital Forensics, Incident Response & Threat Hunting
August 22, 2024
A Visual Summary of SANS DFIR Summit 2024
Check out these graphic recordings created in real-time throughout the event for SANS DFIR Summit 2024
No Headshot Available
Alison Kim
read more
Blog
blog image - ransomware summit.png
Digital Forensics, Incident Response & Threat Hunting
May 29, 2024
A Visual Summary of SANS Ransomware Summit 2024
Check out these graphic recordings created in real-time throughout the event for SANS Ransomware Summit 2024
No Headshot Available
Alison Kim
read more
Blog
FOR528_updates.png
Digital Forensics, Incident Response & Threat Hunting
January 16, 2024
FOR528: Ransomware & Cyber Extortion Course Updates Implemented – What’s New?
The recent FOR528 course better addresses the differences between ransomware and cyber extortion, and provides new hands-on labs and bonus content.
370x370_ryan-chapman.jpg
Ryan Chapman
read more
  • Company
  • Mission
  • Instructors
  • About
  • FAQ
  • Press
  • Contact Us
  • Careers
  • Policies
  • Training Programs
  • Work Study
  • Academies & Scholarships
  • Public Sector Partnerships
  • Law Enforcement
  • SkillsFuture Singapore
  • Degree Programs
  • Get Involved
  • Join the Community
  • Become an Instructor
  • Become a Sponsor
  • Speak at a Summit
  • Join the CISO Network
  • Award Programs
  • Partner Portal
Subscribe to SANS Newsletters
Receive curated news, vulnerabilities, & security awareness tips
United States
Canada
United Kingdom
Spain
Belgium
Denmark
Norway
Netherlands
Australia
India
Japan
Singapore
Afghanistan
Aland Islands
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antarctica
Antigua and Barbuda
Argentina
Armenia
Aruba
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belize
Benin
Bermuda
Bhutan
Bolivia
Bonaire, Sint Eustatius, and Saba
Bosnia And Herzegovina
Botswana
Bouvet Island
Brazil
British Indian Ocean Territory
Brunei Darussalam
Bulgaria
Burkina Faso
Burundi
Cambodia
Cameroon
Cape Verde
Cayman Islands
Central African Republic
Chad
Chile
China
Christmas Island
Cocos (Keeling) Islands
Colombia
Comoros
Cook Islands
Costa Rica
Cote D'ivoire
Croatia (Local Name: Hrvatska)
Curacao
Cyprus
Czech Republic
Democratic Republic of the Congo
Djibouti
Dominica
Dominican Republic
East Timor
Ecuador
Egypt
El Salvador
Equatorial Guinea
Eritrea
Estonia
Eswatini
Ethiopia
Falkland Islands (Malvinas)
Faroe Islands
Fiji
Finland
France
French Guiana
French Polynesia
French Southern Territories
Gabon
Gambia
Georgia
Germany
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guernsey
Guinea
Guinea-Bissau
Guyana
Haiti
Heard And McDonald Islands
Honduras
Hong Kong
Hungary
Iceland
Indonesia
Iraq
Ireland
Isle of Man
Israel
Italy
Jamaica
Jersey
Jordan
Kazakhstan
Kenya
Kiribati
Korea, Republic Of
Kosovo
Kuwait
Kyrgyzstan
Lao People's Democratic Republic
Latvia
Lebanon
Lesotho
Liberia
Liechtenstein
Lithuania
Luxembourg
Macau
Madagascar
Malawi
Malaysia
Maldives
Mali
Malta
Marshall Islands
Martinique
Mauritania
Mauritius
Mayotte
Mexico
Micronesia, Federated States Of
Moldova, Republic Of
Monaco
Mongolia
Montenegro
Montserrat
Morocco
Mozambique
Myanmar
Namibia
Nauru
Nepal
Netherlands Antilles
New Caledonia
New Zealand
Nicaragua
Niger
Nigeria
Niue
Norfolk Island
North Macedonia
Northern Mariana Islands
Oman
Pakistan
Palau
Palestine
Panama
Papua New Guinea
Paraguay
Peru
Philippines
Pitcairn
Poland
Portugal
Puerto Rico
Qatar
Reunion
Romania
Russian Federation
Rwanda
Saint Bartholemy
Saint Kitts And Nevis
Saint Lucia
Saint Martin
Saint Vincent And The Grenadines
Samoa
San Marino
Sao Tome And Principe
Saudi Arabia
Senegal
Serbia
Seychelles
Sierra Leone
Sint Maarten
Slovakia
Slovenia
Solomon Islands
South Africa
South Georgia and the South Sandwich Islands
South Sudan
Sri Lanka
St. Helena
St. Pierre And Miquelon
Suriname
Svalbard And Jan Mayen Islands
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania, United Republic Of
Thailand
Togo
Tokelau
Tonga
Trinidad And Tobago
Tunisia
Turkey
Turkmenistan
Turks And Caicos Islands
Tuvalu
Uganda
Ukraine
United Arab Emirates
United States Minor Outlying Islands
Uruguay
Uzbekistan
Vanuatu
Vatican City State
Venezuela
Vietnam
Virgin Islands (British)
Virgin Islands (U.S.)
Wallis And Futuna Islands
Western Sahara
Yemen
Zambia
Zimbabwe

By providing this information, you agree to the processing of your personal data by SANS as described in our Privacy Policy.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
  • Privacy Policy
  • Terms and Conditions
  • Do Not Sell/Share My Personal Information
  • Contact
  • Careers
© 2025 The Escal Institute of Advanced Technologies, Inc. d/b/a SANS Institute. Our Terms and Conditions detail our trademark and copyright rights. Any unauthorized use is expressly prohibited.
  • Twitter
  • Facebook
  • Youtube
  • LinkedIn