At a critical time would you know what to do?

Business Guidance During a Ransomware Attack

Ransomware Attacks: What to Do If Your Business is Affected?

Businesses globally are experiencing a significant increase in ransomware attacks, and the trend shows no sign of slowing. As attacker techniques become more sophisticated, organisations need visibility of the risks their businesses face and of the ransomware protection options available to them.

This report provides high-level guidance to business leaders on how to detect the signs of a ransomware attack and the preventative measures that are currently available.

Key Points

Seven stages of a typical ransomware attack →

How to tell if you have been hit by ransomware →

The first steps to take if you detect ransomware →

Experienced a ransomware attack? Contact us today.

Understanding Ransomware Attacks

The detection of a ransomware attack can occur at any stage of the attack lifecycle but is dependent on your cyber security posture and the cyber tools you have within your organisation.

The earlier the point of detection, the greater the chance of limiting the damage. It is important to highlight that the most damaging part of any ransomware attack (the encryption of files) typically takes place late in the attack lifecycle; by then, your organisation may have been compromised for days or even weeks without noticing any symptoms.

Once encryption starts, the chance of avoiding material loss drops sharply. This article discusses the typical stages of a ransomware attack and the mitigation steps available to you at each stage.

Seven stages of a typical ransomware attack

Stage 1 – Gaining access…

Attackers typically enter the estate through remote access points (for example VPN or RDP) using stolen credentials, by brute-forcing passwords, or by exploiting unpatched vulnerabilities. Alternatively, a payload may be delivered to an employee’s device via a phishing email and used as the initial foothold in the network.

Stage 2 – Seeking your weak spots…

Attackers will deploy command-and-control implants (commonly Cobalt Strike Beacons) onto servers and use them to discover weaknesses they can exploit to move laterally across the estate. Each additional Beacon is another foothold, so the more Beacons are deployed, the further the attacker can move.

Stage 3 – Disabling your defences…

Attackers will analyse the estate to determine what is available to them and which servers are most critical. They will look to uninstall or alter anti-virus products and to inhibit any other security solutions within the estate. Any backups that are not held in a storage repository off the corporate domain and network (air-gapped) may be deleted, encrypted or tampered with to prevent business recovery; on Windows hosts this commonly includes deleting Volume Shadow Copies.

Stage 4 – Data extraction…

Tools will be deployed into the estate to collect data and then transfer it out of your organisation, usually to common file-sharing services such as MEGA.NZ. A tool commonly used for this in recent years is rclone.exe, a legitimate file-synchronisation utility that attackers repurpose for bulk upload.

Stage 5 – Ransomware encryption…

Once your data has been extracted and Cobalt Strike Beacons have been deployed across the estate, encryption begins. Servers are encrypted and files are renamed with the ransomware’s extension; servers become unresponsive and ransom notes are dropped where they will be easily found. Any endpoint connected to the network at the point of encryption is also at risk of being encrypted.

Stage 6 – Blackmailing begins…

Emails will begin to arrive in the organisation, usually from free webmail accounts (e.g. Proton, Gmail, Hotmail). These emails threaten that, if payment is not received, your data will be published on the dark web or on the attacker’s own leak site.

Stage 7 – Your data will be exploited…

Data will be published on these leak sites and can amount to a terabyte or more of your data. There is usually a 14 to 28 day gap between stage 6 and stage 7, during which you may be sent samples of your data as proof before publication.

How to tell if you have been hit by ransomware

The initial stages of a ransomware attack can be detected with the following tools. If these tools are available, their output must be checked regularly:

  • Anti-virus products (if not uninstalled by the attacker)
  • Security Information and Event Management (SIEM) technology
  • Endpoint Detection and Response (EDR) technology
  • Security event logs
  • Regular analysis of firewall logs
  • Security tools monitoring the email audit logs, or any email alerting configured

Typically, the ransomware only becomes known to the organisation at the point of encryption, where machines become unresponsive, encrypted files are detected or the ransomware note is found.

The first steps to take if you detect ransomware

1

EDR

If you have an EDR solution, it can kill malicious processes and network-isolate infected servers and endpoints. Automatic isolation is often not switched on by default; in that case, contact your provider, who can isolate the estate quickly via the EDR console.

2

ISOLATE AFFECTED MACHINES

If no such tools are available but you can determine which machines have been affected, those machines must be isolated from the network. The simplest methods are to disable the network interface cards (NICs), unplug the network cable or disable the Wi-Fi adapter.

3

ISOLATE

If you cannot determine the exact machines that have been impacted, the safest option is to isolate all servers from the network. It’s recommended to do this at the switch level, taking network segments offline rather than individual devices. If this is not possible, then isolate devices individually.

NOTE: Do not simply power off devices. You risk losing important forensic evidence (memory contents, running processes and active network connections are all lost at power-off), and bringing the machines back up may prove difficult or impossible.

4

DETERMINE IMPACTED ENDPOINTS AND SERVERS

The next phase is to determine which endpoints and servers have been impacted. The simplest way is to run a remote scanning tool across the estate that checks each device for the signs of encryption (renamed files, ransom notes, unresponsive services). You also need to determine whether your backups have been impacted; if they have not, take offline copies immediately. This is essential for business recovery.
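As an added example (not from the original article or Solace Cyber), the following Python walks a file tree such as a server share or a mounted backup volume and sorts files into: renamed with a suspect extension, ransom note, encrypted-looking (high byte entropy under a non-compressed extension), and clean. The entropy check catches backups that were encrypted in place without a rename, which an extension check alone misses. The extension list, note-name hints and the temporary sample tree are assumptions for the demo.

```python
"""Added example, not code from the original article or Solace Cyber.

Classifies every file under a root as suspect_ext, ransom_note, high_entropy
or clean, so impacted servers and tampered backups can be identified.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed values; replace SUSPECT_EXTENSIONS with the extension seen in your incident.
SUSPECT_EXTENSIONS = {".locked", ".encrypted"}
NOTE_NAME_HINTS = ("readme", "restore", "decrypt", "recover")
# Formats that are compressed by design and legitimately show near-random bytes.
ALREADY_COMPRESSED = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4",
                      ".pdf", ".docx", ".xlsx", ".pptx"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted or random data sits near 8.0
MIN_SAMPLE = 1024         # very short files give noisy entropy estimates


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for constant data, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path) -> str:
    ext = path.suffix.lower()
    if ext in SUSPECT_EXTENSIONS:
        return "suspect_ext"
    if ext == ".txt" and any(h in path.stem.lower() for h in NOTE_NAME_HINTS):
        return "ransom_note"
    if ext not in ALREADY_COMPRESSED:
        sample = path.read_bytes()[:65536]   # the first 64 KiB is enough to judge
        if len(sample) >= MIN_SAMPLE and shannon_entropy(sample) > ENTROPY_THRESHOLD:
            return "high_entropy"
    return "clean"


def assess_tree(root) -> dict:
    """Return {category: [relative paths]} for every regular file under root."""
    root = Path(root)
    result = {"suspect_ext": [], "ransom_note": [], "high_entropy": [], "clean": []}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            result[classify_file(p)].append(p.relative_to(root).as_posix())
    return result


def is_impacted(result) -> bool:
    return bool(result["suspect_ext"] or result["ransom_note"] or result["high_entropy"])


def build_sample_tree() -> str:
    """Constructed demo share (not real data): an encrypted folder, a backup
    volume with one backup encrypted in place, and a media folder."""
    root = Path(tempfile.mkdtemp(prefix="ransom-demo-"))
    (root / "finance").mkdir()
    (root / "finance" / "ledger.csv").write_bytes(b"date,amount,account\n" * 200)
    (root / "finance" / "q3.docx.locked").write_bytes(os.urandom(4096))
    (root / "finance" / "README_TO_RESTORE.txt").write_text("your files are encrypted")
    (root / "backups").mkdir()
    (root / "backups" / "db-2024-01.bak").write_bytes(os.urandom(8192))   # encrypted, name kept
    (root / "backups" / "db-2024-02.bak").write_bytes(b"SQLite format 3\x00" + b"\x00" * 8000)
    (root / "photos").mkdir()
    (root / "photos" / "team.jpg").write_bytes(os.urandom(8192))          # compressed media, normal
    return str(root)


if __name__ == "__main__":
    report = assess_tree(build_sample_tree())
    for category, files in report.items():
        print(f"{category}: {files}")
    print("impacted:", is_impacted(report))
```

Run it against a backup volume before trusting a restore: a backup file that keeps its name but now scores near 8.0 bits per byte has been overwritten. The compressed-format allow-list is the important caveat, since Office documents, archives and media are naturally high-entropy; extend it for your estate rather than lowering the threshold.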

5

MODIFY FIREWALLS

You can restrict your firewall to allow only business-critical traffic (pinholes), which may prevent further extraction of your data. If you can identify the ransomware strain, published Indicators of Compromise (IOCs) from vendor analysis and reverse-engineering reports can be implemented as blocks.

6

CONTACT YOUR CSIRT TEAM

The first call should be to your insurance provider, who will make ransomware recovery teams available. If you don’t have cyber insurance, contact our Cyber Security Incident Response Team (CSIRT) for guidance and immediate assistance.

NOTE: Do not use email, as the attackers may have compromised the email estate. Use the phone or another out-of-band channel instead.

Solace Cyber meets the UK’s highest cyber security standards, offering first-class incident response support and recovery.

Request a call back to speak with a ransomware specialist

Whether you are experiencing a ransomware attack now or want to discuss preventing ransomware attacks in the future, contact us today.