
Using flow-based NDR to fight ransomware


Ransomware is everywhere, and cybercriminals are growing more aggressive, demanding ever-larger ransom payments. Palo Alto Networks’ Unit 42 says that payments were up 82% in the first half of 2021, with the average payment at a record $570,000. With ransoms climbing and cybercriminals ever hungrier for users’ data, what can you do to stop these attacks?

Stopping ransomware before it locks you out 

You can’t prevent all ransomware from getting onto the network, but that doesn’t mean you’re stuck. If you prepare, you can reduce the impact of ransomware by having the right network-based security in place; after all, ransomware has to cross the network to reach the systems that matter.

Cybercriminals gain access to your network through employees, contractors, vendors, and many others, whether via phishing emails or compromised websites, but the systems compromised first are usually not the ones that hold your critical data. Most people don’t, or shouldn’t, keep the bulk of critical business data on their laptop, which is often where the first compromise takes place. That gap between the initial foothold and the data is your first line of defense: the attackers still have to find and reach the other systems that hold what they want.

To track where the ransomware is looking for that data, you need a network detection and response (NDR) solution, such as Plixer’s NDR platform. Legacy signature-based tools (IPS and traditional IDS) can only flag traffic that matches a known pattern, so they miss attacks that use tooling or techniques for which no signature exists yet, and many ransomware operators rely on exactly that. An NDR that applies machine learning and behavioral baselining to network traffic detects the anomalous connection patterns themselves, whether or not the tooling behind them is known.

The key to limiting a ransomware attack is to keep it off the systems that matter most. But how do you keep ransomware from reaching those systems? The answer lies in detecting lateral movement.

Tracking lateral movement 

Lateral movement is one of the most common techniques malicious actors use to move progressively through a network as they search for critical data. That data is what the attackers really want, because it commands the largest ransoms.

Detecting lateral movement may sound straightforward, but understanding how malicious software is connecting across your network requires an NDR system that collects network flow data (who talked to whom, on which port, when, and how much) and analyzes it. With flow data you can quickly determine where ransomware, and other malware, is spreading across the network.

The most important reason to track network connections for lateral movement is that it cuts the dwell time of a ransomware infection. If you detect the ransomware before it locks a system, you can contain it before serious damage is done; the longer it sits on your network, the more devices it compromises, and even if it never reaches your most critical data it can disrupt day-to-day operations. Tracking its lateral movement shows you where it went and which machines were touched, so you can isolate them, limit further spread, and shorten your time to recovery.

Tracking lateral movement is only as good as the data being collected. When new machines or new employees join the network, start monitoring their connections right away; that gives you the broadest visibility and lets you identify malicious movement from any device on the network. Ingesting high-fidelity flow data into your NDR system sharpens that visibility and shortens the time ransomware lingers undetected. Flow records describe connections (endpoints, ports, timing, volume) rather than payloads, so the detection rests on connection behavior, which is exactly what lateral movement changes. This information is exportable via IPFIX (and its predecessor NetFlow), and most network hardware vendors support the protocol.
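To make the flow-analysis idea concrete, here is an added Python example (not Plixer’s code and not part of the original post) that runs a simple lateral-movement heuristic over constructed flow records carrying the fields an IPFIX/NetFlow exporter typically provides. It flags any internal host that opens TCP connections to many distinct internal peers on admin ports (SMB, RDP, WinRM, SSH, RPC) within a short window, and separately lists connections never seen in a baseline. The addresses, port list, window and threshold are assumptions chosen for illustration; real thresholds come from a baseline of your own traffic.

```python
"""Flag lateral-movement fan-out in NetFlow/IPFIX-style flow records."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical tunables; derive real values from your own baseline.
WINDOW_SECONDS = 300
FANOUT_THRESHOLD = 5

INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Destination ports commonly used by admin protocols that attackers abuse to move laterally.
LATERAL_PORTS = {22: "SSH", 135: "MS-RPC", 445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM"}


@dataclass(frozen=True)
class Flow:
    ts: int      # flow start, epoch seconds
    src: str
    dst: str
    dport: int
    proto: int   # IANA protocol number; 6 = TCP, 17 = UDP
    octets: int


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def lateral_candidates(flows):
    """Keep only internal-to-internal TCP flows bound for an admin port."""
    return [f for f in flows
            if f.proto == 6 and f.dport in LATERAL_PORTS
            and is_internal(f.src) and is_internal(f.dst) and f.src != f.dst]


def detect_fanout(flows, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """Return {src: (window_start_ts, sorted_peers)} for each source that reaches
    at least `threshold` distinct internal hosts on admin ports within `window`
    seconds. Uses a sliding window over each source's flows sorted by start time."""
    by_src = defaultdict(list)
    for f in sorted(lateral_candidates(flows), key=lambda f: f.ts):
        by_src[f.src].append(f)

    alerts = {}
    for src, fl in by_src.items():
        start = 0
        for end in range(len(fl)):
            while fl[end].ts - fl[start].ts > window:   # slide the window forward
                start += 1
            peers = {f.dst for f in fl[start:end + 1]}
            if len(peers) >= threshold:
                alerts[src] = (fl[start].ts, sorted(peers))
                break
    return alerts


def new_peers(flows, baseline):
    """Candidate flows whose (src, dst, dport) triple never appeared in the baseline:
    a lower-confidence signal for first-time admin connections."""
    return [f for f in lateral_candidates(flows)
            if (f.src, f.dst, f.dport) not in baseline]


# Constructed sample records (made up for this example, not captured traffic).
SAMPLE_FLOWS = [
    # Normal: the workstation reaching the file server it always uses, ~18 min earlier.
    Flow(1699999000, "10.1.20.15", "10.1.10.5", 445, 6, 48000),
    # Normal: a jump host opening RDP to two servers (below the threshold).
    Flow(1700000010, "10.1.5.2", "10.1.30.10", 3389, 6, 120000),
    Flow(1700000040, "10.1.5.2", "10.1.30.11", 3389, 6, 95000),
    # Suspicious: the same workstation probing six peers over SMB in three minutes.
    Flow(1700000100, "10.1.20.15", "10.1.20.21", 445, 6, 1200),
    Flow(1700000130, "10.1.20.15", "10.1.20.22", 445, 6, 1180),
    Flow(1700000160, "10.1.20.15", "10.1.20.23", 445, 6, 1210),
    Flow(1700000200, "10.1.20.15", "10.1.20.24", 445, 6, 1195),
    Flow(1700000240, "10.1.20.15", "10.1.20.25", 445, 6, 1230),
    Flow(1700000280, "10.1.20.15", "10.1.20.26", 445, 6, 1188),
    # Ignored by this heuristic: SMB to the Internet is an egress-policy question, not lateral movement.
    Flow(1700000300, "10.1.20.15", "203.0.113.9", 445, 6, 900),
    # Ignored: UDP datagram to 445 is not a session to an admin service.
    Flow(1700000310, "10.1.20.15", "10.1.20.27", 445, 17, 200),
]

# Assumed baseline of (src, dst, dport) triples learned from earlier, clean traffic.
BASELINE = {
    ("10.1.20.15", "10.1.10.5", 445),
    ("10.1.5.2", "10.1.30.10", 3389),
    ("10.1.5.2", "10.1.30.11", 3389),
}

if __name__ == "__main__":
    for src, (ts, peers) in detect_fanout(SAMPLE_FLOWS).items():
        print(f"fan-out alert: {src} reached {len(peers)} internal admin peers from t={ts}: {peers}")
    for f in new_peers(SAMPLE_FLOWS, BASELINE):
        print(f"new peer: {f.src} -> {f.dst}:{f.dport} ({LATERAL_PORTS[f.dport]})")
```

Run against the sample records, the workstation 10.1.20.15 is flagged once it has reached five distinct peers on SMB inside the 300-second window, while the jump host’s two RDP sessions stay under the threshold. The fan-out rule is the higher-confidence signal; the baseline comparison will also list legitimate first-time connections, so in practice it is best used to enrich an alert rather than raise one on its own.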

Concluding thoughts 

Ransomware isn’t going away. In fact, it’s only going to get worse. With ransomware-as-a-service growing in popularity over the last few years, it has become easier for malicious actors to harm organizations. But by using a flow-based NDR system to detect lateral movement, you can quickly stop ransomware from reaching critical business data and systems, limiting the impact it has on your business. If you do fall victim to a ransomware attack, there is some light at the end of the tunnel: the US recently seized $6.1 million in ransomware payments. If you have paid a ransom, work with law enforcement and give them information such as the network traffic details leading up to the lockout and the payment address (cryptocurrency wallet) to which you sent the funds.