Ransomware – Expert Talk

Do you want to avoid becoming a victim of Ransomware? And are you responsible for protecting your enterprise against cyber attacks?

In the Expert Talk below by Swiss IT Security Group (blog and video), Maik Morgenstern, CTO of AV-TEST, and Tobi Träbing, Technical Director EMEA of XM Cyber, share examples, learnings and suggestions on how to avoid becoming a victim of ransomware and how to prevent major damage to your enterprise.

Tobias Träbing: “Maik, what lines of business are the main targets for ransomware attacks?”

Maik Morgenstern: “Everyone is a target, no matter if small and medium business or Fortune 500 enterprises. All attackers have in mind is the maximum financial gain. Different studies do list a top 10, however, according to their own data:
Trellix reports Banking, Utilities and Retail as top three for 2021 while Sophos reported Media, Retail and Energy/Utilities for 2022. Other targets include transport, professional services, education and even healthcare.

Although certain lines of business seem to be more prone to attacks than others, ransomware remains a constant threat for all enterprises and has been growing in importance over the last few years. But of course, companies are ill advised to focus on ransomware only. In fact, cybercrime has become a whole business sector on its own.”

Watch the full Ransomware Video:


Tobias Träbing: “Can you describe the landscape of security incidents? What are the most important categories?”

Maik Morgenstern: “This is all interconnected. Identity theft may be used to set up phishing sites or other social engineering attacks which will lead to credential theft, and this in turn is the major infection vector that leads to ransomware. An IBM study said that in 2021 45% of ransomware attacks happened through phishing or social engineering: Attackers are no longer breaking in, they are logging in.

Security incidents in general are usually made possible by vulnerabilities in IT infrastructures. Ransomware attacks, on the other hand, are in certain ways special cases of security incidents because they rely heavily on the human factor, on mistakes made or careless user behavior. Those flaws cannot easily be fixed, but in the end, what matters much more is to ensure that mistakes and careless user behavior do not lead to catastrophic effects. Therefore, the principle of Attack Path Management does not focus on preventing the ransomware attack, but on minimizing the damage by stopping the attack in its early stages.”


Maik Morgenstern: “Tobi, what are the most common exposures that lead to ransomware compromise? And what are some best practices you recommend to reduce risk?”

Tobias Träbing: “Ransomware families often exploit known and common software vulnerabilities and IT Security misconfigurations like over-permissive user credentials or same local credentials to propagate themselves through the network.

Understanding the chaining of the different security issues is key to overcoming security threats, particularly ransomware families. Essential steps/recommendations that have proven to be successful in limiting security issues are:

• Continuous visibility of attack techniques and vectors to understand exposure
• Implementation of a robust and intelligent vulnerability management process (not only covering software vulnerabilities but all security-related issues)
• Implementation of a robust IT security hygiene program to overcome siloed issues holistically to reduce any negative impact of infections/attacks

As in most areas of IT, the threat landscape changes rapidly. Every year, there are a few attacks that make it to the front page, either because of the amount of damage, the spotlight on the target or the innovative nature of the attack.”


Tobias Träbing: “Maik, in that respect, what have been the trends in 2022? Which areas are the most prominent ones? Which incidents were the most notable ones?”

Maik Morgenstern: “When we look at the history of ransomware, it all started with malware that was locking your devices, then threatened to delete your data and finally evolved to what people nowadays understand as ransomware: Malware that will encrypt your data and demand a ransom to decrypt them. In the past few years a new approach was used: Double Extortion Ransomware. On top of just encrypting files, the data is also exfiltrated and the attacker threatens to release the data if no ransom is paid. Besides that, we see a constant improvement in the technologies used as EPP and EDR products that is making successful attacks harder.”


Demand for continuous and automated attack simulations increases

Many ransomware attacks are successful only because of lucky timing. The internal security tools may have already detected the attack, but one single user unaware of the consequences can still unleash the catastrophe.


Maik Morgenstern: “Is timing a crucial factor for ransomware attacks? How do Attack Path Management Services factor in when it comes to reducing cyber risk and closing security gaps?”

Tobias Träbing: “Yes, timing is definitely a crucial factor for ransomware attacks. Some attacks will only be successful at a certain time of the day or on a certain day of the week, for example because you may reach less security conscious or focused staff at night or on weekends. In the early morning, a phishing e-mail may reach an employee that might otherwise have already received a warning from the IT department.  

And timing is also a critical factor in understanding attack paths and exposures within companies. Very often, companies and responsible stakeholders use “ad-hoc” processes or timely inefficient ways to assess the infrastructure like vulnerability scans and penetration tests. These analyses only provide a snapshot of a given timeframe or even environment – this will not help companies keep control of the ever-changing landscape of their environment.

We now see more and more Cloud and IaaS providers being used, enabling businesses to run operations even faster than before – yet this dynamic is increasing the risk of overlooking exposures and security issues.

As the Attack Path Management Services run continuously 24×7, the platform can tell organizations at any given point in time:

    what their exposures are and

    how changes within the environment are affecting these exposures.


APM Services therefore help to:

    quickly and easily understand the impact of new security issues (e.g., Log4j),

    measure and quantify the cyber risk to communicate that to other stakeholders easily and

    understand what can be done to overcome the exposures in the most efficient way.”
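The two ideas Tobias describes, that individual security issues chain into attack paths towards critical assets and that a continuous assessment should show how a change in the environment affects those paths, can be illustrated with a small attack-graph model. The following is an added example written for this post; it is not code from the interview, from AV-TEST, XM Cyber or SITS Group, and the asset names and exposure labels are constructed for illustration. Edges say "whoever controls the source asset can reach the target asset by abusing this exposure", entry points are where an initial compromise (for example a phished workstation) lands, and critical assets are what the business must protect.

```python
from collections import Counter, defaultdict

# Constructed example environment (not from the page or any product).
# Each edge: (source_asset, target_asset, exposure that links them).
EDGES = [
    ("workstation-01", "fileserver", "shared-local-admin-password"),
    ("workstation-01", "workstation-02", "shared-local-admin-password"),
    ("workstation-02", "app-server", "unpatched-known-vulnerability"),
    ("fileserver", "app-server", "over-permissive-service-account"),
    ("fileserver", "backup-server", "over-permissive-service-account"),
    ("app-server", "domain-controller", "cached-domain-admin-credentials"),
]
ENTRY_POINTS = ["workstation-01"]          # where a phished user sits (assumed)
CRITICAL_ASSETS = {"domain-controller", "backup-server"}


def build_graph(edges):
    """Adjacency list: asset -> [(reachable_asset, exposure), ...]."""
    graph = defaultdict(list)
    for src, dst, exposure in edges:
        graph[src].append((dst, exposure))
    return graph


def attack_paths(edges, entry_points, critical_assets):
    """Enumerate every simple path from an entry point to a critical asset.

    A path is a list of hops (src, dst, exposure). The walk continues past a
    critical asset because it may itself be a stepping stone to another one.
    """
    graph = build_graph(edges)
    paths = []

    def walk(asset, visited, hops):
        for nxt, exposure in graph.get(asset, []):
            if nxt in visited:          # no cycles: simple paths only
                continue
            new_hops = hops + [(asset, nxt, exposure)]
            if nxt in critical_assets:
                paths.append(new_hops)
            walk(nxt, visited | {nxt}, new_hops)

    for entry in entry_points:
        walk(entry, {entry}, [])
    return paths


def choke_points(paths):
    """Count in how many distinct paths each exposure is abused.

    An exposure that sits on many paths is the cheapest fix: removing it
    closes all of those paths at once.
    """
    counts = Counter()
    for path in paths:
        for exposure in {exposure for _, _, exposure in path}:
            counts[exposure] += 1
    return counts


def remediate(edges, exposure):
    """Model fixing one exposure everywhere: the change a re-assessment sees."""
    return [edge for edge in edges if edge[2] != exposure]


def exposure_report(edges, entry_points, critical_assets):
    """The point-in-time answer: which critical assets are reachable, over
    how many paths, and which exposures are the choke points."""
    paths = attack_paths(edges, entry_points, critical_assets)
    return {
        "path_count": len(paths),
        "critical_reached": sorted({path[-1][1] for path in paths}),
        "choke_points": choke_points(paths).most_common(),
    }


if __name__ == "__main__":
    before = exposure_report(EDGES, ENTRY_POINTS, CRITICAL_ASSETS)
    print("current exposure:", before)
    # Re-assess after the top choke point has been fixed.
    top_exposure = before["choke_points"][0][0]
    after = exposure_report(remediate(EDGES, top_exposure), ENTRY_POINTS, CRITICAL_ASSETS)
    print(f"after fixing {top_exposure}:", after)
```

Running it shows three paths from the phished workstation, all of which start by abusing the shared local admin password; fixing that single exposure removes every path, whereas fixing the cached domain admin credentials only protects the domain controller and still leaves the backup server reachable. Re-running the report after each change is the "how changes affect the exposures" view; in a real environment the edge list would be fed from inventory, vulnerability and identity data rather than typed in by hand.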


Unusual attack paths - understanding the hacker

Although cyber attacks in general and ransomware attacks in particular leave anyone thinking about them with an uneasy feeling, they also provoke a certain sense of fascination.


Tobias Träbing: “Maik, what is the most unusual ransomware attack you have encountered?”

Maik Morgenstern: “Probably when Lockbit attacked a children’s hospital and then later posted a public apology and provided a decryptor for free. This case is also a great example for one of the most interesting trends in the “ransomware industry”. After the incident, Lockbit blamed a “partner” for the infection. This bizarre constellation was made possible by the fact that Lockbit provides “affiliates” access to their malware in return for a cut of the ransom profits: “Ransomware as a service”.

The world of IT moves fast. An attacker moves even faster. As IT security tools become more and more sophisticated, so do the attacks. And the attacker often seems to be the decisive step ahead.”


Tobias Träbing: “In what ways have attacks become more sophisticated?”

Maik Morgenstern: “In the beginning of the ransomware era, an infected system would be encrypted right away, and a ransom would be demanded by the attacker. Attackers wouldn’t know whether this was an interesting, high-profile target or not.
Attackers did learn that they could earn more money if they attack certain organizations with more sensitive data. So, they will carefully assess the situation once they have access to a network to decide whether this is a good target. They will then start to move through the network and look for the most sensitive data and systems to exfiltrate or to encrypt. This allows attackers to use their resources on those targets that would possibly pay higher ransom fees.”

How to beat the hacker

Maik Morgenstern: “Tobi, how can Attack Path Management Services help? How do they support organizations in preventing and mitigating ransomware risks?”

Tobias Träbing: “Attack Path Management Services, by using the XM Cyber platform, continuously assess all different attack vectors and techniques of ransomware families to understand how they could spread within the network. Being able to understand the underlying security issues like, for example, software vulnerabilities, IT security hygiene and risky user behavior is key to stopping and preventing ransomware attacks.

The platform thus provides an overview of the network, of how attackers can see your network, and with the managed services from your company, SITS Group, companies will understand what needs to be fixed to stop the attack paths of ransomware families to all entities (cloud, on-prem, hybrid), but most importantly to critical assets, to ensure business continuity and confidentiality, integrity and availability of data.”


Tobias Träbing: “What are the most effective measures to prevent ransomware attacks?”

Maik Morgenstern:

• Backups of all data on a regular basis.
• Identify data and systems that need special attention or extra protection.
• Use defense in depth with several security layers. Even if one layer fails, there are still others that can stop or at least detect the attack.


Tobias Träbing: “What is the best reaction in case something has already happened?”