What is Ransomware and how do I protect my organisation?

Ransomware, what is it?

Ransomware is malicious software, or malware, that encrypts the information on a person’s computer. It will not  release these files until the user pays a fee — or ransom — to unlock these files and get them back.


Ransomware has quickly become the most profitable type of malware ever seen and is on its way to becoming a $1 billion annual market.

But how do computers get infected to begin with?

Ransomware commonly makes its way onto a computer or network through the web or email. On a website, ransomware may infiltrate through infected ads that can deliver malware, known as “malvertising.” Users surf sites with malicious ads that automatically download malware or redirect them to exploit kits. In email, ransomware uses phishing or spam messages to gain a foothold. Users merely have to click links in phishing or spam email or open attachments for ransomware to download and call out to its command-and- control server.

You mention exploit kits, what are they?

Ransomware can also take control of systems by using exploit kits. Exploit kits are software kits designed to identify software vulnerabilities on end systems. They then upload and run malicious code, such as ransomware, on those vulnerable systems.

I’ve heard of something called the Ransomware kill chain, what’s that?

The infection or attack process outlined above can usually be broken down into seven stages, not all attacks use every stage, but these are the most common.



The term “kill chain” refers to the ability to block an attack at any of these specific stages if the correct capabilities can be employed. The kill chain helps us understand and combat ransomware, security breaches, and advanced persistent attacks (APTs).

RECON: The attacker gathers information to help them create seemingly trustworthy places and messages to stage their malvertisements and phishing emails.

STAGE: Using information collected during RECON, the cybercriminals try to fool users into opening e-mails or clicking on links.

LAUNCH: The staging sites redirect from trustworthy-looking sites to sites that launch the exploit kits and/or other malicious content.

EXPLOIT: When a user is at the compromised site, their system is scanned for vulnerabilities that are then exploited to take control of the user’s system.

INSTALL: Once an exploit has taken control, the final dropped file/tool is installed that will infect and encrypt the victim’s system—the ransomware payload. This stage may also include additional executables to deliver other malware in the future.

CALLBACK: Once infected, the malware “calls home” to a command-and-control server (C2) where it retrieves keys to perform the encryption or receive additional instructions.

PERSIST: The files on the hard disk, mapped network drives, and USB devices are encrypted and a notice or splash screen pops up with instructions to pay the ransom to restore the original files. This notice persists, and at times deletes files, as a timer counts down to the expiration of being able to retrieve the unlock keys, putting extreme pressure on the user. Additionally, the exploit kit can persist and pivot to other more critical systems.

How can I use the Kill Chain to prevent Ransomware?

No single product or service can provide security through every step of the kill chain. By understanding the specific stages of the kill chain, you tailor security capabilities to create multiple layers of defence in order to identify ways to prevent, detect, and respond to ransomware attacks:

  • Prevent ransomware from getting into the enterprise wherever possible
  • Stop it at the system level before it gains command and control
  • Detect when it is present in the network
  • Work to contain it from expanding to additional systems and network areas
  • Perform incident response to fix the vulnerabilities and areas that were attacked

The diagram below maps security capability to each stage of the kill chain.



What type of Security Capability do I need to deal with Ransomware:

Cisco Ransomware Defence brings together all the necessary pieces of the Cisco security architecture to address the ransomware challenge. You can choose all the pieces or select ones that fulfil an immediate security need. The Cisco Ransomware Defence solution provides an integrated and multi-layered approach to dealing with this danger. Each security element provides protection from a multitude of external and internal threats but when brought together as an integrated system, the Cisco solution offers unprecedented visibility and control.

Cube Cyber is a Cisco Systems Advanced Security Architecture partner. We work closely with Cisco Systems to delivery products and services that provide you with the security capability required to effectively prevent, detect, and respond to ransomware attacks.

Ransomware Defence comprises:

Cisco Umbrella protects devices on and off the corporate network. It blocks DNS requests before a device can even connect to malicious sites hosting ransomware.

Cisco Advanced Malware Protection (AMP) for Endpoints blocks ransomware files from opening on endpoints.

Cisco Email Security with Advanced Malware Protection (AMP) blocks spam and phishing emails and malicious email attachments and URLs. The AMP technology is the same at that applied on the endpoint, but it’s deployed at the email gateway.

Cisco Firepower Next-Generation Firewall with Advanced Malware Protection (AMP) and Threat Grid sandboxing technology blocks known threats and command-and-control callbacks while providing dynamic analysis for unknown malware and threats.

Cisco ISE via the Cisco network to dynamically segment your network, so access to services and applications stays highly secure and ransomware cannot spread laterally.

The Cube Cyber difference:

With decades of cybersecurity experience, the team at Cube Cyber pride ourselves on delivering effective security solutions to real threats. Our team have a proven track record of delivering these solutions to both small and large complex network environments.

The key differences you will find working with us include:

  • A philosophy of long term partnering and engagement with our clients
  • A commitment to lower risk, lower complexity and increased effectiveness
  • Properly engineered systems approach addressing the full operational lifecycle
  • Professionally commissioned systems with focus on design, testing and operational integrity
  • A focus on cybersecurity you won’t find elsewhere – it is all we do.

Contact us to discuss how we can help.