Ransomware Protection

We may all be targets, but we don’t have to be victims


With new cases reported nearly every day, ransomware has become an inescapable part of the security conversation. Attacks are seen in organizations of every size and industry, and victims can suffer a loss of productivity, revenue, and confidence, in addition to the costs of recovery, and the threat of confidential information being leaked or sold.

It doesn’t have to be this way.

Ransomware is a threat that can be handled by adopting recommended defensive and resilience practices and technologies, and leveraging information and advice shared within a community of vigilant protectors.

Rapid7 is proud to be a part of that community. We have some of the foremost thinkers, researchers, and engineers actively engaging in the conversations around ransomware and encourage them to use our platform to help inform as many security professionals as possible.

What is ransomware?

At its core, ransomware is digital extortion. Cyberattackers use a variety of tactics to disrupt an organization’s operations or hold its data hostage so they can then force the organization to pay a ransom to secure a return to standard operations. Often, those same bad actors will also steal data and threaten to leak or sell it to other nefarious outfits if a second payment is not made. This is known as a double extortion attack. It is nearly impossible to completely inoculate an organization against ransomware attacks, but it is possible to dramatically improve an organization’s ability to weather an attack, reduce the odds of it being hit, and make it more expensive and inconvenient for cybercriminals to mount attacks.


Bad Credential Hygiene Makes It Easy for Attackers to Breach Systems

The credentials we use to access our networks are among the most important defenses against nefarious actors. Unfortunately, too often, those passwords let us down. In this report, we compared Rapid7’s own honeypots with industry-standard credentials lists utilized by pentesters and attackers to better understand the state of password management. And what we found should give anyone pause.

Good Passwords for Bad Bots confirms what many have already suspected about password health and how automated attackers exploit poor credential hygiene to access cloud and remote desktop networks. We show the top passwords and usernames used to access critical infrastructure, offer best practices for improving your credentials (ahem, password managers), and show how to continuously search for bad creds throughout your networks. Take a look at the report and hope that your credentials aren’t on the list.

The 2022 SANS Report is Out

The annual SANS Top New Attacks and Threat Report is out and full of some of the most critical data and best practices from some of the industry’s leading cybersecurity experts. Based each year on the SANS Institute’s “Five Most Dangerous Attacks” panel at RSA, the Top New Attacks and Threat Report looks at the trends in attacker behavior and their impact on organizations of every size and sector. In addition to the latest statistics on threats, attacks, and breaches from the first quarter of 2022, this year’s report looks at how old threats like stalkerware and living off the land are finding new life among attackers as they venture into the cloud. There are also important tips on the need for multi-factor authentication and how to use it to its full advantage. And, as always, there are the latest best practices your security team should know to keep attackers at bay.


How does ransomware happen?

In the purest sense, ransomware is a type of malware that uses cryptography to lock data or systems up so they can be held for ransom. It exploits weaknesses within a network or organization, which could be within the network’s architecture, its third-party entry points, or even within its users themselves. It is important to note that in recent times, the term “ransomware” has become a catch-all for any extortion-based attacks, and may not actually include the delivery of malware itself. For example, some reported ransomware attacks actually leverage Distributed Denial of Service (DDoS), which does not involve malware, but rather involves attackers overloading systems with too much traffic until they fail.

For ransomware malware, the most common infiltration methods include spear phishing, stolen credentials, VPN/remote access exploitation, web browser or application exploitation, and removable media. From there, attackers find ways to move through the network and encrypt data in order to extort a ransom from the organization. This lateral movement can be carried out in a number of ways, including command-line or graphical interfaces, scripting, user execution, and others.

Ultimately, preventing ransomware attacks means defending many points of entry across an entire network from unknown attackers seeking just a single weak spot to enter.


Groundbreaking Research on Double Extortion

Double extortion ransomware is a relatively new and pernicious component to the overall ransomware problem. From its initial implementation by the Maze ransomware group just a few short years ago, to the proliferation of many groups, each employing the practice to devastating effect, double extortion has proven to be a tactic in critical need of analysis. In a first-of-its-kind report, Rapid7 uses proprietary data from the clear, deep, and dark web to analyze the disclosure layer of double extortion ransomware attacks. We’ve done this because knowing your enemy, their tactics, strategies, and eccentricities is the first step toward defeating them. Our analysts have determined what data is most commonly disclosed by attackers, how those disclosures differ from industry to industry, and what data different threat actors prefer to disclose. We look at the double extortion layer of ransomware in a way no one has before.

Responding to the ransomware threat

It’s important to remember that there is no silver bullet for preventing ransomware, but there are plenty of silver linings. For instance, a core component of a solid prevention plan is instituting best practices within your workforce that can defend against any number of attacks.

Typically, a robust ransomware prevention and remediation plan has three parts to guide your organization’s actions: before the attack, during the attack, and after the attack.

Before the attack:

The key to prevention is minimizing the attack surface a bad actor has to work within. That means proper workforce training to prevent phishing exploitation, credential theft, or visiting compromised websites.

It is also critical to have a robust backup regime that allows you to restore your data to a point before the attack. Finally, make sure you have a full incident response plan in place. This includes asking frank questions about your preparedness, understanding what measures you will take to identify ransomware before encryption takes place, how to contain those breaches, how to recover lost data, and how to eradicate an existing threat. Make sure your incident response plan is available offline.

During the attack:

Once an attack is underway, the single most important goal your team should have is mitigating the impact. This means operationalizing your incident response plan, restoring data from backups, issuing new assets that are clean and free of exposure, and remediating initial access and execution vectors to prevent repeat attacks.

One of the biggest questions businesses face at this point is whether to pay the ransom. It is a complicated question rife with competing interests, viewpoints, and legal ramifications. We explore this question in depth in our Ransomware Playbook and offer alternative solutions to simply paying the ransom.

After the attack:

Once the worst is over, it is critical that your team debrief to determine how well your plan worked and whether there are gaps or weaknesses that need to be addressed. There are also several remediation and mitigation steps to take, including rebuilding systems from a known-good baseline, quarantining endpoints, changing credentials, and locking compromised accounts.
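One way to put the “identify ransomware before encryption takes place” goal from the plan above into practice is a detection rule over file-system audit events. The following is an added example, not code from Rapid7 or from this page; the event schema (host, ISO timestamp, operation, path), the thresholds and the events themselves are constructed assumptions. It flags a host when a burst of extension-changing renames lands inside a short sliding window, the footprint a bulk encrypter leaves while a normal user’s edits stay well below the threshold.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample file-system audit events: (host, ISO timestamp, operation, path).
# The schema is an assumption; a real EDR or IDR feed would supply the events.
# ws-01 does ordinary document edits; ws-07 renames 40 files to ".locked" in 40 seconds.
SAMPLE_EVENTS = [
    ("ws-01", "2022-06-01T09:00:00", "write", "C:/Users/a/Documents/q1.xlsx"),
    ("ws-01", "2022-06-01T09:05:00", "rename",
     "C:/Users/a/Documents/draft.docx -> C:/Users/a/Documents/final.docx"),
] + [
    ("ws-07", f"2022-06-01T09:10:{i:02d}", "rename",
     f"C:/Users/b/Shares/report{i}.docx -> C:/Users/b/Shares/report{i}.docx.locked")
    for i in range(40)
]

WINDOW = timedelta(seconds=60)   # sliding window length
RENAME_THRESHOLD = 25            # extension-changing renames per window that trigger an alert

def extension_changed(rename_path):
    """True when a 'src -> dst' rename leaves the file with a different extension."""
    src, _, dst = rename_path.partition(" -> ")
    return src.rsplit(".", 1)[-1].lower() != dst.rsplit(".", 1)[-1].lower()

def group_by_host(events):
    """Sort each host's events by time so the sliding window can scan them in order."""
    per_host = defaultdict(list)
    for host, ts, op, path in events:
        per_host[host].append((datetime.fromisoformat(ts), op, path))
    return {host: sorted(rows) for host, rows in per_host.items()}

def flag_mass_encryption(events, window=WINDOW, threshold=RENAME_THRESHOLD):
    """Return {host: peak_count} for hosts whose extension-changing renames reach
    the threshold inside any window; benign hosts are absent from the result."""
    alerts = {}
    for host, rows in group_by_host(events).items():
        times = [t for t, op, path in rows if op == "rename" and extension_changed(path)]
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop events that fell out of the window
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[host] = max(alerts.get(host, 0), count)
    return alerts

if __name__ == "__main__":
    print(flag_mass_encryption(SAMPLE_EVENTS))   # {'ws-07': 40}
```

The window and threshold should be tuned against a baseline of each environment’s normal rename volume so that backup jobs and bulk document conversions do not trip the rule.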


How can we help?

There’s no single solution to ransomware that can completely inoculate your organization against the threat, and protecting every entry into your networks from ransomware can feel like an uphill climb. But while we may all be targets, we don't have to be victims. There are many internal and external tactics and products that, when used together, can give you the best line of defense available.

Attackers are working together, training each other, spreading their knowledge, and sharing their tactics and technologies. The good news is so are we. At Rapid7, we have industry-leading vulnerability risk management (InsightVM) and incident detection and response (InsightIDR) solutions that can help you understand and reduce your attack surface, identify risks, detect ransomware, and eradicate it within your networks as quickly and cleanly as possible. We are constantly and consistently improving these offerings to evolve alongside the threat of ransomware so you can be assured that our solutions will keep up with your internal efforts. When it comes down to protecting yourself from ransomware, you are not alone.
