17 July 2025

Ransomware attacks have evolved. Have you?

Cybercriminals are innovative, agile, and tenacious. Most medium and large enterprises are not. Ransomware gangs have significantly changed the way they operate in the last 12 to 18 months. But, have you significantly changed your approach to detection and response for ransomware events in your organisation? No, didn’t think so.

How it begins

Some things haven’t changed. Most ransomware attacks still start the way they always have. Someone clicks a phishing link. A password gets reused. A system goes unpatched. In fact, the top three breach methods remain the same:

– 78% start with human error: including phishing, stolen credentials, compromised employees or social engineering
– 11% come from misconfigured or unpatched systems: including system integration points such as poorly developed APIs
– Only 3% involve zero-day exploits

Then: quiet, patient, and hidden in plain sight

Attackers haven’t changed the way they get in, but they have changed what they do once they’re inside. Two years ago, attackers took their time. Once they had access, they’d quietly explore. Their approach was known as ‘living off the land,’ using the tools and credentials already inside your environment to avoid detection. They would:

– Use PowerShell to run commands without downloading new tools
– Use Remote Desktop Protocol (RDP) to move around your environment
– Set up scheduled tasks to ensure that access privileges remained in place
– Exploit default admin accounts to hide in plain sight

All the time, they would be quietly seeding their ransomware scripts across systems, often spreading them into backups unnoticed. The longer they stayed, the more control they gained, and the more chaos they would cause when they finally ‘pulled the trigger’ on the attack.

Two years ago, the average ‘dwell time’ was well over 100 days.
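The four behaviours above all leave traces in ordinary Windows logging, which is what EDR and SIEM rules key on. The following is an added example, not Predatar code and not from the original post: it runs simple detection logic over a handful of constructed event records (a pipe-delimited stand-in for Security and PowerShell logs; event IDs 4624 logon with LogonType 10 for RDP, 4698 scheduled task created, 4104 PowerShell script block) and reports sessions where two or more of the listed behaviours coincide. The record format, host names and threshold are assumptions for the example.

```python
"""Added example (not Predatar's code): flag living-off-the-land behaviour
in constructed Windows event records.

Record format (constructed for this example):
    timestamp|host|event_id|user|key=value;key=value
Event IDs used: 4624 = successful logon (LogonType 10 = RDP),
4698 = scheduled task created, 4104 = PowerShell script block logged.
"""
from collections import defaultdict

RDP_LOGON_TYPE = "10"
BUILTIN_ADMIN = "administrator"

# Constructed sample data: one admin account hopping FS01 -> BK01 over RDP
# at 1 a.m., plus an ordinary daytime user on WS22 for contrast.
SAMPLE_EVENTS = """\
2025-06-02T01:12:03|FS01|4624|CORP\\Administrator|LogonType=10;Source=10.0.5.17
2025-06-02T01:13:41|FS01|4104|CORP\\Administrator|ScriptBlock=Get-Service -Name *
2025-06-02T01:15:09|FS01|4698|CORP\\Administrator|TaskName=\\Microsoft\\Windows\\Sync\\refresh
2025-06-02T01:20:55|BK01|4624|CORP\\Administrator|LogonType=10;Source=10.0.5.17
2025-06-02T09:00:00|WS22|4624|CORP\\jsmith|LogonType=2;Source=-
2025-06-02T09:05:12|WS22|4104|CORP\\jsmith|ScriptBlock=Get-ChildItem C:\\Reports
"""


def parse_events(text):
    """Turn the constructed pipe-delimited records into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event_id, user, detail = line.split("|", 4)
        fields = {}
        for kv in detail.split(";"):
            key, _, value = kv.partition("=")
            fields[key] = value
        events.append({"ts": ts, "host": host, "id": event_id,
                       "user": user, "fields": fields})
    return events


def find_lotl_sessions(events, min_indicators=2):
    """Group events per (user, host) and apply the four behaviours from the post.

    Every rule keys off an RDP session so that normal console PowerShell use
    by a developer does not fire on its own.
    """
    per_session = defaultdict(lambda: {"rdp": 0, "powershell": 0, "tasks": 0})
    for e in events:
        s = per_session[(e["user"], e["host"])]
        if e["id"] == "4624" and e["fields"].get("LogonType") == RDP_LOGON_TYPE:
            s["rdp"] += 1
        elif e["id"] == "4104":
            s["powershell"] += 1
        elif e["id"] == "4698":
            s["tasks"] += 1

    # Lateral movement: the same account has RDP sessions on more than one host.
    rdp_hosts = defaultdict(set)
    for (user, host), s in per_session.items():
        if s["rdp"]:
            rdp_hosts[user].add(host)

    findings = []
    for (user, host), s in sorted(per_session.items()):
        if not s["rdp"]:
            continue
        reasons = []
        if user.split("\\")[-1].lower() == BUILTIN_ADMIN:
            reasons.append("built-in Administrator account used over RDP")
        if len(rdp_hosts[user]) > 1:
            reasons.append("same account has RDP sessions on %d hosts (lateral movement)"
                           % len(rdp_hosts[user]))
        if s["tasks"]:
            reasons.append("scheduled task created during RDP session (persistence)")
        if s["powershell"]:
            reasons.append("PowerShell script blocks run during RDP session")
        if len(reasons) >= min_indicators:
            findings.append({"user": user, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_lotl_sessions(parse_events(SAMPLE_EVENTS)):
        print(f"{f['host']} {f['user']}: " + "; ".join(f["reasons"]))
```

On the sample data the 1 a.m. Administrator session on FS01 trips all four rules and BK01 trips two (built-in admin over RDP, second host), while jsmith on WS22 is never reported because there is no RDP session to anchor the other indicators to. The threshold and the choice to require an RDP session are tuning decisions; in a real SIEM the same logic would be expressed as a correlation rule over the equivalent event IDs.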

Now: fast, automated and clinical

This approach no longer works. Security technology has improved significantly. Businesses are investing more than ever in tools like:

– EDR (Endpoint Detection and Response)
– XDR (Extended Detection and Response)
– SIEM platforms with real-time alerting

These tools detect behaviour patterns, track lateral movement, and raise alerts much earlier than they did before. To stay ahead, attackers have flipped the playbook.

Now they use automated reconnaissance tools (used in 91% of modern breaches). These tools scan entire environments in hours, logging keystrokes, showing attackers where backups are stored, how security policies are configured, and which systems hold the keys.

From breach to boom can now take less than 14 days.

What attackers target first

Once they’re in, attackers don’t waste any time. Their priorities are usually the same:

– Active Directory: to escalate access and move freely
– Backup systems: to delete copies, corrupt data or block recovery
– Security tools: to modify policies, disable alerts and whitelist malware

They time the final attack – often referred to as the “boom moment” – for when your team is least ready. Think long weekends and public holidays.

Why your security tools aren’t catching everything

Here’s the part that often gets missed. Production security tools aren’t typically configured to scan every file on every system, every day. Doing this would kill the performance of production systems and seriously impact your business’s ability to operate.

Instead, they typically scan files when:
– They’re created
– They’re modified
– Occasionally, when they’re accessed

This means if malware slips past the perimeter defences, it can go completely undetected. So what’s the answer?

The answer (and probably some malware) is in your backups.

The team at Predatar has realised something very powerful. Your backups are much more than a last line of defence: they can be the frontline in threat detection. Your backups are a copy of all of your data, and while it’s not practical to continuously scan your production systems every day, you can scan your backups.
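The practical difference between on-access scanning and scanning a backup is that a backup snapshot can be read end to end, so a file that was planted months ago and never touched since still gets looked at. The following is an added example, not Predatar's platform or Trend Micro's engine: it walks a small constructed in-memory snapshot, reads every file once, and applies two cheap offline checks that the findings later in the post are about, a ransom-note phrase match and a Shannon-entropy test for encrypted payloads in file types that should not be high-entropy. The phrases, the 7.5 bits/byte threshold and the compressed-extension list are assumptions for the example.

```python
"""Added example (not Predatar's code): scan a backup snapshot offline,
reading every file once regardless of when it was created, modified
or last accessed."""
import math
import os
import random
from collections import Counter

# Assumption: encrypted or random payloads sit near 8.0 bits/byte;
# ordinary documents are well below this.
HIGH_ENTROPY_BITS = 7.5
# Formats that are already compressed are expected to be high entropy,
# so they are exempt from the entropy rule to avoid false positives.
ALREADY_COMPRESSED = {".zip", ".gz", ".7z", ".jpg", ".png", ".mp4"}
# Constructed ransom-note phrases; a production scanner uses vendor signatures.
NOTE_PHRASES = ("your files have been encrypted", "to recover your files")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_snapshot(snapshot: dict) -> list:
    """snapshot maps relative path -> file bytes.  Returns one finding per
    suspicious file, in path order, so repeated scans are comparable."""
    findings = []
    for path, data in sorted(snapshot.items()):
        # Rule 1: ransom-note text anywhere in the first 4 KiB.
        head = data[:4096].decode("utf-8", errors="ignore").lower()
        if any(phrase in head for phrase in NOTE_PHRASES):
            findings.append({"path": path, "reason": "ransom note text"})
            continue
        # Rule 2: random-looking content in a file type that should be structured.
        ext = os.path.splitext(path)[1].lower()
        bits = shannon_entropy(data)
        if bits >= HIGH_ENTROPY_BITS and ext not in ALREADY_COMPRESSED:
            findings.append({
                "path": path,
                "reason": f"high entropy ({bits:.2f} bits/byte) for {ext or 'no'} extension",
            })
    return findings


def build_sample_snapshot() -> dict:
    """Constructed snapshot: one clean document, one spreadsheet that has been
    overwritten with ciphertext, one legitimately high-entropy image, and a
    ransom note left in the root."""
    rng = random.Random(2025)  # seeded so the example is reproducible
    return {
        "finance/notes.txt": b"Quarterly numbers reviewed with the board.\n" * 50,
        "finance/Q2.xlsx": rng.randbytes(8192),   # stands in for an encrypted file
        "media/logo.png": rng.randbytes(8192),    # random bytes, but PNG is exempt
        "README_RESTORE.txt": b"YOUR FILES HAVE BEEN ENCRYPTED.\n"
                              b"To recover your files, follow the steps in this note.\n",
    }


if __name__ == "__main__":
    for finding in scan_snapshot(build_sample_snapshot()):
        print(f"{finding['path']}: {finding['reason']}")
```

Run against the sample snapshot this reports the ransom note and the encrypted spreadsheet and stays quiet on the text file and the PNG. Because the loop reads every file in the snapshot, it costs time in the isolated scanning environment rather than I/O on the production host, which is exactly the trade-off the section above describes.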

The Predatar Recovery Assurance platform continuously moves backups into an isolated CleanRoom, where it uses best-in-class integrated security tools from Trend Micro to interrogate every file for signs of malware, with no negative impact on production systems.

Today, businesses around the world are using Predatar to validate the recoverability and cleanliness of their data 24×7, and the findings are truly worrying.

In the last year alone, Predatar has discovered malware in more than 80% of its users’ backups. That includes:

– Active ransomware strains, complete with embedded ransom notes
– Encrypted data from attacks that customers did not realise were in progress
– And in over 50 percent of cases, reconnaissance tools that help attackers map environments and identify weak points

What does this mean for you? Let’s start with the good news. With Predatar, you can perform in-depth security scanning in your backup environment that simply isn’t possible on production systems. The bad news? Well, you probably already have malware hiding in your data.

Discover Predatar:

Discover how Predatar can help your organisation hunt down hidden malware before a crisis. Find out more at www.predatar.com, watch the short explainer video [90 seconds], or book a demo.
