Analysis: What Goes Wrong Before a Ransomware Attack

The most powerful word in root cause analysis is why. Not just what happened, but why. If you trace it back a few steps, that can give a pretty good idea of all of the factors that fed into a difficult situation.

There are a lot of factors that go into allowing a successful ransomware attack. This echoes the simplified wheel of modern infrastructure – people, process, technology. By and large, attacks are not like in the movies, where some hacker pulls up a terminal and immediately starts knocking down firewalls and transferring money or data in a few minutes. An attack is usually slow and patient – IBM’s Cost of a Data Breach Report 2024 put the total dwell time as long as 292 days. An attack usually starts with compromised access to a single account; from there the attackers methodically hopscotch across systems and services, escalating privileges and identifying key assets, until the day they move on their targets.
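The slow "hopscotch" described above leaves a trace in authentication logs: one account that normally talks to one or two hosts suddenly reaches many, or a service account shows up on a workstation. The following is an added example (not code from the Thrive post) of the kind of detection a defender can run over such logs. The log layout, the sample events, the one-hour window and the three-host threshold are all constructed assumptions, not any vendor's format or recommendation.

```python
"""Flag accounts that fan out across many hosts, or appear from new sources.

Added example, not from the original post. The log lines below are
constructed to look like a generic authentication log (timestamp, result,
user, source host, destination host); field layout and thresholds are
assumptions, not any vendor's format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a backup service account that is normally seen only
# from bk-01 starts authenticating from a workstation to one host after another.
SAMPLE_LOG = """\
2024-03-01T08:00:12 SUCCESS user=jsmith src=ws-104 dst=fileserver01
2024-03-01T08:05:40 SUCCESS user=jsmith src=ws-104 dst=fileserver01
2024-03-01T09:12:03 SUCCESS user=svc-backup src=bk-01 dst=db-02
2024-03-01T22:14:09 SUCCESS user=svc-backup src=ws-221 dst=dc-01
2024-03-01T22:16:30 SUCCESS user=svc-backup src=ws-221 dst=fileserver01
2024-03-01T22:19:55 FAIL    user=svc-backup src=ws-221 dst=hr-app
2024-03-01T22:20:10 SUCCESS user=svc-backup src=ws-221 dst=hr-app
2024-03-01T22:31:44 SUCCESS user=svc-backup src=ws-221 dst=erp-01
2024-03-02T09:00:01 SUCCESS user=jsmith src=ws-104 dst=erp-01
"""


def parse_line(line):
    """Split one constructed log line into a dict of its fields."""
    ts, result, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.fromisoformat(ts), "result": result, **kv}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_fan_out(events, window=timedelta(hours=1), max_hosts=3):
    """Return {user: hosts} for users that successfully reached more than
    max_hosts distinct destinations inside any sliding window of `window`.
    Only successful logins count; failures are noise for this check."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "SUCCESS":
            by_user[e["user"]].append(e)

    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the oldest event fits inside it.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {e["dst"] for e in evs[start:end + 1]}
            # Keep the largest offending host set seen for this user.
            if len(hosts) > max_hosts and len(hosts) > len(flagged.get(user, ())):
                flagged[user] = hosts
    return flagged


def new_sources(events, known):
    """Successful logins from a source host the account is not known to use.
    `known` maps user -> set of expected source hosts (an assumed baseline)."""
    return [e for e in events
            if e["result"] == "SUCCESS"
            and e["src"] not in known.get(e["user"], set())]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    baseline = {"svc-backup": {"bk-01"}, "jsmith": {"ws-104"}}
    for user, hosts in find_fan_out(evs).items():
        print(f"fan-out: {user} reached {sorted(hosts)} within one hour")
    for e in new_sources(evs, baseline):
        print(f"new source: {e['user']} from {e['src']} at {e['ts']}")
```

Both checks are deliberately simple: a sliding window over successful logins per account, and a comparison against a baseline of expected source hosts. On real data the baseline would be learned from history and the thresholds tuned per account class, but even this shape separates a long, patient hop across systems from a user's normal day.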

The next blog in the series will focus on best practices, but for now, we’re going to look at the “worst” practices. Or, rather, the daily, common, routine little mistakes or missed fixes that provide opportunities to attackers.

People: Finding the Backdoor

The first step in an attack is just getting access. How do they get in? According to Verizon’s Data Breach Investigations Report 2024, there are three primary “ways in”:

  • Compromised credentials (almost half of all attacks)
  • Phishing (around 20%)
  • Vulnerabilities in applications or hardware (also around 20%)

While phishing has decreased in frequency, it still remains a major threat because of how fast it moves: according to Verizon’s report, in security awareness training, it takes users only 21 seconds to click a phishing link and another 28 seconds to enter their credentials in a bogus site. That’s less than a minute for your entire infrastructure to be at risk.

Credentials can be compromised in any number of ways – and it may not be (only) people at risk. Gartner estimates that half of all compromised credentials belong to machine identities – so using easy-to-break or default passwords on cloud services, routers, and other aspects of your infrastructure is just as risky as a user scribbling their password on a sticky note.

Technology: Finding the Weak Spots

For both compromised credentials and exploited vulnerabilities, the same three services are implicated:

  • Web applications
  • Desktop sharing software
  • VPNs

While you can never completely eliminate human error (overall, 68% of all data breaches start with human error), the way that technology is being used plays a huge role in how effective an attack can be.

At some point, almost every data breach or ransomware attack takes advantage of a few different activities:

  • Exploiting unpatched vulnerabilities
  • Escalating privileges
  • Accessing unsecured services

A huge part of security comes down to good systems admin practices. It is very hard to provide a robust enough external security technology if the systems within the infrastructure are not well maintained or designed.

We have seen a variety of different administrative errors in client environments:

  • Using a single Active Directory domain rather than different domains for different physical locations as well as different operational areas (such as back office and site operations)
  • Storing backup archives within the same domain as the regular systems
  • Not enabling security features on hardware or services
  • Not performing regular updates
  • Not patching systems immediately after CVEs are released
  • Not properly restricting or managing privileges or access to services

These are common mistakes or even just delayed admin tasks that we see all the time with clients, but each mistake offers another available pathway to attackers.
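Each item in the list above can be turned into a check an administrator runs against their own inventory. The following is an added example (not code from the Thrive post) of such an audit over a small, constructed asset inventory; the record format, the patch and CVE deadlines, the approved-admin baseline and the placeholder CVE identifier are all assumptions chosen so that every check has something to flag.

```python
"""Audit a small asset inventory for the administrative mistakes listed above.

Added example, not from the original post. The inventory format and the
thresholds (patch SLA, CVE SLA, admin baseline) are assumptions; the records
are constructed so that each check has something to report.
"""
from datetime import date, timedelta

AS_OF = date(2024, 6, 1)          # constructed "today" for the audit
PATCH_SLA = timedelta(days=14)    # assumed maximum age of the last patch cycle
CVE_SLA = timedelta(days=7)       # assumed maximum days an open CVE may wait

# Constructed inventory: one AD domain spans HQ and a plant, backups included.
HOSTS = [
    {"name": "dc-01", "domain": "corp.example", "site": "hq", "role": "domain-controller",
     "last_patched": date(2024, 5, 25), "open_cves": []},
    {"name": "erp-01", "domain": "corp.example", "site": "hq", "role": "app",
     "last_patched": date(2024, 3, 2),
     # Placeholder identifier, not a real CVE.
     "open_cves": [{"id": "CVE-EXAMPLE-0001", "published": date(2024, 5, 10)}]},
    {"name": "plc-gw-01", "domain": "corp.example", "site": "plant-a", "role": "ot-gateway",
     "last_patched": date(2024, 5, 30), "open_cves": []},
    {"name": "bk-01", "domain": "corp.example", "site": "hq", "role": "backup",
     "last_patched": date(2024, 5, 28), "open_cves": []},
]
SERVICES = [
    {"name": "vpn", "type": "remote-access", "mfa": True},
    {"name": "rdp-gateway", "type": "remote-access", "mfa": False},
]
GROUPS = {"Domain Admins": {"admin.alice", "svc-backup", "jsmith"}}
ADMIN_BASELINE = {"admin.alice"}   # assumed list of approved admins


def check_backup_isolation(hosts):
    """Backup hosts that sit in a domain also used by production systems."""
    prod_domains = {h["domain"] for h in hosts if h["role"] != "backup"}
    return [h["name"] for h in hosts
            if h["role"] == "backup" and h["domain"] in prod_domains]


def check_domain_segmentation(hosts):
    """True when a single domain spans more than one physical site."""
    domains = {h["domain"] for h in hosts}
    sites = {h["site"] for h in hosts}
    return len(domains) == 1 and len(sites) > 1


def check_patching(hosts, as_of=AS_OF):
    """Hosts past the patch SLA, and open CVEs older than the CVE SLA."""
    stale = [h["name"] for h in hosts if as_of - h["last_patched"] > PATCH_SLA]
    overdue = [(h["name"], c["id"]) for h in hosts for c in h["open_cves"]
               if as_of - c["published"] > CVE_SLA]
    return stale, overdue


def check_remote_access(services):
    """Remote-access services (VPN, desktop sharing) with MFA left off."""
    return [s["name"] for s in services
            if s["type"] == "remote-access" and not s["mfa"]]


def check_privileges(groups, baseline=ADMIN_BASELINE):
    """Domain Admins members that are not on the approved baseline."""
    return sorted(groups["Domain Admins"] - baseline)


def audit():
    stale, overdue = check_patching(HOSTS)
    return {
        "backups_in_prod_domain": check_backup_isolation(HOSTS),
        "single_domain_multi_site": check_domain_segmentation(HOSTS),
        "stale_patching": stale,
        "overdue_cves": overdue,
        "remote_access_without_mfa": check_remote_access(SERVICES),
        "unexpected_admins": check_privileges(GROUPS),
    }


if __name__ == "__main__":
    for finding, result in audit().items():
        print(f"{finding}: {result}")
```

Run on its own the script reports the backup server sharing the production domain, the single domain stretched across two sites, the ERP host three months behind on patches with an open CVE past its deadline, a desktop-sharing gateway without MFA, and two accounts (one of them a service account) in Domain Admins that nobody approved. In a real environment the inventory would come from the directory, the patch system and the vulnerability scanner rather than from literals, but the checks themselves stay this small.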

Process: Failing to Plan

Even with well-maintained systems, responsible employees, and good infrastructure design, the odds are that attackers will still be able to get into your infrastructure at some point. No person and no technology is perfect.

So what happens when an attack finally happens?

In a word: panic. An effective data breach is an existential risk to most organizations. What we have seen in previous attacks is that a lot of people just freeze. They don’t know whom to call or what steps to take, and they are overwhelmed with the potential fallout. So they just don’t do anything.

Inaction only makes attacks worse. It gives attackers room to operate.

A solid incident response plan is critical, and then that plan needs to be communicated and understood across the IT organization. An incident response plan can be simple, but it should be clear:

  • Who needs to be called if something happens? This includes internal resources like the executive leadership and IT leads, but it also should include services providers, insurance companies, and possibly legal teams who can help both with the response and with any contractual obligations related to the attack.
  • Who can help? Identify resources for each site so that people can be physically present to help reset and replace systems, including hardware if necessary.
  • Where is everything? A lot of organizations have an incomplete view of where all of their data lives, what is backed up and where, and how those systems can be accessed.
  • What matters most? What data is most critical for your operations, what services contain the most sensitive data? While systems with PII are obviously critical to protect, every organization has different priorities on what matters most, either from an operational or cultural perspective.
  • What is the first step? As soon as an alert goes out – what is the very first thing that needs to happen? Having that clearly defined helps cut through the haze that can happen in an attack and can make it easier to act.

Missing the Goal

One thing to note is that a lot of organizations tend to focus on the wrong goal: not being involved in an attack. While good systems configuration and security practices are critical, they aren’t going to be able to stop every attack. The security of your infrastructure shouldn’t require a perfect shield.

Helping to set priorities is a key part of our incident response planning; reach out if you want more info.