Author Archives: Ella Ballard

The Best Defense: How to Prepare for a Ransomware Attack Today

When talking about security or real-life attacks, the focus naturally tends to be on the things that went wrong. Security reports look at the most common “ways in” or new potential exploits.

In a sense, the things that can go wrong – from simple human errors to bad luck – are infinite. It is actually simpler to look at the day-to-day best practices that also reduce your likelihood of attack and increase how fast you can recover.

Have a Call List

One of the most difficult aspects of incident response is that people don’t know whom to call or who is in charge.

The key stakeholders in a response may vary depending on your organizational structure, the location of the incident, or even the type of incident. The following list is a good starting point; there may be additional roles you need to include for your operations, and others that are less relevant:

  • Local resources who can be onsite to deal with system and hardware issues
  • Facilities managers
  • In-house legal teams
  • Executive leadership, including any IT managers and possibly senior leadership, the C suite, or the board of directors
  • Business and cyberinsurance companies
  • Points of contact for vendors and service providers, both for IT and for operations

Your contact list should also be loosely ordered, so that you contact the people who will have active roles (like local IT resources and IT managers) first, while groups that need to be informed or have follow-up tasks can be dealt with later. It’s also a good idea to have backup contacts wherever possible, in case incidents occur during holidays or when key people are unavailable.

Keep It Clean

The best security practice is to make sure that general IT services are well-maintained. These include the basics:

  • Changing default passwords on devices and services
  • Regularly updating systems
  • Immediately identifying and patching systems or hardware as CVEs are identified
  • Scheduling regular backups that are stored offsite or in a separate cloud environment

That’s really just a starting point. Some of the more complicated aspects of a recovery come when the infrastructure and data are not well understood. Be familiar with and document every aspect of your infrastructure.

  • Identify all datastores for all services, and what kind of data is stored there (particularly PII or confidential data)
  • Identify and map all domains, cloud environment, physical systems, and hardware across your infrastructure. This can be extensive; the main thing is to know what general operating environments you have and to avoid shadow IT or deprecated environments.
  • Identify dependencies across environments.

And the last part is to understand who (both users and machines) has access to your infrastructure and make sure that their access privileges reflect their role.

  • Define different Active Directory domains for different operating environments and physical locations.
  • Use role-based access control or similar approaches to restrict access to services unless necessary.
  • Use operating system-level management to restrict permissions granted to processes (including containers or virtual machines).
  • Set strong password requirements, including reasonable password expirations (not too long or too short).
  • Look out for any smart devices, like security cameras, which may be connected to the network. Make sure that these are properly secured and updated.

Build a Team

Not every useful resource is going to be internal to your organization. One major example is cyberinsurance. The majority of organizations have cyberinsurance, and these companies usually include forensics teams and investigators as part of their coverage.

Also make sure that you have dependable and knowledgeable legal counsel (either in-house or a recognized partner). Legal help is invaluable in directly dealing with ransom or extortion demands, settling terms with the insurance company, and managing any obligations because of contracts or service agreements that are affected by the attack. Ideally, the legal counsel will be separate from your cyberinsurance company to ensure that you get unbiased advice.

If you are working with an MSP for IT services or an MSSP for security services, make sure that they have experience with cyberinsurance claims. We have been able to help clients before by being able to ensure they were compliant with the terms of their insurance and that they could appropriately document and substantiate their claims. We have seen claims get denied or coverage dropped because of how other service providers addressed an attack.

Anyone can be a victim of a security breach, and the odds are that you will be at some point. Good security is like good health. It is the result of continual good habits, maintenance, and awareness. This is what it means to build a security-aware culture.

And of course, if you need guidance or ideas for your incident response plan, you can always contact Thrive.

Analysis: What Goes Wrong Before a Ransomware Attack

The most powerful word in root cause analysis is why. Not just what happened, but why. If you trace it back a few steps, that can give a pretty good idea of all of the factors that fed into a difficult situation.

There are a lot of factors that go into allowing a successful ransomware attack. This echoes the simplified wheel of modern infrastructure – people, process, technology. By and large, attacks are not like in the movies, where some hacker pulls up a terminal and immediately starts knocking down firewalls and transferring money or data in a few minutes. An attack is usually slow and patient – IBM’s Cost of a Data Breach Report 2024 put the total dwell time as long as 292 days. An attack starts with compromised access at a single account, and the attackers then methodically hopscotch across systems and services, escalating privileges and identifying key assets, until the day they move on their targets.

The next blog in the series will focus on best practices, but for now, we’re going to look at the “worst” practices. Or, rather, the daily, common, routine little mistakes or missed fixes that provide opportunities to attackers.

People: Finding the Backdoor

The first step in an attack is just getting access. How do they get in? According to Verizon’s Data Breach Investigations Report 2024, there are three primary “ways in”:

  • Compromised credentials (almost half of all attacks)
  • Phishing (around 20%)
  • Vulnerabilities in applications or hardware (also around 20%)

While phishing has decreased in frequency, it still remains a major threat because of how fast it moves: according to Verizon’s report, in security awareness training, it takes users only 21 seconds to click a phishing link and another 28 seconds to enter their credentials in a bogus site. That’s less than a minute for your entire infrastructure to be at risk.

Credentials can be compromised in any number of ways – and it may not be (only) people at risk. Gartner estimates that half of all compromised credentials belong to machine identities – so using easy-to-break or default passwords on cloud services, routers, and other aspects of your infrastructure is just as risky as a user scribbling their password on a sticky note.

Technology: Finding the Weak Spots

For both compromised credentials and exploited vulnerabilities, the same three services are implicated:

  • Web applications
  • Desktop sharing software
  • VPNs

While you can never completely eliminate human error (overall, 68% of all data breaches start with human error), the way that technology is being used plays a huge role in how effective an attack can be.

At some point, almost every data breach or ransomware attack takes advantage of a few different activities:

  • Exploiting unpatched vulnerabilities
  • Escalating privileges
  • Accessing unsecured services

A huge part of security comes down to good systems admin practices. It is very hard to provide a robust enough external security technology if the systems within the infrastructure are not well maintained or designed.

We have seen a variety of different administrative errors in client environments:

  • Using a single Active Directory domain rather than different domains for different physical locations as well as different operational areas (such as back office and site operations)
  • Storing backup archives within the same domain as the regular systems
  • Not enabling security features on hardware or services
  • Not performing regular updates
  • Not patching systems immediately after CVEs are released
  • Not properly restricting or managing privileges or access to services

These are common mistakes or even just delayed admin tasks that we see all the time with clients, but each mistake offers another available pathway to attackers.

Process: Failing to Plan

Even with well-maintained systems, responsible employees, and good infrastructure design, the odds are that attackers will still be able to get into your infrastructure at some point. No person and no technology is perfect.

So what happens when an attack finally happens?

In a word: panic. An effective data breach is an existential risk to most organizations. What we have seen in previous attacks is that a lot of people just freeze. They don’t know whom to call or what steps to take, and they are overwhelmed with the potential fallout. So they just don’t do anything.

Inaction only makes attacks worse. It gives attackers room to operate.

A solid incident response plan is critical, and then that plan needs to be communicated and understood across the IT organization. An incident response plan can be simple, but it should be clear:

  • Who needs to be called if something happens? This includes internal resources like the executive leadership and IT leads, but it also should include services providers, insurance companies, and possibly legal teams who can help both with the response and with any contractual obligations related to the attack.
  • Who can help? Identify resources for each site so that people can be physically present to help reset and replace systems, including hardware if necessary.
  • Where is everything? A lot of organizations have an incomplete view of where all of their data lives, what is backed up and where, and how those systems can be accessed.
  • What matters most? What data is most critical for your operations, what services contain the most sensitive data? While systems with PII are obviously critical to protect, every organization has different priorities on what matters most, either from an operational or cultural perspective.
  • What is the first step? As soon as an alert goes out – what is the very first thing that needs to happen? Having that clearly defined helps cut through the haze that can happen in an attack and can make it easier to act.

Missing the Goal

One thing to note is that a lot of organizations tend to focus on the wrong goal: not being involved in an attack. While good systems configuration and security practices are critical, they aren’t going to be able to stop every attack. The security of your infrastructure shouldn’t require a perfect shield.

Helping to set priorities is a key part of our incident response planning; reach out if you want more info.

How Ransomware Attacks Are Changing

There are a lot of different types of malicious software (malware). Viruses and worms directly infect systems for a specific purpose. This can be stealing data or credentials, but it could be to perform any kind of unauthorized tasks. Older malware could hijack a system to try to mine for cryptocurrency; one highly specific virus was spread benignly across the world until it hit Iranian uranium centrifuges and caused them to malfunction.

Ransomware functions a little differently. Unlike passive attacks, ransomware targets a specific organization (usually through stolen credentials) and then plants an executable that begins disabling security systems and encrypting data. The attackers then follow up with a ransom demand in exchange for access to the data.

Changing Targets and Goals

As with all technology, ransomware is evolving. The first generations of ransomware were specialized and sophisticated pieces of software and required both skilled developers and skilled hackers to take advantage of access. Because of the effort of creating ransomware, early attacks were done by closed, organized groups. Attacks were focused on large enterprise or high-value organizations such as hospitals, government departments, and banks – organizations with large amounts of sensitive data and very deep pockets to pay substantial ransoms.

That trend is definitely shifting. Looking at Thrive’s customer base and incidents over the past year, manufacturing and logistics companies are 7.5 times more likely to be attacked by ransomware than financial services or health care organizations.

On one hand, large enterprises remain a major target because of the likelihood of getting a large payout. The average ransomware demand in 2020 was $200,000; in 2024, it had skyrocketed to over $5 million. However, midmarket organizations typically face smaller payouts, both from slightly smaller demands and from being more likely to try negotiations. In 2020, they were paying as little as $5,000 on average; in 2024, it was over half a million dollars.

There has also been a shift in the different ways that attacker groups extort money.

  • The original extortion tactic was to encrypt key databases or servers and then demand payment for decryption information or access.
  • Increasingly, groups are extorting to prevent the release of sensitive information, from employee and client data to patents and confidential information.

And of course, most groups want payments for both.

Changing Technology

The tactics of ransomware attacks are changing because the technology of ransomware is changing. Over the past five years or so, ransomware has shifted from custom, installed software created by underground groups into software-as-a-service. Relatively unsophisticated criminal organizations can partner with ransomware providers to run attacks – frequently working on a commission basis.

New types of ransomware emerge routinely, but there are three ransomware groups that have consistently been at the heart of most ransomware attacks since 2022, at least looking at our Thrive customer base.

Retro Groove: Akira

The main hallmark of Akira is its intentionally retro styling: it has an 80s-style command-line interface (CLI) which appears on affected systems.

Akira tries to avoid detection by using legitimate tools to run processes. It uses different encryption methods for keys and files to make it harder to decrypt, and it stops itself from running in analysis tools to make it harder to reverse engineer. Stolen data files are uploaded to torrent sites.

Unlike other types of ransomware, Akira targets almost exclusively small and medium-sized businesses. It presents demands for both file access and to prevent leaking stolen data (double extortion) and usually has high ransom demands.

Akira usually exploits known vulnerabilities in VPNs to steal credentials for user accounts not using multi-factor authentication.

Game’s On: Play

Play ransomware is one of the oldest still running, having emerged in June 2022. Unlike Akira or RansomHub, it is a closed model rather than ransomware-as-a-service.

Part of what makes Play so ominous is that it uses very personal methods to communicate. Play attacks use a unique email address to communicate demands and are usually followed up with a phone call.

Play attacks can occur relatively quickly because it uses intermittent encryption to process files very quickly. Its executables usually boot into safe mode or use similar system tools to avoid endpoint detection and response (EDR) agents.

Play also makes it hard to identify binaries by using unique file hashes and names for every attack.

Convenient Affiliate Program: RansomHub

RansomHub is one of the newer ransomware attacks, emerging in early 2024. One of the “coolest” things about RansomHub is its financial model. RansomHub is a ransomware-as-a-service that runs a user-friendly affiliate program. Users can prepay for advanced support or customization and can select different levels for commission rates. As with other types of ransomware attacks, RansomHub has the double-extortion model, both for data files and for preventing data leaks.

RansomHub borrows some of the techniques of other ransomware, such as intermittent encryption and disabling EDR and security services. It uses simple but effective ways to cover its tracks, like password-encrypting its configuration files and erasing Windows event logs. RansomHub isn’t selective in what systems it hits – anything on the network, from mainframes to laptops, can be affected.

RansomHub uses malicious plugins in browsers to deliver its payload, and from there, it exploits unpatched systems.

What Makes You Vulnerable

One attack type, years ago, involved a group that would hack a user account at a bank, but then go and physically watch that person performing their duties. They would figure out that person’s normal processes and access, imitate that, and then slowly ramp up until they had admin access and they would dump money from an ATM. This was usually never caught by IT; it would come out after auditing the cash reserves in the ATMs.

That’s not a “ransomware” attack, but it perfectly lays out the same pattern of account exploitation and privilege escalation.

Many customers don’t think they’re big enough or public enough to catch the attention of attack groups, and that leads them to be lax in their typical system maintenance. I consistently see the same pathways to an attack:

  • Bruteforcing VPN or firewall access
  • Exploiting unpatched vulnerabilities on hardware and systems
  • Taking advantage of weak credential requirements for accounts
  • Escalating privileges through poor domain and permissions management for applications and processes

And that’s really the moral of security: security starts with good system administration practices. After that, the key areas for security process planning are:

  • Defining an incident response plan
  • Managing data security
  • User security policies and training

Autopsy of a Ransomware Attack

Early in 2025, a Thrive customer noticed something odd. One seemingly innocuous CPU spike was the first indicator of a problem that could have potentially destroyed an entire multi-state manufacturing company.

The Background Before the Attack

This company (Example Corp, for anonymity) had been a Thrive customer for a while. In the spring of 2025, they were using Thrive for managed services, including performance and event monitoring, but were using their internal teams for MDR and security services. The customer is headquartered in Florida but has other major operations hubs throughout the southeastern United States.

Manufacturing and logistics are often heavily reliant on proprietary operational technology (OT) that’s hard to secure and often lacks comprehensive security monitoring. Many organizations integrate OT into their IT networks without proper segmentation, increasing the risk of devastating impact should either side be breached. Combined with limited IT resources, fewer cybersecurity regulations, and low downtime tolerance, this makes them highly likely to be targeted by ransomware, no matter the size of the organization. Thrive’s intelligence shows manufacturing, construction, and logistics are targeted 7.5 times more than financial services by ransomware groups like RansomHub, Akira, and Play. This mix of weak defenses and high impact makes manufacturing a prime ransomware target.

Thankfully, that wasn’t the case at Example Corp. Their CTO had a strong grasp of the internal environment and knew exactly what was needed, phase by phase, to bring operations back online quickly. He also leaned heavily on Thrive’s deep expertise in incident response and threat actor behavior to avoid common pitfalls, ensure a secure restoration, and remediate any potentially lingering threats. With 24/7 support from Thrive, his disciplined leadership and reliance on proven best practices were critical to saving Example Corp that day in February.

The Attack

Early on Friday morning, the Thrive event management team noticed an atypical CPU spike on a server. Since it was very early in the morning – hours before the start of the workday – the Thrive team decided to check on what was going on.

The Thrive team discovered that the CPU usage was coming from an abnormal process, and they called in the Thrive security team to take a look (even though, at the time, the customer wasn’t using Thrive for security services). The security team recognized ransomware executables and shut down the server immediately to try to limit the scope of the attack.
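The write-up does not say how the event management team's monitoring decided the spike was atypical, so here is one way such a rule can be expressed: an added example, not Thrive's tooling, that flags a sample only when the host should be idle (outside an assumed 08:00-18:00, Monday-Friday window) and its CPU sits far above that hour's historical baseline. The thresholds, the business window and the sample data are all constructed for the illustration.

```python
"""Off-hours CPU anomaly check over constructed monitoring samples.

Added example, not Thrive's monitoring tooling. It shows one way a rule could
flag the "atypical CPU spike, hours before the workday" that opened the incident:
a sample is suspicious when the host should be idle and its utilisation sits far
above that hour's historical baseline. Business hours and thresholds are assumed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

BUSINESS_START = 8     # assumed local business window: 08:00-18:00, Mon-Fri
BUSINESS_END = 18
Z_THRESHOLD = 3.0      # hypothetical: standard deviations above the hourly baseline
MIN_SPIKE_PCT = 60.0   # hypothetical: ignore small wobbles on an otherwise idle host


def is_off_hours(ts: datetime) -> bool:
    """True on weekends or outside the assumed business window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.hour < BUSINESS_END)


def hourly_baseline(history):
    """Per-hour-of-day (mean, population stdev) of CPU% from (datetime, cpu_pct) samples."""
    buckets = defaultdict(list)
    for ts, cpu in history:
        buckets[ts.hour].append(cpu)
    return {hour: (mean(vals), pstdev(vals)) for hour, vals in buckets.items()}


def flag_cpu_spikes(history, recent):
    """Return (datetime, cpu_pct, z_score) for recent samples that look anomalous.

    A sample is flagged only when all three hold: it is off-hours, it exceeds
    MIN_SPIKE_PCT, and it is more than Z_THRESHOLD stdevs above the hour's baseline.
    """
    baseline = hourly_baseline(history)
    flagged = []
    for ts, cpu in recent:
        if not is_off_hours(ts) or cpu < MIN_SPIKE_PCT:
            continue
        mu, sigma = baseline.get(ts.hour, (0.0, 0.0))
        if sigma > 0:
            z = (cpu - mu) / sigma
        else:
            # Perfectly flat (or missing) history: any rise above the mean is unusual.
            z = float("inf") if cpu > mu else 0.0
        if z > Z_THRESHOLD:
            flagged.append((ts, cpu, round(z, 1)))
    return flagged


def constructed_history():
    """Two weeks of hourly samples (constructed): quiet at night, busy on weekdays."""
    samples = []
    for day in range(1, 15):
        for hour in range(24):
            ts = datetime(2025, 2, day, hour)
            busy = ts.weekday() < 5 and BUSINESS_START <= hour < BUSINESS_END
            cpu = 40.0 + (day % 4) * 5 if busy else 4.0 + (day % 3)
            samples.append((ts, cpu))
    return samples


# Constructed recent samples for Friday 21 Feb 2025.
CONSTRUCTED_RECENT = [
    (datetime(2025, 2, 21, 3), 92.0),   # 03:00, sustained high CPU on an idle host
    (datetime(2025, 2, 21, 4), 6.0),    # 04:00, normal idle level
    (datetime(2025, 2, 21, 10), 95.0),  # 10:00, high but inside business hours
]


def run_check():
    """Apply the rule to the constructed data; only the 03:00 sample should be flagged."""
    return flag_cpu_spikes(constructed_history(), CONSTRUCTED_RECENT)


if __name__ == "__main__":
    for ts, cpu, z in run_check():
        print(f"ALERT {ts:%a %H:%M} cpu={cpu:.0f}% z={z}")
```

The business-hours sample is deliberately left unflagged: a daytime spike needs a different rule, since high CPU during working hours is often legitimate.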

Thrive also began trying to contact the CTO and other IT points of contact, which took almost an hour. In that time, Thrive had begun isolating affected systems and using forensic tools to identify the extent of the attack. Thrive had also attributed the damage to a specific threat actor. After learning of this attribution and the impact details provided by Thrive, the client engaged their cyberinsurance provider. The forensics team assigned through the insurer decided to use the data already collected by Thrive to conduct their investigation. This allowed them to begin their analysis quickly and supported a rapid restoration without introducing further delays.

Timeline to Recovery

Example Corp did not have an incident response plan, but their teams had deep knowledge of their systems and domains, so once the Thrive and customer IT teams were able to connect, they quickly got to work mitigating the damage and recovering their operations.

  • Thrive and Example Corp held near-hourly standup calls to quickly address their most immediate actions and next steps, with everyone working collaboratively. These meetings were short and focused on completing tasks, removing roadblocks, and outlining next steps with clear timelines.
  • They shut down any VPN tunnels and site-to-site tunnels between their five sites.
  • Using the forensics tools, they began reviewing timelines and affected systems.
  • Within the first hour, Thrive had confirmed there had been data exfiltration (stolen data) and had run a damage assessment. The attackers had tried to download lightweight assets like text files, documents, PDFs, spreadsheets, and images.
  • Example Corp contacted their cyberinsurance agency, and they used the insights from Thrive to run a parallel investigation.
  • Example Corp had people onsite at three of the five locations on the same day; the other two were restored remotely when the main site was restored.

The recovery went fairly smoothly. One of the affected systems was a virtual host, so all of the associated virtual machines had to be rebuilt; in addition, a couple of domain controllers were lost and had to be restored. Thrive rebuilt all affected servers and restored most data from backup with minimal loss.

The initial attack was sparked Friday morning; all five sites had been restored to full operations by Sunday afternoon. By contrast, other manufacturing businesses typically take 7-14 days to restore to full functionality.

What Went Right

Technology is only one part of the People – Process – Technology Framework. This customer had all three pillars in place long before their ransomware attack.


  • Prepared team. Many organizations only think to call their service provider or cyberinsurance company and then wait to be told what to do. Example Corp didn’t have a formal incident response plan, but all of their IT personnel had a thorough understanding of their systems, services, and dependencies, as well as a full asset inventory. This allowed them to move very quickly, which ultimately minimized the damage.
  • Effective communication and time management. Example Corp and Thrive teams were cohesive and worked very well together, across multiple states.
    • Held response team meetings every couple of hours
    • Limited length to less than 30 minutes
    • Focused only on what was new, what was next, and any blockers.
  • Clear ownership. The CTO took ownership of critical internal systems. He also kept a running, prioritized list of services and tasks in the background, but avoided overwhelming the team by only adding new actions as the current ones were completed.
  • Solid system management and architecture practices. Example Corp had good IT practices in place, such as using separate Active Directory domains for different sites and services. They also had routine backups in a separate location, so no backup data were corrupted in the attack. These basic tasks made it possible to quickly replace and recover their systems.
  • High level of urgency. This incident had the potential to collapse the company, but the entire customer team, from the CTO to the practitioners, was focused on the potential impact to their employees and customers. One of the potentially affected systems included payroll services, and their primary objective was to make sure everyone got paid on time.

What Were Their Next Steps

Example Corp came through the entire event unscathed, but the threat had truly been existential. They had several major business deals which would have failed had there been any disruption in operations for days, much less weeks.

Their CTO had already been talking with Thrive about moving away from their in-house security services, so the first changes that they looked at were in bolstering their security resources:

  • Scheduled penetration testing and created a list of follow-up actions
  • Bought advisory services for ongoing reviews and feedback on their processes and technology stack
  • Migrated to Thrive’s MDR services
  • Began drafting a formal incident response plan

One tenet of cyber resilience is that it is wasted effort to try to prevent all attacks. It is a much more strategic decision to focus on security technologies that allow greater visibility into systems, solid IT practices, and well-trained and committed teams. That allows you to recover quickly, no matter what happens.

You can find out more about Thrive’s disaster recovery services or contact Thrive for a chat. You can also check out our on-demand webinar on cybersecurity tech trends.