If you are thinking “I’ve heard of the dark web, but I don’t really know what it is,” well, I am here to shed some light on the mysteries of the dark web.
The term Internet is often used interchangeably with the term web. In reality, they are separate components of an ecosystem. The Internet is the infrastructure and network that allows people and systems from all over the world to communicate with each other. This includes the network, switches, routers, etc. that interconnect all the devices. The web is one service that leverages the Internet but there are many others. The World Wide Web (www) is the service that allows a browser (Edge, Chrome) to connect and interact with a web server. Streaming services (Netflix, BritBox), conferencing services (Teams, Zoom), file sharing services (OneDrive, Google Drive) are other services commonly using the Internet.
There are essentially three webs: surface, deep, and dark.
Surface Web
The surface web is the one openly available on the Internet. It is the one most people think of when referring to the web. Search engines such as Google and Bing discover and index all publicly available sites allowing people to find the sites for which they are searching.
Deep Web
The deep web is essentially the opposite of the surface web. It comprises the sites and content that are not publicly available and hidden, i.e. the content that is not indexed. This is the content where you need to be granted access to see it. If you think about it, this makes sense. You need a Netflix account to stream their content. You need a Facebook account to view posts. What is public is the fact that the site exists, the login page, and information on how to obtain access. To put some numbers around the size of the deep web, it is 95% of all content on the Internet.
Dark Web
The dark web is a small fraction of the deep web, comprising about 0.01% of the Internet. The surface web is the tip of the iceberg. The vast majority of the iceberg is below the water, representing the deep web. The dark web is the content at the very bottom, the most secluded part of the iceberg.

The dark web is a portion of the internet that is intentionally hidden and requires specific tools to access. As a result, it provides anonymity, which lends itself well to illicit online activity.
Why do people perform this illicit activity? There are three common motivations why people may want to stray far from the straight and narrow:
- Financial – people who want to steal data to monetize it. These are the people who take credit card data, personally identifiable information (PII), and protected health information (PHI) and are in it for a buck (or quid for those of you on the other side of the pond). Magecart, FIN7, Lazarus Group, and Evil Corp are known for performing online financial crime.
- Hacktivism – people wishing to make a political or social statement by attacking sites. Groups such as Anonymous, LulzSec, and Cult of the Dead Cow are known for hacktivism.
- Cyberespionage – this is state-sponsored activity that benefits a country. China and Russia are commonly thought of for performing this activity.
What they all have in common is they need a way to communicate securely and a place to buy and sell their wares with a high degree of privacy. The dark web is the medium of choice; a marketplace of products and services used to carry out these motivations. You can buy drugs, hire people for services, purchase passports, and so much more that may not be considered legal in many jurisdictions. You can also check social media, get a weather report, and get directions to and from your office.
The Tor browser is used to surf the dark web, and .onion sites are the pages that hold the content. .onion is the domain suffix for the dark web, so named because a connection works like the layers of an onion that you peel to get where you want to go. Tor builds a connection by relaying it through at least three random nodes (the layers of the onion). Each node adds or removes one layer of encryption (more onion references), so each individual hop stays private. As you move from page to page, a new and unique path is established. This hides your true source and destination from anyone who may eavesdrop on your session; only the last node in the path can be identified.
The Tor browser is based on Mozilla Firefox so it can also be used to browse the other webs as well. It doesn’t go the other way though, so a standard browser cannot be used to surf the dark web.
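To make the "layers of the onion" concrete, here is a toy three-hop onion built in PowerShell from the .NET AES classes. It is an added illustration, not code from the original post, and it is not how Tor itself is implemented (real circuits negotiate a key with each relay and use a different cipher construction); it shows only the layering idea, which is the same. The hop names, keys, destination and request are all constructed.

```powershell
# Added illustration (not from the original post): a toy three-hop "onion" built with AES-CBC,
# to show why each relay learns only its neighbours. Hop names, keys and the request are constructed.

function New-HopKey {
    # Fresh 256-bit key for one relay (in Tor this would come from a key exchange with that relay).
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.GenerateKey()
    return ,([byte[]]$aes.Key)          # leading comma keeps the byte[] from being unrolled
}

function Protect-Layer {
    param([byte[]]$Key, [byte[]]$Data)
    # Wrap $Data in one encryption layer; the random IV is prepended so the relay can peel it.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key
    $aes.GenerateIV()
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($Data, 0, $Data.Length)
    return ,([byte[]]($aes.IV + $cipher))
}

function Unprotect-Layer {
    param([byte[]]$Key, [byte[]]$Data)
    # Peel exactly one layer: read the IV, decrypt the rest.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key
    $aes.IV  = [byte[]]($Data[0..15])
    return ,([byte[]]$aes.CreateDecryptor().TransformFinalBlock($Data, 16, $Data.Length - 16))
}

function Split-Header {
    # Each layer's plaintext is "<next hop>|<inner bytes>"; split at the first '|'.
    param([byte[]]$Data)
    $sep  = [Array]::IndexOf($Data, [byte]0x7C)
    $next = [Text.Encoding]::UTF8.GetString($Data, 0, $sep)
    $rest = [byte[]]($Data[($sep + 1)..($Data.Length - 1)])
    return $next, $rest
}

function Invoke-Relay {
    param([string]$Name, [byte[]]$Key, [byte[]]$Onion, [string]$From)
    # A relay can remove only its own layer, so all it learns is who sent the cell and where it goes next.
    $next, $rest = Split-Header (Unprotect-Layer $Key $Onion)
    Write-Host ("{0,-6} sees: previous hop = {1}, next hop = {2}; the rest is still encrypted" -f $Name, $From, $next)
    return [pscustomobject]@{ Next = $next; Inner = $rest }
}

# --- Client side: build the onion from the inside out ---
$keys = @{ 'guard' = New-HopKey; 'middle' = New-HopKey; 'exit' = New-HopKey }
$utf8        = [Text.Encoding]::UTF8
$destination = 'example.onion'                        # constructed
$request     = $utf8.GetBytes('GET / HTTP/1.1')       # constructed

$onion = Protect-Layer $keys['exit']   ([byte[]]($utf8.GetBytes("$destination|") + $request))  # only the exit reads this
$onion = Protect-Layer $keys['middle'] ([byte[]]($utf8.GetBytes('exit|')   + $onion))
$onion = Protect-Layer $keys['guard']  ([byte[]]($utf8.GetBytes('middle|') + $onion))

# --- Path: client -> guard -> middle -> exit -> destination ---
$hop = Invoke-Relay -Name guard  -Key $keys['guard']  -Onion $onion     -From 'client'
$hop = Invoke-Relay -Name middle -Key $keys['middle'] -Onion $hop.Inner -From 'guard'
$hop = Invoke-Relay -Name exit   -Key $keys['exit']   -Onion $hop.Inner -From 'middle'
# The exit is the only relay that holds the destination and request, and it never saw the client.
"exit forwards to {0}: {1}" -f $hop.Next, $utf8.GetString($hop.Inner)
```

Run it as a script and read the three "sees:" lines: the guard knows the client but not the destination, the exit knows the destination but not the client, and the middle relay knows neither. That split is the whole point of the layering the post describes.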
The currency of choice on the dark web is Bitcoin. It provides an anonymous way to exchange money, allowing for complete privacy in all aspects of operating on the dark web.
But there are legitimate uses for the dark web:
- Privacy Protection
  - Journalists and activists use it to communicate securely in countries with heavy censorship or surveillance.
  - Whistleblowers can share sensitive information anonymously.
- Access to Restricted Information
  - People in regions with internet censorship can access blocked news sites or educational resources.
- Secure Communication
  - Encrypted messaging services and forums allow individuals to discuss topics without fear of government or corporate monitoring.
- Research and Cybersecurity
  - Security professionals monitor dark web marketplaces for stolen data or emerging threats.
  - Companies use it to detect leaked credentials or intellectual property.
- Legal Anonymous Browsing
  - Some users simply value anonymity for personal reasons (e.g., avoiding tracking by advertisers).
The dark web is a tool. Like any other tool, how it is used dictates if it is for good or bad. It is a tool that has no practical use for legitimate business purposes other than organizations that specialize in performing security research or investigations. It is recommended to block or prevent the use of the Tor browser in a corporate environment.
If you are personally curious, please be careful when surfing on the darkest of webs. Darkness makes it difficult to see things lurking in the shadows.
The Reality of Managed AI
AI is here – but the reality can be very different from the hype. Are you ready to navigate the challenges of data strategy, user training, and outcome-derived use cases? Thrive is helping our clients navigate the different milestones along the path to AI, so that you are working toward a realistic and successful business goal.
Navigating the VMware Shift: Thrive’s Strategies for a Seamless Transition
At Thrive, we are dedicated to delivering world-class service and innovation. Positioned to enhance business outcomes, we offer greater value by expanding our product offerings for both private and public cloud environments. Our enhanced private cloud, powered by HPE Morpheus, ensures seamless cross-platform management, enabling superior automation and cost savings.

Thrive’s multi-pronged approach leverages proven technology within a fully supported ecosystem:
- Expanding private cloud capabilities with HPE | Morpheus as a key virtualization platform, enhancing automation and operational efficiency.
- Continuing to support VMware architecture within Thrive datacenters for clients with specific platform requirements.
- Providing expert guidance for public cloud strategies, with a focus on improved manageability, robust security, and scalable growth.
Our enhanced private cloud, powered by HPE and Morpheus Enterprise, integrates advanced features with ServiceNow. This hybrid cloud management platform allows enterprises to manage IT resources across on-premises and public cloud environments, boosting agility, control, and cost-efficiency.
We empower public cloud operations, enabling developers with self-service access while maintaining IT, security, and finance guardrails, allowing for 150x faster workload provisioning at 30% lower costs.
For complex enterprise VMware solutions, Thrive will continue supporting VMware virtualization, to ensure unparalleled service.
Thrive is ready to guide you through this transition with expertise and confidence. Contact us today for assistance and guidance.
We are ready to get started. Reach out to us and start planning your next steps.
Navigating Windows 10 End of Service: Ensuring Business Continuity and Security
Microsoft is a major technology foundation for millions of businesses – but because it is so ubiquitous in organizations, it can make changes and updates time-consuming and intense. While many organizations have already upgraded to Windows 11, many more have not yet begun the upgrade process. If your company has been waiting to make the jump, time is running out to take full advantage and protect your business without disruption.
Windows 10 was originally released in 2015 and has been in the market for 10 years. Microsoft maintains a published software lifecycle policy that outlines when both mainstream and extended support for its products will end; at the end of 2023, Microsoft announced that Windows 10 would reach end of life in October 2025.
Read Thrive’s FAQs here for more information.
Windows 10 will enter its End of Service (EOS) on Tuesday, October 14, 2025. This will have a wide impact on daily operations, security posture, and budget efficiencies related to all legacy systems. In the EOS phase, Windows 10 will no longer receive free technical support, updates, or security updates from Microsoft as part of the original subscription.
However, there are options for organizations that still have Windows 10 systems.
Top Risks of Not Upgrading
Waiting to update to Windows 11 creates compounding risks within your environment the longer you operate after October 14, 2025, without it.
Increased Security Vulnerability & Compliance Risks
Microsoft and 3rd party vendors will cease to push out security and other updates, resulting in cyber threat and malware vulnerabilities and potential regulatory compliance gaps.
Reduced Efficiency & Increased Downtime
Due to a lack of patching from Microsoft and 3rd party software vendors, your systems will be slower and prone to errors and crashes, which will disrupt business operations and impact overall productivity and continuity.
End of Support Limitations
Your IT team will be left without Microsoft’s technical support assistance and resources for troubleshooting and issue resolution. In addition, 3rd party vendor patching services will only apply resources to currently supported platforms like Windows 11, meaning that your internal IT teams will be burdened with these increasingly difficult duties.
Increased Costs and Budget Inefficiencies
While it is possible to purchase extended support for Windows 10, the period where that is available is limited and the cost increases sharply over time. Microsoft Windows 10 Extended Security Updates (ESUs) include Critical and Important security updates for up to 3 years after October 14, 2025 – and the costs double each year. ESUs are only security-focused, and do not include new features, compounding the opportunity and productivity costs to your business.
Future Update Ineligibility
Future software releases and hardware upgrades are designed with Windows 11 in mind and may not be compatible with Windows 10.
Top Benefits of Moving to Windows 11
Windows 11 performance and feature updates enable more productive and secure collaboration and workflow across your business.
Microsoft Support & Enhanced Security Features
With hardware-based isolation, encryption, and advanced malware protection, Windows 11 offers a robust security environment that helps safeguard your business from cyber threats. As cyberattacks become more sophisticated, having the latest security features is essential to protect sensitive data and maintain business continuity.
Deeper Integration & Collaboration
Microsoft will continue to drive further integration from their productivity ecosystem into Windows 11. Features such as Teams chats and calls can now be accessed and launched directly from the Task Bar. The conversation opens separately from the main Teams app, reducing the number of windows and clicks needed to quickly communicate with peers. Notifications also appear here and no longer depend on the full Teams app being launched.
Improved Memory Management & Performance
Windows 11 manages resources more efficiently, giving active and in-focus applications more processing power and memory allocation. This enables smoother performance and better productivity outcomes as the user multitasks between applications.
Modern Interface & User Experience
The Windows 11 user interface focuses on streamlining navigation with a centrally aligned taskbar, redesigned Start menu, and features like Snap Layouts and Snap Groups for easier and more organized windows multitasking.
Redesigned Virtual Desktop Management & Navigation
Virtual Desktops were also redesigned in Windows 11, with the Task View now showing each desktop name and sliding animations to easily navigate between them, enabling users to seamlessly switch and manage their workspaces.
Steps for a Successful Windows 11 Update
Upgrading to Windows 11 as soon as possible will help you avoid last-minute disruptions and will allow you to take advantage of the latest performance, productivity, and security enhancements.
As a trusted Microsoft Solutions partner, Thrive experts recommend the following steps to ensure a successful migration:
- Assess Your Current Setup: Evaluate your existing hardware and software to determine compatibility with Windows 11 (for existing Thrive customers, this can be done through the Client Portal).
- Backup Your Data: Ensure that all important data is backed up before starting the upgrade process.
- Create a Timeline: Plan a timeline for the upgrade, considering factors such as business operations and potential downtime.
- Test Before Rollout: Perform a test upgrade on a small group of devices to identify any issues and address them before an organization-wide rollout.
- Train Your Team: Provide training and resources to help your team get familiar with Windows 11 and its new features.
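The first step above, assessing a device, can be scripted. The function below is an added example, not Thrive's Client Portal tooling: it checks one Windows 10 machine against the published Windows 11 minimums (1 GHz CPU with 2 or more cores, 4 GB RAM, 64 GB system drive, UEFI firmware with Secure Boot, TPM 2.0) and counts the days left to the October 14, 2025 date given above. It needs an elevated PowerShell session because the TPM and Secure Boot queries require it.

```powershell
# Added example (not Thrive's tooling): per-device Windows 11 readiness check. Run elevated.

function Get-Windows11Readiness {
    [CmdletBinding()]
    param()

    $os   = Get-CimInstance Win32_OperatingSystem
    $cs   = Get-CimInstance Win32_ComputerSystem
    $cpu  = Get-CimInstance Win32_Processor | Select-Object -First 1
    $disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"

    # TPM spec version comes from the MicrosoftTpm namespace; no TPM or no access leaves 'none'.
    $tpmVersion = 'none'
    try {
        $tpm = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm -ErrorAction Stop
        if ($tpm) { $tpmVersion = ($tpm.SpecVersion -split ',')[0].Trim() }   # e.g. "2.0, 0, 1.38" -> "2.0"
    } catch { }

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines, which is itself a failed check.
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop } catch { }

    $ramGB  = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)   # a "4 GB" box reports ~3.9 after firmware reservations
    $diskGB = [math]::Round($disk.Size / 1GB, 1)

    # Published Windows 11 minimums: 1 GHz dual-core CPU, 4 GB RAM, 64 GB storage, UEFI + Secure Boot, TPM 2.0.
    $checks = [ordered]@{
        'CPU: 2+ cores at 1 GHz+' = ($cpu.NumberOfCores -ge 2 -and $cpu.MaxClockSpeed -ge 1000)
        'RAM: 4 GB+'              = ($ramGB -ge 3.75)
        'System drive: 64 GB+'    = ($diskGB -ge 64)
        'Firmware: UEFI'          = ($env:firmware_type -eq 'UEFI')
        'Secure Boot: enabled'    = [bool]$secureBoot
        'TPM: version 2.0'        = ($tpmVersion -eq '2.0')
    }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        CurrentOS = "$($os.Caption) build $($os.BuildNumber)"
        DaysToEOS = ([datetime]'2025-10-14' - (Get-Date).Date).Days   # Windows 10 EOS date given in the post
        Checks    = $checks
        Ready     = -not ($checks.Values -contains $false)
    }
}

$report = Get-Windows11Readiness
"{0}: {1}, {2} days to Windows 10 EOS, ready = {3}" -f $report.Computer, $report.CurrentOS, $report.DaysToEOS, $report.Ready
$report.Checks.GetEnumerator() | ForEach-Object { '{0,-26} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' }) }
```

The script does not compare the CPU model against Microsoft's supported-processor lists, so a device that passes every line here can still be ineligible; use the PC Health Check app or the Client Portal report for that final decision. To run it across a fleet, wrap the function in Invoke-Command against your computer list and collect the returned objects into the replacement report.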
Windows 11 Upgrade Options
Whether you’re aiming to update to Windows 11 before the End of Service deadline, or you’re looking for a grace period as you manage some hurdles, Thrive’s Microsoft experts are here to help.
There are two different device update paths:
- For newer systems with adequate hardware, the easiest thing is to do a system update
- For systems which are older than 18 months or which do not meet the hardware specifications, the system should be replaced with a new one.
For most organizations, upgrading to Windows 11 is recommended for the best security, performance, and long-term support.
Thrive helps you assess your current environment and determine your upgrade readiness with a report on any devices that are not eligible and need replacement. Thrive’s strong hardware vendor relationships provide you with the best equipment options on the market.
Before fully rolling out the upgrade, for large scale deployments, Thrive will run a pilot migration to prove its effectiveness. Once determined ready, Thrive will deploy the Windows 11 Feature Update to the remaining eligible devices and provide remote support during the next business day to help ensure a smooth transition.
After the upgrade process is complete, Thrive will provide a summary of all the devices that were upgraded, which you can review with your account management team.
As part of the overall migration process, Thrive can help activate and install ESUs to cover systems which are in the process of being updated or which will soon be retired. These ESUs are a temporary solution; there is a maximum of three years availability, and it only covers Critical and Important security fixes, not support.
Thrive helps businesses complete their Windows 11 upgrade quickly and efficiently and provides ongoing technical advisory and support – contact us today to learn more.
Protecting the Crown Jewels: How Ransomware Groups Exploit Domains
When ransomware is dropped on your desktop and file shares, it feels like the beginning of the nightmare. In fact, it’s the final scene. Long before encryption begins, attackers have already worked their way through the network, escalating privileges, stealing credentials, and hunting for what really matters: Active Directory, backups, data shares and the virtualization infrastructure that keeps the business running.
And the harsh truth is this: they don’t need zero-days to get there. They rely on weaknesses most organizations already know about, legacy protocols, overprivileged accounts, flat networks, and poorly isolated recovery systems. Once they exploit these vulnerabilities, your company’s resilience is on the line.
Why Active Directory Is the “Crown Jewel”
Active Directory (AD) isn’t just another system; it’s the backbone of enterprise identity. Whoever controls AD controls the business.
Attackers typically start with a single compromised endpoint. From there:
- They dump the LSASS process to harvest credentials.
- They perform Kerberoasting, requesting Kerberos service tickets that are encrypted with service-account password hashes, so those service account passwords can be cracked offline.
- They attempt a DCSync to replicate the credential database.
And with tools like Mimikatz, Rubeus, or Impacket, they escalate privileges until they reach the hash of the KRBTGT account (the Kerberos key account), the golden ticket to unlimited persistence.
This is why the AD domain isn’t just another stop along the way. It’s the crown jewel adversaries are after.
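The Kerberoasting step above leaves a recognizable trace on domain controllers: Event ID 4769 (a Kerberos service ticket was requested) with ticket encryption type 0x17 (RC4), because RC4 tickets are the ones that crack quickly offline. The detector below is an added example, not from the original post, and it runs over a constructed set of 4769 records rather than a live Get-WinEvent query; the account names, service names and addresses are made up.

```powershell
# Added example (not from the original post): flag one account pulling RC4 (0x17) service
# tickets for many distinct service accounts inside a short window.

# Constructed sample of 4769 records. Field names mirror the event data (TargetUserName,
# ServiceName, TicketEncryptionType, Status, IpAddress). contractor7 is the suspicious account.
$sampleLog = @'
Time,Account,Service,EncType,Status,ClientIp
2025-01-15T09:00:01,jsmith,svc_sql,0x12,0x0,10.10.5.21
2025-01-15T09:00:09,jsmith,FS01$,0x12,0x0,10.10.5.21
2025-01-15T09:01:30,ops_legacy,svc_legacyapp,0x17,0x0,10.10.7.40
2025-01-15T09:02:02,contractor7,svc_sql,0x17,0x0,10.10.9.66
2025-01-15T09:02:03,contractor7,svc_backup,0x17,0x0,10.10.9.66
2025-01-15T09:02:03,contractor7,svc_web,0x17,0x0,10.10.9.66
2025-01-15T09:02:04,contractor7,svc_sccm,0x17,0x0,10.10.9.66
2025-01-15T09:02:05,contractor7,svc_exchange,0x17,0x0,10.10.9.66
2025-01-15T09:02:05,contractor7,svc_vcenter,0x17,0x0,10.10.9.66
2025-01-15T09:03:10,WS042$,DC01$,0x12,0x0,10.10.5.42
'@
$events = $sampleLog | ConvertFrom-Csv | ForEach-Object { $_.Time = [datetime]$_.Time; $_ }

function Find-KerberoastingBurst {
    param(
        [Parameter(Mandatory)][object[]]$Records,
        [int]$MinDistinctServices = 5,   # distinct service accounts requested with RC4 ...
        [int]$WindowMinutes = 10         # ... inside this sliding window
    )
    # Keep successful RC4 service-ticket requests for non-machine service accounts
    # (machine accounts have long random passwords and are not a cracking target).
    $rc4 = $Records | Where-Object {
        $_.EncType -eq '0x17' -and $_.Status -eq '0x0' -and $_.Service -notlike '*$' }

    foreach ($group in ($rc4 | Group-Object Account)) {
        $sorted = @($group.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start    = $sorted[$i].Time
            $window   = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -lt $start.AddMinutes($WindowMinutes) })
            $services = @($window.Service | Select-Object -Unique)
            if ($services.Count -ge $MinDistinctServices) {
                [pscustomobject]@{
                    Account          = $group.Name
                    ClientIp         = (@($window.ClientIp | Select-Object -Unique) -join ', ')
                    DistinctServices = $services.Count
                    Services         = ($services -join ', ')
                    From             = $start
                    To               = $window[-1].Time
                }
                break   # one alert per account is enough for a burst
            }
        }
    }
}

Find-KerberoastingBurst -Records $events | Format-List
```

Against the sample this reports only contractor7 (six service accounts in three seconds from 10.10.9.66); the single legacy RC4 ticket for ops_legacy stays under the threshold, which is the baseline you will see from old applications. On a domain controller the same fields come from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769}`, and once service accounts are moved to AES-only (the msDS-SupportedEncryptionTypes attribute), any RC4 ticket request for them becomes an anomaly in its own right.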
The Legacy Problem
One reason attackers succeed so often is that organizations still carry the weight of legacy technology.
- NTLMv1 is still enabled in some places, even though it’s fundamentally broken.
- NTLMv2, while stronger, is still open to relay and pass-the-hash attacks if signing or extended protection isn’t enforced.
- SMBv1, unencrypted LDAP, and WMI/DCOM create additional lateral movement paths.
It isn’t that attackers are brilliant, it’s that too many environments haven’t turned off the weak links. Every legacy protocol left enabled is another open door.
The Hidden Weakness: Backups and Virtualization
Stopping at AD is no longer enough for ransomware groups. Once they’ve compromised the domain, the blast radius expands dramatically. The first systems they go after are backups and virtualization systems.
If backup servers are domain-joined, once AD is compromised the backups are too. Attackers delete retention chains, wipe repositories, and in some cases, even delete jobs from backup applications running on domain controllers, a catastrophic misconfiguration.
Virtualization platforms like VMware ESXi and vCenter are now frequent targets. With access, attackers can power down VMs, encrypt virtual disks, and wipe snapshots. Furthermore, they erase the forensic evidence needed for regulatory reporting and incident scoping. Without these artifacts, organizations cannot prove whether sensitive data was accessed, determine the true extent of compromise, or validate that persistence has been removed. This forces responders into broad, time-consuming remediation efforts, rebuilding more systems than necessary and extending downtime, all while leaving regulators, insurers, and clients with unanswered questions.
The Akira ransomware group shows exactly how this plays out. Active since 2023, Akira has carried out 300+ attacks and raked in over $42 million. They specifically target ESXi and vCenter servers, encrypting datastores and deleting backups from accessible software on compromised servers.
Backup management and servers, as well as virtualization hosts should never reside on flat networks. Yet time and again, we see organizations make this mistake, placing their most critical recovery and infrastructure components on the same plane as user devices.
When Resilience Disappears
The reason all of this matters is simple: resilience collapses the moment backups and virtualization are gone.
In 96% of ransomware cases, attackers go after backups, and in 76%, they succeed.
When backups are compromised, ransom demands double (from ~$1M to ~$2.3M), victims are twice as likely to pay, and recovery costs rise 8x higher.
Nearly one in three organizations fail to restore backups during an attack, even though 92% claim to have them.
If AD is owned, backups deleted, and hypervisors encrypted, restoration efforts collapse completely. At that point, the ransom isn’t just extortion, it may be the only path back for business operations.
What Resilience Really Looks Like
Protecting the crown jewels is about discipline and architecture. Practical steps include:
- For Active Directory: Disable NTLMv1, enforce signing, monitor for Kerberos anomalies, protect LSASS with Credential Guard, and collect DC logs.
- For Privileged Access: At minimum, enforce MFA for all admin accounts and consider implementing Just-in-Time elevation with a Privileged Access Management (PAM) solution. For greater maturity, require Privileged Access Workstations (PAWs) to separate admin tasks from everyday use.
- For File Shares: Apply least-privilege permissions, use Access-Based Enumeration, and enforce SMB signing and encryption. Block legacy SMBv1 entirely.
- For Backups: Never domain-join backup servers; keep backup networks isolated; and follow the 3-2-1-1-0 rule: maintain 3 copies of data on 2 different media, with 1 offsite, 1 immutable or air-gapped, and 0 errors verified through regular restore testing.
- For Virtualization: Keep vCenter/Hyper-V management on dedicated networks, enforce MFA/RBAC, and monitor for suspicious mass VM or snapshot activity.
- For Network Design: Eliminate flat architecture. User devices should never have direct access to domain controllers, backups, or hypervisors.
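The Active Directory, file-share and privileged-access items above map to a handful of documented Windows settings, so they can be audited rather than taken on trust. The function below is an added example, not from the original post: it reads those settings on the local host and reports pass/fail. It assumes an elevated session and the SmbShare module (Windows 8 / Server 2012 and later); the LDAP signing line only appears on a domain controller.

```powershell
# Added example (not from the original post): local audit of the hardening items listed above.
# Run elevated. Roll the settings out with Group Policy rather than editing hosts by hand.

function Get-RegistryValueOrDefault {
    param([string]$Path, [string]$Name, $Default)
    # Missing value -> the documented default for that setting (supplied by the caller).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return $item.$Name
}

function Test-DomainHardening {
    [CmdletBinding()]
    param()

    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $wks  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

    $smb = Get-SmbServerConfiguration

    # Credential Guard reports through the DeviceGuard WMI class: 1 in SecurityServicesRunning = running.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $credGuard = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)

    $findings = @(
        # LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLMv1; unset means 3 on Windows 7 and later.
        [pscustomobject]@{ Control = 'NTLMv1 refused (LmCompatibilityLevel = 5)'
                           Actual  = [int](Get-RegistryValueOrDefault $lsa 'LmCompatibilityLevel' 3); Expected = 5 }
        [pscustomobject]@{ Control = 'SMB server signing required'
                           Actual  = [int]$smb.RequireSecuritySignature; Expected = 1 }
        [pscustomobject]@{ Control = 'SMB client signing required'
                           Actual  = [int](Get-RegistryValueOrDefault $wks 'RequireSecuritySignature' 0); Expected = 1 }
        [pscustomobject]@{ Control = 'SMB encryption enabled'
                           Actual  = [int]$smb.EncryptData; Expected = 1 }
        [pscustomobject]@{ Control = 'SMBv1 disabled'
                           Actual  = [int](-not $smb.EnableSMB1Protocol); Expected = 1 }
        # RunAsPPL 1 or 2 (2 = UEFI-locked) both mean LSASS runs as a protected process.
        [pscustomobject]@{ Control = 'LSA protected process (RunAsPPL)'
                           Actual  = [int]((Get-RegistryValueOrDefault $lsa 'RunAsPPL' 0) -ge 1); Expected = 1 }
        [pscustomobject]@{ Control = 'Credential Guard running'
                           Actual  = [int]$credGuard; Expected = 1 }
    )

    # LDAP signing applies only on domain controllers (NTDS key present); 2 = require signing.
    if (Test-Path $ntds) {
        $findings += [pscustomobject]@{ Control = 'LDAP server signing required (LDAPServerIntegrity = 2)'
                                        Actual  = [int](Get-RegistryValueOrDefault $ntds 'LDAPServerIntegrity' 1); Expected = 2 }
    }

    foreach ($f in $findings) {
        $status = if ($f.Actual -eq $f.Expected) { 'PASS' } else { 'FAIL' }
        $f | Add-Member -NotePropertyName Status -NotePropertyValue $status -PassThru
    }
}

Test-DomainHardening | Format-Table Control, Expected, Actual, Status -AutoSize
```

Each FAIL line has a Group Policy counterpart ("Network security: LAN Manager authentication level" for NTLMv1, "Microsoft network server/client: Digitally sign communications (always)" for SMB signing) and SMBv1 can be removed with `Set-SmbServerConfiguration -EnableSMB1Protocol $false` or `Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol`. Credential Guard is not supported on domain controllers, so treat that line as informational there, and run the audit again after the policy refresh to confirm the change landed.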
The ransom note isn’t the beginning of a ransomware incident. It’s the end of a campaign that may have been unfolding for weeks. By then, the attackers may already have your domain, your backups, and your hypervisors under control.
That’s why ransomware is no longer just an availability issue, it’s a resiliency issue. If your crown jewels aren’t isolated and hardened, restoration may be impossible, leaving your only option on the table: paying the ransom.
The organizations that recover quickly are the ones that treat AD, backups, and virtualization like critical infrastructure, isolate them from compromise, and build recovery paths attackers can’t touch. Anything less is leaving the keys under the mat.
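Counting copies against the 3-2-1-1-0 rule in the list above is easy to get wrong when, for example, the offsite tape set exists but has never been restore-tested. The function below is an added example, not from the original post: it scores a constructed backup inventory against each of the five numbers. In practice the inventory and the restore-test results would be exported from the backup platform's job history.

```powershell
# Added example (not from the original post): score a backup inventory against 3-2-1-1-0.

# Constructed inventory; a real one would come from the backup platform.
$inventory = @(
    [pscustomobject]@{ Name = 'Primary disk repo';  Media = 'disk';  Offsite = $false; Immutable = $false; AirGapped = $false
                       LastRestoreTest = [datetime]'2025-01-10'; RestoreErrors = 0 }
    [pscustomobject]@{ Name = 'Object-lock bucket'; Media = 'cloud'; Offsite = $true;  Immutable = $true;  AirGapped = $false
                       LastRestoreTest = [datetime]'2025-01-12'; RestoreErrors = 0 }
    [pscustomobject]@{ Name = 'Offsite tape set';   Media = 'tape';  Offsite = $true;  Immutable = $false; AirGapped = $true
                       LastRestoreTest = $null;                    RestoreErrors = $null }
)

function Test-BackupRule32110 {
    param(
        [Parameter(Mandatory)][object[]]$Copies,
        [datetime]$AsOf = (Get-Date),      # evaluation date, so restore-test age is reproducible
        [int]$MaxTestAgeDays = 30          # a restore test older than this no longer counts
    )
    # "0 errors" means every copy had a restore test inside the window and that test reported no errors.
    $unverified = @($Copies | Where-Object {
        -not $_.LastRestoreTest -or
        ($AsOf - $_.LastRestoreTest).Days -gt $MaxTestAgeDays -or
        $_.RestoreErrors -ne 0 })

    $checks = [ordered]@{
        '3 copies of the data'           = ($Copies.Count -ge 3)
        '2 different media types'        = (@($Copies.Media | Select-Object -Unique).Count -ge 2)
        '1 copy offsite'                 = (@($Copies | Where-Object { $_.Offsite }).Count -ge 1)
        '1 copy immutable or air-gapped' = (@($Copies | Where-Object { $_.Immutable -or $_.AirGapped }).Count -ge 1)
        '0 errors: every copy restore-tested within window' = ($unverified.Count -eq 0)
    }
    [pscustomobject]@{
        Compliant  = -not ($checks.Values -contains $false)
        Checks     = $checks
        Unverified = @($unverified.Name)
    }
}

$report = Test-BackupRule32110 -Copies $inventory -AsOf '2025-01-15'
$report.Checks.GetEnumerator() | ForEach-Object { '{0,-52} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' }) }
"Compliant: {0}; copies needing a restore test: {1}" -f $report.Compliant, ($report.Unverified -join ', ')
```

With the sample inventory the first four numbers pass and the "0 errors" check fails on the tape set, so the report is non-compliant even though three copies exist, which is exactly the gap behind the one-in-three restore failures cited earlier. The function only scores the copies it is given; whether the backup server itself is domain-joined or on a flat network is a separate architectural check.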
The Best Defense: How to Prepare for a Ransomware Attack Today
When talking about security or real-life attacks, the focus naturally tends to be on the things that went wrong. Security reports look at the most common “ways in” or new potential exploits.
In a sense, the things that can go wrong – from simple human errors to bad luck – are infinite. It is actually simpler to look at the day-to-day best practices that also reduce your likelihood of attack and increase how fast you can recover.
Have a Call List
One of the most difficult aspects of incident response is that people don’t know whom to call or who is in charge.
The key stakeholders in a response may vary depending on your organizational structure, the location of the incident, or even the type of incident. This is a good starting point, where there may be additional roles that you need to include for your operations and others that may not be as relevant:
- Local resources who can be onsite to deal with system and hardware issues
- Facilities managers
- In-house legal teams
- Executive leadership, including any IT managers and possibly senior leadership, the C suite, or the board of directors
- Business and cyberinsurance companies
- Points of contact for vendors and service providers, both for IT and for operations
Your contact list should also be loosely ordered, so that you contact the people who will have active roles (like local IT resources and IT managers) first, while groups that need to be informed or have follow-up tasks can be dealt with later. It’s also a good idea to have backup contacts wherever possible, in case incidents occur during holidays or when key people are unavailable.
Keep It Clean
The best security practice is to make sure that general IT services are well-maintained. These include the basics:
- Changing default passwords on devices and services
- Regularly updating systems
- Immediately identifying and patching systems or hardware as CVEs are identified
- Scheduling regular backups that are stored offsite or in a separate cloud environment
That’s really just a starting point. Some of the more complicated aspects of a recovery come when the infrastructure and data are not well understood. Be familiar with and document every aspect of your infrastructure.
- Identify all datastores for all services, and what kind of data is stored there (particularly PII or confidential data)
- Identify and map all domains, cloud environment, physical systems, and hardware across your infrastructure. This can be extensive; the main thing is to know what general operating environments you have and to avoid shadow IT or deprecated environments.
- Identify dependencies across environments.
And the last part is to understand who (both users and machines) has access to your infrastructure and make sure that their access privileges reflect their role.
- Define different Active Directory domains for different operating environments and physical locations.
- Use role-based access control or similar approaches to restrict access to services unless necessary.
- Use operating system-level management to restrict permissions granted to processes (including containers or virtual machines).
- Set strong password requirements, including reasonable password expirations (not too long or too short).
- Look out for any smart devices, like security cameras, which may be connected to the network. Make sure that these are properly secured and updated.
Build a Team
Not every useful resource is going to be internal to your organization. One major example is cyberinsurance. The majority of organizations have cyberinsurance, and these companies usually include forensics teams and investigators as part of their coverage.
Also make sure that you have dependable and knowledgeable legal counsel (either in-house or a recognized partner). Legal help is invaluable in directly dealing with ransom or extortion demands, settling terms with the insurance company, and managing any obligations because of contracts or service agreements that are affected by the attack. Ideally, the legal counsel will be separate from your cyberinsurance company to ensure that you get unbiased advice.
If you are working with an MSP for IT services or an MSSP for security services, make sure that they have experience with cyberinsurance claims. We have been able to help clients before by being able to ensure they were compliant with the terms of their insurance and that they could appropriately document and substantiate their claims. We have seen claims get denied or coverage dropped because of how other service providers addressed an attack.
Anyone can be a victim of a security breach, and the odds are that you will be at some point. Good security is like good health. It is the result of continual good habits, maintenance, and awareness. This is what it means to build a security-aware culture.
And of course, if you need guidance or ideas for your incident response plan, you can always contact Thrive.
Analysis: What Goes Wrong Before a Ransomware Attack
The most powerful word in root cause analysis is why. Not just what happened, but why. If you trace it back a few steps, that can give a pretty good idea of all of the factors that fed into a difficult situation.
There are a lot of factors that go into allowing a successful ransomware attack. This echoes the simplified wheel of modern infrastructure – people, process, technology. By and large, attacks are not like in the movies, where some hacker pulls up a terminal and immediately starts knocking down firewalls and transferring money or data in a few minutes. An attack is usually slow and patient – IBM’s Cost of a Data Breach Report 2024 put the total dwell time as long as 292 days. An attack starts with compromised access to a single account, and then the attackers methodically hopscotch across systems and services, escalating privileges and identifying key assets, until the day they move on their targets.
The next blog in the series will focus on best practices, but for now, we’re going to look at the “worst” practices. Or, rather, the daily, common, routine little mistakes or missed fixes that provide opportunities to attackers.
People: Finding the Backdoor
The first step in an attack is just getting access. How do they get in? According to Verizon’s Data Breach Investigations Report 2024, there are three primary “ways in”:
- Compromised credentials (almost half of all attacks)
- Phishing (around 20%)
- Vulnerabilities in applications or hardware (also around 20%)
While phishing has decreased in frequency, it remains a major threat because of how fast it moves: according to Verizon’s report, in security awareness training it takes users only 21 seconds to click a phishing link and another 28 seconds to enter their credentials on a bogus site. That’s less than a minute for your entire infrastructure to be at risk.
Credentials can be compromised in any number of ways – and it may not be (only) people at risk. Gartner estimates that half of all compromised credentials belong to machine identities – so using easy-to-break or default passwords on cloud services, routers, and other parts of your infrastructure is just as risky as a user scribbling their password on a sticky note.
Technology: Finding the Weak Spots
For both compromised credentials and exploited vulnerabilities, the same three services are implicated:
- Web applications
- Desktop sharing software
- VPNs
While you can never completely eliminate human error (overall, 68% of all data breaches start with human error), the way that technology is being used plays a huge role in how effective an attack can be.
At some point, almost every data breach or ransomware attack takes advantage of a few different activities:
- Exploiting unpatched vulnerabilities
- Escalating privileges
- Accessing unsecured services
A huge part of security comes down to good systems admin practices. It is very hard to provide a robust enough external security technology if the systems within the infrastructure are not well maintained or designed.
We have seen a variety of different administrative errors in client environments:
- Using a single Active Directory domain rather than different domains for different physical locations as well as different operational areas (such as back office and site operations)
- Storing backup archives within the same domain as the regular systems
- Not enabling security features on hardware or services
- Not performing regular updates
- Not patching systems immediately after CVEs are released
- Not properly restricting or managing privileges or access to services
These are common mistakes or even just delayed admin tasks that we see all the time with clients, but each mistake offers another available pathway to attackers.
Process: Failing to Plan
Even with well-maintained systems, responsible employees, and good infrastructure design, the odds are that attackers will still be able to get into your infrastructure at some point. No person and no technology is perfect.
So what happens when an attack finally happens?
In a word: panic. An effective data breach is an existential risk to most organizations. What we have seen in previous attacks is that a lot of people just freeze. They don’t know whom to call or what steps to take, and they are overwhelmed with the potential fallout. So they just don’t do anything.
Inaction only makes attacks worse. It gives attackers room to operate.
A solid incident response plan is critical, and that plan then needs to be communicated and understood across the IT organization. An incident response plan can be simple, but it should be clear:
- Who needs to be called if something happens? This includes internal resources like the executive leadership and IT leads, but it also should include services providers, insurance companies, and possibly legal teams who can help both with the response and with any contractual obligations related to the attack.
- Who can help? Identify resources for each site so that people can be physically present to help reset and replace systems, including hardware if necessary.
- Where is everything? A lot of organizations have an incomplete view of where all of their data lives, what is backed up and where, and how those systems can be accessed.
- What matters most? What data is most critical for your operations, what services contain the most sensitive data? While systems with PII are obviously critical to protect, every organization has different priorities on what matters most, either from an operational or cultural perspective.
- What is the first step? As soon as an alert goes out – what is the very first thing that needs to happen? Having that clearly defined helps cut through the haze that can happen in an attack and can make it easier to act.
Missing the Goal
One thing to note is that a lot of organizations tend to focus on the wrong goal: not being involved in an attack. While good systems configuration and security practices are critical, they aren’t going to be able to stop every attack. The security of your infrastructure shouldn’t require a perfect shield.
Helping to set priorities is a key part of our incident response planning; reach out if you want more info.
Other posts in this series:
How Ransomware Attacks Are Changing
There are a lot of different types of malicious software (malware). Viruses and worms directly infect systems for a specific purpose. This can be stealing data or credentials, but it could be to perform any kind of unauthorized tasks. Older malware could hijack a system to try to mine for cryptocurrency; one highly specific virus was spread benignly across the world until it hit Iranian uranium centrifuges and caused them to malfunction.
Ransomware functions a little differently. Unlike passive attacks, ransomware targets a specific organization (usually through stolen credentials) and then plants an executable that begins disabling security systems and encrypting data. They then follow up with a ransom demand in exchange for access to the data.
Changing Targets and Goals
As with all technology, ransomware is evolving. The first generations of ransomware were specialized and sophisticated pieces of software and required both skilled developers and skilled hackers to take advantage of access. Because of the effort of creating ransomware, early attacks were done by closed, organized groups. Attacks were focused on large enterprise or high-value organizations such as hospitals, government departments, and banks – organizations with large amounts of sensitive data and very deep pockets to pay substantial ransoms.
That trend is definitely shifting. Looking at Thrive’s customer base and incidents over the past year, manufacturing and logistics companies are 7.5 times more likely to be attacked by ransomware than financial services or health care organizations.
On one hand, large enterprises remain a major target because of the likelihood of getting a large payout. The average ransomware demand in 2020 was $200,000; in 2024, it had skyrocketed to over $5 million. However, midmarket organizations typically face smaller payouts, both from slightly smaller demands and from being more likely to try negotiations. In 2020, they were paying as little as $5,000 on average; in 2024, it was over half a million dollars.
There has also been a shift in the different ways that attacker groups extort money.
- The original extortion tactic was to encrypt key databases or servers and then demand payment for decryption information or access.
- Increasingly, groups are extorting to prevent the release of sensitive information, from employee and client data to patents and confidential information.
And of course, most groups want payments for both.
Changing Technology
The tactics of ransomware attacks are changing because the technology of ransomware is changing. Over the past five years or so, ransomware has shifted from custom, installed software created by underground groups into software-as-a-service. Relatively unsophisticated criminal organizations can partner with ransomware providers to run attacks – frequently working on a commission basis.
New types of ransomware emerge routinely, but there are three ransomware groups that have consistently been at the heart of most ransomware attacks since 2022, at least looking at our Thrive customer base.
Retro Groove: Akira
The main hallmark of Akira is its intentionally retro styling: it has an 80s-style command-line interface (CLI) which appears on affected systems.
Akira tries to avoid detection by using legitimate tools to run processes. It uses different encryption methods for keys and files to make it harder to decrypt, and it stops itself from running in analysis tools to make it harder to reverse engineer. Stolen data files are uploaded to torrent sites.
Unlike other types of ransomware, Akira targets almost exclusively small and medium-sized businesses. It presents demands both for restoring file access and for not leaking stolen data (double extortion) and usually has high ransom demands.
Akira usually exploits known vulnerabilities in VPNs to steal credentials for user accounts not using multi-factor authentication.
Game’s On: Play
Play ransomware is one of the oldest still running, having emerged in June 2022. Unlike Akira or RansomHub, it is a closed model rather than ransomware-as-a-service.
Part of what makes Play so ominous is that it uses very personal methods to communicate. Play attacks use a unique email address to communicate demands and are usually followed up with a phone call.
Play attacks can unfold relatively quickly because it uses intermittent encryption to process files very fast. Its executables usually boot into safe mode or use similar system tools to avoid endpoint detection and response (EDR) agents.
Play also makes it hard to identify binaries by using unique file hashes and names for every attack.
Convenient Affiliate Program: RansomHub
RansomHub is one of the newer ransomware operations, emerging in early 2024. One of the “coolest” things about RansomHub is its financial model. RansomHub is a ransomware-as-a-service that runs a user-friendly affiliate program. Users can prepay for advanced support or customization and can select different levels for commission rates. As with other types of ransomware attacks, RansomHub has the double-extortion model, both for data files and for preventing data leaks.
RansomHub borrows some of the techniques of other ransomware, such as intermittent encryption and disabling EDR and security services. It uses simple but effective ways to cover its tracks, like password-encrypting its configuration files and erasing Windows event logs. RansomHub isn’t selective in what systems it hits – anything on the network, from mainframes to laptops – can be affected.
RansomHub uses malicious plugins in browsers to deliver its payload, and from there, it exploits unpatched systems.
What Makes You Vulnerable
One attack type, years ago, involved a group that would hack a user account at a bank, but then go and physically watch that person performing their duties. They would figure out that person’s normal processes and access, imitate that, and then slowly ramp up until they had admin access and could dump money from an ATM. This was usually not caught by IT; it would come out after auditing the cash reserves in the ATMs.
That’s not a “ransomware” attack, but it perfectly lays out the same pattern of account exploitation and privilege escalation.
Many customers don’t think they’re big enough or public enough to catch the attention of attack groups, and that leads them to be lax in their typical system maintenance. I consistently see the same pathways to an attack:
- Brute-forcing VPN or firewall access
- Exploiting unpatched vulnerabilities on hardware and systems
- Taking advantage of weak credential requirements for accounts
- Escalating privileges through poor domain and permissions management for applications and processes
And that’s really the moral of security: security starts with good system administration practices. After that, the key areas for security process planning are:
- Defining an incident response plan
- Managing data security
- User security policies and training
Other posts in this series:
Autopsy of a Ransomware Attack
Early in 2025, a Thrive customer noticed something odd. One seemingly innocuous CPU spike was the first indicator of a problem that could have potentially destroyed an entire multi-state manufacturing company.
The Background Before the Attack
This company (Example Corp, for anonymity) had been a Thrive customer for a while. In the spring of 2025, they were using Thrive for managed services, including performance and event monitoring, but were using their internal teams for MDR and security services. The customer is headquartered in Florida but has other major operations hubs throughout the southeastern United States.
Manufacturing and logistics are often heavily reliant on proprietary operational technology (OT) that’s hard to secure and often lacks comprehensive security monitoring. Many organizations integrate OT into their IT networks without proper segmentation, increasing the risk of devastating impact should either side be breached. Combined with limited IT resources, fewer cybersecurity regulations, and low downtime tolerance, this makes them highly likely to be targeted by ransomware, no matter the size of the organization. Thrive’s intelligence shows manufacturing, construction, and logistics are targeted 7.5 times more than financial services by ransomware groups like RansomHub, Akira, and Play. This mix of weak defenses and high impact makes manufacturing a prime ransomware target.
Thankfully, that wasn’t the case at Example Corp. Their CTO had a strong grasp of the internal environment and knew exactly what was needed—phase by phase—to bring operations back online quickly. He also leaned heavily on Thrive’s deep expertise in incident response and threat actor behavior to avoid common pitfalls, ensure a secure restoration, and remediate any potentially lingering threats. With 24/7 support from Thrive, his disciplined leadership and reliance on proven best practices were critical to saving Acme that day in February.
The Attack
Early on Friday morning, the Thrive event management team noticed an atypical CPU spike on a server. Since it was very early in the morning – hours before the start of the workday – the Thrive team decided to check on what was going on.
The Thrive team discovered that the CPU usage was coming from an abnormal process, and they called in the Thrive security team to take a look (even though, at the time, the customer wasn’t using Thrive for security services). The security team recognized ransomware executables and shut down the server immediately to try to limit the scope of the attack.
Thrive also began trying to contact the CTO and other IT points of contact, which took almost an hour. In that time, Thrive had begun isolating affected systems and using forensic tools to identify the extent of the attack. Thrive had also attributed the damage to a specific threat actor. After learning of this attribution and the impact details provided by Thrive, the client engaged their cyberinsurance provider. The forensics team assigned through the insurer decided to use the data already collected by Thrive to conduct their investigation. This allowed them to begin their analysis quickly and supported a rapid restoration without introducing further delays.
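The first-indicator logic described above, as an added example that is not part of the original post and not Thrive’s own tooling: a small triage routine over constructed process-CPU samples that flags spikes from processes outside a server’s baseline and ranks an off-hours spike from an unknown process highest. Host names, process names, the baseline and the thresholds are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Sample:
    ts: datetime      # time the agent took the sample (local time)
    host: str
    process: str      # image name reported by the monitoring agent
    cpu_pct: float    # share of total CPU used by that process

# Constructed baseline: processes expected to burn CPU on each server.
# Host and process names are hypothetical.
BASELINE = {
    "fileserver01": {"System", "svchost.exe", "MsMpEng.exe"},
}
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59; before this the workday has not started
CPU_THRESHOLD = 60.0           # percent of total CPU; tune per server role

def triage(samples):
    """Return alerts for CPU spikes worth a human look; the most urgent are tagged 'high'."""
    alerts = []
    for s in samples:
        if s.cpu_pct < CPU_THRESHOLD:
            continue                                  # not a spike at all
        known = s.process in BASELINE.get(s.host, set())
        off_hours = s.ts.hour not in BUSINESS_HOURS
        if known and not off_hours:
            continue                                  # expected process at an expected time
        # An unknown process spiking hours before the workday is the pattern in the write-up.
        severity = "high" if (not known and off_hours) else "medium"
        alerts.append({
            "when": s.ts.isoformat(), "host": s.host, "process": s.process,
            "cpu_pct": s.cpu_pct, "known": known, "off_hours": off_hours,
            "severity": severity,
        })
    return alerts

# Constructed telemetry for one Friday; nothing here is real data.
SAMPLES = [
    Sample(datetime(2025, 2, 14, 3, 12), "fileserver01", "MsMpEng.exe", 72.0),   # AV scan at night
    Sample(datetime(2025, 2, 14, 3, 40), "fileserver01", "tmp_4f2a.exe", 95.0),  # unknown, pre-dawn
    Sample(datetime(2025, 2, 14, 3, 50), "fileserver01", "svchost.exe", 12.0),   # below threshold
    Sample(datetime(2025, 2, 14, 10, 15), "fileserver01", "svchost.exe", 65.0),  # expected, daytime
    Sample(datetime(2025, 2, 14, 14, 5), "fileserver01", "updater.exe", 70.0),   # unknown, daytime
]

if __name__ == "__main__":
    for a in triage(SAMPLES):
        print(f"[{a['severity']:6}] {a['when']} {a['host']} {a['process']} {a['cpu_pct']}%")
```

A real deployment would build the baseline from weeks of agent data per server role rather than a hand-written set, and would feed “high” alerts straight to whoever can isolate the host.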
Timeline to Recovery
Example Corp did not have an incident response plan, but their teams had deep knowledge of their systems and domains, so once the Thrive and customer IT teams were able to connect, they started work on mitigating the damage and recovering their operations.
- Thrive and Example Corp held near-hourly standup calls to quickly address their most immediate actions and next steps, with everyone working collaboratively. These meetings were short and focused on completing tasks, removing roadblocks, and outlining next steps with clear timelines.
- They shut down any VPN tunnels and site-to-site tunnels between their five sites.
- Using the forensics tools, they began reviewing timelines and affected systems.
- Within the first hour, Thrive had confirmed there had been data exfiltration (stolen data) and had run a damage assessment. The attackers had tried to download lightweight assets like text files, documents, PDFs, spreadsheets, and images.
- Example Corp contacted their cyberinsurance agency, and they used the insights from Thrive to run a parallel investigation.
- Example Corp had people onsite at three of the five locations on the same day; the other two were restored remotely when the main site was restored.
The recovery went fairly smoothly. One of the affected systems was a virtual host, so all of the associated virtual machines had to be rebuilt; in addition, a couple of domain controllers were lost and had to be restored. Thrive rebuilt all affected servers and restored most data from backup with minimal loss.
The initial attack was sparked Friday morning; all five sites had been restored to full operations by Sunday afternoon. By contrast, other manufacturing businesses typically take 7-14 days to restore to full functionality.
What Went Right
Technology is only one part of the People – Process – Technology Framework. This customer had all three pillars in place long before their ransomware attack.

- Prepared team. Many organizations only think to call their service provider or cyberinsurance company and then wait to be told what to do. Example Corp didn’t have a formal incident response plan, but all of their IT personnel had a thorough understanding of their systems, services, and dependencies, as well as a full asset inventory. This allowed them to move very quickly, which ultimately minimized the damage.
- Effective communication and time management. Example Corp and Thrive teams were cohesive and worked very well together, across multiple states.
  - Held response team meetings every couple of hours
  - Limited length to less than 30 minutes
  - Focused only on what was new, what was next, and any blockers.
- Clear ownership. The CTO took ownership of critical internal systems. They also created a running, prioritized list of services and tasks in the background but worked to keep from overwhelming the team by only adding new actions as the current ones were completed.
- Solid system management and architecture practices. Example Corp had good IT practices in place, such as using separate Active Directory domains for different sites and services. They also had routine backups in a separate location, so no backup data were corrupted in the attack. These basic tasks made it possible to quickly replace and recover their systems.
- High level of urgency. This incident had the risk to collapse the company, but the entire customer team, from the CTO to the practitioners, was focused on the potential impact to their employees and customers. One of the potentially affected systems included payroll services, and their primary objective was to make sure everyone got paid on time.
What Were Their Next Steps
Example Corp came through the entire event unscathed, but the threat had truly been existential. They had several major business deals which would have failed had there been any disruption in operations for days, much less weeks.
Their CTO had already been talking with Thrive about switching their in-house security services, so the first changes that they looked at were in bolstering their security resources:
- Scheduled penetration testing and created a list of follow-up actions
- Bought advisory services for ongoing reviews and feedback on their processes and technology stack
- Migrated to Thrive’s MDR services
- Began drafting a formal incident response plan
One tenet of cyber resilience is that it is wasted effort to try to prevent all attacks. It is a much more strategic decision to focus on security technologies that allow greater visibility into systems, solid IT practices, and well-trained and committed teams. That allows you to recover quickly, no matter what happens.
You can find out more about Thrive’s disaster recovery services or contact Thrive for a chat. You can also check out our on-demand webinar on cybersecurity tech trends.