header image

Timing Is Everything: Return to Work & The Lurking Threat of Ransomware

Lukas Weber 2 July 2020
2 July 2020    Lukas Weber


In our latest report, we examine a cyber incident from the perspective of several key stakeholders.

Download Report

Ransomware as a double-edged sword

Ransomware payments increased by an average of 33% to $111,000 in the first quarter of 2020 relative to the last quarter of 2019, demonstrating that ransomware continues to be an attractive weapon in the arsenal of organised criminal groups. Historically, victims of ransomware have been primarily concerned with the operational consequences of victims being unable to access – and potentially losing – their data. However, in the first half of 2020, an emerging trend of data exfiltration has seen ransomware become a double-edged sword. With data exfiltration, the threat actor extracts sensitive data from a victim’s network and later threatens to release it publicly unless a ransom is paid. Victims of ransomware are therefore having to grapple not only with the possible loss of their data, but the operational, reputational, and legal ramifications of this data being publicly disclosed or sold for future exploitation. In fact, some threat actors have started asking for two ransoms – one for releasing the victim’s data, and the other for refraining to publish or sell it on.

Ransomware payments increased by an average of 33% to $111,000 in the first quarter of 2020 relative to the last quarter of 2019

Setting the scene

More than three quarters of ransomware incidents stem from phishing and brute force attacks against Remote Desktop Protocol (RDP), a protocol that allows users to connect to another computer over a network connection. With RDP attacks increasing by more than 85% between December 2019 and the end of April 2020, it is fair to say that organised criminals have been working hard during the lockdown period, attempting to gain footholds in vulnerable organisations. This assessment is further supported by the 660% spike in phishing attacks observed since the end of February 2020.

The COVID-19 pandemic set the conditions for attackers to increase the success rate of their phishing campaigns, taking advantage of employees spending more time online and experiencing heightened levels of anxiety, rendering them more susceptible to clicking on phishing emails. Indeed, in April 2020, 60% of all advanced spear-phishing attacks blocked by Darktrace, an organisation specialising in cyber threat detection, either related to COVID-19 or aimed to trick employees by referencing remote working practices.

Any team is as strong as its weakest link

In managing the closure of offices globally, many information security teams will have been forced to compromise on security controls in a trade-off to facilitate a smoother working-from-home experience. This is despite the fact that company exposure to online threats has risen as employees have spent more time interacting online, using personal devices, and using unapproved personal applications. Furthermore, the economic impacts of COVID-19 have also forced many organisations to reduce the sizes of their workforce, including shrinking the sizes of their IT security teams. Smaller teams has meant that there have been fewer eyes to monitor security alerts.

Combined, it is clear the fallout from the pandemic has made organisations more vulnerable to cyber attacks. Given the increasing profitability of ransomware, the ease with which it can be deployed, and the surge in RDP and phishing attacks during the extended lockdown period, as companies return to the office and a ‘new normal’ ensues, they are not yet out of the woods.

Patience is a virtue

The average dwell time – the time between the first occurrence of a compromise and its detection – increased by approximately 10 days to 95 days in 2019  (although the average dwell time is around 60 days when breaches with dwell times of greater than one year are excluded). This increase can be attributed, in part, to “big game hunting”, attacks that focus on high-value data or assets within organisations that are especially sensitive to downtime and more likely to pay a larger ransom. The longer dwell time means that attackers are now applying countermeasures that allow them to “live off the land – by remaining undetected for longer they have additional time to perform deeper reconnaissance and exfiltrate more data.

“Big game hunting” is a type of attack that focuses on high-value data or assets within organisations that are especially sensitive to downtime and more likely to pay a larger ransom.

With this in mind, it is likely that many organisations that were infiltrated during the lockdown period – when they were most vulnerable to attack – do not yet know it. Due to reduced monitoring capabilities, it is entirely possible that attackers have remained undetected in organisations’ networks, waiting for the perfect time to strike. Ultimately, the objective of an organised criminal group is to maximise its profits. Attackers may have been holding off on deploying ransomware simply because they feel that organisations didn’t have the cash flow reserve to pay out during COVID-19.

Another way to increase the likelihood of a business paying a ransom is by maximising the ransomware’s impact on the targeted business. One tactic for achieving this is to ensure that the ransomware spreads across as much of the victim’s network as possible. However, spreading the ransomware in this way typically requires access to highly privileged credentials or administrator accounts.


Technically Speaking: Tactics for Spreading Ransomware Through a Network

A common propagation technique involves using native Microsoft tools to launch processes on other systems, which requires special privileges that are only granted with administrator accounts. An alternative (and also commonly observed) technique uses Active Directory Group Policy (ADGP), which provides centralised management of operation systems and applications in most environments, to schedule tasks – such as the installation of ransomware – within an organisational domain. This provides malware with the ability to write to all computers and users in an organisation, rendering the technique the perfect native delivery vehicle to reach an entire organisation. However, depending on the victim’s IT policy, ADGP can usually only be edited by highly privileged accounts, known as “Domain Admins” or “Enterprise Admins”, which are difficult to come by.


Once an attacker establishes a foothold in an organisation through the compromise of a device, they will typically perform reconnaissance to get a feel for the lay of the land. This involves moving laterally through the network, locating critical servers, compromising more devices, and harvesting user credentials (with the objective of obtaining privileged credentials).

The longer the dwell time, the more time an attacker has to enumerate file shares and exfiltrate additional data, which can be used to leverage a larger ransom or simply sold on the dark web.

It is possible that due to the reduction in the size of IT teams, fewer IT administrators have been logging in to devices to perform administrative tasks during the lockdown period. This would make privileged credential harvesting more challenging for attackers. However, as teams rebuild and return to work, these opportunities will present themselves again and the likelihood of a successful privileged credential harvesting attack will become significantly more likely for attackers that have compromised a network and are eagerly waiting for an IT administrator to sign in. Furthermore, as the economy begins to recover, organisations will have more cash available to pay ransoms. Threat actors who achieved initial access during lockdown may therefore be highly incentivised to lurk undetected until they are able to maximise the impact of a ransomware attack – by exfiltrating more data and compromising privileged credentials.

Increasing dwell time, the emergence of big game hunting, and a reduction in organisational IT activity imposed by COVID-19 are likely to contribute to a rise in ransomware cases as businesses ease out of lockdown.

Focus on prevention

The most effective form of defence is prevention. Here are six questions to help your organisation reduce the likelihood of a successful ransomware attack:

  1. Have your employees been made aware of the risk from phishing and clicking on suspicious links?

Generating a strong security awareness culture and enhancing the vigilance of employees within your organisation can be achieved by regularly providing phishing training and information on the latest campaigns being used by attackers.

  1. Do you have systems in place to monitor or block employees accessing malicious files or links?

Implementing technical controls to help prevent phishing and other social engineering attacks is imperative. This can be achieved by quarantining suspicious emails or blocking access attempts to potentially malicious websites.

  1. Has RDP been secured with Multi Factor Authentication (MFA) and a Remote Desktop (RD) gateway?

Enforcing MFA on RDP services significantly reduces the likelihood of a successful brute force attack, given the additional steps an attacker would have to go through to gain access. Implementing an RD gateway enables users to connect using a secure encrypted connection and acts as an intermediary, through which all traffic must traverse prior to reaching the resources, providing an additional layer of defence.

  1. Do you have systems in place to monitor your IT estate?

Monitoring suspicious activity on your estate can provide the tell-tale sign that an intrusion has occurred, and an attacker is inside your network. Ensuring the correct process is in place for security teams to manage alerts and prevent suspicious activity from falling through the cracks is vital to detecting malicious behaviour.

  1. Has access to privileged accounts been locked down?

Securing key accounts through the use of Privileged Access Management (PAM) solutions makes the life of any attacker significantly more challenging, given the additional systems they would need to comprise in order to harvest the credentials of these accounts. Extra care must be given to monitor the use of privileged accounts through auditing activity. 

  1. Do you have secure offline backups that are tested regularly?

Preventing a cyber security incident is not always possible and you should maximise the chances of getting your operations back up and running as quickly as possible in the event that your organisation falls victim to a ransomware attack. Maintaining secure offline backups which are regularly updated and tested facilitates a swifter recovery.

To discuss this article or other industry developments, please reach out to one of our experts.

Lukas Weber
Lukas weber Associate Email Lukas
Billy Gouveia
Billy gouveia Senior Managing Director, Cyber Security Email Billy


In our latest report, we examine a cyber incident from the perspective of several key stakeholders.

Download Report