Behind the Breach: How Ransomware Gets In

In the second of our of State of Ransomware series with Sophos, Brian Sibley, VCTO at Espria and Jon Hope, Cyber Security Evangelist at Sophos talk about what goes on behind the breach and how ransomware gets in.

In this episode the team explore the major technical and operational root causes that lead to ransomware incidents in the UK, why exploited vulnerabilities are the leading technical cause and what preventative strategies you can put in place. Don’t let your business become a statistic in the next State of Ransomware report.

This podcast episode delves into ransomware, exploring how it infiltrates organisations, its root causes, and the defence strategies for prevention. The discussion highlights the complexity of ransomware attacks, emphasising both technological vulnerabilities and human factors.

Ransomware attacks stem from multiple factors, with the most common cause being exploited vulnerabilities in software, accounting for approximately 32% of successful attacks. These vulnerabilities arise from known software flaws that cybercriminals exploit, often due to inadequate or delayed patching by organisations, influenced by limitations in resources and skills.

Human factors also play a significant role. Compromised credentials, often a result of social engineering tactics like fake help desk calls or fraudulent websites, represent another major vector. These attacks are difficult to detect because stolen credentials enable cybercriminals to log in legitimately, making the intrusion hard to distinguish from genuine user activity.

Phishing and malicious emails further contribute to ransomware entry points. These require user interaction and are becoming increasingly sophisticated due to the use of artificial intelligence (AI) by attackers. AI enables cybercriminals to craft convincing emails that mimic trusted brands, using appropriate language and branding to deceive recipients.

Despite awareness, organisations often struggle with vulnerability management due to operational challenges such as a lack of skilled personnel, insufficient time, and security gaps. Ransomware attacks can also expose previously unrecognised weaknesses within an organisation’s security posture.

Detection technologies face difficulties, particularly with attacks involving stolen credentials and sophisticated phishing. Logs generated by network devices contain valuable information about attack chains, including unauthorised access, lateral movement, data exfiltration, and file encryption. However, interpreting these logs requires skilled threat hunters and continuous monitoring, which many organisations lack due to resource constraints.

Platforms like Extended Detection and Response (XDR) and Security Information and Event Management (SIEM) systems help consolidate logs for analysis, but human expertise remains crucial to identify and respond to threats effectively. Managed Detection and Response (MDR) services offer a practical solution by providing round-the-clock monitoring and expert analysis without requiring organisations to hire full-time specialists.

The discussion underscores the value of human-led threat hunting combined with integrated security tools that provide a holistic view of an organisation’s security posture. Effective protection relies not only on endpoint security but also on data from various sources, including email systems and backup solutions.

Recovery planning, visibility into the IT estate, and early warning systems are critical components of a resilient cybersecurity strategy. Organisations should strive to detect and stop attacks before damage occurs, as recovery, while improving, is a last resort.

This podcast episode offers a comprehensive overview of ransomware infiltration methods, highlighting the interplay of technological vulnerabilities and human factors. It stresses the need for timely patching, user education, advanced detection technologies and human expertise in threat hunting.