What's Happening?

Consider These 10 Critical Steps to Prevent and Detect Ransomware Threats



Ransomware attacks are a serious and worsening global issue; they are often considered the top cyber threat facing businesses today [1]. The statistics are staggering:

  • Damages to businesses and organisations are expected to reach $20 billion in 2021 [2]
  • Global ransomware reports rose more than 715% from 2019 to 2020 [3]
  • The value of ransomware payments has increased 60% since 2019 [4]

Aon’s Cyber Security Risk Report found that ransomware is a crisis that will only get worse as threat actors continue to grow in sophistication and expertise. Ransomware attackers often operate with the discipline and approach of a legitimate traditional business, except with criminal intent. Fortunately, there are strategies companies can take to reduce the risk of falling victim to a ransomware attack.

It is critical for organisations to approach cyber risk exposure through the lens of risk mitigation, taking the necessary precautions to prevent and/or minimise the risk if an event takes place. “An organisation’s ability to secure cyber insurance is very much tied to its ability to mitigate cyber security risks such as a ransomware attack. This is achieved by having the correct controls in place. Most of South Africa’s local cyber insurers are either global players or have reinsurance provided for by a global reinsurer, which means that South African companies need to align their IT controls and practices to global standards, if they wish to transfer the risk off their balance sheet,” explains Zamani Ngidi, Cyber Solutions Client Manager at Aon South Africa.

Consider these ten technologies and processes to help prevent and detect a ransomware attack.

Each of these steps maps to a stage of how attackers gain access, spread through a network and deploy ransomware. While some are costly, proactively implementing them now can reduce the costs of business interruption, reputational damage, incident response and/or a ransomware payment.

  1. Phishing Awareness Training, to teach employees and end-users to spot phishing emails and their red flags, driving down clicks on the malicious emails many ransomware attackers use to gain a foothold in a network.
  2. Disabling Direct Internet Access to Remote Desktop, to prevent ransomware attackers from brute-forcing Internet-facing RDP services to gain entry into a network.
  3. Properly Configured URL Filtering and E-mail Attachment Sandboxing, to prevent malware contained in ransomware emails from executing or going unnoticed.
  4. An Advanced Endpoint Detection and Response (“EDR”) Solution, to detect and potentially quarantine ransomware and other advanced malware, and also to facilitate enterprise forensics in the event of an attack.
  5. An Advanced Malware Detection Tool that Inspects Network Traffic, to identify ransomware and other malicious packets or network traffic flowing over the wire.
  6. 16+ Character Service Account and Domain Admin Passwords, to stop ransomware operators and other attackers from cracking weak administrative passwords. Optimally, these passwords should be rotated regularly using a Privileged Access Management (PAM) tool. Attackers use cracked credentials to move laterally and deploy their ransomware.
  7. Lateral Movement Detection Tools. After gaining a foothold, ransomware actors typically move laterally using compromised IT credentials. Detecting that anomalous lateral movement normally allows the attack to be shut down before ransomware is deployed.
  8. A Properly Configured Security Information and Event Management (“SIEM”) Platform that aggregates event, security, firewall and other logs. Trying to respond to and recover from a ransomware attack without a SIEM is very difficult, as visibility through local, non-centralised logs is often poor.
  9. A Continuous Security Monitoring Function, providing round-the-clock monitoring and threat hunting over the collected logs and alerts.
  10. Locking Down Software Deployment and Remote Access Tools (such as SCCM, PDQ, and PsExec) to a small set of privileged accounts with multi-factor authentication where possible. Once they have secured elevated privileges, ransomware attackers typically commandeer SCCM/PDQ/PsExec accounts to push the ransomware executable across the network.
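Steps 7, 8 and 10 describe what a SIEM-backed lateral-movement detection actually has to do: notice one account authenticating over the network to many hosts in a short time, and notice a remote-execution tool such as PsExec installing its service on a host. The script below is an added example written for this page, not Aon's tooling or any vendor product. It assumes a simplified SIEM-style normalisation of Windows events (one dict per record with the field names shown; Security event 4624 is a successful logon, logon types 3 and 10 are network and RDP, System event 7045 records a newly installed service, and PsExec's default service name is PSEXESVC). The sample records are constructed for the demo, not real telemetry.

```python
"""Added example: lateral-movement and remote-execution detection over
constructed, SIEM-style Windows event records (illustrative, not Aon's code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). Field names are an
# assumption about how a SIEM might normalise Security/System events.
SAMPLE_EVENTS = [
    # alice: one local (type 2) and one network logon - normal admin day
    {"time": "2021-03-01T09:00:00", "host": "WS-01", "event_id": 4624,
     "user": "alice", "logon_type": 2, "source_ip": "-"},
    {"time": "2021-03-01T09:01:00", "host": "FS-01", "event_id": 4624,
     "user": "alice", "logon_type": 3, "source_ip": "10.0.1.20"},
    # svc_backup: four hosts in three minutes from one source - fan-out
    {"time": "2021-03-01T09:05:00", "host": "WS-07", "event_id": 4624,
     "user": "svc_backup", "logon_type": 3, "source_ip": "10.0.1.50"},
    {"time": "2021-03-01T09:06:00", "host": "DC-01", "event_id": 4624,
     "user": "WS-12$", "logon_type": 3, "source_ip": "10.0.1.112"},
    {"time": "2021-03-01T09:06:30", "host": "WS-12", "event_id": 4624,
     "user": "svc_backup", "logon_type": 3, "source_ip": "10.0.1.50"},
    {"time": "2021-03-01T09:07:10", "host": "DC-01", "event_id": 4624,
     "user": "svc_backup", "logon_type": 10, "source_ip": "10.0.1.50"},
    {"time": "2021-03-01T09:08:00", "host": "FS-01", "event_id": 4624,
     "user": "svc_backup", "logon_type": 3, "source_ip": "10.0.1.50"},
    # PsExec service appears on one of the hosts svc_backup reached
    {"time": "2021-03-01T09:09:00", "host": "WS-12", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": "C:\\Windows\\PSEXESVC.exe"},
    # a benign service install, should not be flagged
    {"time": "2021-03-01T09:30:00", "host": "WS-12", "event_id": 7045,
     "service_name": "Sysmon64", "image_path": "C:\\Windows\\Sysmon64.exe"},
    # bob: three hosts spread over 90 minutes - outside the default window
    {"time": "2021-03-01T10:00:00", "host": "FS-01", "event_id": 4624,
     "user": "bob", "logon_type": 3, "source_ip": "10.0.1.31"},
    {"time": "2021-03-01T10:40:00", "host": "WS-03", "event_id": 4624,
     "user": "bob", "logon_type": 3, "source_ip": "10.0.1.31"},
    {"time": "2021-03-01T11:30:00", "host": "DC-01", "event_id": 4624,
     "user": "bob", "logon_type": 10, "source_ip": "10.0.1.31"},
]

NETWORK_LOGON_TYPES = {3, 10}          # 3 = network (SMB/WMI/PsExec), 10 = RDP
REMOTE_EXEC_SERVICES = {"PSEXESVC"}    # PsExec's default service name


def _ts(s):
    return datetime.fromisoformat(s)


def detect_fan_out(events, window_minutes=10, threshold=3):
    """Flag accounts that log on over the network to at least `threshold`
    distinct hosts inside a sliding window. Returns
    {user: {"start": iso_time, "hosts": [sorted hosts]}}, keeping the
    widest window seen for each user. Machine accounts (name ends in "$")
    are skipped because they legitimately talk to many hosts."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for e in events:
        if e["event_id"] != 4624 or e["logon_type"] not in NETWORK_LOGON_TYPES:
            continue
        if e["user"].endswith("$"):
            continue
        by_user[e["user"]].append((_ts(e["time"]), e["host"]))

    alerts = {}
    for user, logons in by_user.items():
        logons.sort()  # chronological, so later entries never precede `start`
        best = None
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= threshold and (best is None or len(hosts) > len(best[1])):
                best = (start, hosts)
        if best is not None:
            alerts[user] = {"start": best[0].isoformat(), "hosts": sorted(best[1])}
    return alerts


def detect_remote_service_install(events, names=REMOTE_EXEC_SERVICES):
    """Return (host, service_name) for 7045 service-install events whose
    service name matches a known remote-execution tool."""
    return [(e["host"], e["service_name"]) for e in events
            if e["event_id"] == 7045 and e["service_name"].upper() in names]


def correlate(events, **fan_out_kwargs):
    """High-confidence finding: an account that fanned out across hosts,
    followed by a remote-exec service install on one of those hosts."""
    fan_out = detect_fan_out(events, **fan_out_kwargs)
    installs = detect_remote_service_install(events)
    return [(user, host, svc) for user, a in fan_out.items()
            for host, svc in installs if host in a["hosts"]]


if __name__ == "__main__":
    print("fan-out:", detect_fan_out(SAMPLE_EVENTS))
    print("remote-exec services:", detect_remote_service_install(SAMPLE_EVENTS))
    print("correlated:", correlate(SAMPLE_EVENTS))
```

On the constructed data the default 10-minute window flags only svc_backup (four hosts in three minutes), ignores the machine account and leaves bob alone; widening the window to two hours also catches bob, which is the tuning trade-off a monitoring team has to make between missed slow-and-low movement and noisy alerts on busy administrators. The correlation with the PSEXESVC install on WS-12 is the kind of combined signal that justifies an immediate account disable rather than a ticket.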


  1. "Ransomware is number one cyber threat this year" (article).
  2. 2019 Cyber Security Almanac, Cisco and Cybersecurity Ventures, 2019.
  3. Bitdefender, Mid-Year Threat Landscape Report 2020, p. 1.
  4. Coveware, Ransomware Marketplace Report, 3 August 2020.