Understanding & Defending Against Ransomware Attacks

What is Ransomware and How Does It Work?

Ransomware is a type of malware (malicious software) that encrypts a victim’s files or locks their computer, effectively rendering them inaccessible to the user. The attacker then demands a ransom payment in exchange for restoring access to the files or device.

Ransomware can infect a computer system through a variety of methods, such as malicious email attachments, fake software updates, or drive-by downloads from compromised websites. Once the ransomware is executed on a victim’s device, it can begin to encrypt files or lock the device.

The Different Types of Ransomware

There are several different types of ransomware, each with its own characteristics and methods of operation. Some of the most common examples include:

Encrypting Ransomware

This type of ransomware encrypts the victim’s files or data, making them inaccessible without a decryption key.

Locker Ransomware

This type of ransomware locks the victim’s computer or device, preventing them from accessing their files or using their device.


Scareware

This type of ransomware displays fake warnings or pop-ups on the victim’s device, claiming that their computer is infected with a virus or other malware. The victim is then prompted to pay for fake anti-virus software to remove the supposed threat.


Doxware

Also known as leakware or extortionware, this type of ransomware threatens to publish or leak the victim’s sensitive information, such as personal files or confidential data, unless the ransom is paid.

Mobile Ransomware

This type of ransomware targets mobile devices, such as smartphones or tablets, and can lock the device or encrypt its data.

RaaS (Ransomware-as-a-Service)

RaaS is distributed through a network of affiliates, who use pre-packaged ransomware kits to launch attacks in exchange for a percentage of the ransom payments.

Common Threat Vectors for Ransomware Infection

Some common sources that can often lead to a ransomware attack include:

  • Internet-Facing Vulnerabilities and Misconfigurations
  • Phishing
  • Precursor Malware Infection
  • Third Parties and Managed Service Providers

Signs of a Ransomware Attack and How You Can Detect It

Some common signs that may indicate a ransomware attack include:

Best Practices for Protecting Against Ransomware Attacks

Regularly Back Up Your Data

Back up your important data regularly, preferably on a separate device or in the cloud. This will allow you to restore your data in the event of a ransomware attack without paying the ransom.

Keep Your Software Up-To-Date

Keep your operating system, software, and applications up-to-date with the latest security patches and updates. Vulnerabilities in outdated software can be exploited by attackers to launch ransomware attacks.

Educate Employees

Educate employees about the risks of ransomware attacks and provide training on how to identify and avoid phishing emails and other common attack vectors.

Implement Access Controls

Implement access controls to limit access to sensitive data and resources, and consider using multi-factor authentication to add an extra layer of security.

Protecting Business Critical Applications Against Ransomware

Onapsis protects the application layer with the Onapsis Platform and serves as an essential part of our clients’ plans to protect their SAP and Oracle applications from ransomware:

  • Onapsis provides automatic visibility into critical vulnerabilities, missing important patches and security updates, and misconfigurations. Identifying all of these open doors is a crucial component of ransomware prevention. Once all possible entry points are identified, they can be closed or addressed, which reduces an organization’s attack surface.
  • Through continuous monitoring and real-time alerts, Onapsis helps monitor real-time attempts to access critical SAP and Oracle systems.
  • With code analysis prior to moving into production, and in transport, Onapsis can help identify malware or new vulnerabilities before they are released to the public. Code vulnerabilities may appear to be low risk, but we have seen examples like SolarWinds where a small risk can turn into a large security incident. Onapsis generally sees one critical vulnerability per 1,000 lines of code, but our clients generally have millions of lines of custom code. It’s important to close those open doors to prevent any access to business-critical systems.

Developing a Ransomware Incident Response Plan

Protecting against and preparing for ransomware can be challenging, but the most important best practice is to be prepared and have a plan. According to SANS, there are six steps to properly handle a security incident: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.

  • Preparation: Preparing for a security or ransomware incident begins with research of existing processes, who within the organization should have access to information, and who needs to be involved should an incident occur.
  • Identification: Identifying your most valuable data, where it is located, and how you will operate should this data be inaccessible is the next step.
  • Containment: Developing a plan for how you will contain a given security incident or ransomware attack is the next critical step.
  • Eradication: Planning for how your team will eradicate ransomware is another vital step in your incident response plan.
  • Recovery: If any sensitive or proprietary data was lost or encrypted, this step aims to recover that data and ensure it is no longer in the wrong hands.
  • Lessons Learned: What part of this response plan worked? What didn’t? This is the time to truly evaluate the effectiveness of your response plan and communication.

Annual Tabletop Exercises

CISA Tabletop Exercise Packages (CTEPs), for example, can be a starting point or foundation for your organization’s preparedness. Simulated ransomware attacks enable an organization to identify gaps in incident response plans. This can help not only the IT and security teams feel prepared, but also the board and other stakeholders. Practice and preparedness help teams be measured instead of chaotic in the event of an incident.

Steps Your Organization Can Take to be More Prepared for Ransomware

01. Review your incident response plan (or start developing one) and continuously evaluate whether it is sufficient should a security event arise.

02. Conduct tabletop exercises with stakeholders in your organization at least once a year.

03. Patch known & exploited vulnerabilities and address misconfigurations.

04. Establish visibility for your organization’s full attack surface and anticipate how threat actors may seek to take advantage of any weaknesses.

Steps Your Company Can Take to Recover from a Ransomware Attack

If your company has already fallen victim to a ransomware attack, CISA guidance recommends the following high-level steps to begin recovering:

01. Isolate Infected Systems: Immediately isolate infected systems from the network to prevent the ransomware from spreading to other devices.

02. Assess the Damage: Assess the extent of the attack and determine which systems and data have been affected. Conduct a thorough investigation to identify the source and scope of the attack.

03. Restore Data from Backups: Restore your data from backups, if available. Ensure that the backups are clean and do not contain any malware.

04. Implement Additional Security Measures: Implement additional security measures to prevent future attacks. This may include updating software, implementing access controls, and training employees on cybersecurity best practices.

05. Conduct a Post-Incident Review: Conduct a post-incident review to evaluate the effectiveness of your response and identify areas for improvement. Use this review to update your incident response plan and improve your security posture.
