Security awareness

5 ways to prevent APT ransomware attacks

Bianca Gonzalez
January 30, 2023 by
Bianca Gonzalez

Advanced persistent threat (APT) groups have turned ransomware campaigns into an effective business model. In this episode of Cyber Work Applied, Infosec Principal Security Researcher Keatron Evans shows you how to slow down APTs.


APT groups and ransomware


Learn five ways to prevent your organization from becoming the next ransomware victim in this video. Then check out Keatron's free report, The ransomware paper: Real-life insights and predictions from the trenches.

Cyber Work listeners get free cybersecurity training resources. Click below to get your free courses and other materials.


Free Cybersecurity Training


How to prevent ransomware attacks


Below is the edited transcript of Keatron’s APT ransomware attack prevention walkthrough.


What are APT groups?


(0:00-0:29) Did you know that APT groups comprise some of the most elite hacking groups and hackers in the world? They range from small businesses created specifically to profit from stealing data and breaking into organizations to being units of some of the world's most powerful military and intelligence organizations.

Let's break down how they work, why they're so surgically effective and how their involvement in ransomware campaigns has made them nearly unstoppable.

Two year's worth of NIST-aligned training

Two year's worth of NIST-aligned training

Deliver a comprehensive security awareness program using this series' 1- or 2-year program plans.


How do APTs operate?


(0:30-0:54) Advanced persistent threats, or APTs, operate in some cases just like a Fortune 500 corporation or in other cases, the same way as a well-oiled, perfectly disciplined military unit.

Well, in some cases, they actually are military units, and some of them are actually small corporations. It's no secret that most countries with the capability and the budget to engage in offensive hacking indeed have organized groups.


How ransomware has evolved


(0:55-1:57) When ransomware initially became a thing that we had to deal with in the industry, it was mostly the results of wide-cast nets that snagged anyone vulnerable. They were looking for blanket payments, usually in small amounts to increase the likelihood that people would pay.

But what we're seeing now is that ransomware operators are spending more and more time in organizations doing significant recon to discover things such as whether the organization has ransomware or cybersecurity insurance. There's even been a few cases where they went as far as to find out how much the insurance policy paid out and then simply demanded that exact amount in ransom.

Once these groups get ahold of critical files, they are encrypted to the point that makes it virtually impossible for the victims to read their own files without getting the encryption key from the ransomware operator. Most victims are left to either pay the ransom or restore everything from backups. To make matters worse, these groups are now adding the additional habit of threatening to leak stolen inside information to the public if the ransom is not paid.


Ransomware dwell time is 100 days


(1:58-2:17) Keep in mind some of these recon operations that happen before the ransomware is actually launched could last weeks — or even months in some cases. The average time for an intruder to be inside a network before they're detected, what we call dwell time, is about 100 days. This is a lifetime for a skilled hacker to find everything they're looking for.


5 ways to mitigate ransomware attacks


(2:18-2:23) Here are five things you can do to help prevent ransomware attacks and mitigate the damage if they are successful.


1. Have good regular data backups


(2:24-2:36) Make sure you have good regular backups of all your important data. Most importantly, test those backups.

Not only will this likely save your organization, but it will give your incident response teams options.


2. Keep systems updated and patched


(2:37-2:46) Keep all your systems up-to-date and patched.

One of the most common methods of deployment is still via exploitation through unpatched vulnerabilities.


3. Conduct regular phishing tests to educate users


(2:47-2:57 ) Conduct regular phishing tests and keep your users educated.

Social engineering is still at the top of the list of ways ransomware operators get inside.


4. Be vigilant in segmenting your network


(2:58-3:12) Be vigilant in segmenting and segregating your network.

One of the primary goals of ransomware operators is to spread as quickly as they can internally. The more localized you can keep the attacks, the less damage they will usually cause.


5. Disable remote protocols


(3:13-3:24) Disable remote management protocols like Microsoft RDP when it's not needed.

Doing these five things should slow down APT groups as they attempt to infiltrate your organization.

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.


More cybersecurity training resources


Want more free resources? Check out the weekly Cyber Work Podcast for in-depth conversations with cybersecurity practitioners and industry thought leaders.

Cyber Work listeners also get other free cybersecurity training resources. Check out the latest free courses and resources to keep learning!


Free Cybersecurity Training

Bianca Gonzalez
Bianca Gonzalez

Bianca Gonzalez is a writer, researcher and queer Latina brain cancer survivor who specializes in inclusive B2B insights and multicultural marketing. She completed over 400 hours of community service as a college student.