On 20 March 2025, teissTalk host Thom Langford was joined by John Heaton-Armstrong, Experienced Cyber security Leader, Confidential; Edewede Oriwoh, Group IT and Cybersecurity Manager, Zigup Plc; and Seamus Lennon, VP of Operations, ThreatLocker.
Medusa ransomware has claimed over 40 victims in the first two months of 2025, including a confirmed attack on a US healthcare organization. This is almost twice the number of Medusa attacks observed in January and February 2024, according to new analysis by Symantec’s threat hunting team. The primary targets of ransomware attacks are healthcare, logistics and finance – some of them are soft targets, although that is a relative term. Criminals are also attacking their victims’ insurance policies rather than the companies themselves. Healthcare may be less mature in cyber security, but many healthcare institutions learnt the importance of robust controls through being attacked.
Today, criminals don’t even need the skills to carry out a ransomware attack; they can simply buy it from a ransomware-as-a-service provider. The Digital Operational Resilience Act in the EU has put the onus for security on the people at the top, requiring them to implement the right security solutions. As for the cost of protecting against ransomware, if you have the right security controls in place, those will cover you for these types of attacks as well.
But from a broader perspective, ransomware attackers run ahead of what is a realistic investment for businesses trying to keep up with them. Sometimes, even when all the necessary controls are in place to protect the business from ransomware attacks, it is an employee who nevertheless makes the network vulnerable. Companies can deploy ThreatLocker, a solution that changes the paradigm of endpoint security from a default “allow” to a default “deny.”
The purpose of testing is to identify areas where security needs improvement; testing worst-case scenarios that lead to the demise of the business therefore doesn’t make sense. Techniques to decrease the threat surface include micro-segmentation – cyber-attacks still overwhelmingly happen through unmanaged devices that are on the network. With 40,000 CVEs published last year alone, the security environment that businesses must operate in is getting rather complex. Zero days, originally the domain of nation states, are now used by other actors as well.
Access is key: in a Windows environment, every application that runs on the device has access to everything the user can access, which shouldn’t be the case. Uninstalling what you don’t need can go a long way. But simple devices such as Rubber Ducky USBs, which can emulate a keyboard to inject keystrokes into a computer, are easily available tools for criminals.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543