Safeguard Data Using Ransomware Behavioral Protection
Attivo Networks Blogs

Safeguard Data Using Ransomware Behavioral Protection

Safeguard Data Using Ransomware Behavioral Protection

Written By: Virkram Navali, Senior Technical Product Manager - Ransomware attacks keep showing up in daily cyber-threat bulletins. The State of Ransomware report from BlackFog shows a 17% increase in ransomware attacks in 2021 compared to 2020. The BlackFog’s reports also forecast a rise in ransomware attacks, and newer forms will become more sophisticated and disruptive.

Today’s ransomware attacks have many forms, often combining multiple advanced techniques with real-time attack activities. According to Verizon’s Data Breach Investigations Report 2021, 70% of complex malware attack types are of the ransomware variety.

Traditional ransomware attack types involve blocking users from accessing computer systems and encrypting files, then demanding a ransom from the victim. In modern double extortion ransomware attacks, cybercriminals steal data from victim networks before encrypting files. They subsequently threaten to publish the stolen data if the victims do not meet their demands.

Nation-state threat groups are typically interested in collecting corporate data and looking for different ways to steal and encrypt it. For example, Conti is a professional ransomware gang with a history of conducting discovery activities and moving laterally by querying the Active Directory (AD) to gather data. The gang started exploiting the recent Log4Shell vulnerability in their daily operations to inflict massive damage on business operations.

The Attivo Networks ThreatDefend® platform addresses modern-day ransomware attacks by including three layers of defense: identity compromise, privilege escalation, and lateral movement protection. Each plays a valuable role in detecting and misdirecting Conti and other ransomware attack activities.

Attivo Networks Anti-Ransomware Solution

The Anti-ransomware security feature comes with the Endpoint Detection Net (EDN) license, designed to monitor anomalous behavior and detect malicious activity in real-time. The Anti-ransomware feature consists of the following three modules.

1. The DataCloak function prevents ransomware from accessing critical data. It hides and denies attackers access to local files, folders, removable storage, network or cloud shares, local administrator accounts, and application credentials.

Ransomware operators may leverage file transfer utilities such as Rclone,, and StealBit tools. They use these tools to exfiltrate data for double extortion attacks. According to the Mandiant report, DARKSIDE Ransomware Operations have downloaded the file rclone.exe directly from Rclone downloads and exfiltrated hundreds of gigabytes of data (over SMB protocol) to the pCloud, a cloud-based hosting, and storage service.

Another incident came to light when the LockBit ransomware gang has breached a French defense and aerospace company, Thales. They have exfiltrated and demanded ransom before publishing stolen data. They claimed their fastest encryption software and offered a stealer named StealBit to download the victim’s data.

2. Behavioral-based detection leverages Machine Learning capabilities to identify and track suspicious ransomware behaviors. The solution detects Indicators of Compromise (IoC) such as encryption of files, folders, or decoys documents, entropy changes, file deletion, security product termination, shadow volumes deletion, etc. Defenders can mitigate ransomware by blocking all of its Input-output (I/O) operations and terminating the process.

The ransomware gang may enumerate files and directories from the victim’s endpoint to encrypt or exfiltrate the data files. The solution triggers high-fidelity alerts in alert and protection mode and prevents any suspicious process attempting to access files. It offers the highest level of data protection by hiding away critical data that ransomware gangs are trying to exploit shared resources, files, folders, and storage locations.

Cisco Talos Intelligence Group has also observed two trends emerging throughout 2021 in ransomware engagements: A proliferation of adversaries and an increased reliance on commercially available tools, open-source tools, and living-off-the-land binaries (LoLBins). Some of the most practical tools included are Cobalt Strike, ADFind, ADRecon, Bloodhound/Sharphound, PowerShell, etc.

3. Resilience against ransomware Incidents - Volume backup of endpoint applications and data provides options to take continuous backup of changes on the endpoint using native Microsoft tools. It prevents ransomware from deleting backup files created using Windows Volume Shadow Copy Service (VSS).

Attivo Networks’ concealment capabilities prevent ransomware operators from seeing or gaining access to information, files, and storage they could use to progress their attack with discovery, lateral movement, and privilege escalation activities.

Security Tips and Best Practices

Malicious activities can severely impact business operations, and ransomware attacks can damage an organization’s critical files, folders, removable drives, and mapped network or cloud shares. Applying security tips and following the best practices below can limit the damage.

  • Periodically conduct IT assessments to identify and address vulnerabilities, especially on internet-facing devices, to limit the attack surface.
  • Implement cybersecurity awareness programs and frequently remind employees not to click on suspicious links.
  • Maintain offline and encrypted backups of critical data.
  • Develop and execute incident response plans that include remediating actions if impacted by a ransomware attack.
  • Regularly update software and operating systems with the latest and greatest patches.


Every industry is worried about being hacked from malicious activity, and their data is at risk of being encrypted. To minimize the risk of falling victim to these attacks, organizations must deploy advanced ransomware protection solutions to prevent unauthorized access to critical data, detect suspicious ransomware activities early, and provide robust resiliency.

For more information, please visit


Stop Ransomware | CISA

Share on:

Free Active Directory Assessment

Get Visibility Into Privilege And Service Account Exposure

For a limited time, Attivo Networks is providing free Active Directory Security Assessments to demonstrate how ADAssessor provides unprecedented and continuous visibility to AD vulnerabilities.

Try Our Endpoint Detection Net (EDN) for Free


Free use offer of our Award-winning security solution to prevent attackers from lateral movement, credential theft, and privilege escalation, fast and easy.

ADSecure 90-Day Free Trial


  • Hide and deny access to AD objects
  • Get alerted on unauthorized queries
  • Attack details easily viewable in dashboard
  • Your data remains on-premise


Ready to find out what’s lurking in your network?

Scroll to Top