Security


information about companies’ vulnerable systems, while Ransomware-as-a-Service developers use affiliates to monetise intrusions and get quick payouts. After international law enforcement agencies launched takedown efforts against the LockBit gang in February 2024, they seriously damaged the group’s operation, but did not put it out of business. Other groups like RansomHub quickly emerged to fill the gap and listed more than 300 victims in nine months. Other groups, such as DragonForce and BrainCipher, used the leaked LockBit 3.0 source code to create their own ransomware operations.

For channel organisations, understanding the RaaS model makes it easier to help customers with their security projects. The primary goal of RaaS is to generate revenue from targets and then cash out after exploiting vulnerable security situations. MDR improves a company’s security posture and its ability to defend against these types of attacks, but adding other services such as support for patching critical vulnerabilities and identity management can improve this still further.


Finding other paths to attack

Attackers are also seeking new entry points into companies that they can exploit. Rather than relying on vulnerabilities, attackers seek alternative methods to gain access. A good example is ClickFix, where you convince a user to run a PowerShell script that delivers that initial access. To protect against these kinds of attacks, you can help your customers understand who needs access to these kinds of tools and who does not. You can also help them block scripts or services that are not required.

Similarly, some attackers deploy remote management tools to carry out their work. These tools are legitimately used for remote support and access, but they can provide the same degree of control and persistence as malware. At the same time, security teams are not always vigilant, allowing attackers to remain undetected within a customer’s network for longer periods. To prevent these kinds of attacks, you can stop any additional remote monitoring and management tool deployments and look out for any usage patterns that are outside normal operations.

Attackers also exploit stolen VPN credentials. Using a valid user account allows them to gain access and then identify other valuable assets on the network to exploit. This works where companies don’t monitor that access over time for discrepancies, as an attacker will find it easier to break out from their initial access point. This is particularly true where organisations don’t have multi-factor authentication in place. Adding identity management as a service to your mix can help, but this will also need careful monitoring so you can help your customers know what “good behaviour” really looks like.

www.pcr-online.biz
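An added example, not part of the original article: one way to monitor VPN access over time for discrepancies is to learn each account's usual source country and login hours, then flag successful logins that fall outside that baseline. The log format, account names, cut-off date and two-hour tolerance are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample VPN authentication events (invented format, not a real
# product's log): timestamp, user, source country, MFA used, result.
SAMPLE_LOG = """\
2025-07-01T08:55:10 alice GB mfa=yes success
2025-07-02T09:15:03 bob GB mfa=no success
2025-07-03T08:47:19 alice GB mfa=yes success
2025-07-08T02:13:37 bob RO mfa=no success
2025-07-08T09:01:12 alice GB mfa=yes success
2025-07-08T23:40:05 alice GB mfa=yes success
"""

def parse(line):
    ts, user, country, mfa, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "country": country,
            "mfa": mfa == "mfa=yes", "ok": result == "success"}

def hour_gap(a, b):
    d = abs(a - b)  # distance between two hours of the day, wrapping at midnight
    return min(d, 24 - d)

def find_discrepancies(log_text, baseline_until, tolerance_hours=2):
    """Baseline each user before baseline_until; flag later logins outside it."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    countries, hours, alerts = defaultdict(set), defaultdict(set), []
    for e in events:
        if not e["ok"]:
            continue  # failed logins would feed a separate brute-force check
        user, hour = e["user"], e["ts"].hour
        if e["ts"] < baseline_until:
            countries[user].add(e["country"])
            hours[user].add(hour)
            continue
        reasons = []  # with no baseline for a user, both checks below fire
        if e["country"] not in countries[user]:
            reasons.append("new country " + e["country"])
        if not any(hour_gap(hour, h) <= tolerance_hours for h in hours[user]):
            reasons.append("unusual hour %02d:00" % hour)
        if reasons and not e["mfa"]:
            reasons.append("no MFA on session")
        if reasons:
            alerts.append((e["ts"].isoformat(), user, reasons))
    return alerts

if __name__ == "__main__":
    print(find_discrepancies(SAMPLE_LOG, datetime(2025, 7, 5)))
```

On the constructed sample this flags the 02:13 login for `bob` (new country, unusual hour, no MFA) and the 23:40 login for `alice` (unusual hour only), while her 09:01 login stays within tolerance.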


Prevention is better than cure

To help your customers build up their resilience against ransomware, start by auditing their current security approach and assessing its effectiveness in preventing attacks. Even those with good security deployments in place will face challenges because ransomware groups constantly change their tactics. They also move extremely quickly from initial access to implementation. In response to this, you can help your customers prioritise real-time threat detection and response. This helps you identify any potential breach at a customer and mitigate the damage. You can also collaborate with MDR providers to gain access to a broader range of threat intelligence data and deliver more proactive insights to your customers. When one customer detects an attack, you should be able to use that data to warn others as well.

When customers identify potential breaches, they will need assistance to remediate their systems as quickly as possible. You can help them isolate their systems and lock down accounts quickly during an investigation. Once you have done this, you can then work with them to investigate any account activity on other systems that occurred with them, looking for lateral movement or where the attacker attempted to hijack other accounts. The ideal approach here is to quickly return your customer to a ‘known good state’ by revoking active sessions and resetting compromised credentials.

While you might start with reactive security services, you should also help your customers plan ahead. Incident response planning should be carried out in advance so you and your customer know what to do ahead of time. For customers, define their communications and technology workflows in advance. You can then help your customers maintain that response and notification procedure, so they are ready if and when a real-life incident occurs.

As long as ransomware pays out more than the cost of operating these campaigns, threat actors will continue to target businesses. In response, you can help your customers by identifying and preventing exploitation of potential vulnerabilities. For resellers, this includes training customers on what to look out for, providing proactive information and threat intelligence on campaigns, and pre-emptive incident response support where it can make a difference. By understanding how ransomware groups operate and the opportunities they seek to exploit, you can help your customers manage and respond to these potential threats.


July/August 2025 | 31

