Becoming Ransomware Ready: Why Continuous Validation Is Your Best Defense - Related to defense, why, threat, best, ransomware

Becoming Ransomware Ready: Why Continuous Validation Is Your Best Defense

Ransomware doesn't hit all at once—it slowly floods your defenses in stages. Like a ship subsumed with water, the attack starts quietly, below the surface, with subtle warning signs that are easy to miss. By the time encryption starts, it's too late to stop the flood.

Each stage of a ransomware attack offers a small window to detect and stop the threat before it's too late. The problem is most organizations aren't monitoring for early warning signs - allowing attackers to quietly disable backups, escalate privileges, and evade detection until encryption locks everything down.

By the time the ransomware note appears, your opportunities are gone.

Let's unpack the stages of a ransomware attack, how to stay resilient amidst constantly morphing indicators of compromise (IOCs), and why constant validation of your defense is a must to stay resilient.

The Three Stages of a Ransomware Attack - and How to Detect It.

Ransomware attacks don't happen instantly. Attackers follow a structured approach, carefully planning and executing their campaigns across three distinct stages:

1. Pre-Encryption: Laying the Groundwork.

Before encryption begins, attackers take steps to maximize damage and evade detection. They:

Delete shadow copies and backups to prevent recovery.

Inject malware into trusted processes to establish persistence.

Create mutexes to ensure the ransomware runs uninterrupted.

These early-stage activities - known as Indicators of Compromise (IOCs) - are critical warning signs. If detected in time, security teams can disrupt the attack before encryption occurs.

Once attackers have control, they initiate the encryption process. Some ransomware variants work rapidly, locking systems within minutes, while others take a stealthier approach - remaining undetected until the encryption is complete.

By the time encryption is discovered, it's often too late. Security tools must be able to detect and respond to ransomware activity before files are locked.

With files encrypted, attackers deliver their ultimatum - often through ransom notes left on desktops or embedded within encrypted folders. They demand payment, usually in cryptocurrency, and monitor victim responses via command-and-control (C2) channels.

At this stage, organizations face a difficult decision: pay the ransom or attempt recovery, often at great cost.

If you're not proactively monitoring for IOCs across all three stages, you're leaving your organization vulnerable. By emulating a ransomware attack path, continuous ransomware validation helps security teams confirm that their detection and response systems are effectively detecting indicators before encryption can take hold.

Indicators of Compromise (IOCs): What to Look Out For.

If you detect shadow copy deletions, process injections, or security service terminations, you may already be in the pre-encryption phase - but detecting these IOCs is a critical step to prevent the attack from unfolding.

1. Shadow Copy Deletion: Eliminating Recovery Options.

Attackers erase Windows Volume Shadow Copies to prevent file restoration. These snapshots store previous file versions and enable recovery through tools like System Restore and Previous Versions.

💡 How it works: Ransomware executes commands like:

By wiping these backups, attackers ensure total data lockdown, increasing pressure on victims to pay the ransom.

2. Mutex Creation: Preventing Multiple Infections.

A mutex (mutual exclusion object) is a synchronization mechanism that enables only one process or thread to access a shared resource at a time. In ransomware they can be used to:

✔ Prevent multiple instances of the malware from running.

✔ Evade detection by reducing redundant infections and reducing resource usage.

💡 Defensive trick: Some security tools preemptively create mutexes associated with known ransomware strains, tricking the malware into thinking it's already active - causing it to self-terminate. Your ransomware validation tool can be used to assess if this response is triggered, by incorporating a mutex within the ransomware attack chain.

3. Process Injection: Hiding Inside Trusted Applications.

Ransomware often injects malicious code into legitimate system processes to avoid detection and bypass security controls.

DLL Injection – Loads malicious code into a running process.

– Loads malicious code into a running process. Reflective DLL Loading – Injects a DLL without writing to disk, bypassing antivirus scans.

– Injects a DLL without writing to disk, bypassing antivirus scans. APC Injection – Uses Asynchronous Procedure Calls to execute malicious payloads within a trusted process.

By running inside a trusted application, ransomware can operate undetected, encrypting files without triggering alarms.

4. Service Termination: Disabling Security Defenses.

To ensure uninterrupted encryption and prevent data recovery attempts during the attack, ransomware attempts to shut down security services such as:

✔ Antivirus & EDR (Endpoint Detection and Response).

💡 How it works: Attackers use administrative commands or APIs to disable services like Windows Defender and backup solutions. For example:

taskkill /F /IM [website] # Terminates Windows Defender.

This allows ransomware to encrypt files freely while amplifying the damage by making it harder to recover their data. Leaving victims with fewer options besides paying the ransom.

IOCs like shadow copy deletion or process injection can be invisible to traditional security tools - but a SOC equipped with reliable detection can spot these red flags before encryption begins.

How Continuous Ransomware Validation Keeps You One Step Ahead.

With the nature of IOCs being subtle and intentionally difficult to detect, how do you know that your XDR is effectively knipping them all in the bud? You hope that it is, but security leaders are using continuous ransomware validation to get a lot more certainty than that. By safely emulating the full ransomware kill chain - from initial access and privilege escalation to encryption attempts - tools like Pentera validate whether security controls, including EDR and XDR solutions, trigger the necessary alerts and responses. If key IOCs like shadow copy deletion, and process injection go undetected, then that's a crucial flag to prompt security teams to fine-tune detection rules and response workflows.

Instead of hoping your defenses will work as they should, continuous ransomware validation enables you to see if and how these attack indicators were used and stop the attacks before they eventuate.

Here's the reality: testing your defenses once a year leaves you exposed the other 364 days. Ransomware is constantly evolving, and so are the Indicators of Compromise (IOCs) used in attacks. Can you say with certainty that your EDR is detecting every IOC it should? The last thing you need to stress about is how threats are constantly changing into something your security tools will fail to recognize and aren't prepared to handle.

That's why continuous ransomware validation is essential. With an automated process, you can continuously test your defenses to ensure they stand up against the latest threats.

Some believe that continuous ransomware validation is too costly or time-consuming. But automated security testing can integrate seamlessly into your security workflow - without adding unnecessary overhead. This not only reduces the burden on IT teams but also ensures that your defenses are always aligned with the latest attack techniques.

A well-equipped detection and response system is your first line of defense. But without regular validation, even the best XDR can struggle to detect and respond to ransomware in time. Ongoing security validation strengthens detection capabilities, helps to upskill the SOC team, and ensures that security controls are effectively responding to and blocking threats. The result? A more confident, resilient security team that's prepared to handle ransomware before it becomes a crisis.

🚨 Don't wait for an attack to test your defenses. To learn more about ransomware validation attend Pentera's webinar 'Lessons From the Past, Actions for the Future: Building Ransomware Resilience'. 🚨.

Google Cloud has unveiled quantum-safe digital signatures in Google Cloud Key Management Service (Cloud KMS) for software-based keys as a way to bull......

Australia has become the latest country to ban the installation of security software from Russian firm Kaspersky, citing national security concerns......

Cybersecurity researchers are warning of a new campaign that leverages cracked versions of software as a lure to distribute information stealers like ......

Will AI threaten the role of human creativity in cyber threat detection?

Cybersecurity requires creativity and thinking outside the box. It’s why more organizations are looking at people with soft skills and coming from outside the tech industry to address the cyber skills gap. As the threat landscape becomes more complex and nation-state actors launch innovative cyberattacks against critical infrastructure, there is a need for cybersecurity professionals who can anticipate these attacks and develop creative preventive solutions.

Of course, a lot of cybersecurity work is mundane and repetitive — monitoring logs, sniffing out false positive alerts, etc. Artificial intelligence (AI) has been a boon in filling the talent gaps when it comes to these types of tasks. But AI has also proven useful for many of the same things that creative thought brings to the threat table, such as addressing more sophisticated threat actors, the rapid increase of data and the hybrid infrastructure.

However, many companies are seeing the value of AI, especially generative AI (gen AI), in handling a greater share of creative work — not just in cybersecurity but also in areas like marketing and public relations, writing and research. But are these organizations using AI in a way that could threaten the importance of human creativity in threat detection?

Why creativity is significant to cybersecurity.

Creativity isn’t just coming up with new ideas. It is also the ability to see things through a big-picture lens and discern historical data or where to find information you might not know you need to look for. For example, creative thought is required for the following security tasks:

Threat hunting or predicting a threat actor’s move or finding their tracks in a system.

Finding buried evidence in a forensic search.

Understanding historical data in anomaly detection.

Ability to tell a real email or document versus a well-designed phishing attack.

Verifying new zero day attacks and other malware variants found in otherwise unknown vulnerabilities.

AI can augment human creativity, but gen AI gets a lot of things wrong. consumers have found themselves in situations where AI claimed plagiarism on original work or AI hallucinations offered false information that nullified the research of human analysts. AI algorithms are also susceptible to bias that could lead to false positives.

AI’s role in creative cybersecurity and beyond.

While many creative people, cybersecurity professionals and beyond, see gen AI as a mixed blessing, many embrace the technology because it is a huge timesaver.

“Gen AI can help prototype much faster because the large language models can take over the refactoring and documentation of code,” wrote Aili McConnon in an IBM blog post. Also, the article pointed out, AI tools can help customers create prototypes or visualize their ideas in minutes versus hours or days.

Creativity married to AI can help identify future leaders. , two-thirds of firm leaders found that AI is driving their growth, with four specific use cases — IT operations, user experience, virtual assistants and cybersecurity — most commonly favored by leaders.

“A Learner will typically copy predefined scenarios using out-of-the-box technologies,” Dr. Stephan Bloehdorn, Executive Partner and Practice Leader, AI, Analytics and Automation-IBM Consulting DACH, was quoted in the study. “But a Leader develops custom innovations.”.

As gen AI becomes more ubiquitous in the workplace and as more creative folks and leaders rely on it as a way to put their ideas in motion, are we also relying on the technology to the point that it could lead to a degradation of other key necessary skills, like the ability to analyze data and create viable solutions?

It is unclear if organizations are over-relying on gen AI, , Field CTO at SlashNext Email Security+, but it is becoming more of a designed feature due to unintended consequences related to resource allocation in organizations.

“While AI excels at processing massive volumes of threat data, real-world attacks constantly evolve beyond historical patterns, requiring human expertise to identify and respond to zero-day threats,” mentioned Kowski in an email interview. “The key is achieving the right balance where AI handles high-volume routine detection while skilled analysts investigate novel attack patterns and determine strategic responses.”.

Yet, Kris Bondi, CEO and Co-Founder of Mimoto, isn’t worried about AI leading to a degradation of skills — at least not for the foreseeable future.

“One of the biggest challenges for cybersecurity professionals is having too many alerts and too many false positives. AI is only able to automate a small percentage of responses. It’s more likely that AI will eventually automate additional requirements for someone deemed to be suspicious or the elevation of alert so that a human can analyze the situation,” Bondi stated via email.

However, organizations should watch out for AI’s role in defining threat-hunting parameters. “If AI is the sole driver defining threat hunting parameters without spot-checks or audits, the threat intelligence approach could eventually be focused in the wrong area. The answer is more reliance on critical thinking and analytical skills,” revealed Bondi.

Embracing creativity in an AI-driven world.

AI overall, and gen AI in particular, are going to be part of the business world going forward. It is going to play a vital role in how organizations and analysts approach cybersecurity defenses and mitigations. But the soft skills that creative thought depends on will still play an essential and necessary role in cybersecurity.

“Rather than diminishing soft skills, AI integration has the opportunity to elevate the importance of communication, collaboration and strategic thinking, as security teams must effectively convey complex findings to stakeholders,” mentioned Kowski. “The human elements of cybersecurity — leadership, adaptability and cross-functional partnership — become even more critical as AI handles the technical heavy lifting.”.

Wired reported this week that a 19-year-old working for Elon Musk‘s so-called Department of Government Efficiency (DOGE) was given access to sensitive......

In cybersecurity, too often, the emphasis is placed on advanced technology meant to shield digital infrastructure from external threats. Yet, an equal......

One month into his second term, President Trump’s actions to shrink the government through mass layoffs, firings and withholding funds allocated by Co......

How red teaming helps safeguard the infrastructure behind AI models

Artificial intelligence (AI) is now squarely on the frontlines of information security. However, as is often the case when the pace of technological innovation is very rapid, security often ends up being a secondary consideration. This is increasingly evident from the ad-hoc nature of many implementations, where organizations lack a clear strategy for responsible AI use.

Attack surfaces aren’t just expanding due to risks and vulnerabilities in AI models themselves but also in the underlying infrastructure that supports them. Many foundation models, as well as the data sets used to train them, are open-source and readily available to developers and adversaries alike.

, CNE Capability Development Lead at IBM: “One problem is that you have these models hosted on giant open-source data stores. You don’t know who created them or how they were modified, and there are a number of issues that can occur here. For example, let’s say you use PyTorch to load a model hosted on one of these data stores, but it has been changed in a way that’s undesirable. It can be very hard to tell because the model might behave normally in 99% of cases.”.

not long ago, researchers discovered thousands of malicious files hosted on Hugging Face, one of the largest repositories for open-source generative AI models and training data sets. These included around a hundred malicious models capable of injecting malicious code onto people’ machines. In one case, hackers set up a fake profile masquerading as genetic testing startup 23AndMe to deceive people into downloading a compromised model capable of stealing AWS passwords. It was downloaded thousands of times before finally being reported and removed.

In another recent case, red team researchers discovered vulnerabilities in ChatGPT’s API, in which a single HTTP request elicited two responses indicating an unusual code path that could theoretically be exploited if not addressed. This, in turn, could lead to data leakage, denial of service attacks and even escalation of privileges. The team also discovered vulnerabilities in plugins for ChatGPT, potentially resulting in account takeover.

While open-source licensing and cloud computing are key drivers of innovation in the AI space, they’re also a source of risk. On top of these AI-specific risk areas, general infrastructure security concerns also apply, such as vulnerabilities in cloud configurations or poor monitoring and logging processes.

AI models are the new frontier of intellectual property theft.

Imagine pouring huge amounts of financial and human resources into building a proprietary AI model, only to have it stolen or reverse-engineered. Unfortunately, model theft is a growing problem, not least because AI models often contain sensitive information and can potentially reveal an organization’s secrets should they end up in the wrong hands.

One of the most common mechanisms for model theft is model extraction, whereby attackers access and exploit models through API vulnerabilities. This can potentially grant them access to black-box models — like ChatGPT — at which point they can strategically query the model to collect enough data to reverse engineer it.

In most cases, AI systems run on cloud architecture rather than local machines. After all, the cloud provides the scalable data storage and processing power required to run AI models easily and accessibly. However, that accessibility also increases the attack surface, allowing adversaries to exploit vulnerabilities like misconfigurations in access permissions.

“When companies provide these models, there are usually client-facing applications delivering services to end individuals, such as an AI chatbot. If there’s an API that tells it which model to use, attackers could attempt to exploit it to access an unreleased model,” says Boonen.

Protecting against model theft and reverse engineering requires a multifaceted approach that combines conventional security measures like secure containerization practices and access controls, as well as offensive security measures.

The latter is where red teaming comes in. Red teams can proactively address several aspects of AI model theft, such as:

API attacks: By systematically querying black-box models in the same way adversaries would, red teams can identify vulnerabilities like suboptimal rate limiting or insufficient response filtering.

By systematically querying black-box models in the same way adversaries would, red teams can identify vulnerabilities like suboptimal rate limiting or insufficient response filtering. Side-channel attacks: Red teams can also carry out side-channel analyses, in which they monitor metrics like CPU and memory usage in an attempt to glean information about the model size, architecture or parameters.

Red teams can also carry out side-channel analyses, in which they monitor metrics like CPU and memory usage in an attempt to glean information about the model size, architecture or parameters. Container and orchestration attacks: By assessing containerized AI dependencies like frameworks, libraries, models and applications, red teams can identify orchestration vulnerabilities, such as misconfigured permissions and unauthorized container access.

By assessing containerized AI dependencies like frameworks, libraries, models and applications, red teams can identify orchestration vulnerabilities, such as misconfigured permissions and unauthorized container access. Supply chain attacks: Red teams can probe entire AI supply chains spanning multiple dependencies hosted in different environments to ensure that only trusted components like plugins and third-party integrations are being used.

A thorough red teaming strategy can simulate the full scope of real-world attacks against AI infrastructure to reveal gaps in security and incident response plans that could lead to model theft.

Mitigating the problem of excessive agency in AI systems.

Most AI systems have a degree of autonomy with regard to how they interface with different systems and respond to prompts. After all, that’s what makes them useful. However, if systems have too much autonomy, functionality or permissions — a concept OWASP calls “excessive agency” — they can end up triggering harmful or unpredictable outputs and processes or leaving gaps in security.

Boonen warns that components, such as optical character recognition (OCR) for PDF files and images which multimodal systems rely on to process inputs, “can introduce vulnerabilities if they’re not properly secured”.

Granting an AI system excessive agency also expands the attack surface unnecessarily, thus giving adversaries more potential entry points. Typically, AI systems designed for enterprise use are integrated into much broader environments spanning multiple infrastructures, plugins, data reports and APIs. Excessive agency is what happens when these integrations result in an unacceptable trade-off between security and functionality.

Let’s consider an example where an AI-powered personal assistant has direct access to an individual’s Microsoft Teams meeting recordings stored in OneDrive for Business, the purpose being to summarize content in those meetings in a readily accessible written format. However, let’s imagine that the plugin doesn’t only have the ability to read meeting recordings but also everything else stored in the user’s OneDrive account, in which many confidential information assets are also stored. Perhaps the plugin even has write capabilities, in which case a security flaw could potentially grant attackers an easy pathway for uploading malicious content.

Once again, red teaming can help identify flaws in AI integrations, especially in environments where many different plugins and APIs are in use. Their simulated attacks and comprehensive analyses will be able to identify vulnerabilities and inconsistencies in access permissions, as well as cases where access rights are unnecessarily lax. Even if they don’t identify any security vulnerabilities, they will still be able to provide insight into how to reduce the attack surface.

Charles Owen-Jackson Freelance Content Marketing Writer.

Australia has become the latest country to ban the installation of security software from Russian enterprise Kaspersky, citing national security concerns......

New mobile apps from the Chinese artificial intelligence (AI) organization DeepSeek have remained among the top three “free” downloads for Apple and Google......

In mid-March 2024, KrebsOnSecurity revealed that the founder of the personal data removal service Onerep also founded dozens of people-search companie......