What we can learn from ransomware victims

When you are running a business, you do not want the additional stress of an imminent data breach. Yet we all know that criminals are actively searching for weak spots in private and corporate networks. You cannot afford to just wait for your organization to be their next target – to ease your mind, you need to act proactively.

We recently witnessed a string of ransomware attacks: the running platform Garmin, a major US hospital chain and, earlier, the University of Maastricht in the Netherlands. These attacks have a few things in common, and this article breaks them down. Let’s take the last one as our case study. What happened? At the university, an employee opened an Excel file, which led to the Russian criminals gaining access to the University’s data. The University had no choice but to pay the requested ransom of $200,000. The incident caused significant damage to the University’s reputation.

Identifying weaknesses

Why was the University an attractive target for internet criminals? According to their own response, the main issues were outdated software and low employee awareness of cyber risks. They have been working hard to improve both areas to prevent future attacks.

Exploiting the criminals’ knowledge

Activities that cannot bear the light of day take place on the dark web, an uncensored part of the internet. It is a place where criminals get a clear run, for example by trading sensitive information such as software vulnerabilities not yet known to the vendor (zero-day vulnerabilities) and stolen credentials. Criminals also discuss their plans there, sometimes naming specific organizations and users. Frightening? Absolutely, but the good news is that this murky situation can be turned to your advantage.

Turn weakness into strength

To prevent attacks, three areas need to be covered. First, what do criminals know about your organization? Second, how cyber aware are your employees? Third, how vulnerable is your technology?
Let’s have a look at these three areas.

See what I see, know what I know

To know what criminals know, you need to take the perspective of an intruder and see what criminals see. To get this perspective, most organizations scan their own assets, such as websites. This helps to perceive the opportunities from an attacker’s perspective, but it is only a small step. Attackers see with many different eyes. For example, what sensitive information about employees has already been breached and exposed to criminals? Think of usernames and passwords, or of hackers already selling access into your organization. In our experience, 4-10% of employees’ data can be found on the dark web. After this stage, what do criminals target? Your employees.
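As an added illustration of the exposure check described above (this is example code, not Skopos tooling), the script below parses a constructed breach dump in the common `email:password` format, counts which corporate accounts appear in it, and checks whether a password is among the leaked ones using a SHA-1 prefix index. The prefix index mirrors the k-anonymity range-lookup pattern: only the first five hex characters of the hash ever need to leave your network, never the password itself. All emails, passwords and the dump are constructed sample data.

```python
import hashlib

# Constructed sample breach dump (not real data), in the typical "email:password" dump format.
BREACH_DUMP = """\
alice@example.com:Summer2019!
bob@example.com:hunter2
carol@other.org:letmein
dave@example.com:Summer2019!
this line is garbage
"""

CORP_DOMAIN = "example.com"

# Constructed current staff list; dave is not on it (for example a former employee).
EMPLOYEES = [
    "alice@example.com",
    "bob@example.com",
    "erin@example.com",
    "frank@example.com",
    "grace@example.com",
]


def parse_dump(text):
    """Parse 'email:password' lines into (email, password) tuples; skip malformed lines."""
    records = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        email, _, password = line.partition(":")
        email = email.strip().lower()
        if "@" in email and password:
            records.append((email, password))
    return records


def exposed_accounts(records, domain):
    """Map each corporate email found in the dump to the number of leaked credentials."""
    counts = {}
    for email, _ in records:
        if email.endswith("@" + domain.lower()):
            counts[email] = counts.get(email, 0) + 1
    return counts


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(records):
    """Index leaked password hashes by their 5-character SHA-1 prefix.

    A range lookup against such an index reveals only the prefix to the index
    holder, who returns every suffix under it; the caller matches locally.
    """
    index = {}
    for _, password in records:
        h = sha1_hex(password)
        index.setdefault(h[:5], []).append(h[5:])
    return index


def password_is_leaked(index, password):
    """True if the password's SHA-1 hash appears in the range index."""
    h = sha1_hex(password)
    return h[5:] in index.get(h[:5], [])


def exposure_report(records, employees, domain):
    """Return the share of current employees whose accounts appear in the dump."""
    exposed = exposed_accounts(records, domain)
    corporate = [e for e in employees if e.endswith("@" + domain.lower())]
    hits = [e for e in corporate if e in exposed]
    rate = len(hits) / len(corporate) if corporate else 0.0
    return {"exposed": sorted(hits), "rate": rate}


if __name__ == "__main__":
    records = parse_dump(BREACH_DUMP)
    print(exposure_report(records, EMPLOYEES, CORP_DOMAIN))
    index = build_range_index(records)
    print("hunter2 leaked:", password_is_leaked(index, "hunter2"))
```

The report only tells you which accounts need a password reset and awareness follow-up; it does not store anyone's leaked password, and the hash index lets you test new passwords against the corpus without ever transmitting them in clear.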

** confidential ** [Name of your company] restructuring plan

Would you open an email with the subject line ‘** confidential ** [Name of your company] restructuring plan’? You are not alone, I know I would! To understand how far an attacker would get, you want to know how cyber aware your employees are. Criminals excel at crafting appealing phishing emails. This technique is used to gain access to a device via malicious content, for example a PDF file. You think you are safe because you have antivirus? Antivirus products are very easy to fool. The good part: once you train your employees, the success rate of phishing emails drops dramatically. Yet, on a bad day even you can fall victim to a well-crafted phishing email. So how do you prepare?

From zero to hero

Ouch, I clicked that email. Luckily nothing happened, or did it? Once the attacker has got the user to open an attachment, the malware will try to install itself on the device. This all happens under the radar. A device can be a laptop, smartphone, server or even a smart TV. The malware is designed to exploit flaws on the device. See it as a skeleton key that opens an outdated lock. At Skopos we see that 28% of devices are high risk at the day-0 assessment. Yet the moment you update your locks, the attacker’s keys become useless. That requires an understanding of all devices in your organisation and all the software installed on them. With this information you can start to patch smartly and effectively, because the moment you patch your devices, the malware cannot activate. And then something awful has been avoided: the cyber attack that would have ruined your business never happened. Happy days!
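The "understand all devices and all software, then patch smartly" step above is, in practice, a join between an asset inventory and a list of advisories. The following added example (not Skopos code) shows that join over a constructed inventory of laptops, a file server and a smart TV, with constructed advisories that each name a product, the first fixed version and a CVSS-style severity score. It ranks devices by the most severe missing patch and computes the share of devices above a high-risk threshold, which is how a figure like the 28% above would be derived.

```python
from dataclasses import dataclass


@dataclass
class Advisory:
    product: str
    fixed_in: str   # first version that contains the fix
    severity: float  # CVSS-style score, 0.0 - 10.0
    note: str


@dataclass
class Device:
    name: str
    kind: str
    software: dict  # product -> installed version string


def vtuple(version):
    """Turn a dotted version string into a tuple so that '10.9' < '11.2' compares correctly."""
    return tuple(int(part) for part in version.split("."))


# Constructed advisories (hypothetical products and versions, not real CVEs).
ADVISORIES = [
    Advisory("office-suite", "16.0.4", 8.1, "code execution via crafted document"),
    Advisory("pdf-reader", "11.2", 7.5, "code execution via crafted PDF"),
    Advisory("smb-server", "3.1", 9.8, "unauthenticated remote code execution"),
]

# Constructed asset inventory: the device types the article mentions.
INVENTORY = [
    Device("laptop-01", "laptop", {"office-suite": "16.0.2", "pdf-reader": "11.2"}),
    Device("laptop-02", "laptop", {"office-suite": "16.0.4", "pdf-reader": "10.9"}),
    Device("file-srv-1", "server", {"smb-server": "2.8"}),
    Device("tv-lobby", "smart-tv", {"pdf-reader": "9.0"}),
    Device("laptop-03", "laptop", {"office-suite": "16.0.4", "pdf-reader": "11.3"}),
]


def missing_patches(device, advisories):
    """Advisories whose product is installed on the device below the fixed version."""
    findings = []
    for adv in advisories:
        installed = device.software.get(adv.product)
        if installed is not None and vtuple(installed) < vtuple(adv.fixed_in):
            findings.append(adv)
    return findings


def device_score(device, advisories):
    """Worst-case severity for the device; 0.0 when nothing is missing."""
    return max((adv.severity for adv in missing_patches(device, advisories)), default=0.0)


def prioritize(inventory, advisories):
    """Patch queue: (device name, score, products to patch), most severe first."""
    rows = [
        (d.name, device_score(d, advisories), [a.product for a in missing_patches(d, advisories)])
        for d in inventory
    ]
    rows.sort(key=lambda row: row[1], reverse=True)  # stable: ties keep inventory order
    return rows


def high_risk_share(inventory, advisories, threshold=7.0):
    """Fraction of devices with at least one missing patch at or above the threshold."""
    high = sum(1 for d in inventory if device_score(d, advisories) >= threshold)
    return high / len(inventory) if inventory else 0.0


if __name__ == "__main__":
    for name, score, products in prioritize(INVENTORY, ADVISORIES):
        print(f"{name:12} {score:4.1f} {', '.join(products) or '-'}")
    print(f"high-risk share: {high_risk_share(INVENTORY, ADVISORIES):.0%}")
```

The point of the ranking is that the file server with the unauthenticated network flaw comes out ahead of every laptop, and the smart TV that nobody thinks of as a computer still appears in the queue; an inventory that misses a device class simply never shows it.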

An ounce of prevention

Could this approach have prevented the attack on the Maastricht University? In hindsight it is easy to say yes. If we break down the attack, we know that the user who opened the Excel file was not aware of the risks of attachments. This could have been prevented with a cyber-awareness intervention. The second layer is the device, the user’s laptop. We know the malware used an exploit called EternalBlue, leaked from the NSA. This exploit was able to gain a foothold due to an unpatched Microsoft Office. It wasn’t that they had little time to patch Office, as Microsoft had made the fix available for years. The question is: did the University have visibility of this risk in the first place? Detection and mitigation are usually far apart.

Summary

With this insight, you have a clear perspective on what attackers know. You understand where each of your employees stands in terms of cyber awareness, and you know the key vulnerabilities of your technology. Now you can start to work on your cyber defenses.