The Root Causes of Ransomware: Logic, Not Magic

Sam Reed

Cyberattacks are not magical events.

Logic is used to breach and navigate through environments. For security teams, this is good news.

It means that same logic can be applied to security in order to proactively defend against attacks.

In this article, we'll cover this logic in the context of ransomware.

The Root Causes of Ransomware

There are many ways an attacker can take over an environment.

But not an infinite amount.

In fact, in nearly all* ransomware events, at least one of three security gaps is present.

  1. Missing or misconfigured multi-factor authentication (MFA)
  2. Inadequate vulnerability management
  3. Excessive user permissions

*There is no data on the exact percentage. In a recent conversation with an expert involved in over a thousand ransomware cases, he believed it to be 100%.

The Perspective of an Attacker

There is a misconception that once an attacker breaches an environment, it’s game over.

In reality, there are multiple steps. In the case of ransomware, the steps leading to a takeover can be distilled into three primary activities:

  1. Initial access
  2. Escalation
  3. Encryption (i.e. deployment of ransomware)

Initial access: Social engineering and vulnerabilities are a couple of examples of the many ways an attacker can breach an environment.

Escalation: An attacker will escalate privileges, or control, in a network using identities (e.g. Active Directory misconfigurations; overly permissive user accounts).

Encryption: Once an attacker has escalated to the necessary privileges, they can then deploy the ransomware, encrypting the victim's data until the ransom is paid.

Defending with Logic

Think of your network as an escape room.

But rather than exiting, the goal is to get to the control room (domain admin). To do this, an attacker will search for information in a network, leverage that information to get more information (escalate privilege), and continue doing this until they have total network control.

By understanding the access and escalation points in a network, security teams can efficiently remove the attack paths leading to the most critical assets.
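To make the escape-room idea concrete, here is an added illustration that is not code from the article or from Shield: a small attack-path analysis over a constructed identity/host graph (all node names are hypothetical), listing every path from a user to Domain Admins and the "chokepoint" edges whose removal cuts all of them.

```python
from collections import defaultdict

# Constructed sample privilege graph (not from the article). A directed edge
# A -> B means "controlling A yields control of B": a local admin on a host
# can take over any account with a session on that host, and a group member
# inherits the group's rights. All node names are hypothetical.
SAMPLE_EDGES = [
    ("user:alice", "host:WS01"),                 # alice is local admin on WS01
    ("host:WS01", "user:helpdesk"),              # helpdesk has a session on WS01
    ("user:helpdesk", "host:SRV01"),             # helpdesk is local admin on SRV01
    ("user:helpdesk", "host:SRV02"),             # ... and on SRV02
    ("host:SRV01", "user:svc_backup"),           # svc_backup session on SRV01
    ("host:SRV02", "user:svc_backup"),           # svc_backup session on SRV02
    ("user:svc_backup", "group:Domain Admins"),  # excessive group membership (root cause 3)
    ("user:bob", "host:WS02"),                   # bob's workstation, no onward edge
]

TARGET = "group:Domain Admins"  # the "control room" of the escape room


def build_graph(edges):
    graph = defaultdict(list)
    for src, dst in edges:
        graph[src].append(dst)
    return graph


def attack_paths(graph, start, target):
    """Enumerate every simple path from start to target (depth-first)."""
    paths, stack = [], [(start, [start])]
    while stack:
        node, path = stack.pop()
        if node == target:
            paths.append(path)
            continue
        for nxt in graph.get(node, []):
            if nxt not in path:  # simple paths only: never revisit a node
                stack.append((nxt, path + [nxt]))
    return paths


def chokepoint_edges(graph, start, target):
    """Edges present in every path: remediating any one of them cuts start
    off from target entirely, so they are the highest-value fixes."""
    paths = attack_paths(graph, start, target)
    if not paths:
        return set()
    return set.intersection(*[set(zip(p, p[1:])) for p in paths])


def graph_without(edges, edge):
    """Defender's what-if: the same graph with one edge remediated."""
    return build_graph([e for e in edges if e != edge])
```

Removing the single svc_backup membership edge (the excessive-permission gap) leaves alice with no route to Domain Admins, even though the workstation and server edges still exist.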

To learn how you can defend from the perspective of an attacker, book a demo at
