• Building resilience against ransomware
    • Introduction
    • Licence
    • Lexic
    • Illustration
    • Problematic
    • Some key challenges
    • Building resilience in an organization
      • Undestand the trade-offs
      • Implicate staff early
      • Adopt a holistic approach
      • Do threat modeling


This short document gives some ideas on how to improve resilience against ransomware attacks within an organization.

It is meant as an introduction to the topic.

It starts with a lexic, outlines the problematic around ransomware, introduces some of the challenges and finally gives a few generic preliminary suggestions.

How can organizations build resilience against ransomware? Let’s find out!

If you are are already familiar with the topic, please feel free to jump to section Building resilience in an organization


Building resilience against ransomware by Lukas à Porta is licensed under a Creative Commons Attribution 4.0 International License.

You are free to:

  • Share — copy and redistribute the material in any medium or format
  • Adapt — remix, transform, and build upon the material for any purpose, even commercially,

As long as you:

  • Give Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.


  • Alice & Bob: two fictional characters used to illustrate scenarios in information security.
    • Example : How can Alice send a important letter to Bob through an untrusted channel network, like the Internet ? She could decide to use public-key cryptography and help Bob do so too.
  • Cleartext: text or content that can be read / is not encrypted.
  • Disk encryption: encryption scheme which protects the data of an entire disk. Disk encryption only protects data when the computer is off or when the user is logged out. If one of these conditions is met, data will remain unreadeable even if the computer is lost or stolen.
    • Example : Bitlocker for Windows ; dm-crypt and LUKS for Linux
  • Encryption at rest: when the data is encrypted where it resides, typically on a storage device such as a disk or on a local filesystem.
  • Filesystem or file-based encryption: when a folder or file residing on a system is encrypted. Typically, ransonmware only encrypt folders that are likely to host valuable data (i.e. on Windows-based systems, it would be c:\users\bob\Documents or c:\users\bob\Dropbox).
    • Example : Veracrypt for Windows, macOS and Linux ; fscrypt for Linux
  • Metadata: information about a piece of information. In many cases, encryption tools to not encrypt metadata, but only the data itself.
    • Example : The title of a file or document or its size. For emails, it would be the sender or the object of the message.
  • Payload: some amount of executabe code, or a series of automated commands.
  • Supply-chain attacks: rather than targeting a particular user or company directly, supply-chain attacks target providers to those companies. In this case, the payload would be delivered through a legitimate channel such as a compromised software update. It is by definition more difficult to defend against these attacks, as they are using channels that are often considered trustworthy by default.


What does it look like when files are in cleartext?

  • See the content of file test.txt with the cat command line tool:
[alice@linux /home/alice/]$ cat test.txt

hello world!

What does it look like when files are encrypted?

  • See the same file test.txt encrypted:
[alice@linux /home/alice]$ cat *

cat: aYTiPrY3QvrOgYEPafjw5lHibEchDHzjiiTTR7kObWWgeedvX3Tu1A: 
Required key not available

Here, not only the content of the file is encrypted, but also part of the metada: the title of the file is not known, nor its type.

In the event of a ransomware attack, the data is encrypted against the will of the user and the key to unlock it is in the hands of the attackers.

Encryption is a good thing if it is implemented by choice and if the user holds the key to unlock the data.


Instead of infecting software and altering their normal behavior as traditional computer viruses do, ransomware attacks target users’ or organizations’ data.

Ransomware are often delivered to the target using inconspicuous email (so-called phishing attacks). In some situations, simply opening an email can trigger the infection.

Attackers encrypt the valuable data with a private key only they possess, making it inaccessible to the user. They then ask the user to pay a ransom to retrieve the private key to decrypt their data.

As is the case with many cyber-attacks, ransomware attacks are cheap to deliver and hard to defend against.

Some key challenges

  • Most users on a system have access to a lot of company data, which may be stored on the local disk or accessible on a network drive.
    • This data is directly accessible by most software installed on the computer, including the email client and the internet browser, two potential vectors of infection.
  • In most cases, no elevated privileges are needed to encrypt files : a regular user account can do so, at least for files it can modify.
    • Locked-down user accounts are not enough to thwart an attack, i.e : accounts without the ability to install or modify software won’t do much against ransomware.
  • Emails are only one way nefarious payloads can hit organizations.
    • There are multiple vectors for infection, such as supply-chain attacks, which are even harder to defend against.

Building resilience in an organization

Undestand the trade-offs

  • Will users and the organization accept to trade some usability for more security ?
    • For example, a very effective way to protect against most, if not all, ransomware attacks would be to disallow downloading or storing any files locally or on network-accessible drives. One would only be allowed to work using Software-as-a-Service (SaaS) software, or software that can be accessed through a web-browser (i.e. Office 365; Google Suite; etc).
    • As a result of this approach, any software that doesn’t provide a web-based version won’t be available anymore.
    • Offline access may not be possible. Using a computer is likely to require a permanent Internet connection.
    • Web-based software have increased latency and thus often feel slower to use than their desktop counterparts.

Implicate staff early

  • Ultimately, any decision to enforce new security measures will affect the entire organization
    • If stakeholders do not comprehend the reason behind the new set of security measures and if they weren’t able to have a say during the process that led to adopting those measures, they are likely to misundertand them or even straightout reject them.
    • Moreover, the quality of those measures is likely to increase as a result of consulting users throughout the whole process.
    • Users shouldn’t be considered a liability but the the first line of defense against attacks, and should therefore be trained and given the right tools to (mostly automatically) defend their systems and themselves.

Security is a process, not a final state. Continuous or recurring training should take place.

Adopt a holistic approach

  • Ransomware are one of the most publicized threats today, but they are only one part of the picture.
    • There are physical threats, other cyber threats, economic threats… etc. Those classes of threats may interact with one another in some unforseen ways.
    • A new measure to reduce exposure to one threat may increase exposure to another threat.

Do threat modeling

  • What are you trying to defend your organization against ? Advanced Persistent Threats (APTs) or untargeted automated attacks ?
    • It is important to clearly define threats that the organization would like to defend itself against to make sure measures will be effective.

Thanks for reading this article until the end! Do you any suggestions? If so, please feel free to drop me an email at please@refre.ch

Categories: EnglishInfosec