What We Do
How we do it
Oct 18, 2021
Grief Ransomware Gang Claims 41 New Victims, Targeting Manufacturers; Municipalities; & Service Companies in U.K. & Europe
Grief Operators Earned an Estimated 8.5 Million British Pounds in Four Months Key Findings: The Grief Ransomware Gang (a rebrand of the DoppelPaymer Ransomware Group) claims to have infected 41 new victims between May 27, 2021—Oct. 1, 2021 with their ransomware.Over half the companies listed on Grief’s underground leak site are based in the U.K. and Europe. The Grief Ransomware Gang appears to…
Read More
View all Advisories →
About Us
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 1000+ organizations in 70+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Read about how we got here
Leadership Work at eSentire
Oct 12, 2021
eSentire Launches MDR with Microsoft Azure Sentinel Extending Response Capabilities Across Entire Microsoft Security Ecosystem
Waterloo, ON – Oct. 12, 2021 -- eSentire, recognized globally as the Authority in Managed Detection and Response (MDR), today announced the expansion of its award-winning MDR services with Microsoft Azure Sentinel, as part of its integration with the complete Microsoft 365 Defender and Azure Defender product suites supporting Microsoft SIEM, endpoint, identity, email and cloud security services.…
Read More
Our award-winning partner program offers financial rewards, sales and marketing tools and personalized training. Accelerate your business and grow your revenue by offering our world-class Managed Detection and Response (MDR) services.
Learn about our Partner Program
Apply today to partner with the Authority in Managed Detection and Response.
Login to the Partner Portal for resources and content for current partners.
Blog — Mar 01, 2018

How can you fight ransomware? Solutions to 11 common ransomware failure points

Ransomware is an increasingly appealing cyberattack method. Compared to traditional methods, ransomware typically involves fewer steps and a more direct route to payment (which is the goal in this case). And nowadays, with publicly available toolkits, it's easier than ever for cybercriminals to develop effective ransomware. This leads to a continual evolution of ransomware variants, which is what helps them evade the security defenses working to detect them.

Somewhere along the path of attack, ransomware breaks into a network at the point where defenses are down (or weak). This is referred to as a failure point. As we know, successful ransomware and malware-based attacks are crafted to allow them to evade traditional defense checkpoints. Below we list common failure points and their solutions to help you prepare for future ransomware attacks.

Common failure points and their solutions


The firm’s upstream email simple mail transfer protocol (SMTP) provider did not scan attachments for malicious content.


The firm’s next generation firewall did not identify the attachment as malicious (or questionable) content.

#1, #4

The firm’s local email system (e.g. Microsoft Exchange) did not scan attachments for malicious content.


The end user was not sufficiently trained to identify a phishing email (with malicious content).


The user’s workstation (or mobile device) did not flag the malicious content (through anti-virus or other endpoint protection methodology).


If the delivery vector was a macro hidden within an Office document (the most common delivery method), macros were enables within Office (or the user was enticed to enable them manually).

#4, #5

The user’s workstation did not have restrictions places on the execution of downloaded content.


The firm’s next-generation firewall and/or Intrusion Prevention system did not recognize and/or block the command-and-control traffic (including key generation) of the malicious code (particularly important if the remote IP addresses were previously known to be bad).

#1, #4

The firm did not detect (through filesystem analysis) that a specific user was modifying a large number of files rapidly.

#3, #6

Depending on how many files were affected by the infected endpoint, it is a possibility that the end user had more access than they necessarily needed to execute their job.


During the restore process, some newer data/files might have been not backed up due to a gap in backup rigor.


These failure points may seem very specific and hard to avoid – but don’t despair! We’ve provided solutions to help you overcome each of them.

1. Ensure all systems are up to date

This may sound obvious, but it’s extremely important and easy to overlook. “All systems” includes all workstations, servers (including internal and DMZ) and mobile devices. Always perform patches whenever and wherever possible. Use tools like anti-virus, anti-exploit (for ex, EMET), application whitelisting (for ex, AppLocker) and mobile device management software. And finally, restrict downloading of applications and payloads (for ex, Network Application Control).

2. Ensure backups of critical systems and data are successful and available

This solution is two-fold: test regularly for content accuracy and back up important data offline. Do these often. Attacks can (and often will) come when you least expect them, and the more recently you backed up data, the less likely you will have lost data.

3. Restrict access

You can avoid a lot of unnecessary anxiety by following this solution. Very few employees need access to everything. In fact, only select employees with specifically the “need to know” should be able to access highly-sensitive information, and only then, in accordance with the company policy and job function. Knowing this, it would be a good practice to enforce “least privilege” access throughout systems. It’s also important to segment networks. This includes restricting workstation-to-workstation access and utilizing a jump box for important and critical parts of your network. Finally, log and investigate any access attempts to shares that get denied, as this could very well be early signs of an infestation.

4. Reduce susceptibility footprint

Under this solution, there are four practices to consider. First, reduce inbound vectors (for ex, personal email) as these can make the network susceptible to different attack vectors. Second, disable macros within Microsoft Office if they’re not needed; and in a similar vein, use Microsoft Viewer when you don’t need to edit Office documents (especially if/when viewing suspect documents). Finally, investigate options to improve/harden upstream SMTP attachment scanning and quarantine, as this will help flag anything suspicious before it goes any further.

5. Training

Effective training is key. Encourage your employees to be skeptical when it comes to opening emails and clicking on files. One way to do this is through ongoing and interactive security awareness training, in addition to weekly reminders and postings about the importance of data security. Regular phishing tests can’t hurt either – they’re a great way to gauge the overall security awareness and vigilance of your employees, and the success of your training program.

6. Alerting

Although it’s the last solution on the list, alerting is as important as any other tactic you can use. One that is particularly important to implement is behaviour-based alerting when a certain threshold of files is modified. Also, be sure to have a comprehensive Continuous Monitoring/Embedded Incident Response methodology. Alerts must be investigated; it doesn’t help if the warnings fall on deaf ears.


While these solutions by no means guarantee you’ll never experience a ransomware attack, they’re a step in right direction. Applying these solutions to any failure points you’ve identified will reduce the chance of ransomware getting into your network and disrupting business, which is what we all want.

Between running a business and protecting that business, it’s a lot to keep track of. With Managed Detection and Response, our SOC can be a great resource to monitor operations when you can’t. We’ve got your back. Let us know what we can do to help.

Emily Boden
Emily Boden Content Specialist

Emily is a content specialist on the Marketing team at eSentire. Drawing on her background in journalism and social media, Emily communicates eSentire's mission with compelling and thought-provoking content.