Tracking remote ransomware attacks at their source
ThreatDown Writer · 2025-12-09 · via Ransomware – ThreatDown by Malwarebytes
Network

February 2025 marked a grim milestone: 1,000 known ransomware attacks in a single month, the worst on record. Behind that number sits a technical reality that IT teams don’t see coming. When ransomware strikes, many are watching it happen through the wrong lens.

The missing insight? EDR solutions show you the victim of the encryption, not the attacker. That difference matters when seconds count.

The blind spot that can cost millions

A DFIR Report investigation documents how this plays out in real attacks. BlackCat operators compromised an organization through a Nitrogen malware campaign, then used PsExec to remotely execute ransomware across network systems. Security teams saw encryption activity on victim endpoints, but the attack was being orchestrated remotely from a different machine.

This is exactly the attribution gap that delays containment. When ransomware encrypts files over network shares, the victim endpoint’s logs record the activity as if it were initiated on that machine. In reality, the encryption is being triggered remotely from another system on the network. IT teams see symptoms on dozens of endpoints without realizing that a single infected host is causing the damage.

CISA’s 2025 advisory on Play ransomware highlighted PsExec and other legitimate tools used “to assist with lateral movement and file execution.” This “living off the land” approach leverages the same administrative tools IT teams use every day. Attackers abuse them to move laterally through networks and remotely encrypt files across SMB shares. 

Traditional EDR captures the file modifications on victim machines but misses the critical detail: which system initiated the attack. Without that attribution, security teams can’t isolate the source, stop the spread, or understand the full scope of compromise.

ThreatDown EDR closes this gap with network ransomware rollback.

Network ransomware rollback

ThreatDown EDR’s network ransomware rollback fills this detection gap with four specific data points:

  1. IP address and hostname of the attacking endpoint reveal the source machine initiating remote encryption.
  2. Remote port used in the connection enables security teams to identify the exact network session and potentially spot command-and-control (C&C) channels.
  3. Remote user ID and username show which compromised account the attackers used to authenticate across network shares.

ThreatDown captures these details in file activity logs, the same audit trail that tracks how files are accessed, modified, or encrypted across the system. And ThreatDown network ransomware rollback enriches those logs with the network-layer context that other endpoint monitoring doesn’t record.

The technical implementation matters here. When a remote system accesses files over SMB, the Windows kernel on the victim machine handles the I/O operations. Standard EDR sees kernel-mode activity. ThreatDown’s network ransomware rollback intercepts and logs the network authentication and connection metadata before the kernel processes the file operations. That’s the mechanism that reveals the true attack source.
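The following is an added example, not ThreatDown code, of why the source attribution fields above change the response. It takes file-activity records from several victim file servers, each carrying the network context the post lists (source IP, hostname, remote port, remote user), and groups suspicious writes by the remote session that performed them instead of by the victim that logged them. The log line format, field names, hosts, users, thresholds and the list of "suspicious" suffixes and ransom-note names are all constructed for illustration; a real deployment would take these values from its own telemetry.

```python
"""Attribute remote encryption activity to its source host (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed file-activity log lines. Each record is written by the victim
# file server (host=...) and enriched with the remote session that performed
# the operation (src_ip, src_host, src_port, user). Paths use '/' for brevity.
SAMPLE_LOG = r"""
2025-12-09T03:02:11Z host=FS01 op=RENAME path=/finance/q3.xlsx new=/finance/q3.xlsx.locked src_ip=10.0.5.23 src_host=WS-042 src_port=49721 user=CORP\svc_backup
2025-12-09T03:02:12Z host=FS01 op=WRITE path=/finance/q4.xlsx.locked src_ip=10.0.5.23 src_host=WS-042 src_port=49721 user=CORP\svc_backup
2025-12-09T03:02:14Z host=FS02 op=RENAME path=/hr/roster.docx new=/hr/roster.docx.locked src_ip=10.0.5.23 src_host=WS-042 src_port=49733 user=CORP\svc_backup
2025-12-09T03:02:15Z host=FS02 op=WRITE path=/hr/README_TO_RESTORE.txt src_ip=10.0.5.23 src_host=WS-042 src_port=49733 user=CORP\svc_backup
2025-12-09T03:02:20Z host=FS03 op=WRITE path=/eng/build.log.locked src_ip=10.0.5.23 src_host=WS-042 src_port=49740 user=CORP\svc_backup
2025-12-09T03:05:00Z host=FS01 op=WRITE path=/finance/notes.txt src_ip=10.0.7.8 src_host=WS-101 src_port=50112 user=CORP\alice
"""

# Constructed indicators: extensions and note names typical of mass encryption.
SUSPICIOUS_SUFFIXES = (".locked", ".enc", ".crypt")
RANSOM_NOTE_NAMES = ("readme_to_restore.txt", "how_to_decrypt.txt")

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one 'timestamp key=value ...' record into a dict."""
    ts_text, _, rest = line.partition(" ")
    rec = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    rec.update(FIELD_RE.findall(rest))
    return rec


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def looks_like_encryption(rec):
    """True if the operation's resulting path carries an encryption marker."""
    target = rec.get("new", rec["path"]).lower()
    name = target.rsplit("/", 1)[-1]
    return target.endswith(SUSPICIOUS_SUFFIXES) or name in RANSOM_NOTE_NAMES


def attribute_source(records, window=timedelta(seconds=60), min_ops=3, min_victims=2):
    """Group suspicious operations by the remote session that performed them.

    A source is flagged when, within any `window`, it performed at least
    `min_ops` suspicious operations against at least `min_victims` distinct
    victim hosts. Returns flagged sources, most active first.
    """
    by_source = defaultdict(list)
    for rec in records:
        if looks_like_encryption(rec):
            by_source[(rec["src_ip"], rec["src_host"], rec["user"])].append(rec)

    flagged = []
    for (ip, host, user), recs in by_source.items():
        recs.sort(key=lambda r: r["ts"])
        best, start = None, 0
        for end in range(len(recs)):
            # Slide the window forward until it spans at most `window` seconds.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            span = recs[start:end + 1]
            victims = {r["host"] for r in span}
            if len(span) >= min_ops and len(victims) >= min_victims:
                if best is None or len(span) > best["ops"]:
                    best = {
                        "src_ip": ip, "src_host": host, "user": user,
                        "ops": len(span), "victims": sorted(victims),
                        "ports": sorted({r["src_port"] for r in span}),
                        "first_seen": span[0]["ts"], "last_seen": span[-1]["ts"],
                    }
        if best:
            flagged.append(best)
    flagged.sort(key=lambda f: f["ops"], reverse=True)
    return flagged


if __name__ == "__main__":
    for hit in attribute_source(parse_log(SAMPLE_LOG)):
        print(f"isolate {hit['src_host']} ({hit['src_ip']}), account {hit['user']}: "
              f"{hit['ops']} encryption ops on {hit['victims']} via ports {hit['ports']}")
```

Seen per victim, FS01, FS02 and FS03 each look like a separately infected machine; grouped by source session, all five suspicious operations collapse to one workstation and one account, which is the machine to isolate and the credential to disable. Legitimate activity from another user in the same window is left alone.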

From detection to recovery

The real power of ThreatDown’s network ransomware rollback is in how it transforms the entire response process. ThreatDown EDR reveals where an attack was initiated and provides a direct path to recover impacted systems. By integrating network-layer visibility with endpoint rollback, ThreatDown bridges the gap between detection and recovery, so teams can contain faster, restore smarter, and maintain business continuity even when backups fail.

ThreatDown’s network ransomware rollback delivers operational impact in three areas:

Faster root-cause analysis 

Security teams immediately identify which endpoint launched the attack, and don’t waste hours correlating logs across 50 infected machines trying to find patient zero. ThreatDown’s file activity logs show you the source IP and hostname in the first alert.

Targeted containment

Isolate the attacking machine from the network, not just the victims showing encryption activity. This stops the spread before the attacker pivots to additional shares or systems. ThreatDown’s 2025 State of Ransomware Report highlights that attackers exploit “blind spots” like unknown computers, under-protected endpoints, and ESXi hypervisors without EDR. ThreatDown’s network ransomware rollback makes those blind spots visible when they start attacking other systems.

Rapid recovery

ThreatDown turns detection into resilience. Its rollback capability maintains a seven-day cache of file states for data modified through remote access. When you identify the attacking source, you can restore files that were encrypted or modified by that specific remote system, without relying on Windows vssadmin, which attackers routinely disable or delete.

This capability matters because traditional backup strategies often fail under real attack conditions. ThreatDown research shows that an increasing number of organizations lack reliable or accessible backups during ransomware incidents. Attackers frequently target backup servers and repositories to increase leverage. Network ransomware rollback gives defenders a self-contained recovery layer that remains intact even when external backup systems are wiped or encrypted.

Why this matters now

Ransomware attacks increased 25% year-over-year from July 2024 to June 2025, while the number of active groups doubled in just three years, surpassing 60 for the first time. Once dominated by a few major players, the landscape has fractured. The ten most active groups account for only half of all attacks, down from nearly 70% the year before. This fragmentation changes the defensive calculus. 

You’re no longer defending against a handful of predictable groups with well-documented TTPs. You’re facing a constant churn of new crews, new tools, and new playbooks. 

And they’re attacking after hours. Most intrusions begin between 1 AM and 5 AM, when few people are watching. Attackers move quietly through legitimate utilities like PowerShell, WMI, and RDP to avoid detection. They breach ESXi hypervisors that lack endpoint protection and exploit forgotten or unmanaged systems that fall outside routine visibility. 

ThreatDown EDR closes these gaps.

Network ransomware rollback extends visibility to the attacker’s bridgehead. It captures the source attribution that turns a confusing multi-endpoint incident into a targeted response with clear containment steps and a defined recovery path.

ThreatDown EDR collects the metadata that standard Windows audit logs miss. Its file-activity logs record remote system details, while the rollback mechanism preserves pre-encryption file states. So when an attack hits your network shares at 3 AM, every data point you need to respond and recover already exists in those logs.

That’s the difference between spending hours hunting for patient zero while ransomware spreads to additional systems and immediately isolating the source machine with enough forensic evidence to understand the full attack chain. It’s the difference between paying a ransom or restoring from the seven-day cache the attackers didn’t know existed.

Ransomware cannot thrive in the daylight that EDR creates. ThreatDown’s network ransomware rollback ensures that daylight reaches the places where attackers think they’re invisible.