Ransomware groups are always changing their attack methods, but one thing that remains the same is the role of human error in their success. In most cases, the attackers gain access through stolen credentials or through staff falling for phishing emails.
As your staff have constant eyes on your systems and networks, they are a first-line defence to spot irregularities and suspicious activity that might indicate a ransomware attack. This is why it is so important that they know what they are looking for and how to report ransomware threats.
At Solace Cyber, our Cyber Security Incident Response Teams have seen first-hand how immediate reporting of unusual activity can positively impact the success of the recovery, increasing the chance of recovering your data and network swiftly.
In this blog, we share what information your employees need to know so they can effectively spot and report ransomware threats.
Recognising Common Ransomware Attack Tactics
In order to spot a ransomware threat, your staff need to know what they are looking for.
While the signs will vary depending on which ransomware group is attacking, there are common tactics used by most of the groups.
Phishing emails
Phishing emails are scam emails that prompt your staff to click on a link. When they do, malware is downloaded onto the computer, giving the group access to your network.
Your staff need to be vigilant regarding what emails they open and the links they follow.
If they aren’t sure about the legitimacy of an email, they should check the email address that sent the email. This will often hint at it being a scam email as it won’t follow a regular domain pattern.
If they still aren’t sure, they should speak to your IT support, who are likely to spot other telltale signs it is a scam.
Malicious Email Attachments
Along the same lines as phishing emails, the ransomware groups might also send emails with a malicious email attachment.
In this situation, the email will encourage your staff to download something. As they download the document, a virus will also be downloaded, which will give the attackers access to the network, or to personal data they can use to gain access later.
Signs of a malicious attachment will be similar to phishing emails, with unidentifiable email addresses and dubious email content.
Training Employees to Identify Red Flags
Cyber attacks are a serious and increasing risk to businesses in the UK. Therefore, ongoing cybersecurity training for all employees is vital.
The training should cover:
- The importance of updating passwords and using unique, strong phrases or combinations of letters and numbers for each profile they might have.
- The importance of not sharing login information with others or saving it in an accessible place.
- The signs of phishing or scam emails, documents and links.
- Signs of an attack in progress.
With this information, your staff are more likely to identify suspicious emails and activity, reducing the chance of human error providing the attackers with access to your network.
As mentioned, part of this training needs to cover the signs of an attack. It is pivotal that your staff know the following:
- Unusually slow system performance - systems running slowly for no obvious reason could be a sign of the encryption process consuming large amounts of the system's resources.
- Unexplained file extensions - encrypted files are often given a new or additional extension such as ".locked", ".crypt" and ".encrypted".
- Access denied to files or folders - an "access denied" message when trying to open a file or folder is a sign that file permissions have been amended by ransomware groups.
- Unusual file modification requests - receiving unusual requests to modify, delete or access large volumes of files at once signals files being encrypted.
- Strange behaviour with security software - antivirus or security software suddenly being deactivated, or its settings being changed, is often a signal of an attack starting, as groups will often try to disable this software to avoid detection or removal.
- Unexpected system or network-wide reboots - system reboots that haven't been initiated by an employee could signal that the ransomware group has completed their encryption stage.
Once everyone knows what they need to look out for, they will also need to know what to do should they spot one or more of these signs.
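Two of the signs listed above, unexplained file extensions and large volumes of file changes at once, can also be checked automatically by your IT team. The following is an added example, not code from Solace Cyber: the log format, host names, threshold and window are assumptions, and the sample log is constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions quoted in the list above; real ransomware uses many others.
SUSPICIOUS_EXTENSIONS = (".locked", ".crypt", ".encrypted")
BURST_THRESHOLD = 5                    # assumed: file events per window
BURST_WINDOW = timedelta(seconds=60)   # assumed window length

# Constructed sample log: timestamp, host, action, path (hypothetical format).
SAMPLE_LOG = """\
2024-05-01T09:00:00 WS-007 MODIFY /share/hr/rota.docx
2024-05-01T09:14:02 WS-014 RENAME /share/finance/q1.xlsx.locked
2024-05-01T09:14:05 WS-014 RENAME /share/finance/q2.xlsx.locked
2024-05-01T09:14:09 WS-014 RENAME /share/finance/q3.xlsx.locked
2024-05-01T09:14:15 WS-014 MODIFY /share/finance/notes.txt
2024-05-01T09:14:21 WS-014 RENAME /share/finance/plan.docx.encrypted
2024-05-01T10:30:00 WS-007 MODIFY /share/hr/rota.docx
"""

def find_indicators(log_text, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Map each host showing a sign to the evidence found for it."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, host, _action, path = line.split(maxsplit=3)
        per_host[host].append((datetime.fromisoformat(stamp), path))
    findings = {}
    for host, rows in per_host.items():
        rows.sort()
        flagged = [(t, p) for t, p in rows
                   if p.lower().endswith(SUSPICIOUS_EXTENSIONS)]
        times = [t for t, _ in rows]
        # Burst: any `threshold` consecutive events that fit inside `window`.
        burst = any(times[i + threshold - 1] - times[i] <= window
                    for i in range(len(times) - threshold + 1))
        if flagged or burst:
            findings[host] = {
                "suspicious_files": [p for _, p in flagged],
                "first_flagged": flagged[0][0] if flagged else None,
                "burst": burst,
            }
    return findings

if __name__ == "__main__":
    for host, info in find_indicators(SAMPLE_LOG).items():
        print(host, info["first_flagged"], info["burst"], info["suspicious_files"])
```

The host, the time of the first flagged file and the affected paths are the same details a staff report should carry: what was spotted and when.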

Establishing Clear Reporting Channels for Suspicious Activity
If an employee believes your network is under attack, they need to know who to report to and what the next steps are.
It is always a good idea to customise your process to your business and the way you work. The following are common reporting channels used across different sectors.
- Dedicated email address - a simple email address that can be remembered can be set up and used to report a potential threat. Staff should be given a template to follow that includes key details such as what they have spotted, when and any actions taken.
- Integrated help desk ticketing system - tools such as Jira, Zendesk or similar allow employees to open a ticket and report their suspicions. Each ticket is tracked so you have a log of concerns being raised.
- Anonymous reporting systems - sometimes confidentiality encourages people to report their concerns, so offering an anonymous reporting hotline promotes reporting without hesitation, especially if they think they may have downloaded or clicked on something to trigger an attack.
As well as having systems in place, it is important that staff know who is responsible for this information and actioning recovery steps, as this might encourage face-to-face reporting and discussions.
Implementing a Ransomware Response Plan
All companies need a ransomware response plan, which outlines immediate actions to be taken and actions to be avoided.
Employees should have sight of this so that they are able to implement the plan as soon as a breach has been detected.
It is also important that you share the plan once an attack has been reported, potentially giving further step-by-step instructions on certain actions, such as disconnecting from the network.


Protecting Your Business Starts with Your People
Businesses depend on technology, networks and systems, so keeping them secure is crucial for smooth operations.
Cybersecurity comes down to a vigilant workforce just as much as it does to active and suitable anti-malware or security software.
But in order to encourage your staff to look out for signs of an attack and feel empowered enough to report any suspicious signs or behaviours, they need to be educated.
As a business, you need to provide ongoing cybersecurity training which covers:
- Ways that ransomware groups gain access
- Signals of an attack
- Actions to take after spotting a sign of an attack
- How to report concerns and suspicions
Had a cybersecurity concern reported and believe you are under attack?
Don’t hesitate to get in touch with our ransomware recovery specialists today.
We have a Digital Forensic Incident Response team who will arrive on site as soon as possible to conduct examinations and retrieve data before containing the attack, eradicating the cause of the attack and recovering and restoring the system to normal operation.
Call us now on 01202 308818 or complete our online enquiry form, and we will give you a callback.