Cybersecurity, Multifactor authentication, Phishing, Ransomware

From phishing to ransomware: Critical learnings from cyber incidents

Table of Contents

In light of recent high-profile cyber attacks, I’ve been reflecting on how learnings from cyber incidents highlight the urgent need to rethink our cybersecurity strategies. The patterns emerging from these incidents such as data exfiltration and sophisticated phishing schemes reveal critical vulnerabilities in many organisations.

From the importance of multi-factor authentication to the need for better integration of security solutions, the lessons are clear.

In this article, I’ll share the key takeaways and offer actionable insights to help you strengthen our defences and stay ahead of evolving threats.

What lessons have we learned from recent cyber incidents?

The vast majority of publicly reported large scale cyber-attacks, in the UK and globally, have involved data exfiltration. Many attacks initially involved impersonation via phishing campaigns and really targeted activity.

Allegedly, the cyber attacks on the London NHS involved 3rd party services where multi-factor authentication (MFA) may not have been enforced. In other attacks, at least the initial autonomy has involved harvested credentials later in the working day which led to onward out of hours activities and account elevations which were not detected.

The cyber attacks on Microsoft Corporation involved Business Email Compromise (BEC) and impersonations.

So what have we learned?

We need to challenge our existing posture, monitoring, processes and analytical rules with the above knowledge to understand how we would perform.

User awareness training, whilst part of continual cybersecurity improvements, also needs to understand how attack autonomy evolves and what additional detections of unexpected activities should be implemented.

Many security point solutions are not closely integrated, which offers exploitable gaps, for bad actors to exploit and they do. In many of the most recent attacks, endpoint security solutions were not closely integrated to network, email and vulnerability management solutions.

Scheduling high-severity security updates to be applied within 28 days creates significant opportunities for bad actors, especially when the average exploitation time is less than a day.

It is not just the over confidence dilemma here, but also the need to recognise the most important metric is, earlier visibility of a security issue with accompanying response.

We speak with many customers who have enhanced their endpoint security and SIEM solutions but are unsure how to respond to alerts and incidents. Just like with Incident Response, having a plan and regularly reviewing it is crucial for continual improvement.

Why is ransomware still so effective?

Let’s remember that we have made some progress in reducing the effectiveness and prevalence of Ransomware. Our ability to respond as quickly as bad actors can change and morph needs to improve.

The basic facts are, Bad actors depend on forcing a position where paying a ransom is the easier and cheaper option to regain access to data OR to stop publication of exfiltrated data. Or both.

Fundamentally, ransomware remains a simple way to make money illegally, especially as access to powerful ransomware tools becomes easier (though eliminating them remains challenging).

Ransomware is designed as a highly damaging tool when combined with data exfiltration, targeting reputation issues from multiple angles.

We are getting internationally more effective at taking down organised entities, but, the ability to reform, unpoliced, in new areas of the dark web as well as tackling some nation state sponsored actors makes policing time consuming and challenging across some borders.

As organisations have become more effective at faster business recovery, the emphasis has shifted to publication of exfiltrated data as the main lever.

Many governments and cyber agencies strongly discourage paying ransoms to cyber attackers. However, companies must balance this with the potential consequences of data publication and fines.

Demonstrating thorough precautions to protect business operations, personal data, and a well-maintained cybersecurity posture is important.

https://youtu.be/kal-_2I1dtQ

Bad Actors are more targeted, and instil fear and panic into victims, using increasingly aggressive tactics. They often issue payment links which are infected with additional malware and use intimating messages and threats to life as well as targeting family members. Personal inclusions increases the emotional involvement!

Vulnerabilities are continually identified, some present high levels of business risk which need to be quickly resolved.

Attackers are extremely automated and targeted on exploiting these weaknesses within hours of identification – just ask yourself how fast does your organisation update devices based on critical or high severity vulnerabilities?

We have to adapt and protect in the same timescales to reduce exploitation opportunities.

Whilst the overconfidence dilemma may not take into account human error or deception from sophisticated phishing attacks, email data exfiltration has remained in the top three causes for the last 15 years.

How many organisations truly review phishing metrics to understand how best to improve phishing protection for the most targeted or vulnerable users and processes?

Over a third of organisations know that setting DMARC and DKIM policies reduces the effectiveness of phishing attacks as email sender domain must be validated and scored yet only enable DMARC or DKIM and do not set active policies – so it will have no protective effect!

How do you respond to suspected data exfiltration?

The first question most leadership teams seek to understand is, what have they got?

It is often not an easy question to answer quickly, yet the pressure to know is immense. Many bad actors will also indicate that they have a large amount of data which may not be the case.

This is part of increasing the pressure, as attackers can identify if data is tagged or classified. A business’s confidence comes from knowing whether data was detected and what has been exfiltrated.

They will be evasive and may at some point post a sample of exfiltrated data. It is also important to remember that the bad actor demanding a payment may not be the party who undertook the exfiltration. Multiple bad actors are invariably involved with ransoms.

If a business has tagged and classified data, it is invariably easier to understand what data may have been exfiltrated. It is not easy if data has not been classified or operates across multiple data services. Where devices are stolen or lost, remote deletion technology.

Can immutable backups be compromised?

Immutable backups cannot be altered – they are by definition unchangeable, and protected from ransomware and malware attacks in terms of those which seek to change encryption parameters, keys and storage.

You must still consider protecting the immutable backup platform as bad actors are increasing seeking to change access permissions and privileges to prevent access to recover from immutable copies.

Another example is an attacker gaining cloud administrator rights and simply deleting storage or subscription accounts containing data vaults. For example, you should enable the immutability function in Microsoft Azure backup recovery service vaults AND enable Vault Lock.

Immutability cannot be reversed. However, you need to back up all your Storage Vault keys and ensure protection processes against insider threats. A disgruntled employee or internal admin with subscription access could be forced to delete storage subscriptions once resources have been deleted.

What are common security configuration issues we see?

  1. Incorrect, expired or wildcard certificates on key public facing services and protocols
  2. Email security solutions which are not frequently tuned or operate with enhanced analytical rules based on malicious content which evades detection
  3. Non removal of Azure privileged rights or left user accounts
  4. Conflicting Microsoft ENTRA conditional access policies
  5. Monitoring for significant file extension or movement detections
  6. Absence of updated and tested Incident Response plans
  7. Weak privileged account passwords which are known to be weak but remain unchanged
  8. Unrestricted App registration capabilities for users within an organisation which may enabling enhanced rights
  9. Over reliance on MFA as a principle source of security in validating user access
  10. Not ensuring or conflicting policies which disable or do not request MFA for certain users or groups
  11. Unpatched vulnerabilities

DOWNLOAD OUR ACTIONABLE SECURITY CHECKLIST HERE

How do bad actors evade detection in living off the land attacks?

Evasion techniques usually seek to deceive, divert or masquerade malicious intent when attempting to gain unauthorised access to a business.

This initial activity may be through:

  • Impersonation attacks, compromise or use of harvested credentials
  • Vulnerability exploitation attacks using identified and unpatched weaknesses to gain unauthorised access
  • Malware or malicious code creation which creates erroneous connections, accounts or privileges to scan and access an environment
  • Installing malware via browser plugins or bots which collate activity tracking insights and information

How do we prevent future CrowdStrike-like security incidents?

Firstly, these events are very uncommon but there is no avoiding the impact this event had globally.

We now know from Crowdstrike, this was the result of a software bug within the content validation testing process which failed to identify a further software bug within the content released to all endpoints.

There are still considerable questions as to why, testing did not identify the severity of this issue prior to release but Crowdstrike’s review remains ongoing.

Many other cyber providers already complete phased releases which aims to minimise amplification of these more serious content issues. There have been millions of content updates across all cybersecurity platforms over the last few decades which have only served to improve threat protection and detections.

There are several lessons to be learnt from this episode though.

Firstly, and similar to the way many organisations deploy Operating System updates, there is a phased release and assurance to a business over a few days.

Where security products provide such a feature, or release to a test assurance unit, this should be considered. If this is not a feature, perhaps this becomes a product selection criteria at a point of review or renewal.

Ultimately, vendors whose software is permitted or code to interact with Ring 0 or the Kernel, need to introduce more extensive testing.

Undoubtedly, vendor selection and assurances moving forwards as well as liabilities for failure will have to be reviewed given the impact quantum this error created.

Independent testing and assurance should be introduced as a intermediary stage with agreed platforms included to ensure, where possible, any update does not create instabilities or performance issues.

That’s a wrap!

Thank you for taking the time to read this article! We hope these learnings from cyber incidents help you understand how you can better protect your business. If you have any cybersecurity concerns, we offer a range of services to help you strengthen your security measures.

Our offerings include cybersecurity consulting services, security posture assessments, and CISO advisory services. Whether you need to identify vulnerabilities, enhance your security strategy, or receive expert guidance, our team is here to assist you.

Or if you just need some expert advice, we offer no-obligation, 100% confidential cyber clinics. These are free sessions with an expert from our team to help you tackle cybersecurity issues head-on.

Author: Matt Lovell
Share:
Author: Matt Lovell
Share:

Related Resources

two men talking on a podcast posted on linkedin with a red arrow pointing towards a deepfake
Why Social Engineering Always Works: How Hackers Use Phishing & Deepfakes
We’ve all done the training, so why are attackers still getting through? Attackers no longer rely on bad spelling or suspicious links, they use AI-generated deepfakes and psychological profiling to manipulate people with astonishing precision. By exploiting the brain’s emergency response system, they trigger fear, urgency, or authority to override...
Dark purple background with claude logo and words pro, team and enterprise.
Claude Business Security: Choosing the Right Account for SMBs
When I shared my last article, a few people got in touch asking for a more practical follow-up, specifically around how small teams can use Claude Pro without putting business data at risk. This piece goes step by step through exactly that. Understand what you’re actually adopting Claude Pro is...
Two analysts looking surprised. Purple cyber background with phishing hook.
What Happens After a Phishing Attack? A Real Microsoft 365 Incident Walkthrough
If your organisation thinks a password reset or MFA alone are enough, think again. In this phishing attack breakdown by CloudGuard’s SOC team, Conor and Jon reveal the reality behind an actual breach involving a UK law firm, exposing how hackers use four methods to regain access long after initial...
purple background with computer that says threat from the field in cartoon like design
Cyber Threat Trends Q1 2026: Data Theft, AI Attacks and Emerging Risks
Executive Summary Every 90 days, we review the latest cyber threat trends to identify what IT leaders should learn, where resilience gaps are widening, and what practical actions organisations should take next.  The first quarter of 2026 has been intense. The UK threat picture is not defined by one single...
Microsoft Defender for Cloud
Microsoft Defender for Cloud Cloud environments change fast. New workloads, new services and new risks appear daily, often without full visibility or clear ownership. Microsoft Defender for Cloud provides continuous assessment across Azure, hybrid and multi-cloud environments to help organisations understand and reduce cloud security risk. CloudGuard ensures your cloud...
Woman looking at tablet with cyber imagery across the top.
The Limitations of External Penetration Testing (And What to Do About Them)
Core argument  Traditional internal penetration tests gives executives false confidence because it’s typically scope-limited, scheduled, doesn’t reflect real attacker behaviour and ignores the AI threats with user access. Would you feel comfortable boarding a plane if the pilot had practised emergency landings but had never actually simulated an engine failure?  So, why do businesses specifically exclude their...
CloudGuard logo and Stonewater Housing logo on a pastel purple background
Stonewater Housing Achieves 24/7 Security Monitoring Without Expanding Its IT Team
Image of man with half blue face on left and half red face on right. ÂŁ20 notes falling in the background.
Date | Time: 24/03/2026 | 12:00 pm
[On Demand] The AI-Enabled Insider Threat: When Trusted Access Becomes Competitive Advantage
Your most trusted employees can now distil years of institutional knowledge in days, sometimes without realising the risk they’re creating. Insider risk has fundamentally changed. We’re past the days of someone copying files onto a USB stick. Today, trusted employees are using AI tools to summarise reports, analyse strategy documents,...
Continuous Security Validation: How to Prove Your Cybersecurity Controls Actually Work
Core argument CISOs are increasingly measured not by the security they implement, but by the breaches they fail to prevent. Most cybersecurity investments create a false sense of protection because they’re never truly tested under realistic conditions.  Zero trust applied new controls but the new wave of Agentic AI solutions will fundamentally...
Get In Touch

Our Cybersecurity Services Can Instantly Improve Your Business’ Security Posture

Complete the form to find out more about any of our one-off or managed cybersecurity services. Not seeing what you’re looking for? Our cybersecurity consultants and MXDR experts are always on-hand to provide the guidance and support you need.