• Over the past two and a half years (January 2023 through June 2025), Cisco Talos Incident Response (Talos IR) has responded to numerous engagements that we classified as pre-ransomware incidents.
• Talos looked back to analyze what key security measures were credited with deterring ransomware deployment in each pre-ransomware engagement, finding that the top two factors were swift engagement with the incident response team and rapid actioning of alerts from security solutions (predominantly within two hours of the alert).
• We also classified almost two dozen observed pre-ransomware indicators in these engagements, as the top observed tactics provide insight into what malicious activity frequently preempts a more severe attack. Finally, we analyzed Talos IR’s most frequent recommendations to customers to ascertain common security gaps.
• Aggregation of this data and the follow-on analysis is intended to provide actionable guidance that can assist organizations in improving their defenses against ransomware activity. 

What characterizes an incident as “pre-ransomware?”  

Talos IR associates specific adversary actions with pre-ransomware activity. When threat actors attempt to gain enterprise-level domain administrator access, they often conduct a series of account pivots and escalations, deploy command-and-control (C2) or other remote access solutions, harvest credentials and/or deploy automation to execute the modification of the OS. Though the specific tools or elements in the attack chain vary by adversary, Talos IR has seen these same classic steps in practice for years. These actions, along with observed indicators of compromise (IOCs) or tactics, techniques and procedures (TTPs) that we associate with known ransomware threats without the end result of enterprise-wide encryption, lead us to categorize an incident as “pre-ransomware.” 

It is worth noting that some of the above attack techniques are also often deployed by initial access brokers (IABs) who seek to gain and sell access to compromised systems, and it is possible some of the incidents involved in this case study could have therefore been perpetrated by IABs instead of ransomware operators. While it is often challenging to determine a threat actor’s end goal, we have high confidence that all incidents involved tactics are consistently seen preceding ransomware deployment. If the adversary was instead an IAB, we have seen these types of IAB campaigns very frequently result in a ransomware attack after access has been sold, rendering the activity relevant to this analysis.

Key security actions and measures that deter ransomware deployment 

Talos analyzed incident response engagements spanning the past two and a half years that we categorized as pre-ransomware attacks, identifying actions and security measures that we assessed were key in halting adversaries’ attack chains before encryption. An overview of our findings can be found in Figure 1, followed by a more thorough breakdown of each category to explore exactly how certain actions impeded ransomware execution.

Swift engagement of Talos IR 

Engaging Talos IR within one to two days of first observed adversary activity (though we advise engagement as quickly as possible) was credited with preventing a more serious ransomware attack in approximately a third of engagements, providing benefits such as: 

• Extensive knowledge of the threat landscape: In multiple engagements, Talos IR was able to correlate TTPs and IOCs on customers’ networks with other ransomware and pre-ransomware engagements we had responded to, identifying when the infection was part of a larger, widespread campaign. This insight helped Talos IR anticipate and intercept adversaries’ next steps as well as provide customers additional IOCs to block that were seen in other engagements.
• Actionable recommendations for isolation and remediation: In some engagements, the customers quickly acted on Talos’ pre-ransomware security guide, which Talos IR assessed prevented more catastrophic events.
• Enhanced monitoring: The Cisco Extended Detection and Response (Cisco XDR) team can provide extra vigilance in their monitoring after containment of the pre-ransomware threat to ensure full eradication.

We observed numerous incidents where Talos IR was not engaged by the customer immediately, which enabled the adversary to continue working through their attack chain and conduct data theft and/or ransomware deployment. This often results in consequences such as backup files being corrupted or encrypted, endpoint detection and response (EDR) and other security tools being disabled, disruption to day-to-day operations and more.

EDR/MDR alert prompted security teams’ rapid containment 

Vigilant monitoring of security solutions and logs allows network administrators to act quickly when a threat is first detected, isolate the malicious activity and cut off threat actors’ ability to escalate their attack. In our case study, action from the security team within two hours of an alert from the organization’s EDR or managed detection and response (MDR) solution correlated with successful isolation of the threat in almost a third of engagements. Some of the observed alerts that prompted swift response in pre-ransomware engagements included, amongst others:

• Attempted connections to blocked domains  
• Brute force activity  
• PowerShell download cradle  
• Deviations from expected baseline activity as determined by the organization 
• Newly created domain administrator accounts  
• Successful connections to an unknown, outside public IP addresses  
• Reconnaissance activity, including shell access and user discovery commands such as whoami
• Modification of multi-factor authentication (MFA) tooling to provide bypass tokens 
• Modification of an account to be exempt from MFA requirements

USG and/or other partners notified on ransomware staging 

In almost 15 percent of engagements, targeted organizations were able to get ahead of the threat to their environment due to notification from U.S. government (USG) partners and representatives of their managed service provider (MSP) about possible ransomware staging in their environment. In particular, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has launched an initiative to provide early warnings about potential ransomware attacks, aiming to help organizations detect threats and evict actors before significant damage occurs. CISA’s intelligence predominately derives from their partnerships with the cybersecurity research community, infrastructure providers and cyber threat intelligence companies.

Security solutions configured to block and quarantine malicious activity  

In over 10 percent of Talos IR engagements, customers’ security solutions actively blocked and/or quarantined malicious executables, effectively stopping adversaries’ attack chains in their tracks.  

Talos often observes organizations deploying endpoint protection technology in a passive manner, meaning the product is producing alerts to the user but not taking other actions. This configuration puts organizations at unnecessary risk, and Talos IR has responded to multiple engagements where passive deployment enabled threat actors to execute malware, including ransomware. A more aggressive configuration impeded ransomware deployment in this case study, underscoring its importance. 

Robust security restrictions prevented access to key resources  

Based on our analysis, organizations’ robust security restrictions were key in impeding ransomware actors’ attack chains in nine percent of engagements. For example, in one engagement, the threat actors compromised a service account at the targeted organization, but appropriate privilege restrictions on the account prevented their attempts to access key systems like domain controllers.   

Also of note, organizations who implemented thorough logging and/or had a SIEM in place to aggregate event data were able to provide Talos with forensic visibility to determine the exact chain of events and where additional security measures could be implemented. When an organization lacks these records, it can be challenging to identify the precise security weaknesses that enabled threat activity.

Most observed pre-ransomware indicators 

Upon categorizing TTPs observed in this case study per the MITRE ATT&CK framework, Talos found that the following in Figure 2 were most frequently seen across engagements.

We dove deeper into some of the top attack techniques and found the following:  

• Remote Services: Talos IR frequently saw remote services such as RDP, PsExec and PowerShell leveraged by adversaries.  
• Remote Access Software: Frequently seen remote access software included AnyDesk, Atera, Microsoft Quick Assist and Splashtop.  
• OS Credential Dumping: Top observed credential dumping techniques/locations included the domain controller registry, the SAM registry hive, AD Explorer, LSASS and NTDS.DIT. Mimikatz was also frequently used. 
• Network Service Discovery: Top observed tools and commands used for network service discovery included netscan, nltest and netview.

The top observed TTPs serve as a reminder to security teams on what malicious activity often preempts a more severe attack. For example, prioritizing moderating the use of remote services and remote access software and/or securing the aforementioned credential stores could assist in limiting the majority of adversaries seen in these pre-ransomware engagements.

Observed security gaps and prevalent Talos IR recommendations 

Talos IR crafts security recommendations for customers in each incident upon analyzing the environment and the adversary’s attack chain to help address any existing security weaknesses. Our most frequent recommendations include:  

1. Bring all operating systems and software patching up to date.
2. Store backups offline.
3. Configure security solutions to permit only proven benign applications to launch and prevent the installation of unexpected software.
4. Require MFA on all critical services, including remote access and identity access management (IAM) services, and monitor for MFA misuse.
5. Deploy Sysmon for enhanced endpoint visibility and logging.
6. Implement meaningful firewall rules for both inbound and outbound traffic to block unwanted protocols from being able to be used by adversaries as part of their C2 or data exfiltration actions.
7. Implement robust network segmentation to minimize lateral movement and reduce the attack surface, ensuring valuable assets such as domain controllers do not connect directly to the internet aside from critical functions.
8. Establish or intensify end-user cybersecurity training on social engineering tactics, including coverage of recently popularized attacks such as MFA fatigue attacks and actor-in-the-middle token phishing attacks.

Cisco Talos Blog – ​Read More

The internet is now a second home for most kids and teens. Many get their first device in elementary or middle school, while modern education basically runs on technology. Cybercriminals know this, and they can trick kids into revealing personal details, send harmful links, lure them into unsafe chats, or even drain their parents’ bank accounts.

That’s why cybersecurity needs to become a part of everyday life at home. Our guide to reducing your kids’ digital footprint will give you a firm grasp of the risks, and create a safe online environment — while avoiding blanket bans or grudging grievances.

What to watch out for

First, let’s identify the digital “hot spots” where your attention as a parent matters most:

• Group chats for schools or universities on unsecured messaging apps
• Voice chats in video games
• Oversharing on social platforms
• Searching on the web and across global social networks
• Using AI tools and generating content safely
• General safe-use practices for devices and public networks

The best way to protect your kids isn’t through strict controls — it’s through honest conversation. Sure, you can block websites, introduce a phone curfew, and hover over your child every time they use Gemini. But this risks losing their trust: you could end up looking like a villain standing in the way of their freedom. Heavy-handed restrictions always invite attempts to get around them. It’s far better to build understanding, and explaining why the rules exist in the first place.

Here are some practical steps to help your child stay out of trouble and keep their digital footprint under control.

Watch what you post

For Gen Z and Gen Alpha, sharing life online is second nature. But oversharing — being too open online — often opens the door to hacking and even offline risks.

Remind your child never to share their last name, date of birth, school name, or city when signing up for services. Explain the risk: attackers could use that data to find them and build false trust — for example, greeting them by name and posing as a classmate’s relative.

Turn off geolocation in posts and stories by default. If a post needs a location, only publish it after your child has left that place.

Also be careful with places your child visits regularly, and avoid sharing travel plans. The “gold standard” is to teach your child to remove geotags from photos they upload. Why this matters — and how to do it — we covered in our post Metadata: Uncovering what’s hidden inside.

Another taboo is sharing personal info — and in some cases even school uniforms. If the school has a distinctive look, photos or videos of clothing (whether sports or regular) can still give away too much.

Reinforce the first rule of the internet: what goes online, stays online. Everything they post can have consequences — from damaged reputations to data in scammers’ hands. If your child simply wants to share their experiences, suggest starting a blog. We cover how to do this safely here: How to help your kid become a blogger without ever worrying about their safety.

Be careful with the links you click

You probably know what phishing is — but your child may not. Explain that any links they get sent need scanning by a reliable anti-phishing tool for smartphones and computers.

Too-good-to-be-true offers, surprise prizes, and other “incredible deals” should always raise suspicion — and be shown to you before following the link. We’ve covered phishing schemes in detail, for example, in our post How scammers attack young gamers; use the examples there to show your child what can happen if links aren’t checked.

Be careful with who you play with online

Caught up in a multiplayer game with voice chat, teens may let their tongues run wild. The gaming world has become a prime space for grooming — when adults build trust with teens for harmful purposes. So set a clear boundary with your child: voice chat should stick to gameplay only. If someone tries to steer things into personal topics, it’s safer to end the conversation — and if they persist, block them.

Avoid public Wi-Fi

Explain that using public Wi-Fi networks is inherently unsafe: attackers can easily intercept logins, passwords, messages, and other sensitive data. Whenever possible, it’s best to stick to mobile data. If connecting to unsecured Wi-Fi is the only way to stay online, protect the connection with a trusted VPN service. That way your child’s data won’t leak.

Watch what you download

Android smartphones are tempting targets for scammers of all stripes. Although malicious apps exist for iPhones too, it’s still easier to sneak onto Android. Teach your child that malicious files can take many forms. They may arrive through messengers or email disguised as photos or documents — even forwarded “homework assignments” — and can also hide behind links in their favorite Discord channels. By default, all attachments should be treated with caution and scanned automatically with a reliable antivirus.

Use AI wisely — and think for yourself

Unsupervised chatbot use isn’t just an ethical or psychological issue — it’s a security risk. Recently, Google indexed tens of thousands of ChatGPT conversations, making them accessible internet-wide.

Explain to your child not to treat AI as a best friend for pouring out their soul. AI tools often collect large amounts of personal data — everything your child types, asks, or uploads in the chat. Make it clear they also shouldn’t share real names, school information, photos, or private details with AI.

And emphasize that chatbots are tools and helpers — not “wizards” that can think for them. Explain that AI can’t think, so any “facts” offered must be double-checked.

Help with content filters and parental controls

Start by enabling parental controls on all devices your child uses: smartphones, tablets, computers — even smart TVs. Most operating systems offer built-in features to block explicit websites, restrict certain apps, and filter search results.

On streaming platforms, enable “Restricted” or “Kids” mode to prevent access to adult content. For more fine-tuned control, your best option is Kaspersky Safe Kids, which filters content in real time, allows you to set screen-time limits, and monitors installed apps. It detects and blocks unwanted content that standard filters might miss — especially in browsers — and even shows your child’s physical location and phone battery level.

Watch and discuss together

The most effective filter isn’t a program — it’s you. Make time to watch shows, surf the web, and play games together with your child. This will help you understand what’s going on in their life and create a space to discuss values, feelings, and real-life situations.

To further minimize your child’s digital footprint and reduce the risks of cyberattacks and cyberbullying, use:

• Unique passwords and a handy tool to manage them.
• A digital ecosystem to protect your entire family built on Kaspersky Premium.
• A full-featured parental control suite — Kaspersky Safe Kids. Speaking of which, a free one-year subscription to Kaspersky Safe Kids is included with Kaspersky Premium.

For more advice on keeping your kids safe online, explore our Digital Schoolbag: A Parent’s Guide for the School Year.

Further reading on threats targeting children and teens online:

• The Phantom Menace: how gamers of different ages are being attacked
• Back to School Security Tips
• Back-to-school threats: social networking
• How to help your kid become a blogger without ever worrying about their safety
• Do Apple’s new child safety initiatives do the job?

Kaspersky official blog – ​Read More

The flaws and vulnerabilities of cellular networks are regularly exploited to attack subscribers. Malicious actors use devices with catchy names like IMSI Catcher (Stingray) or SMS blaster to track people’s movements and send them spam and malware. These attacks were easiest to carry out on 2G networks, becoming more difficult on 3G and 4G networks through the introduction of security features. But even 4G networks had implementation flaws that made it possible to track subscriber movements and cause other information leaks. Can we breathe a sigh of relief when we upgrade to 5G? Unfortunately not…

An upgrade in reverse

Many practical attacks, such as the aforementioned SMS blaster, rely on a downgrade: forcing the victim’s smartphone to switch to an older communication standard. Legacy standards allow attackers more leeway — from discovering the subscriber’s unique identifier (IMSI), to sending fake text messages under the guise of real companies. A downgrade typically uses a device that jams the signal of the legitimate carrier’s base station, and broadcasts its own. However, this method can be detected by the carrier, and it will become less effective in the future as smartphones increasingly incorporate built-in protection against these attacks, which prevents the switch to 2G and sometimes even 3G networks.

Researchers at Singapore University of Technology and Design have demonstrated a SNI5GECT attack, which works on the latest 5G networks without requiring easy-to-detect actions like jamming legitimate base station signals. An attacker within a 20-meter radius of the victim can make the target device’s modem reboot and then force-switch it to a 4G network, where the subscriber is easier to identify and track. So how does this attack work?

Before a device and a 5G base station connect to each other, they exchange some information — and the initial stages of this process aren’t encrypted. Once they establish a secure, encrypted connection, the base station and the smartphone exchange handshakes, but coordinate the session parameters in a plain, unencrypted format. The attacker’s device monitors this process and selects the precise moment to inject its own information block before the legitimate base station does. As a result, the victim’s modem processes malicious data. Depending on the modem and the contents of the data packet, this either causes the modem to switch to a 4G network and refuse to reconnect to said 5G base station, or to crash and reboot. The latter is only good for temporarily disconnecting the victim, while the former brings all known 4G-based surveillance attacks into play.

The attack was demonstrated on the OnePlus Nord CE 2, Samsung Galaxy S22, Google Pixel 7, and Huawei P40 Pro smartphones. These devices use completely different cellular modems (MediaTek, Qualcomm, Samsung, Huawei, respectively), but the problem lies in the characteristics of the standard itself — not in the particular smartphones. The differences are subtle: some modems can be rebooted while others can’t; on some modems, inserting a malicious packet has a 50% success rate, while on others it’s 90%.

The practicality of SNI5GECT

In its current form, the attack is unlikely to become widespread since it has two major limitations. First, the distance between the attacker and the victim can’t be over 20 meters under ideal conditions — even less in a real urban environment. Second, if the smartphone and the 5G base station have already established a connection, the attack cannot proceed. The attacker has to wait for a moment when the victim’s movement or changes in the radio environment require the smartphone to re-register with the base station. This happens regularly, but not every minute, so the attacker has to literally shadow the victim.

Still, such conditions may exist in certain situations, like when targeting people attending a specific meeting, or in an airport business lounge, or similar scenarios. The attacker would also need to combine SNI5GECT with legacy 4G/3G/2G attacks to achieve any practical results, which means making some radio noise.

SNI5GECT plays a significant role as a stepping stone toward more complex and dangerous future attacks. As 5G becomes more popular and older generations of connectivity are phased out, researchers will increasingly work with the new radio protocol, and apply their findings to the next stages of the mobile arms race.

Currently, there is no defense against 5G attacks. Disabling 5G for protection is pointless, as the smartphone just switches to a 4G network, which is exactly what hypothetical attackers want. Therefore, we have three pieces of advice:

• Regularly patch and update your smartphone’s OS — this usually also updates the modem firmware to fix bugs and vulnerabilities.
• Turn on airplane mode before confidential meetings; to be super-safe — leave your device at home.
• Consider disabling legacy communication standards (2G/3G) on your smartphone — we discussed the pros and cons of this solution in our post on SMS blasters.

Kaspersky official blog – ​Read More

A recent MIT report, The GenAI Divide: State of AI in Business 2025, brought on a significant cooling of tech stocks. While the report offers interesting observations on the economics and organization of AI implementation in business, it also contains valuable insights for cybersecurity teams. The authors weren’t concerned with security issues: the words “security”, “cybersecurity”, or “safety” don’t even appear in the report. However, its findings can and should be considered when planning new corporate AI security policies.

The key observation is that while only 40% of surveyed organizations have purchased an LLM subscription, 90% of employees regularly use personal AI-powered tools for work tasks. And this “shadow AI economy” — the term used in the report — is said to be more effective than the official one. A mere 5% of corporations see economic benefit from their AI implementations, whereas employees are successfully boosting their personal productivity.

The top-down approach to AI implementation is often unsuccessful. Therefore, the authors recommend “learning from shadow usage and analyzing which personal tools deliver value before procuring enterprise alternatives”. So how does this advice align with cybersecurity rules?

A complete ban on shadow AI

A policy favored by many CISOs is to test and implement — or better yet, build one’s own — AI tools and then simply ban all others. This approach can be economically inefficient, potentially causing the company to fall behind its competitors. It’s also difficult to enforce, as ensuring compliance can be both challenging and expensive. Nevertheless, for some highly regulated industries or for business units that handle extremely sensitive data, a prohibitive policy might be the only option. The following methods can be used to implement it:

• Block access to all popular AI tools at the network level using a network filtering tool.
• Configure a DLP system to monitor and block data from being transferred to AI applications and services; this includes preventing the copying and pasting of large text blocks via the clipboard.
• Use an application allowlist policy on corporate devices to prevent employees from running third-party applications that could be used for direct AI access or to bypass other security measures.
• Prohibit the use of personal devices for work-related tasks.
• Use additional tools, such as video analytics, to detect and limit employees’ ability to take pictures of their computer screens with personal smartphones.
• Establish a company-wide policy that prohibits the use of any AI tools except those on a management-approved list and deployed by corporate security teams. This policy should be formally documented, and employees should receive appropriate training.

Unrestricted use of AI

If the company considers the risks of using AI tools to be insignificant, or has departments that don’t handle personal or other sensitive data, the use of AI by these teams can be all but unrestricted. By setting a short list of hygiene measures and restrictions, the company can observe LLM usage habits, identify popular services, and use this data to plan future actions and refine their security measures. Even with this democratic approach, it’s still necessary to:

• Train employees on the basics of responsible AI use with the help of a cybersecurity module. A good starting place: our recommendations, or adding a specialized course to the company’s security awareness platform.
• Set up detailed application traffic logging to analyze the rhythm of AI use and the types of services being used.
• Make sure that all employees have an EPP/EDR agent installed on their work devices, and a robust security solution on their personal gadgets. (“ChatGPT app” has been scammers’ bait of choice for spreading infostealers in 2024–2025.)
• Conduct regular surveys to find out how often AI is being used and for what tasks. Based on telemetry and survey data, measure the effect and risks of its use to adjust your policies.

Balanced restrictions on AI use

When it comes to company-wide AI usage, neither extreme — a total ban or total freedom — is likely to fit. More versatile would be a policy that allows for different levels of AI access based on the type of data being used. Full implementation of such a policy requires:

• A specialized AI proxy that both cleans queries on-the-fly by removing specific types of sensitive data (such as names or customer IDs), and uses role-based access control to block inappropriate use cases.
• An IT self-service portal for employees to declare their use of AI tools — from basic models and services to specialized applications and browser extensions.
• A solution (NGFW, CASB, DLP, or other) for detailed monitoring and control of AI usage at the level of specific requests for each service.
• Only for companies that build software: modified CI/CD pipelines and SAST/DAST tools to automatically identify AI-generated code, and flag it for additional verification steps.
• As with the unrestricted scenario, regular employee training, surveys, and robust security for both work and personal devices.

Armed with the listed requirements, a policy needs to be developed that covers different departments and various types of information. It might look something like this:

To enforce the policy, a multi-layered organizational approach is necessary in addition to technical tools. First and foremost, employees need to be trained on the risks associated with AI — from data leaks and hallucinations to prompt injections. This training should be mandatory for everyone in the organization.

After the initial training, it’s essential to develop more detailed policies and provide advanced training for department heads. This will empower them to make informed decisions about whether to approve or deny requests to use specific data with public AI tools.

Initial policies, criteria, and measures are just the beginning; they need to be regularly updated. This involves analyzing data, refining real-world AI use cases, and monitoring popular tools. A self-service portal is needed as a stress-free environment where employees can explain what AI tools they’re using and for what purposes. This valuable feedback enriches your analytics, helps build a business case for AI adoption, and provides a role-based model for applying the right security policies.

Finally, a multi-tiered system for responding to violations is a must. Possible steps:

• An automated warning, and a mandatory micro-training course on the given violation.
• A private meeting between the employee and their department head and an information security officer.
• A temporary ban on AI-powered tools.
• Strict disciplinary action through HR.

A comprehensive approach to AI security

The policies discussed here cover a relatively narrow range of risks associated with the use of SaaS solutions for generative AI. To create a full-fledged policy that addresses the whole spectrum of relevant risks, see our guidelines for securely implementing AI systems, developed by Kaspersky in collaboration with other trusted experts.

Kaspersky official blog – ​Read More