Ransomware is among the most feared of the myriad cyberthreats circulating today, putting critical data at risk and costing some enterprises tens of millions of dollars in damage and ransoms paid. However, ransomware doesn’t occur in a vacuum, according to security startup Lumu Technologies.

A ransomware infection is usually preceded by what Lumu founder and CEO Ricardo Villadiego calls “precursor malware,” essentially reconnaissance malicious code that has been around for a while and which lays the groundwork for the full ransomware campaign to come. Find and remediate that precursor malware and a company can ward off the ransomware attack is the theory.

“The moment you see your network – and by network, I mean the network defined the modern times, whatever you have on premises, whatever is out in the clouds, whatever you have with your remote users – when you see any assets from your network contacting an adversarial infrastructure, eliminate that contact because that puts you in your zone of maximum resistance to attacks,” Villadiego told The Register.

If a company detects their network is contacting what looks like the command-and-control servers of malware, such as Emotet, Phorpiex, SmokeLoader, Dridex and TrickBot, shutting down those contacts right away “is going to eliminate the catastrophic effect, which is the ransomware attack,” he said.

Lumu outlined the idea of the warning signs of an impending ransomware attack in a quick report – what the company calls a “flashcard” – this month. In it the startup outlines what it says is a vicious cycle of ransomware.

Citing statistics from cybersecurity consultancy CyberEdge, Lumu said that victims that pay the ransom are increasingly recovering their data, from 19.4 percent in 2018 to 71.6 percent last year. This has made companies more willing to pay the ransom – 38.7 percent in 2018, 57 percent now – despite recommendations and pleas from the…