Ever since the WannaCry attack in 2017, ransomware has remained one of the most significant cyber threats worldwide. Ransomware is a type of malicious software that encrypts data on a victim’s device, rendering it inaccessible. The attacker then demands a ransom, usually in the form of cryptocurrency, to restore the data.

Cisco Talos, one of the largest private threat intelligence teams in world, tracks ransomware trends across all their incident response engagements. Ransomware and pre-ransomware were involved in 20% of Talos engagements in Q1 2023. Pre-ransomware is an attack where ransomware is present but never executes and encrypts data.

There are many different ways to combat ransomware, but Security Service Edge (SSE) solutions have a particular advantage because they can disrupt ransomware activities across numerous points in the kill chain. SSE is a single, cloud-delivered solution centered on providing users secure access to the Internet, cloud services, and private apps. And it can provide these benefits to users regardless of whether they are located remotely, at a branch office, or corporate headquarters.

SSE disrupts ransomware across multiple layers

SSE can help combat ransomware with a range of security features such as

DNS security enforces policies on domain name resolutions, preventing users from accessing domains associated with malicious activities. This blocks malicious websites that trick users into downloading ransomware. It also blocks access at the DNS level to command-and-control (C2) servers, which are used by the threat actor to communicate with their malware. This interruption of the C2 channel hampers the attacker’s ability to control the infected device and can prevent the encryption process from being initiated.

DNS security can also block DNS tunneling, a technique in which the ransomware surreptitiously uses the DNS protocol to communicate with its C2 servers or exfiltrate data. There are a few ways to do this, and detecting the technique typically requires defenders to dig through logs and look for anomalous queries or other indicators. It’s attractive for attackers because it’s relatively simple to do and won’t be detected by many security tools.

In addition to DNS, SWG protects users from ransomware by inspecting web traffic in real-time. This includes SSL decryption, which ensures that ransomware communications cannot hide in encrypted traffic.

Cloud-delivered firewalls inspect traffic at the IP layer, enabling organizations to block traffic to known malicious IP addresses over non-web ports. For example, many ransomware threat actors utilize remote desktop protocol on port 3389 or secure shell protocol on port 22. Famously, the WannaCry variant of ransomware utilized the server message block protocol on port 445. Cloud-delivered firewalls allow defenders to monitor and control traffic on these ports and protocols, and block communication over these ports to malicious IP addresses.

In Q1 2023, Talos also observed for the first time engagements involving Daxian ransomware, a newer ransomware-as-a-service (RaaS) family. This attacker often compromises VPNs to gain initial access to a network and then uses that VPN access to spread ransomware throughout the network, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). In one instance, the attacker exploited a vulnerability in the VPN. In  another one, they were able to brute force weak VPN credentials to gain access.

This threat actor highlights the shortcomings of VPN. Once an attacker can compromise a corporate VPN, they can gain wide-ranging access to anything on the network, allowing them to extensively spread ransomware. The way to prevent this type of attack is to adopt a zero-trust architecture, where users are given access only to the resources that they need instead of everything on the network.

SSE utilizes ZTNA to create a zero-trust approach to private app access. ZTNA provides secure remote access to private apps based on application-specific access control policies. If an attacker is able to compromise this mechanism, they only get access to that application – not the entire network. This prevents the attacker from spreading ransomware everywhere throughout the network.


Ransomware attacks can have long, complicated kill chains that encompass numerous techniques to gain initial access, achieve persistence, spread the malware, and finally execute the encryption. SSE effectively disrupts this kill chain at multiple points. It blocks users from accessing malicious websites that may infect their machine with malware, prevents the ransomware from communicating with its C2 servers across multiple layers, and limits ransomware spread by enforcing zero trust network access for private applications.

Read more about how Cisco can protect you against ransomware, or learn more about Security Service Edge (SSE).

We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels



Andrew Akers

Product Marketing Manager

Security Product Marketing