William Ekiss | October 15th, 2021

Ransomware Threat Continues to Evolve

SpearTip consistently looks for experts in the St Louis region to add to our list of technical capabilities. This month, SpearTip’s very own William (Billy) Ekiss wanted to bring to light the many changes happening amongst the ransomware threat. Billy Ekiss puts his years of cybersecurity knowledge to use at SpearTip as he oversees the Incident Response Practice. Billy has a strong desire to continue training and educating himself, adding to his Master of Science degree in cybersecurity. Billy also holds the industry-recognized Magnet Certified Forensics Expert (MCFE) certification. He dedicates himself to improving SpearTip’s security services to save businesses and ultimately allow them to fulfil their own missions.

With years of cyber counterintelligence experience, our firm understands how critical it is for organizations to protect their assets against threat actors. With the growing number of devices connected to the internet, the risk of an incident occurring is swiftly growing and becomes a matter of when rather than if.

The threat landscape can be difficult to navigate, but there are trends we continually analyze to save businesses and prevent breaches. If your organization has never dealt with a breach, it can be hard to understand the risks, so our job is to explain what usually happens during an incident and what you can do to prevent them.

The methods used by threat actors continuously change over time, but lately we’ve observed threat actors using these tactics to maximize the profit they can extort from a business.


After gaining initial access to an organization, threat actors move throughout networks, looking for the most important data to steal and encrypt. Sometimes they will do this immediately, and sometimes they’ll lurk in your network for weeks planning out their attack. Once data is encrypted, you won’t be able to access it without a key provided by the threat actor, which is how the ransomware extortion process begins.

SpearTip’s Security Operations Center monitors networks 24/7, so any unauthorized logins or unwarranted privilege escalation will be detected by our engineers and responded to if we are hired to monitor.

Data Theft

After encryption, threat actors will likely leave a ransom note or a link to contact them. This message usually provides notice of data being stolen and a timeline of when your stolen data will be published if payment is not received. Now, threat actors have your company’s data, usually targeting any financial, personal, or internal documentation depending on their motives. These documents usually trigger the quickest payments, so it makes sense they’ll target your high-value data first.

This, in turn, forces your company to notify every customer who has been impacted by the breach. Even if the threat actors have not published your data on dark web sites, the fact that they’ve accessed it already creates issues of trust between you and your clients or customers. Prevent data theft with SpearTip’s ShadowSpear platform and Security Operations Center as a Service. Then, this issue can be an afterthought.


The last attempt in many cases at getting victims to pay for ransomware attacks comes in the form of leaking data. Not only did cybercriminals have access to your data, but now they’re offering it on dark websites for other malicious actors to use against your organization, or worse, your customers. Typically, the threat actor will publish the most confidential data first, whether this is private company data, employee data, or financial data.

If SpearTip is contacted in this stage of an incident, we can still scan the dark web and investigate exactly what information was stolen and where it was leaked. All of this, while restoring your network and getting your business back up and running as quickly as possible.

When managing a security operations center and leading Incident Response cycles, it’s crucial to be able to delegate cases to experienced engineers with knowledge in diversified areas of cybersecurity. SpearTip has recruited incredible talent from the bottom up, and this allows our team to thrive when providing for partners. I collaborate with extremely intelligent minds to be able to protect businesses daily and keep their businesses from facing the worst. From identifying zero-day vulnerabilities within environments to understanding the methods of threat actors, our team can protect and respond to keep organizations operating as they should.

The decision to invest in cybersecurity can seem difficult for a high-level executive, but if I had one recommendation, it would be to operate proactively when it comes to cyber threats. It’s always better to be in front of threats instead of behind them.