Detection of ransomware in network traffic

News | 29.10.2025

Ransomware has existed for many years, yet it remains the most destructive cyber threat to organizations. The reason is simple: attackers have developed deep expertise in crippling IT infrastructures — precisely at a time when these infrastructures have become mission-critical for business operations.

In 2017, the WannaCry attack quite literally spread across the entire globe. And in 2021, the Colonial Pipeline incident demonstrated how a single campaign can paralyze critical infrastructure and cause widespread disruption at a national level.

Ransomware has evolved significantly in recent years.

This evolution is fueled by the rise of the Ransomware-as-a-Service (RaaS) model. Attack kits are now available for purchase on underground markets, making it easy for anyone to launch an attack. Competitors, political actors, or anyone seeking quick profit can run “professional-grade” attacks without deep technical expertise.

For cybersecurity professionals, the conclusion is clear: ransomware is no longer a passing trend — it has become a sustainable business model. Early detection is possible only when analysis happens where attackers cannot hide — within network traffic, which always contains indicators of their presence.

Limitations of traditional security systems

Most organizations rely on firewalls and endpoint protection platforms (EPP/EDR) as their main defense tools. These solutions block known threats, detect malicious activity on laptops and servers, and help analysts respond quickly. For many types of attacks, they are effective.

The problem begins with everything endpoint agents cannot cover. Printers, scanners, IP phones, cameras, or industrial OT/IoT devices run specialized software that is harder to monitor, update, or maintain. Since agents cannot be installed on such devices, they become weak points in the infrastructure. Attackers know this — and actively exploit these unprotected endpoints to move deeper into networks.

This is where traditional defenses reach their limits: they protect systems with agents but leave “blind spots” elsewhere — mobile devices, office peripherals, IoT equipment, video surveillance or telephony systems, Wi-Fi and DMZ zones, etc. These blind spots become ideal entry points for ransomware campaigns.

Why network visibility matters

Ransomware can enter an organization in many ways, but it cannot operate without leaving traces in network traffic. Unusual data transfers, connections to atypical external servers, or the sudden use of new protocols — all these are signs of potential compromise.

Unlike EDR tools, network monitoring covers everything — workstations and servers, printers, cameras, IoT devices, legacy systems unsupported by EDR, mobile devices, and specialized equipment, regardless of OS or hardware. This creates a single, comprehensive view that attackers cannot evade.

Ransomware: step-by-step attack based on the MITRE ATT&CK model

Ransomware attacks develop gradually through specific stages. Nearly every stage involves data transmission and leaves traces in network traffic that can be used for early detection.

Stage: Initial Access

The attacker gains initial access to a device — exploiting a vulnerability, misconfiguration, brute-force attack, or stolen credentials. In all cases, a new or unusual communication channel appears, visible in the network.

Stage: Execution

The attacker runs scripts to advance the attack — often loaders or exploit kits. This is accompanied by anomalous network traffic that stands out from normal activity.

Stage: Persistence

To maintain access, the attacker may modify code, create new accounts, enable RDP, or change SSH keys. Each action introduces new services or connections, leaving clear traces in the network.

Stage: Privilege Escalation & Credential Access

Attackers attempt to gain higher privileges and harvest credentials, often on a compromised host. When tokens, NTLM hashes, or domain admin accounts are used for authentication, these activities can be tracked in network traffic.

Techniques like Man-in-the-Middle, LLMNR poisoning, or dictionary attacks also leave characteristic network markers.

Stage: Discovery & Lateral Movement

The attacker explores the environment to identify new targets — scanning networks, checking open ports, identifying services, then moving laterally via SMB, remote code execution, or RDP. Each of these steps produces distinct traffic patterns.

Stage: Command & Control (C&C)

Establishing communication with the command server is critical. This may involve connecting to suspicious IPs or legitimate services that bypass blacklists. Typically, periodic beaconing or disguised communications are used — but even these leave detectable behavioral patterns.

Stage: Exfiltration

The final stage is data theft. It appears as abnormal data volumes, unusual destinations, or use of legitimate cloud services such as Dropbox or OneDrive. This activity indicates the extraction of confidential or corporate information.
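The traffic patterns named in the Persistence, Discovery & Lateral Movement, Command & Control, and Exfiltration stages above can be turned into simple flow-level heuristics. The following is an added example written for this article, not GREYCORTEX or Mendel code: it runs four detectors over constructed NetFlow-style records (timestamp, source, destination, destination port, bytes out). The records, the per-host byte baseline, the known-service table and every threshold are assumptions chosen to illustrate the idea; a production system would derive baselines from observed history rather than hard-code them.

```python
"""Flow-level ransomware-stage heuristics over constructed flow records.

Added example, not GREYCORTEX/Mendel code. All data and thresholds are
constructed assumptions for illustration.
"""
from collections import defaultdict
from itertools import product
from ipaddress import ip_address, ip_network
from statistics import pstdev

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address space

# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port, bytes_out)
FLOWS = (
    # C&C: one host calling the same external server every ~60 s, tiny payload
    [(t, "10.0.0.5", "203.0.113.10", 443, 1200)
     for t in (0, 61, 120, 181, 240, 300, 361, 420)]
    # Ordinary browsing: same destination, but irregular gaps
    + [(t, "10.0.0.7", "198.51.100.20", 443, 20_000)
       for t in (5, 40, 300, 310, 900, 1500)]
    # Discovery: one host probing four neighbours on five ports each (20 pairs)
    + [(1000 + i, "10.0.0.9", f"10.0.1.{h}", p, 60)
       for i, (h, p) in enumerate(product(range(1, 5), (22, 135, 139, 445, 3389)))]
    # Persistence: a workstation starts accepting RDP that was never seen before
    + [(1600, "10.0.0.3", "10.0.0.7", 3389, 50_000)]
    # Exfiltration: 2.5 GB leaves one host in a single session
    + [(2000, "10.0.0.12", "198.51.100.50", 443, 2_500_000_000)]
)

# Constructed baseline: typical outbound bytes per host over the same window
BASELINE_OUT_BYTES = {
    "10.0.0.3": 30_000_000, "10.0.0.5": 50_000_000, "10.0.0.7": 80_000_000,
    "10.0.0.9": 20_000_000, "10.0.0.12": 100_000_000,
}
# Constructed inventory of internal (host, port) services seen before
KNOWN_SERVICES = {("10.0.1.1", 445), ("10.0.1.2", 445)}


def detect_port_scan(flows, min_pairs=20):
    """Discovery: a single source touching many distinct (dst, port) pairs."""
    touched = defaultdict(set)
    for _, src, dst, port, _ in flows:
        touched[src].add((dst, port))
    return sorted(src for src, pairs in touched.items() if len(pairs) >= min_pairs)


def detect_beaconing(flows, min_conns=6, max_cv=0.1):
    """C&C: repeated connections to one destination at near-constant intervals.

    Regularity is measured as the coefficient of variation (stddev / mean)
    of the inter-connection gaps; human browsing has a high CV, beacons a low one.
    """
    times = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        times[(src, dst, port)].append(ts)
    hits = []
    for key, ts_list in times.items():
        if len(ts_list) < min_conns:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        mean_gap = sum(gaps) / len(gaps)
        if mean_gap > 0 and pstdev(gaps) / mean_gap <= max_cv:
            hits.append((key, round(mean_gap, 1)))
    return hits


def detect_exfiltration(flows, baseline, factor=10):
    """Exfiltration: total outbound bytes far above the host's own baseline.

    A host with no baseline entry is flagged on any outbound traffic, because an
    unknown device transmitting data is itself worth review.
    """
    out = defaultdict(int)
    for _, src, _, _, nbytes in flows:
        out[src] += nbytes
    return sorted(src for src, total in out.items()
                  if total > factor * baseline.get(src, 0))


def detect_new_services(flows, known, min_bytes=1000):
    """Persistence: an internal host answering on a port never seen in inventory.

    Only flows carrying at least min_bytes count, so bare scan probes do not
    masquerade as newly exposed services.
    """
    seen = {(dst, port) for _, _, dst, port, nbytes in flows
            if nbytes >= min_bytes and ip_address(dst) in INTERNAL}
    return seen - known


def run_all(flows):
    """Convenience wrapper returning every detector's findings in one dict."""
    return {
        "port_scan": detect_port_scan(flows),
        "beaconing": detect_beaconing(flows),
        "exfiltration": detect_exfiltration(flows, BASELINE_OUT_BYTES),
        "new_services": detect_new_services(flows, KNOWN_SERVICES),
    }


if __name__ == "__main__":
    for stage, findings in run_all(FLOWS).items():
        print(f"{stage}: {findings}")
```

On the constructed data the scanner, the 60-second beacon, the 2.5 GB upload and the newly exposed RDP service are each reported while the irregular browsing session is not. None of these heuristics is proof of compromise on its own; the value lies in correlating them across stages, which is the point the stage-by-stage description above makes.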

Detecting ransomware with Mendel

Almost every ransomware attack stage leaves traces in network traffic — and GREYCORTEX Mendel is built precisely to detect them. Mendel monitors the behavior of all devices connected to the network, not just endpoints. It combines machine learning with behavioral analysis, modeling the activity of each device, each service, and even the behavior of subnets as a whole. Based on this analysis, Mendel can distinguish between malicious activity, potential threats, anomalies, and legitimate traffic.

This approach is highly effective where EDR agents cannot be deployed. That’s why Mendel has become an essential part of the modern cybersecurity ecosystem. It also integrates easily with XDR platforms, extending their detection and response capabilities through deeper network analytics.

Post-attack security

Stopping ransomware is only half the job. It’s equally important to ensure attackers haven’t left backdoors for future access. Hidden backdoors, beaconing, or keep-alive connections may persist long after the main phase of the attack is blocked.

Mendel helps perform such post-incident assessments, tracking network traffic to identify residual attack traces — from concealed C&C connections to suspicious internal host communications.

Continuous monitoring strengthens the entire security process and ensures infrastructure resilience. As part of a broader cybersecurity ecosystem, Mendel not only detects and stops attacks but also guarantees that, once mitigated, the system remains secure.

Make sure nothing goes unnoticed. Conduct a security audit with GREYCORTEX Mendel and ensure your network’s protection.

For personalized consultation on GREYCORTEX solutions or to request pilot projects, please contact Softprom experts.

Softprom — Value Added Distributor of GREYCORTEX.