Skip to content Skip to footer



Loading Results

Ransomware as a business model

How it works and how to respond

Johannes Dohren
Partner, Cybersecurity and Privacy, PwC Switzerland

Even if individual steps differ in detail, the course of a ransomware follows a similar logic. It can be illustrated by being divided into four phases – preparation, attack, spread and infection. In our blog series, we show these phases based on an example scenario from the perspective of a ransomware operator, and show which security measures are truly effective. Finally, we touch on the legal aspects of ransomware payments.

61% of Swiss executives expect a surge in reportable ransomware incidents in 2022.

Source: PwC, 2022 Global Digital Trust Insights
The New Equation

Cybersecurity and Privacy

At PwC, we help clients evaluate their ability to deal with the main cyber risks and threats of the digital world in an easy and understandable way.

Learn more

Phase 3: the spread

If the network of the target company has been hacked, the focus now moves onto accessing the data needed for blackmail. This takes time, and in most cases also requires broader access to several systems. This is where the malware developed by professionals comes into play. It helps cybercriminals to take over and control parts of the system. Malware behaves differently depending on which user authorisations have been hacked; it will either try to take over other accounts or gain access to other computers. In any event, the malware provides the attacker with the first insights into the compromised system.

Cyber incident response and recovery

We have a broad range of flexible solutions, including entire packages, to help you plan and prepare for cybersecurity incidents.

Find out more

What can you do now?

The motto holds true here too: cybercriminals take the path of least resistance. In practice, this often means that vulnerabilities which become known are soon exploited. Ransomware developers will know about the existence of a vulnerability as soon as a patch for it has been released, and will try and target it for an attack before your company has applied the patch.

Patch management and system hardening:

  • Patches and security updates are the most effective way of stopping cybercriminals during this phase. A fully patched system is not an easy target, and forces cybercriminals to look for other targets or more sophisticated methods. If you are affected by a vulnerability and for various reasons cannot apply a patch or other kind of workaround, check whether you can separate the devices in question from the network until a solution becomes available. If this is not possible, you must ensure it is monitored more closely.
  • Harden your system, and prioritise issues in accordance with the findings from your risk management system. Clients generally take priority, followed by the central active directory, the web servers, mail servers and other devices which can be accessed online. This hardening process must be monitored on a regular basis. This also makes it possible for you to identify and deactivate unused system services to reduce the surface of attack.
  • A sophisticated roles and authorisations concept also reduces the options available to attackers. System users should only have the authorisations which they actually need. For example, in many companies developers require an authorisation to install software, but many other user groups do not.


  • Using modern detection technologies and installing them correctly makes it possible to recognise when an attack is ongoing. This way, in many cases the damages can still be prevented or at least be contained. Make sure that your sensor technology is configured to monitor for more than just the traditional Indicators of Compromise (IoCs) such as known IP addresses and domain names. Anomaly recognition also plays an important role. For example, this means triggering an alarm when an Office program makes a PowerShell call.
  • You should regularly test whether the monitoring technology and the alarm triggering system are functional.

Addtional measures:

  • Penetration testing
  • Vulnerability management
  • Monitoring incoming e-mails and blocking executable files
  • Secure configuration of Office products
  • Don’t issue local administrator rights


Vulnerability Management

How to successfully monitor your attack surfaces.

Learn more


Building trust to succeed

At PwC, we are a community of solvers – powered by technology – committed to helping you protect everyone, and everything, you care about.

Explore our offering

Contact us

Johannes Dohren

Johannes Dohren

Partner, Cybersecurity and Privacy, PwC Switzerland

Tel: +41 58 792 22 20

Naveen Shanmugasundaram

Naveen Shanmugasundaram

Cybersecurity and Privacy, PwC Switzerland

Tel: +41 58 792 24 92