
Hacker’s Corner: How Ethical Hackers Thwart Threat Actors


When Ransomware Came Knocking in 2024


In February 2024, Change Healthcare, a UnitedHealth unit that processes medical claims for much of the U.S., found itself in a digital hostage crisis. The ALPHV/BlackCat gang logged in with stolen credentials through a remote access portal that had no multi-factor authentication (MFA) enabled. Within hours, billing and pharmacy systems across the country were disrupted. To restore critical functions, Change Healthcare reportedly paid a substantial ransom. The attack underscored how a single missing safeguard such as MFA can trigger nationwide consequences.


The incident wasn’t a one-off anomaly; it reflected how modern ransomware operations work. Attackers move quietly through networks, study their targets, and prepare their payloads before striking. Industry analysis shows nearly half of ransomware attacks are detected during this “lateral movement” phase — before encryption begins. For businesses, that window is both a danger and an opportunity.


While news headlines focus on the chaos of cyberattacks, the quiet victories often happen behind the scenes. Ethical hackers and cybersecurity analysts act as the digital equivalent of detectives and firefighters, watching for the faint signs of intrusion. They analyze behavioral anomalies — a sudden admin login at 3 a.m., a spike in file access, or an internal system pinging places it shouldn’t. Those subtle indicators often surface days before an encryption event.


  1. Catching Intruders in Motion: Monitoring tools and managed security operations centers (SOCs) are tuned to spot the patterns that precede ransomware deployment: lateral movement between hosts, privilege escalation, and sudden bursts of file writes or renames. When those triggers fire, automated containment can isolate the affected hosts and accounts, halting attackers mid-prowl before they cause real damage.

  2. Shutting Down Open Doors: The Change Healthcare breach is a textbook case of why MFA and credential hygiene are non-negotiable. A single compromised account on an unprotected portal gave the attackers nationwide leverage. Ethical hackers regularly audit credentials, scan for exposed remote desktop and VPN endpoints, and enforce MFA on every access point, from cloud dashboards to on-premises servers. In smaller businesses, these measures dramatically reduce risk for minimal cost.

  3. Deception as Defense: Honeypots and decoy assets — fake servers, bogus admin accounts, and digital “bait files” — are now common in modern defense. If an intruder interacts with one, the system raises an immediate red flag. Far from gimmicks, deception technologies are endorsed by researchers and major cybersecurity vendors as effective early-warning systems. They transform the attacker’s curiosity into the defender’s advantage.

  4. Learning from the Field: Law enforcement and research communities continue to strike back. In February 2024, an international operation seized LockBit ransomware infrastructure and recovered decryption keys that let many victims restore their data. Around the same time, South Korean researchers found a flaw in how the Rhysida ransomware generated its encryption keys and published a free decryptor that let victims unlock files without paying. These wins show that even sophisticated ransomware can be countered when ethical hackers, governments, and researchers collaborate.
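The anomalies described above (off-hours admin logins, one host fanning out across the network, privilege escalation, a burst of file changes, and any touch of a decoy) can be expressed as a handful of detection rules. The following is an added example, not Flat Earth Networking's code and not the rules of any product: the event format, thresholds, decoy account name and bait-file path are assumptions, and the telemetry is constructed to trigger each rule once.

```python
"""Toy detection rules for common ransomware precursors.

Added example for illustration only. Event schema, thresholds, the decoy
account and the bait-file path are assumptions, not any vendor's defaults.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Decoys that no legitimate user or process should ever touch (assumed names).
DECOY_ACCOUNTS = {"it_admin_backup"}
DECOY_PATHS = {r"\\FS01\Finance\passwords_2024.xlsx"}
PRIV_GROUPS = {"Domain Admins", "Administrators"}

# Constructed sample telemetry (not real logs): a few minutes on a small
# Windows domain, normalised to one dict per event, timestamps in UTC.
# A backup service account hops across hosts at 03:00, the decoy account
# and bait file get touched, and FS01 starts renaming files.
EVENTS = [
    {"ts": "2024-02-20T03:04:11", "type": "logon", "user": "svc_backup", "admin": True, "src": "10.0.5.12", "dst": "DC01"},
    {"ts": "2024-02-20T03:05:02", "type": "logon", "user": "svc_backup", "admin": True, "src": "10.0.5.12", "dst": "FS01"},
    {"ts": "2024-02-20T03:05:40", "type": "logon", "user": "svc_backup", "admin": True, "src": "10.0.5.12", "dst": "FS02"},
    {"ts": "2024-02-20T03:06:15", "type": "logon", "user": "svc_backup", "admin": True, "src": "10.0.5.12", "dst": "SQL01"},
    {"ts": "2024-02-20T03:07:30", "type": "logon", "user": "it_admin_backup", "admin": True, "src": "10.0.5.12", "dst": "DC01"},
    {"ts": "2024-02-20T03:08:02", "type": "group_add", "user": "svc_backup", "group": "Domain Admins", "src": "10.0.5.12"},
    {"ts": "2024-02-20T03:09:45", "type": "file", "host": "FS01", "op": "read", "path": r"\\FS01\Finance\passwords_2024.xlsx"},
    {"ts": "2024-02-20T09:15:00", "type": "logon", "user": "jsmith", "admin": False, "src": "10.0.7.40", "dst": "FS01"},
]
# The encryption burst: FS01 renames 12 files in 22 seconds (generated to keep the sample short).
EVENTS += [{"ts": f"2024-02-20T03:12:{2 * i:02d}", "type": "file", "host": "FS01",
            "op": "rename", "path": rf"\\FS01\Finance\doc{i}.docx.locked"} for i in range(12)]


def parse_ts(s):
    return datetime.fromisoformat(s)


def off_hours_admin_logons(events, start_hour=0, end_hour=5):
    """Privileged interactive logons inside the quiet window (UTC hours)."""
    return [e for e in events if e["type"] == "logon" and e["admin"]
            and start_hour <= parse_ts(e["ts"]).hour < end_hour]


def lateral_movement(events, min_hosts=4, window=timedelta(minutes=10)):
    """One source address authenticating to >= min_hosts distinct hosts within `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e["type"] == "logon":
            by_src[e["src"]].append((parse_ts(e["ts"]), e["dst"]))
    hits = {}
    for src, seq in by_src.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):
            hosts = {dst for t, dst in seq[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits[src] = sorted(hosts)
                break
    return hits


def rapid_file_changes(events, min_files=10, window=timedelta(seconds=30)):
    """Largest burst of writes/renames per host; a dense burst is the usual encryption signature."""
    by_host = defaultdict(list)
    for e in events:
        if e["type"] == "file" and e["op"] in ("write", "rename"):
            by_host[e["host"]].append(parse_ts(e["ts"]))
    hits = {}
    for host, times in by_host.items():
        times.sort()
        j, best = 0, 0
        for i, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[j] > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= min_files:
            hits[host] = best
    return hits


def privilege_escalations(events):
    """Membership added to a privileged group."""
    return [e for e in events if e["type"] == "group_add" and e["group"] in PRIV_GROUPS]


def decoy_touches(events):
    """Any use of a decoy account or bait file; there is no benign explanation."""
    return [e for e in events
            if (e["type"] == "logon" and e["user"] in DECOY_ACCOUNTS)
            or (e["type"] == "file" and e["path"] in DECOY_PATHS)]


def triage(events):
    """Return (severity, rule, asset, detail) tuples for the SOC or a containment playbook."""
    alerts = []
    for e in decoy_touches(events):
        asset = e["src"] if e["type"] == "logon" else e["host"]
        alerts.append(("high", "decoy", asset, e.get("user") or e["path"]))
    for e in privilege_escalations(events):
        alerts.append(("high", "priv_esc", e["src"], f"{e['user']} -> {e['group']}"))
    for host, n in rapid_file_changes(events).items():
        alerts.append(("high", "mass_file_change", host, f"{n} writes/renames in one window"))
    for src, hosts in lateral_movement(events).items():
        alerts.append(("medium", "lateral_movement", src, " -> ".join(hosts)))
    for e in off_hours_admin_logons(events):
        alerts.append(("low", "off_hours_admin", e["src"], f"{e['user']} to {e['dst']} at {e['ts']}"))
    return alerts


def isolation_candidates(alerts):
    """Assets implicated by high-severity alerts: the inputs to automated isolation."""
    return sorted({a[2] for a in alerts if a[0] == "high"})


if __name__ == "__main__":
    found = triage(EVENTS)
    for sev, rule, asset, detail in found:
        print(f"[{sev:6}] {rule:18} {asset:10} {detail}")
    print("isolate:", isolation_candidates(found))
```

The ordering matters in practice: the decoy and privilege-escalation rules are unambiguous and justify isolating the source host immediately, whereas an off-hours admin logon on its own is only worth a ticket. Thresholds like four hosts in ten minutes or ten renames in thirty seconds should be tuned against a baseline of normal activity before being wired to automatic containment, or backup jobs and patch windows will trip them.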


Small and mid-sized businesses face the same sophisticated threats as multinational corporations — but without their budgets or internal security teams. Managed Security Service Providers (MSSPs) like Flat Earth Networking bridge that gap by deploying enterprise-grade defenses scaled for smaller environments.


These are not theoretical exercises. They are the same tactics that kept many SMEs out of the ransomware statistics of 2024. As attacks evolve, defenders adapt with them, turning every breach post-mortem into the blueprint for the next defense.


Cybersecurity isn’t about paranoia — it’s about preparedness. The smartest move isn’t reacting to ransomware; it’s never giving it the chance to strike. Whether that means testing your MFA coverage, setting up a decoy share, or having experts watch your network in real time, every proactive step compounds your resilience.


If you’d like to see how Flat Earth Networking helps SMEs apply these battle-tested strategies — from intrusion detection to crisis recovery — we’d be happy to talk. No pushy sales pitch, just practical insights and real-world examples. Because when it comes to cybersecurity, the best headline is the one you never make.


