Ransomware Defense: How External Monitoring Can Enable Intelligent Security

It wasn’t always the case that ransomware attacks resulted in data breaches—traditionally, ransomware strains just blocked access to files or systems unless you paid up. The first double extortion attack in late 2019 signaled a shift in ransomware gangs’ tactics. Recognizing that information is an incredibly valuable asset, threat actors began exfiltrating sensitive data assets from systems and then demanding payments from companies to avoid data being released online. 

Adequately defending against and dealing with ransomware and other data breaches calls for a more intelligent approach to security that provides clear proactive warning signs and accelerates responses. Often, these warning signs stem from sources outside your business on the Internet. Keep reading to find out how monitoring external sources of information and activity enables intelligent security in today’s threat landscape. 

Ransomware, Data Breaches, and External Sources 

Across various forums, marketplaces, content-hosting services, and communities, the Internet is a hive of malicious activity (if you know where to look). Threat actors congregate online in the hopes of finding businesses worth targeting and stealing data from. Other people visit these marketplaces wanting to buy sensitive information, such as customer credit card details stolen in previous ransomware attacks or other breaches. 

So, where exactly does all this malicious activity happen online?

  • Occasionally, signs of malicious intent hide in plain sight on forums and websites accessible using any standard web browser and indexed in search engines. 
  • A huge amount of compromised information resides on deep web sources that search engines don’t index, such as Pastebin. 
  • Most often, bad actors lurk and exchange stolen information on the dark web, which they connect to using special browsers like Tor or I2P that anonymize their activity by passing traffic through decentralized peer-to-peer networks. 

Whether relevant information aiding the prevention of or investigation into an attack on your business ends up on the clear web, dark web, or deep web, these external sources require close monitoring. But manually monitoring potentially thousands of external sites requires resources beyond the purview of most security teams. That’s where dedicated external monitoring solutions come in. 

What is External Monitoring? 

External monitoring solutions use a combination of human security expertise, automation, and AI to build a data collection engine that scours external sources for suspicious activity associated with your company. Swift notification about detected employee credentials, internal documents, or customer data provides security teams with intelligence into potential threats or breaches that would otherwise be unavailable. Some platforms only focus on monitoring the dark web while others take a broader view and integrate both clear web and deep web sources into their monitoring capabilities. 

The need for dedicated monitoring solutions becomes quickly apparent when you consider the challenges involved in a manual approach. In the dark underground of the Internet, new forums, marketplaces, and illicit actors constantly emerge. Incriminating evidence pointing to a potential breach on Pastebin might disappear within minutes or hours. And there are thousands of potential sites to monitor, most of which require you to sign up to get access. 

How External Monitoring Works 

Each external monitoring solution has its own design, but the three broadly similar components across these platforms are collection, processing, and alerting. 


The first important step is to mine data at scale from web pages on relevant target forums, marketplaces, paste sites, and other sources. Efficient data collection at the necessary scale calls for high levels of computational power. Target sites might also have rate limits on resource consumption, so some solutions might employ parallel connections to get around those limits. 


The raw intelligence gleaned from the data collection step exists in an unstructured format (typically text or HTML files). To make sense of this information, the platform needs to process and analyze it in a way that makes the data easier to sift through and yields swift intelligence and insights. Typically, frameworks like Apache Spark prove useful here. 


The core of an external monitoring solution from the perspective of your IT and security teams is alerting. Ideally, intuitive user interfaces or dashboards let you set custom alerts when different signals are detected within the gathered data. And alerts should arrive promptly in front of relevant personnel so you can quickly use this intelligence to prevent a data breach or appropriately respond. 

How External Monitoring Helps Prevent and Respond to Ransomware 


Most ransomware attacks require multiple phases of execution starting from an initial network intrusion, establishing a foothold, moving laterally, exfiltrating data, and then encrypting systems or files. The initial intrusion becomes much easier when threat actors get their hands on email addresses, password lists, and other login information that gives access to and control over user accounts. 

The high-profile Colonial Pipeline breach in 2021 started with a login to an employee’s dormant VPN account, and the password protecting that account was available from a previous leak. Knowing about the compromised credentials and acting to de-provision the account on time would’ve prevented the ransomware attack and subsequent fallout. 

Stolen credentials regularly end up on dark web marketplaces or published in Pastebin posts. The visibility into this relevant information that external monitoring facilitates provides invaluable intelligence for preventing ransomware attacks and data breaches. 
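
As an added illustration (not code from Flare or from the original article), the sketch below applies the processing and alerting steps described earlier to leaked credentials: it extracts address and secret pairs for a monitored domain from raw paste text, then ranks each hit against an account inventory so that a dormant but still enabled account, as in the Colonial Pipeline case, surfaces first. The paste text, the example.com domain, the inventory, and the 90-day dormancy threshold are all constructed assumptions.

```python
import re
from datetime import date

# Constructed sample: raw text as a collector might store it from a paste site.
SAMPLE_PASTE = """\
combo list - fresh
j.doe@example.com:Summer2019!
alice@other.org:hunter2
<td>svc-vpn@example.com;Welcome1</td>
J.Doe@Example.com:Summer2019!
not a credential line
bob@example.com|correct-horse
"""

# Constructed account inventory: address -> (enabled, last_login).
ACCOUNTS = {
    "j.doe@example.com": (True, date(2021, 4, 20)),
    "svc-vpn@example.com": (True, date(2020, 1, 15)),
    "bob@example.com": (False, date(2019, 6, 1)),
}

# An e-mail address, one separator common in combo lists, then the secret.
CRED_RE = re.compile(r"([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})[:;|]([^\s<]+)")

def extract_credentials(text, domain):
    """Processing: pull address/secret pairs for one monitored domain from raw text."""
    found = {}
    for email, secret in CRED_RE.findall(text):
        email = email.lower()  # dumps often repeat an address in mixed case
        if email.endswith("@" + domain.lower()):
            found.setdefault(email, set()).add(secret)
    return found

def triage(found, accounts, today, dormant_days=90):
    """Alerting: rank each exposed address by the state of the matching account."""
    alerts = []
    for email in sorted(found):
        enabled, last_login = accounts.get(email, (None, None))
        if enabled is None:
            severity, action = "low", "no matching account; record and watch"
        elif not enabled:
            severity, action = "info", "account already disabled"
        elif (today - last_login).days > dormant_days:
            severity, action = "critical", "dormant but enabled: de-provision"
        else:
            severity, action = "high", "force password reset and review logins"
        # Alerts carry a count only; the leaked secret itself is never copied out.
        alerts.append({"account": email, "severity": severity,
                       "action": action, "exposed_secrets": len(found[email])})
    return alerts
```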


The kind of proactive intelligence provided by monitoring externally for leaked passwords and other credentials is nice, but what happens if your business is unfortunate enough to suffer a data breach? Well, external monitoring still contributes important intelligence here. 

It’s almost the norm now for horrified CISOs and other executives to only find out their company has been breached when a news report about it appears in the media. This unpalatable scenario reflects a lack of insight into the type of external activity that signifies data breaches, such as stolen data being offered for sale on forums or uploaded to Pastebin. 

While a data breach from ransomware or any other cyber incident spells a definite crisis moment given average costs of $4.24 million per breach, how you respond plays a significant part in the damage done to your reputation. By informing customers personally (before they hear about it elsewhere) and advising on suitable actions to take following a breach of personal data, you minimize the reputation hit from a mismanaged response. The kind of intelligence powered by external monitoring facilitates better-managed responses to data breaches and helps to protect your brand. 

External Monitoring with Flare

Flare’s AI-driven technology constantly scans the online world, including the dark, deep, and clear web, to discover unknown events, automatically prioritize risks and deliver actionable intelligence you can use instantly to improve security. 

Book your demo today. 

Sign up for a free trial to learn more about ransomware readiness with Flare.


Eric Clay

Marketing Director

Eric Clay has a strong cybersecurity background and significant experience building marketing approaches for SaaS companies. Clay began their career at a B2B marketing agency as an outside consultant for inbound lead gen processes in the cybersecurity and SaaS space and later became CMO at two cybersecurity startups. As Flare’s Marketing Director, Clay works with our marketing team to set and improve marketing strategies and approaches.
