Welcome to 


This enablement page will explain why a Last Line of Defense is essential for every organisation. You will learn about RansomCare from BullWall, why it is unique, and how to position it with your prospects and customers.

It is key to understand that RansomCare is not another prevention-based security solution like Anti-Virus, behavioral protection or AI based technologies, which customers already have. RansomCare defends an outbreak scenario where the Ransomware has already bypassed all other defenses and starts encrypting the files. RansomCare acts as a Last Line of Defense; a 24/7 automated containment solution to stop any encryption outbreak dead in its track.


Cost of Downtime Calculation: Click here to open.
Video: Live Demonstration of RansomCare: Click here to open.
Video: See a scenario With or Without RansomCare: Click here to open.

Video: See RansomCare in Action: Click here to open.

RC InfoSheet: Click here to open.
Assessment Document: Click here to open.
Price Calculation for RansomCare: Click here to open.

Training Videos

Training Video #1 (Runtime: 10 min.)

Covers topics such as ransomware, the consequences hereof and a discussion on prevention

Training Video #2 (Runtime: 14 min.)

Covers topics such as the RansomCare (RC) solution, how if differentiates and how it complements and integrate to existing offerings

Training Video #3 (Runtime: 8 min.)

Covers topics such as qualifying questions, known objections and the sales cycle

1. What is Ransomware?

Ransomware is a type of malicious software designed to block access to a computer system or computer files until a sum of money is paid. Most ransomware variants encrypt the files on the affected computer, making them inaccessible, and demand a ransom payment to restore access.

Cyber-criminals are now threatening to delete data and even publish stolen data online, to increase the pressure on the victim to pay the ransom fee.  

It is generally delivered using some form of social engineering wherein users are tricked into downloading a malicious e-mail attachment or clicking a malicious link. The ransomware is usually disguised as a legitimate email attachment and sent to unwary users. The most frequently used techniques to deliver ransomware are:

  • Phishing emails
  • Remote Desktop Protocol (RDP)
  • Drive-By Downloads from a Compromised Website
  • USB and Removable Media
  • Trojan, Virus or Worms

The criminals often use code to disable anti-virus engines and other security tools. Many ransomware variants can spread laterally to other computers on the network and mapped network drives. If the system gets infected, there’s a good chance the ransomware will propagate across the network and encrypt the drive that holds the organisation’s backups.

Ransomware can be delivered in a few different ways, though the most common infections come from hijacked websites and email. These files often bypass virus scanners because the actual coding of the infection is encrypted itself, so the scanners cannot open them up to look at the code. In recent months we’ve seen an increase in the threat of insiders, with cyber gangs attempting to recruit internal employees within target organisations to initiate the encryption process and spread the ransomware from within.

Another area that has seen an increase in targeted attacks is the MSP industry, cyber gangs see this as an effective option due to the supply chain effect and the interconnected networks. An outbreak of note was the attack on Kaseya which took place over the 4th July weekend and affected over 1500 organisations.

Ransomware is by far the most expensive and disruptive form of malware to hit organisations today. Below we have identified some key facts around these types of attacks.

  • There were over 304.7 million ransomware attacks in the first half of 2021, already surpassing the total number of attacks in 2020.
  • A Ransomware attack happens every 14 seconds (4 attacks every minute)
  • There are 6000 sites on the dark web selling Ransomware-as-a-service
  • Ransom demands of +1million USD are no longer uncommon
  • Average ransom demand is USD 350,000 to get your data back
  • New and coordinated multi attacks are happening all the time
  • Files are encrypted at a rate of 7,000>10,000 files per minute
  • The largest single confirmed ransom payment, so far in 2021, was $11 million, an increase of $1 million dollars from 2020
  • The initial ransom demands first year average in 2021 was $5.3 million, a jump of 518% on the 2020 average, which was $847,000
  • The highest single demand seen in 2021 was $50 million, up from $30 million the previous year
  • The top five regions hit were the United States, United Kingdom, Germany, South Africa and Brazil. With spikes in the hardest hit verticals being government (917% increase), education (615%), healthcare (594%) and retail (264%).
2. The Aftermath of a Ransomware Outbreak

During a ransomware outbreak, stress, downtime, and system recovery can cost users and organisations weeks—even months—of productivity. Small business owners can lose customer trust, intellectual property, vital records, and at times direct reputational damage. Other affected areas include:

  • Revenue loss
  • Reputational damage
  • Supply chain
  • Potential compensatory payment
  • Delay in business operations
  • Data loss
  • Data breaches (and the costs associated)
  • Ransom cost
  • Legal (customers or breach of contracts)
  • Replacement of equipment

 Below we have identified some key facts and figures about the aftermath of Ransomware outbreaks:

  • 80% of organisations that are subject to a ransomware attack, get hit a second time
  • 9% of ransom paying organisations get all of their encrypted data back
  • Average days of downtime following a ransomware outbreak is 23 days as of the end of Q1 2021
  • Average ransom paid in the first half year of 2021 jumped to $570,000, this is a 82% increase from 2020
3. What is RansomCare

BullWall’s multi-layered containment solution, RansomCare (RC), detects and reacts to malicious file corruption and encryption, and stops it in its tracks. The solution is agentless and utilizes more than 20 detection sensors to detect the tell-tale signs of active ransomware. If malicious encryption is initiated by a compromised user or files are corrupted on monitored file shares, RC reacts by isolating the compromised device and user to stop the illegitimate encryption process.

RC is complementary to existing security defenses. Where traditional security defenses focus on preventing malware from executing and protecting your organization, they are not sufficient against ransomware. It has crippled organizations even though they had the best-of-breed security solution in place. Organizations should consider deploying a Last Line of Defense acting as the sprinkler should malicious encryption be active. RC reacts once malicious file encryption and/or file corruption is ongoing on monitored critical file- and cloud shares (e.g. Google and O365). It is crucial during ransomware outbreaks to detect, respond and recover as quickly as possible, as the financial and reputational repercussions caused by downtime can be costly

Learn more on the Bullwall Website, from the training videos or info sheet in the ressources section on this enablement site.

Technical Overview
RC is built on best-in-class technology standards, fully scalable from SMB’s to enterprise customers.

RC is an agentless solution deployed only on a single Virtual Machine or existing server configured according to the predefined requirements. These requirements are sent on request and do not require significant preparation as it takes just two hours and no financial investment. RC is an agentless solution, meaning no agent is deployed to every single endpoint, file share, or server in the organization. As RC utilizes existing file event notifications, it leaves no network overhead as RC does not recursively scan the network. Instead, it analyzes each file’s heuristics when it’s renamed, created, or deleted on the network to ensure that no illegitimate encryption is ongoing.

After the deployment and installation, which takes 1-3 days for smaller organisations and 5-8 days for enterprises, RC utilizes Machine Learning to learn the organization’s data activity and the heuristics of the organization’s files, which only takes a few days. By deploying the Machine Learning and patent-pending File Integrity Assessment, false positives are diminished to a bare minimum. RC utilizes heuristic analysis to detect illegitimate encryption caused by both known and unknown strains of ransomware. RC does not look for signatures, behaviors, and patterns – this is done by the organizations existing security solutions. Instead, RC looks for the effect of ransomware, namely illegitimate encryption of your data files such as docx, exls, pdf, etc. On detection (which happens in milliseconds after a file is illegitimately modified, created or saved/overwritten, RC steps in and isolates the compromised user and device. This is why RC acts as a complementary security layer, bringing organizations a vital Last Line of Defence, stepping in if any existing solutions fail.

On detecting an outbreak of illegitimate encryption, RC utilizes its isolation methods to stop the illegitimate encryption immediately. Organizations can utilize the pre-built isolation scripts that can disable the compromised user in the AD, conduct a forced shutdown, disable VPN, network access, revoke cloud permissions, and many other isolation methods. RC features a RESTful WebAPI that integrates to EDR and NAC solutions to ensure that organizations can unify security management and response over an increasing number of endpoints.

RC includes already proven-to-work integrations to a significant number of existing solutions on the market, such as Microsoft Defender ATP, HP Aruba, IBM QRadar, Rapid7, CISCO ISE, and many more. If an organizations’ current solution has an open 2-way RESTful API, RC’s own, well-documented, API can be utilized for integration, providing you with an even greater confidence level in case your organization is under attack.

RC is also supporting cloud solutions like Google Drive and O365, including SharePoint and OneDrive. The same principles apply by identifying and isolating compromised users, revoking their permissions to access other files on the cloud site.

The IT team and stakeholders will be notified immediately on illegitimate encryption via E-mail, SMS, or the Mobile Dashboard. RC integrates to SIEM solutions for organizations to utilize existing alerting measures. Uptime monitoring can be set up and a redundant RC backup server that will step in if any network issues arise, ensuring that it will always be protected against the evolving threats.

While the other preventative solutions focus on the threats entering the corporate network and block them from executing, RC’s focus is detecting ongoing encryption processes inside the corporate network when files are saved or overwritten. This is why RC acts as a Last Line of Defense, stepping in once ransomware bypasses existing prevention-based solutions.

As RC responds effectively and immediately, the illegitimate encryption is limited to typically 5-30 files (depending on the settings) before the compromised user and its device are isolated, stopping the encryption. Doing this, RC ensures business continuity as downtime is limited to one endpoint instead of, potentially, the whole organization.


4. Key Differentiators

Detection on data files
RansomCare looks at the heuristic of the data files and inside the files to detect if a file is illegitimately encrypted. RansomCare is monitoring the existing traffic that’s already on the network, using SMB and CIFS protocols.

Not looking for the virus itself
RansomCare instead looks at the results the ransomware leaves behind: illegitimately encrypted files. RansomCare is also detecting unknown file headers and extensions, plus known bad extensions from previous ransomware outbreaks.

No detection overlaps with current security solutions
RansomCare is a different layer of protection focusing centrally on data files (not endpoint or perimeter protection) and responding by isolating/taking infected clients out.

RansomCare is a complimentary solution within a multi-layered cyber security set up. RansomCare is in place to provide a critical last line of defence focussing purely on an organisations business critical data, providing peace of mind, should any of the existing perimeter or prevention based tools fail. Once RC has detected the illegitimate encryption, it responds by isolating the user and their devices.

Defending the Critical Time Gap
Many ransomware operations have development teams that monitor updates from antivirus providers so that the threat actors know when their variant has been detected and it’s time to change techniques. With RansomCare, this is not a problem as RansomCare can detect unknown attacks by detecting that files are being encrypted – this makes sure that RansomCare also stops the newest ransomware strains.

The majority of ransomware gangs have developed the ability to monitor Anti-virus and endpoint security solution updates, allowing them to understand when their most recent ransomware variants have been detected, and therefore giving them the ability to change their technique very quickly. As soon as this happens, the cyber security vendors are then potentially vulnerable to the newest variants of attack. They then have to go through a time consuming process of updating the new vulnerabilities within their products and releasing these updates to all customers. With RansomCare, this is not a problem as RC isn’t reliant on knowing the strain of ransomware and therefore can detect unknown outbreaks and zero day threats.

Defends the worst-case scenario
If a virus gets past the organisations first line of defence security tools it has effectively been “whitelisted”, there is nothing left to stop it. However, with RC deployed, you have a last line of defence that can detect the ransomware encryption within your crown jewel data and isolate the affected device, preventing any further encryption from taking place.

Multifunction / IoT devices
How is Anti-Virus installed on Multifunctional devices like printers, IoT devices, cameras, robots, bring-your-own-device (BYOD)? RansomCare will detect no matter what or who encrypts the files.

With the proliferation of devices being used today, including IoT devices, the attack surface has grown exponentially within the last 5 years. This has meant more attack vectors for cyber criminals to utilize and gain entry. The beauty of RansomCare is that it stops the purpose of ransomware outbreaks – illegitimate encryption. It is not attempting to prevent the ransomware from entering the organisation, this is the function of your perimeter and prevention based solutions. Therefore it is not important how the ransomware enters, RC is only concerned with detecting the illegitimate encryption and isolating the affected user.

Which files are encrypted?
In the event of a Ransomware attack unfolding – how do you tell which files are encrypted and where they reside (On-prem, AWS, AZURE etc.). RansomCare provides automated answers to this question. After every incident that RC detects, it automatically produces a headed GDPR/CCPA report that provides all of the critical information about the incident, including; time stamps, file owner, file location, IP address and user details. The list of encrypted files can also be exported into CSV format for back-up purposes.

Disaster recovery
Relying on Back-up files can be risky as many new ransomware strains can infect and/or destroy backups too.

RC is complimentary and often integrates with back-up solutions to assist with the recovery process, following a ransomware outbreak. We can pinpoint the exact user and files that have been encrypted, export to CSV and then link with whatever back-up strategy may already be in place, meaning this process is made much more straightforward and quick

Hassle-free installation and no computer- or network overheads
As RansomCare is an agentless solution the rollout and implementation can be completed in a matter of days.

Firstly, RansomCare can be installed in a couple of days as it is an agentless solution, therefore we don’t need to deploy any agents to endpoints, file servers or storage devices, so implementation is a very quick process. RC only requires is a lightweight virtual machine that can be spun up in less than an hour. RC monitors existing traffic that’s already taking place on your network, utilising SMB or CIFS protocols, to receive file event based notifications, which has no impact on networks or user performance. If you were to be subject to a ransomware attack, the average downtime following an outbreak is 23 days, do you have over three weeks of resource available to recover?

Support cloud solutions

  • Office 365 (Including SharePoint and One Drive for Business)
  • Google Drive

Device Type and OS Independent
Non-specific to device type accessing the cloud i.e. Mobile Phone, Tablet, MAC or Laptop and OS independent i.e. Windows, Android, IOS and Linux

Isolation of cloud account (Corporate)
Isolate the users’ cloud account when encrypted files are synchronized to the cloud platform whilst on the cooperate network, we can isolate the device/user by using the built-in response scripts i.e. shut down, disable account, etc.

Isolation of cloud account (Non-corporate)
Isolate the users’ cloud account when encrypted files are synchronized to the cloud platform from a non-corporate network i.e. home working, Wi-Fi hotspots, IOS and Linux.


5. Questions to ask

Questions you could ask a prospect:
When ransomware has bypassed all existing security and an outbreak starts to encrypt up to 7000 files per minute:

  • How do you see which files are encrypted and where they reside?
  • How do you identify which user and which device initiated the attack?
  • How do you stop the ongoing encryption immediately before significant damage occurs?
  • How long will it take to restore the encrypted files and at what cost?
  • Can you accurately do GDPR reporting if thousands of files have been lost to illegitimate encryption, but you don’t know which ones?
  • How do stop all users from making mistakes?
  • How do you detect ransomware outbreaks started by IOT-devices and BYOD-device and multifunction printers when you cannot put an Anti-virus agent on them?
  • Can you always monitor your file shares? Reports say that most ransomware outbreaks happen on the weekend, late at night and out-of-office hours.
  • Do you feel that you can rely fully on backup, knowing that some ransomware can also encrypt the backup drives?
  • Can you accurately tell me what a ransomware outbreak would cost your business?
  • How do you overcome the critical time gap until your AV vendor protects against a brand-new threat?
  • How often do you patch all OS and third-party applications on all your endpoints?Other questions to ask could be:
  • Is Ransomware a concern for you and your business?
  • Do you feel that you are 100% protected from ransomware? If no, that’s why you should be speaking with BullWall. If yes, what differentiates you from the global businesses that we have seen get hit by ransomware?
  • Have you seen the recommendations made by the NSA, NCSC, NIST and FBI in relation to ransomware best practises? Multi-layered approach to security practises.
  • Have you suffered a ransomware attack in the past? What impact did this have on your organisation?
  • Are you aware of the different, sophisticated methods that cybercriminals are currently using to execute these ransomware attacks?
6. Frequently used objections

Frequently used objections (FUO) and how to cope with them:

O: I have my files in the cloud:
A: Your files are not safe from encryption attacks because they are in the cloud. Newer versions of ransomware can sit on your file shares until it is aware that it is on a backup drive, encrypting the backup and the active directory at the same time.

We see cybercriminals target the crown jewels data of an organisation, whether that resides on-premises or in cloud based solutions. Using RansomCare’s built in cloud connectors we can monitor the synchronization traffic between the users and those platforms, allowing the RC console to quickly detect the upload and spread of encryption.

O: I am already protected: (Antivirus, Firewall, behavioural, AI, email gateway, etc.)
A: That’s great, we recognize the importance of perimeter and prevention based solutions, such as AV, Firewalls etc. to protect the environment from incoming threats. Unfortunately, due to the nature and sophistication of ransomware attacks today, these tools are regularly circumvented and therefore you can never be 100% protected, 100% of the time. As can be seen by the increase in ransomware attacks globally, even impacting organisations that have spent millions of dollars on best of breed perimeter and prevention based solutions. RC is complimentary to these existing solutions and provides a critical last line of defence, should these existing security tools fail or miss an incoming threat.
Please refer to point 8. Backup and Existing Solutions Argument.

O: I cannot get the budget for yet another security solution!
A: You may not have the budget: but do you have the budget for a ransomware outbreak, which could cost millions? We can calculate the cost together. We frequently go through the process of calculating the potential cost of downtime with businesses and due to the nature of the sophisticated attacks we are seeing at this point in time, it’s important to make the case to your senior management teams that you can never be 100% protected, 100% of the time. Therefore it is necessary to deploy a multi-layered security approach. The cost justification and risk mitigation associated with RC can be seen very clearly when using the cost of downtime calculator – https://bullwall.com/dollars – The calculator provides an accurate estimated revenue loss based on loss of productivity and additional costs such as; external recovery cost, GDPR/CCPA related fines, reputational damage and legal ramifications. We have access to industry averages to help build out your internal business case.


O: I already have the best of breed security solutions in place!
A: That’s great, we recommend having these perimeter and prevention based tools in place as they provide a critical layer of security for your organisation and there are many effective solutions in the market today. However, due to the nature of the ransomware attacks we are regularly seeing, these solutions are often circumvented and you can never be 100% protected 100% of the time. This is the exact reason that a tool like RC is required, to provide a critical last line of defence. Some of the 304.7 million ransomware attacks so far this year have impacted global organisations, with the best of breed perimeter and prevention based solutions in place.

O: I have a backup in place!
A: Excellent, RC is complimentary and often integrates with back-up solutions to assist with the recovery process, following a ransomware outbreak. We can pinpoint the exact user and files that have been encrypted, export to CSV and then link with whatever back-up strategy may already be in place, meaning this process is made much more straightforward and quick. It is also important to note that cybercriminals will frequently target back-up solutions and disable them, before beginning the encryption process on the file shares. Therefore it is critical to isolate the affected device and user before the encryption process can spread throughout the file shares. Although back-up solutions are a key part of the security set-up, they do not have the ability to detect and isolate the encryption once it is in progress.

O: It’s too expensive!
A: It is the best and the cheapest of the three alternatives you are faced with when you have a Ransomware outbreak: You can either: 1. Pay the ransom. 2. Restore and rebuild everything. 3. Have RansomCare – Last Line of Defence in place.

See answer for question 3 as all the points are relevant.

We have other projects, this isn’t a priority.
A: We regularly see that the C Level focus of organisations is securing the business from a cyber security point of view, most notably against ransomware attacks due to the damaging effect and increased frequency of these outbreaks. All we require is one hour of your time to demonstrate the value and importance of deploying a last line of defence, we can accommodate any time that suits you, before or after working hours.

We haven’t got the time!
A:Firstly, RansomCare can be installed in a couple of days as it is an agentless solution, therefore we don’t need to deploy any agents to endpoints, file servers or storage devices, so implementation is a very quick process. RC only requires is a lightweight virtual machine that can be spun up in less than an hour. RC monitors existing traffic that’s already taking place on your network, utilising SMB or CIFS protocols, to receive file event based notifications, which has no impact on networks or user performance. If you were to be subject to a ransomware attack, the average downtime following an outbreak is 23 days, do you have over three weeks of resource available to recover?

7. Backup and Existing Solutions Arguments

A very frequently asked question is, how does RansomCare compare to existing solutions. Often, these questions come after an argument that the organization already has security tools in place to stop attacks (prevention), and they also have back up in place.

RansomCare does not compare to Prevention or Behavioral-based solutions like Symantec, Cisco Umbrella, McAfee, Carbon Black, Crowdstrike, DarkTrace, Cylance, SentinelOne, Sophos, etc. They are all first line of defense tools and try to prevent malware from executing by looking at the traffic that is coming into the organization. However, these first lines of defenses are ineffective after a malware executes. This is where RansomCare has a different approach: it looks into the actual data of the documents on file-level (xls, doc, pdf, etc.). Every time a file is being created, modified, renamed, or deleted, RC looks into the heuristics of the file and instantly isolates any illegitimate encryption processes which begin.

Unfortunately, no prevention-based technology can stop 100% of threats, which is why you also need a Last Line of Defence solution to deal with the encryption outbreak scenario.

Backups are often taken out in ransomware outbreaks. See the below articles (there are many).




Given the thousands of ransomware outbreaks we see every year, it has become evident that the prevention-based tools and back up tools have limitations. They cannot keep up with the escalation in ransomware techniques used by the criminals. It is an arms race where prevention-based technologies will always lack behind the latest “innovations” from the criminals. There are existing vulnerabilities in all organizations, i.e., missing patches that have not yet been rolled out. Furthermore, we see several targeted attacks and RDP attacks that are tough to stop even with the best prevention-based tools. There is always the possibility of humans making mistakes, no matter how much user awareness training you deliver. RC is not a replacement for your perimeter and endpoint security; it is a value add on top.

No solution today is similar to RansomCare, which is a 24/7 automated containment of actual ransomware outbreaks – and complimentary to all of the solutions above. RansomCare delivers security in an area that the above tools do not help with at all. BullWall’s security offering is unique in the way it deals with Ransomware, not prevention, but Last Line of Defence. It complements all your other prevention-based security solutions and quickly mitigates the outbreak preventing the enormous cost and disruption normally associated with an outbreak.

8. Remote POC & Installations

The RansomCare project cycle is delivered online including Demo, Proof of Concept and Installation. The whole project cycle is completely remote.


The RansomCare POC is named as a “Ransomware Assessment Test”. It is an online and remote two-hour session that requires one hour of preparation in advance by the prospects IT team. The assessment will help the prospect understand its resilience to an outbreak of malicious encryption and file corruption on file shares, typically caused by a ransomware attack. A simple list of pre-requisites will be shared that should be completed before the session. In preparation, the prospect is asked to prepare a virtual server with light specs, set up a service account, and test a client with access to a demo share. The Ransomware Assessment Test is an entirely remote process, typically via Microsoft Teams and TeamViewer. RC will be installed as part of the test.

Test #1: In the first test, we test a scenario where a device is not running active AV/EDR security or where ransomware has disabled the AV/EDR service agents running on the test client. In this worse case scenario, we test what the next reaction point is in the prospects security infrastructure when ransomware behavior is active on the file shares.

Test #2: In the second test, RansomCare is enabled, and the selected simulations are re-run. The scenario is the same; a user is compromised, but now the RansomCare (RC) solution is monitoring the file shares.

Test #3 (Optional): In the third and optional test, the prospect can enable and test their existing security defense’s (e.g., EDR, AV) response to the ransomware simulations. Here the prospect will also experience how well RC complements their existing tools.


If the prospects decide to buy the RansomCare solution, the implementation will be finalized, either on the Proof of Concept server or on a new server.

RansomCare Installation – On existing POC or new Server

  • Adding business-critical shares
  • Whitelisting extensions
  • Configuring alerting channels
  • Adding devices
  • Configuring isolation methods

RansomCare Follow up

  • Additional Whitelisting
  • RansomCare fine-tuning
  • Enabling isolation methods

RansomCare Training
WebEx training to project teams

Go live with RansomCare
After 3-5 days

RansomCare Support
Web-based support

The BullWall Partner Portal is where you can find pricing calculators, access statistics and map overview, track your customers and register opportunities. Access to BullForce can be created on request, contact Rasmus Baekgaard for access.