A brief outage of a company's or institution's website is nothing unusual; it is usually caused by a configuration error, an expired certificate or a hardware failure. For one Estonian company that contacted us, however, the outage was the first sign of something far more serious: they had fallen victim to a ransomware attack.
Weak security policy
What most likely began with a company executive’s password being exposed in a data leak escalated into an organisation-wide incident.
Several factors contributed to the attack. The executive’s home network was part of the company’s internal network, and a Remote Desktop Protocol (RDP) connection to the company’s servers was saved on the desktop of their personal computer. Convenient, but dangerous.
The company's password practices also proved fatal: the same passwords were reused across work and personal accounts, and a single password was shared by all of the servers, which no doubt made the attackers' task significantly easier once one credential was known.
In addition to the executive's personal network storage, the attackers encrypted the company's server logs and backups, which sat on the same network and were therefore within their reach. Fortunately, the company was able to keep operating because business-critical processes were not disrupted, but restoring the systems took weeks.
Outdated software
In the case of another company that fell victim to ransomware last year, we identified the cause as a vulnerability in server software. This flaw allowed malicious code to be executed, enabling the attackers to create a new user account and maintain continued access to the server.
Although the software was later updated to a patched version and the malicious scripts were removed, the attackers retained the access they had already established and subsequently sold that access on. Patching closes the entry point, but it does not undo what an intruder did while inside: the user account created during the initial compromise is exactly the kind of persistence that survives an update unless it is found and removed. The new attackers entered the system using remote administration software, encrypted the data and left a ransom demand on the victim's desktop.
Thanks to backups, the server could be restored and the company's operations could resume.
A repeat incident
An Estonian logistics company first encountered a ransomware attack a few years ago. It is said that lightning does not strike the same place twice, but in 2025 they once again fell victim to a similar attack.
The attack method followed a familiar pattern. The intrusion was possible because a remote desktop application was openly accessible from the internet, and the weak password in use was cracked by brute force. The attackers then deployed a tool that harvested passwords and user data, which let them move on to other systems as well.
Finally, the attackers encrypted the data stored on the company’s server. Because critical processes were unaffected, the company was able to continue its work.
An attack paralysed a medical centre
At the end of the year, a family medical centre reported having fallen victim to a ransomware attack. During the incident, the attackers encrypted the backups and data on two servers. The most recent backup the centre could still access dated back to 2021. As the attackers managed to lock patient data, medical records and appointment schedules, the medical centre's operations were brought to a halt.
While several hypotheses exist regarding how the attack became possible, the most likely explanation is that a former employee’s account was not closed after their departure. The attackers were able to act so extensively because all users in the system had administrator rights. Experts were able to restore only part of the encrypted data.
How to protect yourself
To avoid falling victim to an attack, and to limit the damage if one does occur, use unique passwords and, wherever possible, multi-factor authentication. Do not expose remote desktop services to the public internet and do not access them from personal devices; put them behind a VPN or restrict them to trusted addresses. Review your backup arrangements: keep at least one copy offline or otherwise isolated from the production network, and test that it can actually be restored. Update device software regularly so that known vulnerabilities cannot be exploited.
Consult the cybersecurity quick guide for companies.
Three roots of evil
Although each case is different, ransomware attacks share common characteristics. The following factors commonly increase exposure to attacks and make recovery harder:
- Remote Desktop Protocol (RDP) services are visible and reachable from the entire internet via public IP addresses.
- Weak password policies are in place. Passwords such as Admin, Password123 and qwerty are still in common use and are trivially found by brute-force or dictionary attacks.
- Backups are missing or sit on the same network as the production systems. When attackers encrypt a company server, any backups reachable from it are encrypted as well.
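The first two factors above, and the logistics company case where a brute-forced password on an internet-facing remote desktop service opened the door, leave a recognisable trail in the Windows Security log: a burst of failed logons (event 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one address, followed by a successful logon (event 4624) from the same address. The script below is an added example, not code from the original article or from any of the affected companies. It assumes the events have been exported as one JSON object per line with the standard field names (EventID, TimeCreated, IpAddress, TargetUserName, LogonType); the sample records, the 5-failures-in-10-minutes threshold and the addresses are constructed for illustration.

```python
"""Flag RDP password brute-forcing in exported Windows Security events.

Added example for this article, not code from the original page. The records
below are constructed: the field names match the real 4624/4625 event schema,
the values do not describe any real incident.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625      # "An account failed to log on"
SUCCESS_LOGON = 4624     # "An account was successfully logged on"
RDP_LOGON_TYPE = 10      # RemoteInteractive: Terminal Services / RDP

# Constructed sample: one source hammering RDP with several usernames, one ordinary
# user who mistypes once, and one failed network (LogonType 3) logon that is not RDP.
SAMPLE_EVENTS = """\
{"EventID": 4625, "TimeCreated": "2025-03-02T02:14:01", "IpAddress": "203.0.113.45", "TargetUserName": "Administrator", "LogonType": 10}
{"EventID": 4625, "TimeCreated": "2025-03-02T02:14:03", "IpAddress": "203.0.113.45", "TargetUserName": "admin", "LogonType": 10}
{"EventID": 4625, "TimeCreated": "2025-03-02T02:14:05", "IpAddress": "203.0.113.45", "TargetUserName": "Administrator", "LogonType": 10}
{"EventID": 4625, "TimeCreated": "2025-03-02T02:14:08", "IpAddress": "198.51.100.7", "TargetUserName": "jane.doe", "LogonType": 3}
{"EventID": 4625, "TimeCreated": "2025-03-02T02:14:09", "IpAddress": "203.0.113.45", "TargetUserName": "backup", "LogonType": 10}
{"EventID": 4625, "TimeCreated": "2025-03-02T02:14:11", "IpAddress": "203.0.113.45", "TargetUserName": "Administrator", "LogonType": 10}
{"EventID": 4625, "TimeCreated": "2025-03-02T02:14:15", "IpAddress": "203.0.113.45", "TargetUserName": "Administrator", "LogonType": 10}
{"EventID": 4624, "TimeCreated": "2025-03-02T02:14:20", "IpAddress": "203.0.113.45", "TargetUserName": "Administrator", "LogonType": 10}
{"EventID": 4625, "TimeCreated": "2025-03-02T09:00:00", "IpAddress": "198.51.100.7", "TargetUserName": "jane.doe", "LogonType": 10}
{"EventID": 4624, "TimeCreated": "2025-03-02T09:00:30", "IpAddress": "198.51.100.7", "TargetUserName": "jane.doe", "LogonType": 10}
"""


def parse_events(lines):
    """Return RDP logon events (TimeCreated parsed to datetime), sorted by time."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("LogonType") != RDP_LOGON_TYPE:
            continue  # console, network (SMB) and service logons are out of scope here
        ev["TimeCreated"] = datetime.fromisoformat(ev["TimeCreated"])
        events.append(ev)
    events.sort(key=lambda e: e["TimeCreated"])
    return events


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return alerts for sources with >= threshold failed RDP logons inside `window`.

    A later successful RDP logon from a source that is still over the threshold
    is reported separately as 'bruteforce-success': the case the article
    describes, where a weak password was eventually guessed.
    """
    recent_failures = defaultdict(deque)   # source IP -> timestamps of 4625s in window
    alerts = []
    for ev in parse_events(lines):
        ip, now = ev["IpAddress"], ev["TimeCreated"]
        q = recent_failures[ip]
        while q and now - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if ev["EventID"] == FAILED_LOGON:
            q.append(now)
            if len(q) == threshold:        # fire once, when the threshold is first crossed
                alerts.append({"type": "bruteforce", "ip": ip, "time": now, "failures": len(q)})
        elif ev["EventID"] == SUCCESS_LOGON and len(q) >= threshold:
            alerts.append({"type": "bruteforce-success", "ip": ip, "time": now,
                           "user": ev["TargetUserName"], "failures": len(q)})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS.splitlines()):
        print(alert)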
Last updated: 11.02.2026