Jessica Payne
@jepayneMSFT
Followers 30K · Following 68 · Media 16 · Statuses 978
Security Person at Microsoft, currently in Windows Defender Security Research. Opinions are my own.
Joined October 2015
Ransomware payloads are stylistic and interchangeable (to the extent that attackers are even using Wannacrypt sometimes) but focusing on their initial access, credential theft, and lateral movement techniques can give you a map to mitigation.
Understanding your network, and where credential overlap exists, can be the difference between losing one or two less secured machines to an attacker and a totally ransomed network. If you’re not sure what accounts are logging in where and why, you can use WEF
Hard truths of things causing tons of damage right now: RDP brute force of systems that is a one-stop shop to total infrastructure compromise (and eventual ransomware) due to matching local admin passwords. This is relatively easy, and free, to fix:
learn.microsoft.com
Get an overview of Windows Local Administrator Password Solution (Windows LAPS), including key scenarios and setup and management options.
Perfect can be the enemy of good - we know it’s not realistic for certain industries to be fully patched, and so do the attackers. But it doesn’t mean you can’t survey your estate to isolate those less secure systems and limit the possible overlap of credentials.
Human Operated Ransomware isn’t slowing down, but payloads are just a stop on a journey attackers are taking through your network. If you focus on the payload you’ll miss actions they performed in your network, and chances to detect and stop them sooner.
Multiple ransomware groups that have been accumulating access and maintaining persistence on target networks for several months activated dozens of ransomware deployments in the first two weeks of April.
Every report on a ransomware payload that digs into encryption methods and code artifacts but neglects the killchain that allowed it to infect an entire network deprives defenders of information to protect themselves. Payloads change, abuse of network configuration can be fixed.
Which Ransomware payload is deployed at the end of a killchain is pretty much a stylistic choice by the attackers. Human Operated Ransomware campaigns overlap in their entry vectors, C2 tools, and lateral movement techniques, and also in viable defenses.
microsoft.com
In human-operated ransomware attacks, adversaries exhibit extensive knowledge of systems administration and common network security misconfigurations, perform thorough reconnaissance, and adapt to...
An insufficiently secured network is distributed computing resources to an attacker. If you have no host firewalls, matching local admin passwords, services that log in as highly privileged accounts and haven’t had an attack yet, it’s likely just because you weren’t selected.
Credential theft, lateral movement, data exfiltration: terms many don’t associate with ransomware. But that is what happens during these attacks and the mindset needs to shift. Paying a ransom doesn’t remove the attacker, and formatting a ransomed machine doesn’t undo the attack.
Threat Intelligence reports often ignore ‘commodity’ threats, or fail to explain how a threat can be prevented. We think differently, and want you to know how the most impactful threats work and how you can stop them. Stopping Ransomware is possible, with built-in configurations.
New blog post: A comprehensive and in-depth look at one of the most impactful trends in cyberattacks today: human-operated ransomware campaigns, their techniques and methods, the shift in mindset they entail, and lessons in security they highlight
Our Human-Operated Ransomware blog is apparently 433 lines of research into threats we have been monitoring for years and advice organizations can use to prevent these attacks. If you need a quick overview before reading, Kevin summarized the key points:
Ransomware is an economic problem - attackers use the same techniques of RDP brute force and lateral movement for years because they still work. Increasing operational security is not only possible using native/builtin tools, it’s becoming a new business continuity requirement.
Ransomware is often talked about with the same ‘superpower’ and malware focused narrative APTs are. Both are humans usually using psexec, GPOs, and stolen credentials to move laterally and deploy malware. Mitigations exist and networks can be hardened:
Some things attackers like:
- Domain Admin accounts that do logon type 4 or 5 to workstations
- Accounts with weak Kerberos configs like DES encryption or no preauth
- GPO settings that allow unexpected admin actions like loading drivers
Why not check for these before they do?
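An added example, not code from the thread or from Microsoft: a PowerShell audit for the two account-level items above (Kerberos pre-authentication disabled, DES encryption allowed). It assumes the RSAT ActiveDirectory module and domain read access; the function name is the example's own.

```powershell
# Added example (not from the original thread): find AD accounts with the weak
# Kerberos settings mentioned above. Needs the RSAT ActiveDirectory module and
# read access to the domain; the function name is the example's own.
Import-Module ActiveDirectory

# userAccountControl flag values (from the AD schema documentation).
$DONT_REQ_PREAUTH = 0x400000   # "Do not require Kerberos preauthentication"
$USE_DES_KEY_ONLY = 0x200000   # "Use Kerberos DES encryption types for this account"

function Find-WeakKerberosAccount {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    $props = 'userAccountControl', 'msDS-SupportedEncryptionTypes', 'Enabled', 'AdminCount'

    # LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803): attribute has all given bits.
    # LDAP_MATCHING_RULE_BIT_OR  (1.2.840.113556.1.4.804): attribute has any given bit.
    # msDS-SupportedEncryptionTypes bits 0x1 and 0x2 are DES-CBC-CRC and DES-CBC-MD5.
    $checks = @(
        @{ Finding = 'NoPreauth';       Filter = "(userAccountControl:1.2.840.113556.1.4.803:=$DONT_REQ_PREAUTH)" }
        @{ Finding = 'DesOnlyFlag';     Filter = "(userAccountControl:1.2.840.113556.1.4.803:=$USE_DES_KEY_ONLY)" }
        @{ Finding = 'DesEtypeAllowed'; Filter = '(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.804:=3)' }
    )

    foreach ($check in $checks) {
        Get-ADUser -SearchBase $SearchBase -LDAPFilter $check.Filter -Properties $props |
            ForEach-Object {
                [pscustomobject]@{
                    SamAccountName = $_.SamAccountName
                    Enabled        = $_.Enabled
                    Privileged     = ($_.AdminCount -eq 1)   # AdminSDHolder-protected account
                    Finding        = $check.Finding
                }
            }
    }
}

# Enabled accounts first, privileged ones at the top: those are the ones to fix today.
Find-WeakKerberosAccount | Sort-Object Enabled, Privileged -Descending | Format-Table -AutoSize
```

The GPO item (who may load drivers, SeLoadDriverPrivilege) is a user-rights assignment review rather than an account attribute query, so it is not covered by this block.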
If you want to see if a domain admin has logged in somewhere and exposed credentials (logon types 2, 4, 5, 10) and track down accounts at risk or what might break if you reduce service account privileges you don’t even need fancy tools:
Build a fast, free, and effective Threat Hunting/Incident Response Console with Windows Event Forwarding and PowerBI:
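An added example, not from the thread: the logon check this tweet describes (and the type 4/5 logons to workstations called out in the earlier tweet), done from the 4624 events a WEF collector already holds. It assumes the RSAT ActiveDirectory module, read access to the event log, and a function name that is the example's own.

```powershell
# Added example (not from the original thread): list Security event 4624 logons
# of type 2, 4, 5 or 10 by members of Domain Admins, the credential-exposing
# logons described above. Reads the local Security log by default; on a WEF
# collector pass -LogName ForwardedEvents. Needs the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-PrivilegedExposingLogon {
    param(
        [string]$LogName = 'Security',
        [datetime]$Since = (Get-Date).AddDays(-7),
        [string]$Group = 'Domain Admins'
    )
    # 2 = Interactive, 4 = Batch (scheduled task), 5 = Service, 10 = RemoteInteractive (RDP).
    # All four leave reusable credential material on the host, unlike type 3 (Network).
    $exposingTypes = '2', '4', '5', '10'

    $admins = Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { $_.SamAccountName.ToLowerInvariant() }

    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 4624 carries its fields in EventData; map Name -> value for readable access.
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

            $user = "$($d['TargetUserName'])".ToLowerInvariant()
            if ($exposingTypes -contains $d['LogonType'] -and $admins -contains $user) {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    Host      = $_.MachineName              # where the credential was exposed
                    Account   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                    LogonType = $d['LogonType']
                    Source    = $d['IpAddress']             # remote source, '-' for local
                    Process   = $d['ProcessName']
                }
            }
        }
}

# One row per host/account/type: the map of where Domain Admin credentials currently live.
Get-PrivilegedExposingLogon | Group-Object Host, Account, LogonType |
    Select-Object Count, Name | Sort-Object Count -Descending
```

Run the same function with -Group set to the group of a service account before reducing its privileges, and the type 4/5 rows show which hosts' tasks and services would be affected.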
If you want to stop an attacker from RDP brute forcing you and deploying ransomware as a domain admin via psexec or group policy you probably want to start by enabling NLA, randomizing your local passwords, and keeping domain admins from logging in to desktops.
If you want to stop an attacker from installing malware or placing a web shell on your Exchange server, you probably should start with ensuring service accounts and admins who have admin on those servers don’t log in to easily phished desktop class systems.