Ransomware Protection and Containment Strategies

Endpoint Protection, Hardening and Containment

Ransomware is a common method of cyber extortion or disruption for financial gain. This type of attack can instantly disrupt access to files, applications or systems until the victim pays the ransom (and the attacker restores access with a decryption key) or the organization restores and reconstitutes from backups. Once ransomware is invoked within an organization, most variants utilize privileged accounts and trust relationships between systems for lateral dispersion.
Ransomware is commonly deployed across an environment in two ways:

  1. Manual propagation by a threat actor after they have penetrated an environment and have administrator-level privileges broadly across the environment:
  • Manually run encryptors on targeted systems.
  • Deploy encryptors across the environment using Windows batch files (mount C$ shares, copy the encryptor, and execute it with the Microsoft PsExec tool).
  • Deploy encryptors with Microsoft Group Policy Objects (GPOs).
  • Deploy encryptors with existing software deployment tools utilized by the victim organization.
  2. Automated propagation:
  • Credential or Windows token extraction from disk or memory.
  • Trust relationships between systems — and leveraging methods such as Windows Management Instrumentation (WMI), SMB, or PsExec to bind to systems and execute payloads.
  • Unpatched exploitation methods (e.g., EternalBlue, addressed via Microsoft Security Bulletin MS17-010).
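
The propagation patterns listed above (admin-share mounts, PsExec service installs, WMI-spawned processes) leave traces in standard Windows event logs. The following is an added detection example, not from the original page or any vendor document; the event records are constructed samples whose field names mirror the Windows Security (4688, 5140) and System (7045) log fields a SIEM would normalise, and the per-host correlation threshold is an assumption.

```python
"""Flag lateral-dispersion patterns in Windows event records (constructed samples)."""
from collections import defaultdict

# Constructed sample events, not real telemetry; only the fields we need are present.
SAMPLE_EVENTS = [
    {"EventID": 5140, "SubjectUserName": "svc_backup", "IpAddress": "10.0.0.5",
     "ShareName": "\\\\*\\C$", "Computer": "WS01"},
    {"EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "Computer": "WS01"},
    {"EventID": 4688, "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "NewProcessName": "C:\\Windows\\Temp\\update.exe", "Computer": "WS02"},
    {"EventID": 4688, "ParentProcessName": "C:\\Windows\\explorer.exe",
     "NewProcessName": "C:\\Program Files\\App\\app.exe", "Computer": "WS03"},
    {"EventID": 5140, "SubjectUserName": "alice", "IpAddress": "10.0.0.7",
     "ShareName": "\\\\*\\Public", "Computer": "WS03"},
]

# Hidden administrative shares used to copy an encryptor onto a remote host.
ADMIN_SHARES = {"C$", "ADMIN$", "IPC$"}


def classify(event):
    """Return a pattern label for one event, or None if it matches nothing."""
    eid = event.get("EventID")
    if eid == 5140:  # network share object accessed; ShareName looks like \\*\C$
        share = event.get("ShareName", "").rsplit("\\", 1)[-1].upper()
        if share in ADMIN_SHARES:
            return "admin-share-access"
    if eid == 7045 and event.get("ServiceName", "").upper().startswith("PSEXESVC"):
        return "psexec-service-install"  # service created by a PsExec-style tool
    if eid == 4688 and event.get("ParentProcessName", "").lower().endswith("wmiprvse.exe"):
        return "wmi-spawned-process"  # process launched through the WMI provider host
    return None


def score_hosts(events):
    """Collect the distinct patterns observed on each host."""
    hits = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label:
            hits[ev["Computer"]].add(label)
    return {host: sorted(labels) for host, labels in hits.items()}


def escalations(events, threshold=2):
    """Hosts showing at least `threshold` distinct patterns (assumed cut-off for triage)."""
    return sorted(h for h, labels in score_hosts(events).items() if len(labels) >= threshold)


if __name__ == "__main__":
    for host, labels in score_hosts(SAMPLE_EVENTS).items():
        print(host, labels)
    print("escalate:", escalations(SAMPLE_EVENTS))
```

Each pattern on its own also fires on legitimate administration (backup agents, software deployment), so the correlation across patterns per host, not any single match, is what should drive containment.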

Do you really know what ransomware is? Think you know?

Follow the documentary by Sophos in three episodes: Ransomware Documentary