Practical Guidance for Endpoint Protection, Hardening and Containment

Ransomware is a common method of cyber extortion or disruption for financial gain. This type of attack can instantly disrupt access to files, applications or systems until the victim pays the ransom (and the attacker restores access with a decryption key) or the organization restores and reconstitutes from backups. Once ransomware is invoked within an organization, most variants utilize privileged accounts and trust relationships between systems for lateral dispersion.

Ransomware is commonly deployed across an environment in two ways:

Manual propagation by a threat actor who has already penetrated the environment and holds administrator-level privileges broadly across it:
  1. Manually run encryptors on targeted systems.
  2. Deploy encryptors across the environment using Windows batch files (mount C$ shares, copy the encryptor, and execute it with the Microsoft PsExec tool).
  3. Deploy encryptors with Microsoft Group Policy Objects (GPOs).
  4. Deploy encryptors with the software deployment tools the victim organization already uses.

Automated propagation, in which the malware itself spreads using:
  1. Credentials or Windows tokens extracted from disk or memory.
  2. Trust relationships between systems, using methods such as Windows Management Instrumentation (WMI), SMB, or PsExec to bind to systems and execute payloads.
  3. Exploitation of unpatched vulnerabilities (e.g., EternalBlue, addressed via Microsoft Security Bulletin MS17-010).
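As an added defender-side example (not part of the original guidance), the following Python scans a constructed, normalised export of Windows event log lines for the three deployment patterns described above: a PsExec service install (System log event 7045 for the PSEXESVC service), a process spawned under WmiPrvSE.exe (Security event 4688), and one account opening C$/ADMIN$ on several hosts from one source address (Security event 5140). The feed format, host names, account names and IP addresses are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample feed: "EventID|Host|key=value;key=value" (assumption: a normalised
# export of Windows Security/System log fields, not raw EVTX; all values are made up).
SAMPLE_EVENTS = [
    "7045|WS-042|ServiceName=PSEXESVC;ImagePath=%SystemRoot%\\PSEXESVC.exe",
    "5140|WS-042|ShareName=\\\\*\\C$;SubjectUserName=svc_deploy;IpAddress=10.0.5.17",
    "5140|WS-043|ShareName=\\\\*\\C$;SubjectUserName=svc_deploy;IpAddress=10.0.5.17",
    "5140|WS-044|ShareName=\\\\*\\ADMIN$;SubjectUserName=svc_deploy;IpAddress=10.0.5.17",
    "4688|WS-043|NewProcessName=C:\\Windows\\Temp\\run.bat;ParentProcessName=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
    "5140|WS-050|ShareName=\\\\*\\IPC$;SubjectUserName=jdoe;IpAddress=10.0.9.2",
]

# Administrative shares that batch-file deployment mounts to copy the encryptor.
ADMIN_SHARES = ("C$", "ADMIN$")


def parse_event(line):
    """Split one feed line into a dict holding 'id', 'host' and the key=value fields."""
    event_id, host, fields = line.split("|", 2)
    event = {"id": int(event_id), "host": host}
    for pair in fields.split(";"):
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def detect(lines, fanout_threshold=3):
    """Return (rule, subject, detail) findings for PsExec, WMI and admin-share fan-out."""
    findings = []
    share_hosts = defaultdict(set)  # (user, source IP) -> hosts whose admin share was opened
    for event in map(parse_event, lines):
        if event["id"] == 7045 and event.get("ServiceName", "").upper() == "PSEXESVC":
            findings.append(("psexec_service_install", event["host"], event.get("ImagePath", "")))
        elif event["id"] == 4688 and event.get("ParentProcessName", "").lower().endswith("wmiprvse.exe"):
            findings.append(("wmi_spawned_process", event["host"], event["NewProcessName"]))
        elif event["id"] == 5140 and event.get("ShareName", "").upper().endswith(ADMIN_SHARES):
            share_hosts[(event["SubjectUserName"], event["IpAddress"])].add(event["host"])
    # One account touching admin shares on many hosts from one source is the fan-out signature.
    for (user, src), hosts in share_hosts.items():
        if len(hosts) >= fanout_threshold:
            findings.append(("admin_share_fanout", f"{user}@{src}", ",".join(sorted(hosts))))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(*finding)
```

The fan-out threshold is a tuning knob: legitimate deployment accounts will also touch many admin shares, so baseline them before alerting.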

iTM covers all aspects of cybersecurity, from home cyber security managed solutions to automated, managed threat intelligence, forensic investigations and cyber security training. Our objective is to support organisations and consumers at every step of their cyber maturity journey. Contact us for more information.