Preparing for Post-Intrusion Ransomware

This evolving and brutally effective threat can have a significant impact on an organization’s resources, finances, and reputation, but it can be stopped

by Counter Threat Unit Research Team, Secureworks Monday, January 11th, 2021
Originally published at

Since 2015, Secureworks® Counter Threat Unit™ (CTU) researchers have observed a massive increase in the number and impact of post-intrusion ransomware incidents. In these attacks, a threat actor gains access to a compromised network, moves laterally to other systems and networks, locates the critical business assets, and then chooses a time (which could be days or months after initial access) to deploy ransomware that encrypts the victim’s files. Around the end of 2019, criminals realized they could gain additional leverage by stealing data before encrypting it and then threatening the victim with public disclosure.

Offline backups are important, but they cannot mitigate increasingly aggressive attacks and ‘name-and-shame’ tactics. Even with backups, recovery will likely take weeks or months, not days. Preventing network breaches before they can be used to deploy ransomware is the best solution. If prevention fails, it is important to quickly detect and respond to the threat.

Secureworks incident responders have helped many organizations recover from post-intrusion ransomware attacks when detection and containment were unsuccessful. The path to recovery can be long and painful, and leave leadership and staff vowing to “never let this happen again.” The disruption caused by the attack leads the organization to prioritize cybersecurity and allocate resources to prevent history from repeating. Organizations typically follow one of two approaches at this critical decision point.

The first approach is to invest heavily in new technology. It can be tempting to buy a shiny box or service based on promises that it can be seamlessly integrated and offer immediate protection. Vendors are quick to claim near-flawless detection accuracy in the lab, where demonstrations show how ransomware is magically blocked from executing.

But the reality is that network defense is hard, and a new product will not make that problem go away. Organizations that are hit hard by ransomware typically possess systemic weaknesses in their networks that made the compromise possible. The techniques used by post-intrusion ransomware operators are generally not that sophisticated. However, they are brutally effective at identifying and exploiting systemic weaknesses. Initial access can lead to enterprise-wide ransomware deployment within days.

The second approach, which is the one that works, is to address those systemic weaknesses. This approach requires network defenders to know their IT environment. What are the organizations’ assets and where are they? Can security personnel enumerate Active Directory domains and the trusts between them? Knowing what to protect is the vital first step for success.

After network defenders understand what to defend, how can they prevent an attack? Typically, a threat actor follows one of three scenarios:

All of these scenarios are preventable. These techniques are not exclusive to ransomware attacks, so removing these attack vectors can protect against a range of threats.

Even with these preventative steps, network defenders should assume that a threat actor could breach a well-understood and hardened (secured) perimeter. Criminals can attempt to steal credentials, escalate privileges, and pivot to domain controllers. They then likely scan the compromised network, build a list of targeted hosts, and prepare to deploy ransomware.

Can security controls detect credential theft events or unusual lateral movement between parts of the corporate network? Are service accounts and local administrator accounts proactively managed to avoid highly privileged accounts with weak and stale passwords? Can network defenders detect reconnaissance tools running within the environment, or threat actors dropping files onto newly created shares on domain controllers?

A compromised organization might have as little as one to five days between the first hands-on-keyboard activity and ransomware deployment. This is the detection window. It is usually too late to stop the attack when ransomware is detected on servers and workstations.

Become a ‘hard’ target

Many organizations have suffered severe financial and reputational damage from post-intrusion ransomware attacks. Ransomware operators are opportunistic and will expend as little effort as possible to monetize their activities. Network defenders should harden the environment to the point where threat actors decide that compromising other targets is easier. It can be done.

Start by assessing the organization’s security controls against these core protections. Then build a roadmap to implement those that are missing. These protections will help an organization prevent or detect these intrusions. By quickly reacting to a compromise, an organization can avoid an enterprise-wide ransomware event.