A ransomware attack stopped in its tracks
Figure 4. Methods commonly used by ransomware attackers, as confirmed by the Trend Micro response support team. The ones highlighted in blue were observed in the case discussed.
The behaviors observed in our investigation are similar to the attack methods often seen in ransomware cases for which Trend Micro provides response support. Of the eight common methods threat actors often use to orchestrate and carry out a ransomware attack, five were executed in the case discussed in this feature.
We asked the victim organization to promptly implement the appropriate defense measures.
We investigated the gaps, or defense vulnerabilities, that allowed the security breach by closing in on each stage of the attack. In this section, we compare the ideal defense system with that of the victim organization at the time of the attack.
Figure 5. Defense vulnerabilities found in the victim organization’s system
Table 1 lists the five defense vulnerabilities that were exploited in this breach and shows the security measures that should be implemented to reduce the risk of such attacks.
| Defense vulnerability | How it was exploited in this case | Security measures |
|---|---|---|
| Communications that do not occur in normal operations were not restricted. | An unattended VPN account was stolen by exploiting a known vulnerability. | Check the versions of all devices the organization uses and apply the necessary security patches. Adopt multifactor authentication (MFA) so that the VPN cannot be accessed with account credentials alone. |
| Unnecessary ports (RDP) not used in normal operations were not restricted. | An RDP service not used in normal operations was exploited. | Stop the RDP service entirely if it is no longer necessary. If it is necessary, use a function such as a firewall to perform access control, so that only specific IP addresses and administrator accounts are granted access. |
| There were inadequate measures to patch and secure technical vulnerabilities. | Credentials were stolen by exploiting the Zerologon vulnerability. | Update the OS and software to the latest versions and apply security patches. Consider applying virtual patches if applying security patches would hinder business operations. |
| There was a server terminal that did not have security software installed. | Mimikatz was executed on a server terminal that did not have security software installed. | Install security software on all terminals used in operations. |
| There was inadequate log management. | Server logs were deleted to make tracking difficult. | Maintain logs in a safe location so that they are readily available for investigation in case of an emergency. Introduce an EDR solution that transfers logs off the host. |

Table 1. Defense vulnerabilities and countermeasures
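Two of the countermeasures in Table 1, restricting RDP to specific source addresses and keeping a copy of logs off the host, only pay off if someone checks the transferred logs for the behaviors seen in this case. The script below is an added example, not part of the original article or of any Trend Micro product: it runs over a constructed JSON Lines export of Windows Security/System events (the field names, the allowlisted address and the sample events are all assumptions made for the example) and flags RDP logons from outside the allowlist and event-log clearing.

```python
import json

# Constructed allowlist: the only source address permitted to open RDP sessions
# (the countermeasure of limiting RDP access to specific IP addresses).
RDP_ALLOWLIST = {"10.0.5.20"}

# Constructed sample events in a simplified JSON Lines export shape; not real logs.
# 4624 with LogonType 10 = RemoteInteractive (RDP) logon; 1102 = Security log
# cleared; 104 = an event log was cleared (recorded in the System log).
SAMPLE_LOG = """\
{"EventID": 4624, "LogonType": 10, "IpAddress": "10.0.5.20", "TargetUserName": "admin01", "Computer": "SRV01"}
{"EventID": 4624, "LogonType": 3, "IpAddress": "10.0.5.21", "TargetUserName": "user07", "Computer": "FS01"}
{"EventID": 4624, "LogonType": 10, "IpAddress": "203.0.113.45", "TargetUserName": "svc_backup", "Computer": "SRV02"}
{"EventID": 1102, "SubjectUserName": "svc_backup", "Computer": "SRV02", "Channel": "Security"}
{"EventID": 104, "SubjectUserName": "svc_backup", "Computer": "SRV02", "Channel": "System"}
"""


def parse_events(text):
    """Parse one JSON object per line, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a damaged line should not stop the rest of the review
    return events


def detect(events, rdp_allowlist=RDP_ALLOWLIST):
    """Return (rule, computer, detail) tuples for the two behaviors of interest."""
    alerts = []
    for e in events:
        eid = e.get("EventID")
        if eid == 4624 and e.get("LogonType") == 10:
            src = e.get("IpAddress", "")
            if src not in rdp_allowlist:
                alerts.append(("rdp_from_unexpected_source", e.get("Computer"), src))
        elif eid in (1102, 104):
            # Log clearing is the anti-forensics step seen in the case; because the
            # host copy is gone, the forwarded copy is the only remaining record.
            detail = (e.get("SubjectUserName"), e.get("Channel"))
            alerts.append(("event_log_cleared", e.get("Computer"), detail))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

Run against a real export, the same two rules would fire on the RDP access and the log deletion described in the case above, both of which happened on servers the victim could not see at the time.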
Ransomware actors do whatever it takes to profit from their victims. This means that they exhaustively search for gaps in a system, look for vulnerabilities to exploit, and expand their scope of attack without being noticed to then steal information and encrypt important files.
Implementing any of the previously mentioned measures does not necessarily mean that the security of the organization is guaranteed. Rather, reducing the number of vulnerabilities will eventually contribute to the reduction of the total risk that an organization inevitably has to contend with.
Organizations can implement extended detection and response (XDR) to mitigate the risks associated with vulnerabilities and increase an enterprise’s overall security level. XDR supports the protection of the entire organization’s system by continuously monitoring it using sensors placed in various layers, including endpoints, servers, and networks.
XDR helps detect any suspicious behavior at an early stage, such as the ones we reviewed in this case. It also helps determine the extent of an attack’s impact and acquires the information necessary for quick countermeasures and recovery.
Moreover, the following measures can be useful in reducing the risk of being on the receiving end of a similar attack in the future:
- Review your organization’s password management rules, such as those pertaining to expiration periods or password complexity requirements.
- Enforce the principle of least privilege. Delete unnecessary local administrator privileges and disable domain administrator privileges for normal operations.