
Remote Access Abuse: The #1 Sign of a Ransomware Attack

Summary

– Abuses of legitimate remote access software and services are the most common pre-ransomware indicators, including tools like RDP, AnyDesk, and PowerShell.
– Pre-ransomware activities involve tactics like privilege escalation, credential harvesting, and remote access deployment before full encryption occurs.
– Operating system credential dumping is another frequent pre-ransomware technique, often using tools like Mimikatz to extract credentials from locations such as the SAM registry or LSASS.
– Fast response is critical to preventing ransomware, with a 32% prevention rate when incident response occurs within one to two days of initial activity.
– Key mitigations include configuring security to allow only benign applications, requiring MFA on critical services, and deploying monitoring tools for endpoint visibility.

New research from Cisco Talos reveals that abuse of remote access software and services stands as the most prevalent warning sign of an impending ransomware attack. Cybercriminals frequently exploit legitimate tools, including RDP, PsExec, PowerShell, and remote applications like AnyDesk, Atera, and Microsoft Quick Assist, to infiltrate systems. These methods form part of a broader strategy to obtain domain administrator privileges within corporate networks.

This initial phase, known as pre-ransomware activity, involves actions like privilege escalation, credential harvesting, and establishing remote access, all before the actual encryption of files begins. To defend against these tactics, organizations should consider several key mitigations.

Configure security tools to allow only trusted applications to run, blocking the installation of unapproved software. Enforce multi-factor authentication (MFA) across all critical services, particularly for remote access and identity management platforms, while monitoring for any signs of MFA abuse. Deploy monitoring utilities such as Windows System Monitor to enhance endpoint visibility and maintain detailed logs.

Another common technique observed during pre-ransomware operations is operating system credential dumping. Attackers use this method to harvest login details from compromised systems, enabling lateral movement across the network. Frequently targeted locations include the domain controller registry, the SAM registry hive, and files like NTDS.DIT. Tools such as AD Explorer and the open-source Mimikatz application are often employed in these efforts.

Network service discovery also features prominently among pre-ransomware behaviors. Adversaries regularly use commands and tools like netscan, nltest, and netview to map out network resources and identify valuable targets.
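As an added illustration, not code from the article or from Talos, the following Python snippet applies the three indicator categories described above (remote access tool deployment, credential dumping, network service discovery) to constructed Sysmon-style process-creation records and escalates any host that shows more than one category, since the article describes these stages as chained before encryption. The hostnames, paths and command lines in the sample events are made up, and the two-category threshold is an assumed tuning choice.

```python
import ntpath
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation records (Event ID 1). These are
# made-up sample events, not real telemetry: (host, image_path, command_line).
SAMPLE_EVENTS = [
    ("ws01", r"C:\Users\alice\Downloads\AnyDesk.exe", "AnyDesk.exe --silent"),
    ("ws01", r"C:\Windows\System32\nltest.exe", "nltest /dclist:corp.example"),
    ("ws01", r"C:\Windows\System32\net.exe", "net view /domain"),
    ("srv02", r"C:\Windows\System32\reg.exe", r"reg save HKLM\SAM sam.hiv"),
    ("srv02", r"C:\tools\mimikatz.exe", "mimikatz.exe"),
    ("ws03", r"C:\Windows\System32\notepad.exe", "notepad.exe report.txt"),
]

# Indicator categories taken from the pre-ransomware behaviours in the article.
# Each rule is (category, regex) applied to "<image basename> <command line>".
# RDP and PowerShell are deliberately left out: on their own they are far too
# common to be a useful match without additional context.
RULES = [
    ("remote_access", re.compile(r"\b(anydesk|atera|quickassist|psexec)\b", re.I)),
    ("credential_dumping", re.compile(r"\b(mimikatz|lsass|ntds\.dit|hklm\\sam)\b", re.I)),
    ("network_discovery", re.compile(r"\b(netscan|nltest|net view|netview)\b", re.I)),
]


def classify(image, command_line):
    """Return the set of indicator categories a single event matches."""
    text = f"{ntpath.basename(image)} {command_line}"
    return {cat for cat, rx in RULES if rx.search(text)}


def hosts_at_risk(events, min_categories=2):
    """Correlate events per host and return hosts whose distinct category
    count reaches min_categories, mapped to their sorted category list.
    A host showing e.g. remote access plus discovery is a stronger
    pre-ransomware signal than either indicator alone."""
    seen = defaultdict(set)
    for host, image, cmd in events:
        seen[host] |= classify(image, cmd)
    return {h: sorted(c) for h, c in seen.items() if len(c) >= min_categories}


if __name__ == "__main__":
    for host, cats in hosts_at_risk(SAMPLE_EVENTS).items():
        print(f"ESCALATE {host}: {', '.join(cats)}")
```

Lowering min_categories to 1 turns the correlation into a plain per-host indicator list, which is useful for triage but noisier.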

According to researchers, focusing on securing remote services and protecting credential storage can significantly reduce the risk posed by most threat actors involved in these early-stage attacks. The study expressed high confidence that all incidents analyzed displayed tactics consistently linked to imminent ransomware deployment.

Speed of response plays a crucial role in preventing ransomware execution. The Talos report emphasizes that when incident response teams were engaged within one to two days of the first detected malicious activity, attacks were thwarted in 32% of cases. Rapid containment, often triggered by EDR or MDR alerts within two hours, proved instrumental in disrupting these incursions.

In 14% of successful preventions, early warnings came from U.S. government partners or managed service providers alerting organizations to possible ransomware staging within their environments. Initiatives like CISA’s pre-ransomware notification program, launched in March 2023, have contributed to these timely interventions.

Additionally, built-in security restrictions within organizations helped break attack chains in 9% of engagements. For example, in one case, threat actors compromised a service account but were blocked from accessing critical systems like domain controllers due to properly configured privilege limitations.

(Source: Info Security)
