
Threat Hunting

If you miss the initial access, there's often still time to stop the ransomware. This section will go over some detection strategies.

In This Section

The Ransomware Seek and Destroy Mission

The Handoff from IABs to Ransomware Affiliates

Many people don't realize that more than one group is involved in most ransomware attacks. The Initial Access Broker (IAB) gains the initial access and then either sells or hands over the compromised system to the ransomware group. Understand how this handoff works and the tools used in these attacks.
Two Groups, Same Attack
Mapping IABs and Ransomware Actors to MITRE ATT&CK
Monitoring for Credentials and Access Being Sold on Underground Markets

Threat Hunting

Ransomware groups use a combination of third-party programs and Windows-native tools for reconnaissance and lateral movement in a ransomware attack. Learn how ransomware groups use these tools and, more importantly, how organizations can detect and stop them.
A Little Bit About Ransomware and Threat Hunting
Tools Used by Ransomware Actors
Cobalt Strike
Tools Used by Network Defenders
Sysmon: The Best Tool That No One Uses
Distinguishing Legitimate Traffic from Illegitimate
Rapid Response

Ransomware and Your Active Directory

For many ransomware groups, getting access to Active Directory servers is key to deploying their ransomware. Understand why Active Directory access is so key, what to look for on your Active Directory server for signs of a ransomware attack, and how to harden your Active Directory installation to keep ransomware actors at bay.
Gaining Access to Your Active Directory
Segmenting Your Networks and Your Active Directory Domain Controllers
Mimikatz
ADFinder
Using Your Active Directory to Deploy Ransomware
Stealing Credentials

Honeypots and Honeyfiles

When deployed and monitored correctly, honeypots and honeyfiles can provide an added layer of security against ransomware attacks. Honeypots can serve as "canaries in the coal mine," warning victims of an imminent ransomware attack.
Honeypots As an Effective Alerting Tool
Building a Honeypot
Creating a Honeyfile
Taking Action on Alerts

This Is Your Last Chance

If all other defenses fail, there is one last thing an organization can do to protect itself from a ransomware attack, provided it has the right alerting and automation in place. Deleting shadow copies is an important step in a ransomware attack, but it should also be a red flag to the security team that something bad is about to happen. Learn how to take this seeming failure and turn it into at least a partial win.
Deletion of Shadow Copies
Starting the Encryption Process
Endpoint Detection and Response + Automation Is Your Friend
Hitting the Panic Button: Stopping a Ransomware Attack NOW!


Want More?

This site is adapted from a book on Ransomware. 