If you miss the initial access, there is often still time to stop the ransomware before it is deployed. This section covers detection strategies that work in that window.
In This Section
The Ransomware Seek and Destroy Mission
The Handoff from IABs to Ransomware Affiliates
Many people don’t realize that more than one group is involved in most ransomware attacks. The Initial Access Broker (IAB) gains the initial foothold and then either sells or hands over the compromised system to the ransomware group. Understand how this handoff works and the tools used in these attacks.
Mapping IABs and Ransomware Actors to MITRE ATT&CK
Monitoring for Credentials and Access Being Sold on Underground Markets
Threat Hunting
Ransomware groups use a combination of third-party programs and Windows-native tools for reconnaissance and lateral movement. Learn how ransomware groups use these tools and, more importantly, how organizations can detect and stop them.
Distinguishing Legitimate Traffic from Illegitimate
Rapid Response
Ransomware and Your Active Directory
For many ransomware groups, getting access to Active Directory domain controllers is the key to deploying their ransomware across the network. Understand why Active Directory access matters so much, what to look for on your domain controllers for signs of a ransomware attack, and how to harden your Active Directory installation to keep ransomware actors out.
Segmenting Your Networks and Your Active Directory Domain Controllers
Mimikatz
ADFinder
Using Your Active Directory to Deploy Ransomware
Stealing Credentials
Honeypots and Honeyfiles
When deployed and monitored correctly, honeypots and honeyfiles add a layer of detection against ransomware attacks. They can act as the canary in the coal mine, warning the victim of an imminent ransomware deployment before encryption starts.
If all other defenses fail, there is still one last thing an organization can do to protect itself from a ransomware attack, provided it has the right alerting and automation in place. Deleting shadow copies is a routine step in a ransomware attack, but it should also be a red flag to the security team that encryption is about to begin. Learn how to turn this seeming failure into at least a partial win.
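As an added example (not code from the book or from any product), the Python below is the kind of detection logic that turns shadow-copy deletion into an alert and an automated response. It runs over process-creation records (the fields Sysmon Event ID 1 or Security Event ID 4688 provide) and flags `vssadmin delete shadows` together with the related recovery-inhibition commands attackers run alongside it (`wmic shadowcopy delete`, `bcdedit ... recoveryenabled no`, `wbadmin delete catalog`, and PowerShell deletion of `Win32_ShadowCopy` objects), so it goes a little beyond the shadow-copy case the paragraph names. The pipe-delimited record format, hostnames, usernames, and sample events are constructed for the demo; real events would come from your SIEM or an event-log export.

```python
"""Flag shadow-copy deletion and related recovery-inhibition commands in
Windows process-creation events (Sysmon Event ID 1 / Security Event ID 4688).

Added example for this page; not code from the book or from any product.
The 'Key=value|Key=value' record format and the sample events are constructed.
"""
import re
from dataclasses import dataclass

# Commands ransomware typically runs just before encryption so the victim
# cannot restore from Volume Shadow Copies or Windows backups (ATT&CK T1490).
# Each regex is matched case-insensitively against the CommandLine field only.
RECOVERY_INHIBITION_RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "vssadmin_resize_storage": re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "powershell_shadowcopy_delete": re.compile(
        r"win32_shadowcopy.*(\bremove-wmiobject\b|\bremove-ciminstance\b|\.delete\(\))", re.I),
    "bcdedit_disable_recovery": re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I),
}


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    rule: str
    command_line: str


def parse_event(line: str) -> dict:
    """Parse one constructed 'Key=value|...|CommandLine=...' record.

    CommandLine is always the last field because command lines themselves
    can contain '|' (PowerShell pipelines), so it is split off first.
    """
    head, _, cmd = line.partition("|CommandLine=")
    fields = {}
    for part in head.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    fields["CommandLine"] = cmd.strip()
    return fields


def detect_recovery_inhibition(lines, allowed_users=frozenset()):
    """Return one Alert per event whose command line matches a rule.

    allowed_users: accounts (e.g. a backup service account) whose matches are
    dropped. Backup software legitimately prunes shadow storage, so without an
    allowlist this fires on every scheduled backup job; keep the list short and
    review it, since a stolen backup account is exactly what an attacker wants.
    """
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_event(line)
        if ev.get("User", "") in allowed_users:
            continue
        cmd = ev.get("CommandLine", "")
        for rule, pattern in RECOVERY_INHIBITION_RULES.items():
            if pattern.search(cmd):
                alerts.append(Alert(ev.get("Computer", "?"), ev.get("User", "?"), rule, cmd))
                break  # one alert per event; the command line is the evidence
    return alerts


def hosts_to_isolate(alerts):
    """Distinct hosts an automation playbook should cut off the network."""
    return sorted({a.host for a in alerts})


def looks_fleetwide(alerts, min_hosts=2):
    """Recovery inhibition on several hosts in one window is a deployment, not an admin mistake."""
    return len(hosts_to_isolate(alerts)) >= min_hosts


# Constructed sample events (hostnames, users and paths are made up).
SAMPLE_EVENTS = r"""
EventID=1|Computer=FS01.corp.example|User=CORP\svc_backup|Image=C:\Windows\System32\vssadmin.exe|CommandLine=vssadmin list shadows
EventID=1|Computer=FS01.corp.example|User=CORP\svc_backup|Image=C:\Windows\System32\vssadmin.exe|CommandLine=vssadmin resize shadowstorage /for=C: /on=C: /maxsize=10GB
EventID=1|Computer=FS01.corp.example|User=CORP\jsmith|Image=C:\Windows\System32\vssadmin.exe|CommandLine=vssadmin.exe Delete Shadows /All /Quiet
EventID=1|Computer=WS17.corp.example|User=CORP\jsmith|Image=C:\Windows\System32\wbem\WMIC.exe|CommandLine=wmic shadowcopy delete
EventID=1|Computer=WS17.corp.example|User=CORP\jsmith|Image=C:\Windows\System32\bcdedit.exe|CommandLine=bcdedit /set {default} recoveryenabled No
EventID=1|Computer=DC01.corp.example|User=CORP\Administrator|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"
EventID=1|Computer=WS03.corp.example|User=CORP\amiller|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe C:\Users\amiller\notes.txt
""".strip().splitlines()


if __name__ == "__main__":
    found = detect_recovery_inhibition(SAMPLE_EVENTS, allowed_users={r"CORP\svc_backup"})
    for a in found:
        print(f"[{a.rule}] {a.host} {a.user}: {a.command_line}")
    print("isolate:", hosts_to_isolate(found), "fleet-wide:", looks_fleetwide(found))
```

The value of this rule is that it fires on the attacker's own preparation step rather than on encryption, so an automated playbook (isolate the host, disable the account, page the on-call) still has minutes in which files are intact. The allowlist is the caveat a practitioner will hit first: tune it against your backup jobs, but do not exclude `vssadmin delete shadows /all /quiet` for anyone.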