
    Remote Access Abuse Biggest Pre-Ransomware Indicator

    Abuses of remote access software and services are the most common ‘pre-ransomware’ indicators, according to new research from Cisco Talos.

    Adversaries frequently leverage legitimate remote services such as RDP, PsExec and PowerShell, the researchers observed. Remote access software such as AnyDesk, Atera and Microsoft Quick Assist was also frequently abused.

    Cisco identified these tactics, techniques and procedures (TTPs) as part of efforts by cybercriminals to gain enterprise-level domain administrator access in compromised systems.

    Pre-ransomware refers to the stage in an attack where adversaries conduct activities such as privilege escalation, credential harvesting and remote access deployment without yet executing full-scale encryption.

    Suggested mitigations against abuse of such remote access software and services include:

    • Configure security solutions to permit only proven benign applications to launch and prevent the installation of unexpected software
    • Require MFA on all critical services, including remote access and identity access management (IAM) services, and monitor for MFA misuse
    • Deploy tools such as System Monitor (Sysmon) for Windows for endpoint visibility and logging


    Another common pre-ransomware TTP was operating system credential dumping. This technique relates to efforts to extract account credentials from a compromised system to enable lateral movement.

    The researchers noted that the top credential dumping techniques/locations included the domain controller registry, the SAM registry hive, AD Explorer, LSASS and NTDS.DIT.

    The open-source Mimikatz tool is also frequently used to extract credentials.

    Network service discovery was also highlighted as a significant pre-ransomware tactic. The top observed tools and commands used for network service discovery included netscan, nltest and netview.
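    The three indicator families above (remote access tooling, credential dumping, network service discovery) can be triaged from endpoint logs. The following is an added example, not Cisco Talos code: it reads constructed Sysmon-style JSON events (process creation, Event ID 1, and process access, Event ID 10), buckets each hit into one of the article's TTP families, and flags any host where two or more families co-occur. The executable names, field names and sample events are assumptions made for the example.

```python
"""Triage constructed Sysmon-style events for the pre-ransomware TTP families
named in the Talos findings. Added example; event shape, tool basenames and
sample lines are constructed assumptions, not real telemetry."""
import json
from collections import defaultdict

# Executable basenames are assumptions chosen to mirror the tools the article names.
REMOTE_ACCESS = {"anydesk.exe", "ateraagent.exe", "quickassist.exe", "psexec.exe", "psexesvc.exe"}
CRED_DUMP_IMAGES = {"mimikatz.exe", "adexplorer.exe"}
DISCOVERY = {"netscan.exe", "nltest.exe", "net.exe"}


def classify(event):
    """Return the TTP family for one event, or None if it is not an indicator."""
    eid = event.get("EventID")
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "").lower()
    if eid == 1:  # process creation
        if image in REMOTE_ACCESS:
            return "remote_access"
        if image in CRED_DUMP_IMAGES or "ntds.dit" in cmd:
            return "credential_dumping"
        # net.exe is noisy; only its "view" subcommand counts as discovery here.
        if image in DISCOVERY and (image != "net.exe" or " view" in cmd):
            return "network_discovery"
    if eid == 10 and event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return "credential_dumping"  # another process opened a handle to LSASS
    return None


def triage(lines):
    """Map each host to the sorted set of TTP families observed on it."""
    hits = defaultdict(set)
    for line in lines:
        ev = json.loads(line)
        family = classify(ev)
        if family:
            hits[ev["Computer"]].add(family)
    return {host: sorted(fams) for host, fams in hits.items()}


def flagged_hosts(summary, min_families=2):
    """Hosts showing several families at once warrant the fast response the study stresses."""
    return sorted(h for h, fams in summary.items() if len(fams) >= min_families)


SAMPLE_EVENTS = [  # constructed sample telemetry
    '{"Computer":"WS01","EventID":1,"Image":"C:\\\\Tools\\\\AnyDesk.exe","CommandLine":"AnyDesk.exe --service"}',
    '{"Computer":"WS01","EventID":1,"Image":"C:\\\\Windows\\\\System32\\\\nltest.exe","CommandLine":"nltest /dclist:corp"}',
    '{"Computer":"WS01","EventID":10,"SourceImage":"C:\\\\Temp\\\\x.exe","TargetImage":"C:\\\\Windows\\\\System32\\\\lsass.exe"}',
    '{"Computer":"WS02","EventID":1,"Image":"C:\\\\Windows\\\\System32\\\\net.exe","CommandLine":"net view"}',
    '{"Computer":"WS03","EventID":1,"Image":"C:\\\\Windows\\\\System32\\\\notepad.exe","CommandLine":"notepad.exe"}',
]

if __name__ == "__main__":
    summary = triage(SAMPLE_EVENTS)
    print(summary, flagged_hosts(summary))
```

Only WS01, which shows all three families, is flagged; WS02's lone "net view" stays a low-priority hit.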

    “Prioritizing moderating the use of remote services and remote access software and/or securing the aforementioned credential stores could assist in limiting the majority of adversaries seen in these pre-ransomware engagements,” the researchers noted.

    The researchers said they had high confidence that all the incidents included in the study involved tactics consistently seen to precede ransomware deployment.

    The Cisco Talos study, published on September 8, highlighted fast response as critical to preventing serious ransomware incidents occurring.

    When Talos Incident Response (IR) was engaged within one to two days of first observed activity, ransomware execution was prevented in a third (32%) of cases where attacks were successfully hindered.

    An EDR/MDR alert that prompted security teams to contain the intrusion within two hours was identified as a contributing factor in hindering 32% of attacks.

    Notifications from US government partners and from representatives of the organization's managed service provider (MSP) about possible ransomware staging in its environment prevented ransomware execution in 14% of cases.

    This includes alerts from the Cybersecurity and Infrastructure Security Agency (CISA)’s pre-ransomware notification initiative, launched in March 2023.

    Organizations’ security restrictions were key to impeding attack chains in 9% of successful engagements. In one example, the threat actors compromised a service account at the targeted organization, but appropriate privilege restrictions on the account prevented their attempts to access key systems like domain controllers.

     
