Your Ransomware Incident Is Predictable...
With decades of combined experience in emergency ransomware response, the Recon IR team has repeatedly witnessed the same frustrating patterns unfold time and time again. While victims are often shocked by the suddenness of the ransomware attack and bewildered by how it happened, as incident responders, we’re rarely surprised. These attacks almost always follow a predictable script over a number of days and weeks, exploiting well-known vulnerabilities and common security oversights that could have been addressed earlier. The reality is that without the right defenses, your organization is practically rolling out the red carpet for attackers.
We’ve seen it all before, but you don’t have to. That’s why we’re sharing what we’ve learned from these unfortunately common but devastating incidents—so you can avoid becoming yet another victim who wonders how this could have happened.
If you can't answer the following questions confidently in the affirmative, your organization is at risk of becoming a victim of an entirely predictable ransomware incident. Answering “maybe” isn’t good enough; attackers thrive on exceptions, misconfigurations, and sloppy defenses.
- Do you enforce MFA on all VPNs and remote access tools for all accounts and at all times?
- Do you limit VPN access to only approved user accounts?
- Are malicious emails slipping through to your users? Are you confident in their ability to detect and report phishing and social engineering?
- Would you patch a newly released external-facing vulnerability faster than motivated attackers (who frequently launch new attacks in minutes)?
- Are you actively defending your environment with a team that monitors high-quality alert and telemetry sources across your environment? Is that team prepared to detect, investigate, prioritize, and remediate threats 24x7?
- Have you implemented internal canary systems in places that would trick attackers into revealing themselves early in their attack chain?
- Do you enforce strong, unique passwords for all domain service accounts, ideally 32 characters or more?
- Have you disabled the Windows built-in administrator account? If it's enabled, is its password completely random and distinct across all your systems?
- Would you quickly identify the unauthorized use of legitimate remote access software in your environment (like AnyDesk)?
- Have you developed and tested an incident response plan in the last 12 months? Are you confident in it?
- Have you developed a robust backup and recovery strategy? Have you taken deliberate steps to protect those backups against threats even from a fully compromised network?
- Do you know exactly how your cybersecurity insurance policy works and do you have emergency contacts readily available?
Read on to understand why your answers to those questions matter and how they influence how a ransomware incident is likely to unfold. By implementing the fundamental security controls in this article, aligned with best practices and frameworks, you will dramatically reduce the likelihood of falling victim to the most frustratingly prevalent and predictable ransomware threats.
1. Initial Access: The Common Culprits
Ransomware attacks begin with gaining unauthorized access to your network. Here’s how it usually happens:
- Misconfigured or Insecure VPNs and Remote Access Tools: Attackers often exploit weaknesses in VPNs or remote access tools (MITRE ATT&CK T1133), especially when Multi-Factor Authentication (MFA) isn’t enforced for every user. All it takes is for a threat actor to guess or steal a user’s password, which is often reused from other services or compromised from a phishing email. Even organizations that think they have consistently implemented MFA often find that it only takes one exception to kick off a disaster. Those exceptions are frequently executives, newly provisioned accounts, or a mis-applied policy to a non-human account.
- Phishing and Social Engineering (T1566): Even with strong technical defenses, humans are often the weakest link. Phishing remains a prevalent method for attackers to gain access, tricking employees into providing credentials or downloading malicious software. For example, tech support scams are a very common technique that is effective at tricking users into providing attackers with remote access to their system.
- Unpatched Servers: Servers exposed to the internet, like web servers or firewalls, are prime targets if they are not consistently and quickly patched (T1190). New vulnerabilities are discovered regularly, and unpatched systems become easy prey for attackers within minutes of a vulnerability being disclosed.
The critical controls to defend yourself:
- Enforce MFA on all VPNs and remote access tools.
- Limit VPN access to approved user accounts only.
- Regularly train employees on the latest phishing and social engineering tactics.
- Conduct frequent vulnerability assessments and ensure timely patching of all internet-facing systems. Better yet, minimize the number of externally exposed services and subscribe to critical vulnerability notifications from your vendors to be ready to mitigate internet-facing risks quickly.
2. Discovery: The Silent Infiltration
Once inside your network, attackers will want to understand the lay of the land. Attackers use tools like Advanced IP Scanner and nmap to map your network (T1016). They will run enumeration tools like Bloodhound (S0521) to deep dive into your Active Directory structure, map your account roles & privileges, and begin to plot a path to take over the rest of your environment. Without proper monitoring, this activity can go unnoticed over the course of several days.
The critical controls to quickly identify malicious discovery activity:
- Deploy Endpoint Detection and Response (EDR) solutions that can detect and block malicious network scans. Make sure you have a team monitoring that EDR that is qualified to investigate & respond 24/7.
- Implement canary systems to detect unauthorized discovery activities early.
3. Privilege Escalation: Gaining Control
To fully compromise your network, attackers often need to escalate their privileges beyond the access they obtained during the initial access stage. Attackers can leverage techniques like Kerberoasting (T1558), where they request service tickets for accounts linked to Service Principal Names (SPNs) in Active Directory and crack those tickets offline to recover the service account passwords. Without strong, unique passwords—ideally 32 characters or more—these accounts become easy prey. Or, rather than attacking Active Directory, they may target built-in local administrator accounts that have the same password across multiple systems. Once they gain access to that built-in administrator account, attackers can move fast using techniques like Pass-the-Hash (T1550) or Token Stealing (T1134) to move laterally across the network and cause widespread damage.
You can make it harder for attackers to escalate privileges in your environment:
- Enforce strong, unique passwords for all service accounts, ideally 32 characters or more.
- Implement Microsoft LAPS (a free solution!) to manage local administrator passwords securely. Alternatively, disable the built-in local administrator account.
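A detection that complements the password controls above, as an added example (not Recon's tooling): Kerberoasting shows up in the domain controller's Security log as a burst of Event ID 4769 service-ticket requests for many distinct SPNs from one account, usually with TicketEncryptionType 0x17 (RC4-HMAC) because RC4 tickets crack far faster than AES ones. The event records below are constructed for illustration; the field names mirror 4769's TargetUserName, ServiceName and TicketEncryptionType.

```python
"""Flag Kerberoast-like bursts of RC4 service-ticket requests (Event ID 4769).
Added example for illustration; not Recon's tooling."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of 4769 records (account = TargetUserName,
# service = ServiceName, enc = TicketEncryptionType).
# 0x17 is RC4-HMAC, the type Kerberoasting tools request; 0x11/0x12 are AES.
EVENTS = [
    {"time": "2024-05-01T09:00:01", "account": "jdoe", "service": "MSSQLSvc/db01", "enc": "0x17"},
    {"time": "2024-05-01T09:00:02", "account": "jdoe", "service": "HTTP/web01", "enc": "0x17"},
    {"time": "2024-05-01T09:00:02", "account": "jdoe", "service": "MSSQLSvc/db02", "enc": "0x17"},
    {"time": "2024-05-01T09:00:03", "account": "jdoe", "service": "CIFS/files01", "enc": "0x17"},
    {"time": "2024-05-01T09:00:04", "account": "jdoe", "service": "HTTP/app01", "enc": "0x17"},
    {"time": "2024-05-01T09:05:00", "account": "svc_backup", "service": "CIFS/files01", "enc": "0x12"},
    {"time": "2024-05-01T10:00:00", "account": "asmith", "service": "MSSQLSvc/db01", "enc": "0x12"},
    {"time": "2024-05-01T10:00:01", "account": "asmith", "service": "HTTP/web01", "enc": "0x12"},
]


def find_kerberoast_bursts(events, threshold=4, window=timedelta(minutes=5)):
    """Return {account: sorted distinct SPNs} for every account that requested
    RC4 service tickets for at least `threshold` distinct SPNs within `window`.
    Normal users touch one or two services; a sweep of many SPNs in seconds
    is the signature of a Kerberoasting tool."""
    rc4_requests = defaultdict(list)
    for ev in events:
        if ev["enc"].lower() != "0x17":  # AES tickets are not the cheap target
            continue
        rc4_requests[ev["account"]].append(
            (datetime.fromisoformat(ev["time"]), ev["service"]))

    hits = {}
    for account, reqs in rc4_requests.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):  # sliding window from each request
            spns = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(spns) >= threshold:
                hits[account] = sorted(spns)
                break
    return hits


if __name__ == "__main__":
    for account, spns in find_kerberoast_bursts(EVENTS).items():
        print(f"ALERT: {account} requested RC4 tickets for {len(spns)} SPNs: {spns}")
```

Tune `threshold` and `window` to your environment; in real logs, exclude accounts ending in `$` (computer accounts) and known scanners to keep the alert quiet.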
4. Persistence and Lateral Movement: The Spread
Once attackers have discovered valuable resources within your network, their next objective is to maintain access and expand their foothold. To do this, they often employ a combination of legitimate remote management tools and malicious software (T1219). Legitimate tools like AnyDesk or TeamViewer, which are commonly used for remote IT support, can be misused by attackers to maintain persistence (TA0003) within your environment. These tools are particularly insidious because they blend in with legitimate activity, making them difficult to detect without careful scrutiny. On the more overtly malicious side, attackers might deploy software like Cobalt Strike (S0154), a commercial penetration testing tool often repurposed by cybercriminals to establish command and control (C2) channels, execute payloads, and move laterally within the network. Without continuous, active monitoring, these unauthorized activities can go unnoticed for weeks or even months—a period known as dwell time.
The attacker is on the move! Without active defenses and monitoring you won’t be able to see them.
Shrink the attacker's dwell time and find breaches faster:
- Deploy a high-quality and well-monitored EDR.
- Monitor use of legitimate remote access tools and restrict their use.
- Did you deploy those canaries yet?
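One way to operationalize "monitor use of legitimate remote access tools", as an added example that is not part of the original post: match process-creation events against the remote-access binaries named above, allow only approved host/user pairs, and raise the severity when the command line looks like a persistent install. The log lines, the allowlist and the host and user names are constructed for illustration.

```python
"""Flag remote-access tool executions outside an approved allowlist.
Added example; the Sysmon Event ID 1 style log lines below are constructed."""
import re

# Image basenames of the tools the article mentions (lower-case for matching).
RMM_BINARIES = {"anydesk.exe", "teamviewer.exe", "teamviewer_service.exe"}

# Constructed allowlist of (host, user) pairs permitted to run these tools.
APPROVED = {("helpdesk-01", "corp\\it_support")}

# Constructed sample log lines in key=value form (quoted values may contain spaces).
LOG_LINES = [
    'EventID=1 Computer=helpdesk-01 User=CORP\\it_support Image="C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe" CommandLine="AnyDesk.exe"',
    'EventID=1 Computer=fin-ws-07 User=CORP\\jdoe Image="C:\\Users\\jdoe\\Downloads\\AnyDesk.exe" CommandLine="AnyDesk.exe --install C:\\ProgramData\\AnyDesk --start-with-win --silent"',
    'EventID=1 Computer=db01 User=CORP\\svc_sql Image="C:\\Windows\\System32\\svchost.exe" CommandLine="svchost.exe -k netsvcs"',
    'EventID=1 Computer=fin-ws-07 User=CORP\\jdoe Image="C:\\Windows\\Temp\\TeamViewer.exe" CommandLine="TeamViewer.exe"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def find_unapproved_rmm(lines, approved=APPROVED, binaries=RMM_BINARIES):
    """Return one finding per remote-access tool start that is not from an
    approved (host, user) pair. A command line that installs the tool or
    registers it to start with Windows is persistence, so it is rated high."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev.get("EventID") != "1":  # only process-creation events
            continue
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if image not in binaries:
            continue
        host, user = ev.get("Computer", "").lower(), ev.get("User", "").lower()
        if (host, user) in approved:
            continue
        cmd = ev.get("CommandLine", "").lower()
        severity = "high" if ("--install" in cmd or "--start-with-win" in cmd) else "medium"
        findings.append({"host": host, "user": user, "tool": image, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in find_unapproved_rmm(LOG_LINES):
        print(f"[{f['severity'].upper()}] {f['tool']} run by {f['user']} on {f['host']}")
```

Pair this with a network-level control (block the vendors' relay domains except from approved hosts) so a tool that is renamed on disk still cannot phone home.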
5. Data Exfiltration & Destruction: The Nightmare Revealed
Attacks frequently have two goals: data exfiltration and data encryption. Before locking you out of your own systems, attackers typically prioritize stealing as much valuable data as possible. This process, known as exfiltration, involves transferring sensitive data out of your network to external servers controlled by the attackers. Common tools and services like MEGA (T1567), FTP (S0095), or other cloud storage services are often used for this purpose.
The final stage sees the attackers tip their hand and begin causing overt damage. Using the access and knowledge they’ve gained over the last several days and weeks, they deploy ransomware to encrypt your data and demand payment for the decryption key (T1486). In most cases, they will deliberately target any unprotected backups and inhibit your ability to recover (T1490). The impact of this action can be catastrophic. You are then left with a double extortion threat: one to stop the release of stolen information and another to regain access to your systems and data.
This is your last line of defense. Are you prepared?
- Develop and regularly test an incident response plan to ensure quick and coordinated actions during an attack.
- Implement a robust backup and recovery solution that is protected against threats, even from a fully compromised environment.
- Review your cybersecurity insurance policy to ensure adequate coverage and have emergency contacts readily available.
Conclusion
The landscape of ransomware is continually evolving, but the fundamental tactics remain the same. By understanding the likely paths attackers will take and implementing these critical controls today, you can significantly reduce the risk of a successful ransomware attack on your organization. Proactivity in cybersecurity is not just about deploying tools; it’s about understanding the threats, ensuring your defenses are always one step ahead, and having 24/7 expertise to effectively utilize the technology you deploy.
Recon's Managed Security Operations (MSO) solution not only provides the technology but also the experienced professionals who monitor, detect, and respond to ransomware threats before they impact your business. Don’t leave your organization’s security to chance—partner with us to build a proactive and resilient defense strategy. Contact Recon today to talk through any of these controls or learn how we can help you stay ahead of cybercriminals and protect what matters most.