Ransomware payloads are stylistic and interchangeable (to the extent that attackers are even using Wannacrypt sometimes) but focusing on their initial access, credential theft, and lateral movement techniques can give you a map to mitigation. https://t.co/YUpWkHOWKT
Human Operated Ransomware isn’t slowing down, but payloads are just a stop on a journey attackers are taking through your network. If you focus on the payload you’ll miss actions they performed in your network, and chances to detect and stop them sooner. https://t.co/YUpWkHOWKT
Understanding your network, and where credential overlap exists, can be the difference between losing one or two less secured machines to an attacker and a totally ransomed network. If you’re not sure what accounts are logging in where and why, you can use WEF https://t.co/vwkTaHPZCi
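One way to turn forwarded logon events into that map, as an added example that is not part of the original thread: the script below reads event ID 4624 from a WEF collector's ForwardedEvents log, keeps the logon types that leave reusable credentials on the target host (interactive, batch, service, unlock, remote interactive, cached), and reports two things: accounts seen with such logons on more than one host (credential overlap), and members of privileged groups doing batch (4) or service (5) logons to workstations. The log name, the privileged group names and the `^WS-` workstation naming pattern are assumptions to replace with your own; the ActiveDirectory RSAT module is required for the group lookup.

```powershell
# Added example (not from the original thread): map account -> hosts from forwarded 4624 events.
# Assumes a WEF collector (ForwardedEvents). Use -LogName Security to run against one host's local log.
param(
    [string]$LogName = 'ForwardedEvents',
    [int]$MaxEvents = 50000,
    [string[]]$PrivilegedGroups = @('Domain Admins'),   # assumption: groups whose members should never do type 4/5 logons to workstations
    [string]$WorkstationPattern = '^WS-'                # assumption: hostname convention for workstations
)

Import-Module ActiveDirectory

$logonTypeNames = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}
# Logon types that leave credential material (LSASS secrets, cached verifiers, tokens) on the target host.
$reusableTypes = 2, 4, 5, 7, 10, 11

# Resolve privileged group membership once, keyed by lower-case sAMAccountName.
$privileged = @{}
foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive | ForEach-Object { $privileged[$_.SamAccountName.ToLower()] = $g }
}

$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 4624 } -MaxEvents $MaxEvents -ErrorAction Stop

$records = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # Skip machine accounts and well-known local identities; they are noise for this question.
    if ($d.TargetUserName -like '*$' -or
        $d.TargetUserName -in @('ANONYMOUS LOGON', 'SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE')) { continue }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
        User      = $d.TargetUserName.ToLower()
        Host      = $x.Event.System.Computer      # the host that logged the event, i.e. the logon target
        LogonType = [int]$d.LogonType
        TypeName  = $logonTypeNames[[int]$d.LogonType]
    }
}

# 1. Credential overlap: the same account leaving reusable credentials on more than one host.
$overlap = $records |
    Where-Object { $_.LogonType -in $reusableTypes } |
    Group-Object User |
    Where-Object { @($_.Group.Host | Select-Object -Unique).Count -gt 1 } |
    ForEach-Object {
        [pscustomobject]@{
            User  = $_.Name
            Hosts = (($_.Group.Host | Sort-Object -Unique) -join ', ')
            Types = (($_.Group.TypeName | Sort-Object -Unique) -join ', ')
        }
    }

# 2. Privileged accounts doing batch or service logons on workstations.
$privOnWorkstations = $records | Where-Object {
    $privileged.ContainsKey($_.User) -and $_.LogonType -in 4, 5 -and $_.Host -match $WorkstationPattern
} | Select-Object Time, Account, Host, TypeName -Unique

'== Accounts with reusable credentials on more than one host =='
$overlap | Sort-Object User | Format-Table -AutoSize
'== Privileged accounts with batch/service logons on workstations =='
$privOnWorkstations | Sort-Object Time | Format-Table -AutoSize
```

Type 3 (network) logons are deliberately excluded from the overlap view because a plain network logon does not normally leave reusable credentials on the target; the same account doing type 3 logons everywhere is expected, while type 2/4/5/10 logons everywhere is the pattern a lateral-movement attacker profits from.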
Multiple ransomware groups that have been accumulating access and maintaining persistence on target networks for several months activated dozens of ransomware deployments in the first two weeks of April. https://t.co/VwDK0v42VO
Every report on a ransomware payload that digs into encryption methods and code artifacts but neglects the killchain that allowed it to infect an entire network deprives defenders of information to protect themselves. Payloads change, abuse of network configuration can be fixed.
Which Ransomware payload is deployed at the end of a killchain is pretty much a stylistic choice by the attackers. Human Operated Ransomware campaigns overlap in their entry vectors, C2 tools, and lateral movement techniques, and also in viable defenses. https://t.co/3Vcjnx8PMZ
An insufficiently secured network is distributed computing resources to an attacker. If you have no host firewalls, matching local admin passwords, services that log in as highly privileged accounts and haven’t had an attack yet, it’s likely just because you weren’t selected.
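A quick self-check for the three conditions named above on a single domain-joined host, as an added example that is not part of the original thread: firewall profiles that are disabled or do not block inbound by default, services configured to run as domain accounts (and which of those are Domain Admins), and whether the host's local Administrator password is managed by LAPS. The LAPS check looks for the legacy `ms-Mcs-AdmPwdExpirationTime` and the Windows LAPS `msLAPS-PasswordExpirationTime` attributes; treating "neither is set" as "probably a shared local admin password" is an assumption, not proof. Requires the ActiveDirectory RSAT module and read access to those attributes.

```powershell
# Added example (not from the original thread): host hygiene check for the habits attackers like.
Import-Module ActiveDirectory

function Get-FirewallGaps {
    # A profile that is off, or that allows inbound by default, lets psexec/SMB/RDP reach the host from any peer.
    Get-NetFirewallProfile |
        Where-Object { -not $_.Enabled -or $_.DefaultInboundAction -ne 'Block' } |
        Select-Object Name, Enabled, DefaultInboundAction
}

function Get-ServicesRunningAsDomainAccounts {
    # Services logging on as domain accounts leave that account's credentials on this host.
    $builtin = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
    $domainAdmins = @{}
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        ForEach-Object { $domainAdmins[$_.SamAccountName.ToLower()] = $true }

    Get-CimInstance Win32_Service | Where-Object {
        $_.StartName -and
        $_.StartName -notin $builtin -and
        $_.StartName -notlike 'NT SERVICE\*' -and
        $_.StartName -notlike 'NT AUTHORITY\*'
    } | ForEach-Object {
        # StartName is DOMAIN\user or user@domain; normalise to the bare sAMAccountName for the lookup.
        $sam = ($_.StartName -split '[\\@]')[ $(if ($_.StartName -match '\\') { 1 } else { 0 }) ].ToLower()
        [pscustomobject]@{
            Service       = $_.Name
            RunsAs        = $_.StartName
            State         = $_.State
            IsDomainAdmin = $domainAdmins.ContainsKey($sam)
        }
    }
}

function Test-LapsManaged {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $c = Get-ADComputer -Identity $ComputerName -Properties 'ms-Mcs-AdmPwdExpirationTime', 'msLAPS-PasswordExpirationTime'
    [pscustomobject]@{
        Computer    = $ComputerName
        LegacyLaps  = [bool]$c.'ms-Mcs-AdmPwdExpirationTime'
        WindowsLaps = [bool]$c.'msLAPS-PasswordExpirationTime'
        # Assumption: no LAPS expiry set means the local admin password is set by hand or by image, i.e. probably shared.
        LikelyShared = -not ($c.'ms-Mcs-AdmPwdExpirationTime' -or $c.'msLAPS-PasswordExpirationTime')
    }
}

'== Firewall profiles that do not block inbound =='
Get-FirewallGaps | Format-Table -AutoSize
'== Services running as domain accounts =='
Get-ServicesRunningAsDomainAccounts | Sort-Object IsDomainAdmin -Descending | Format-Table -AutoSize
'== Local admin password management =='
Test-LapsManaged | Format-Table -AutoSize
```

Any service in the second table with `IsDomainAdmin` true is the exact combination the thread warns about: one compromised host yields credentials that work on every other host the account can reach.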
Credential theft, lateral movement, data exfiltration: terms many don’t associate with ransomware. But that is what happens during these attacks and the mindset needs to shift. Paying a ransom doesn’t remove the attacker, and formatting a ransomed machine doesn’t undo the attack.
Threat Intelligence reports often ignore ‘commodity’ threats, or fail to explain how a threat can be prevented. We think differently, and want you to know how the most impactful threats work and how you can stop them. Stopping Ransomware is possible, with built in configurations.
New blog post: A comprehensive and in-depth look at one of the most impactful trends in cyberattacks today: human-operated ransomware campaigns, their techniques and methods, the shift in mindset they entail, and lessons in security they highlight https://t.co/qNmUieIXJV
@Jason_Krause_CO We realized the wording of the requirements was going to prevent us from getting candidates from the diverse skills backgrounds we encourage and auto reject others based on years of experience. We value candidates from new backgrounds and experiences so we will be reposting it.
Ransomware is an economic problem - attackers use the same techniques of RDP brute force and lateral movement for years because they still work. Increasing operational security is not only possible using native/builtin tools, it’s becoming a new business continuity requirement.
Ransomware is often talked about with the same ‘superpower’ and malware focused narrative APTs are.
Both are humans usually using psexec, GPOs, and stolen credentials to move laterally and deploy malware.
Mitigations exist and networks can be hardened: https://t.co/TgrthXte7S
Some things attackers like:
-Domain Admin accounts that do logon type 4 or 5 to workstations
-Accounts with weak Kerberos configs like DES encryption or no preauth
-GPO settings that allow unexpected admin actions like loading drivers
Why not check for these before they do?
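Checking the Kerberos and GPO items on that list across a domain, as an added example that is not part of the original thread (the logon-type item is a security event log question rather than a directory query, so it is not repeated here). The script uses the documented `userAccountControl` flag values `USE_DES_KEY_ONLY` (0x200000) and `DONT_REQ_PREAUTH` (0x400000) with the LDAP bitwise-AND matching rule, then walks every GPO's XML report for `SeLoadDriverPrivilege` grants and flags any grantee other than Administrators. It assumes the ActiveDirectory and GroupPolicy RSAT modules; the "anything besides Administrators is unexpected" rule is an assumption to adjust for your environment.

```powershell
# Added example (not from the original thread): find weak Kerberos configs and driver-loading rights before attackers do.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# userAccountControl flag values, as documented for the attribute.
$USE_DES_KEY_ONLY = 0x200000
$DONT_REQ_PREAUTH = 0x400000
$bitAnd = '1.2.840.113556.1.4.803'   # LDAP_MATCHING_RULE_BIT_AND

function Get-WeakKerberosAccounts {
    # DES-only keys are 56-bit and crackable offline from any captured ticket or AS-REP.
    $des = Get-ADObject -LDAPFilter "(&(objectClass=user)(userAccountControl:${bitAnd}:=$USE_DES_KEY_ONLY))" -Properties samAccountName |
        ForEach-Object { [pscustomobject]@{ Account = $_.samAccountName; Issue = 'USE_DES_KEY_ONLY' } }
    # No pre-authentication lets anyone request an AS-REP for the account and crack it offline (AS-REP roasting).
    $noPre = Get-ADObject -LDAPFilter "(&(objectClass=user)(userAccountControl:${bitAnd}:=$DONT_REQ_PREAUTH))" -Properties samAccountName |
        ForEach-Object { [pscustomobject]@{ Account = $_.samAccountName; Issue = 'DONT_REQ_PREAUTH' } }
    @($des) + @($noPre)
}

function Get-DriverLoadRights {
    # Report every GPO that grants "Load and unload device drivers" and to whom.
    # A principal with SeLoadDriverPrivilege can load a signed-but-vulnerable driver and own the kernel.
    foreach ($gpo in Get-GPO -All) {
        $xml = [xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml)
        # local-name() keeps the XPath independent of the namespace prefixes the report uses.
        $nodes = $xml.SelectNodes("//*[local-name()='UserRightsAssignment'][*[local-name()='Name']='SeLoadDriverPrivilege']")
        foreach ($n in $nodes) {
            $members = @($n.SelectNodes("*[local-name()='Member']/*[local-name()='Name']") | ForEach-Object { $_.InnerText })
            [pscustomobject]@{
                GPO        = $gpo.DisplayName
                Members    = ($members -join ', ')
                # Assumption: only BUILTIN\Administrators is expected; anything else gets a question.
                Unexpected = (@($members | Where-Object { $_ -notmatch '\\Administrators$' }).Count -gt 0)
            }
        }
    }
}

'== Accounts with weak Kerberos configuration =='
Get-WeakKerberosAccounts | Sort-Object Issue, Account | Format-Table -AutoSize
'== GPOs granting SeLoadDriverPrivilege =='
Get-DriverLoadRights | Sort-Object Unexpected -Descending | Format-Table -AutoSize
```

Both LDAP filters are scoped to `objectClass=user`, which also matches computer objects; a DES-only or no-preauth computer account is just as much of a finding as a user account, so that is intentional.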