Post-Intrusion Ransomware Incident Response

The Secureworks® Incident Response team has recently been very busy helping customers recover after post-intrusion ransomware attacks. In most cases, we see threat actors indiscriminately encrypt all assets they can deploy their ransomware to. Core IT assets like Domain Controllers, software deployment, and backup servers are knocked offline by the encryption process. By the time the dust settles, victims realize that many of the systems they rely on to investigate the breach, rebuild systems, and recover data are unavailable.


The worst-case scenario is having all of your Domain Controllers encrypted. That cripples authentication and name resolution for all Active Directory (AD) integrated services, making the simplest IT administration tasks challenging.


How do you deploy software if your software deployment mechanism can’t authenticate to AD? Does your backup solution still work? Can you recover data from your backups? The flip side of the convenience of Single Sign On reveals itself – once AD is down, it takes a lot of critical services with it.


Using Threat Actor techniques to enable emergency ransomware incident response


Often the threat actors will use AD to distribute their ransomware, just as we would use it for managing the domain on a daily basis. We see them using Group Policy Objects (GPOs) or PowerShell to install an immediate scheduled task on a wide array of systems.



The immediate scheduled task has some useful properties for the threat actor. It can run under various levels of privilege, and once executed it deletes itself from the system, leaving few traces.


Using GPOs, the threat actor can run their payload as NT AUTHORITY\System, giving the malware full privileges over the system to install and disable whatever they want t ..
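Because the GPO-pushed immediate task lives in SYSVOL as a Group Policy Preferences file, a responder can audit those files directly even when the rest of AD tooling is degraded. The script below is an added example, not Secureworks code: it parses a constructed ScheduledTasks.xml (the real file sits under `\\<domain>\SYSVOL\<domain>\Policies\{GPO-GUID}\Machine\Preferences\ScheduledTasks\`) and flags immediate tasks that run as SYSTEM and delete themselves after execution, which is exactly the combination described above. Host, GUID and payload names are placeholders.

```python
"""Audit a GPP ScheduledTasks.xml for SYSTEM-level, self-deleting immediate tasks."""
import xml.etree.ElementTree as ET

# Constructed sample of a Group Policy Preferences ScheduledTasks.xml.
# Hostnames, GUID placeholder and payload path are invented for the example.
SAMPLE_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="Update" image="0" changed="2024-01-01 00:00:00" uid="{PLACEHOLDER-UID}">
    <Properties action="C" name="Update" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.2">
        <Principals><Principal id="Author"><UserId>NT AUTHORITY\System</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
        <Settings><DeleteExpiredTaskAfter>PT0S</DeleteExpiredTaskAfter></Settings>
        <Triggers><TimeTrigger><StartBoundary>%LocalTimeXmlEx%</StartBoundary><EndBoundary>%LocalTimeXmlEx%</EndBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
        <Actions Context="Author"><Exec><Command>\\example-dc\netlogon\payload.exe</Command><Arguments>/silent</Arguments></Exec></Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
  <TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="Nightly Backup" uid="{PLACEHOLDER-UID-2}"><Properties action="C" name="Nightly Backup" runAs="EXAMPLE\backupsvc"/></TaskV2>
</ScheduledTasks>"""


def audit_immediate_tasks(xml_text):
    """Return one finding per ImmediateTaskV2 entry (ordinary TaskV2 entries are ignored).

    A finding is high-risk when the task runs as SYSTEM and is set to delete
    itself immediately (DeleteExpiredTaskAfter == PT0S), leaving few traces.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for task in root.iter("ImmediateTaskV2"):
        props = task.find("Properties")
        run_as = props.get("runAs", "") if props is not None else ""
        exec_node = props.find(".//Actions/Exec") if props is not None else None
        command = exec_node.findtext("Command", "") if exec_node is not None else ""
        args = exec_node.findtext("Arguments", "") if exec_node is not None else ""
        expire = props.findtext(".//Settings/DeleteExpiredTaskAfter", "") if props is not None else ""
        system_level = run_as.upper().endswith("\\SYSTEM")
        self_deleting = expire.strip().upper() == "PT0S"
        findings.append({
            "gpo_task": task.get("name"),
            "changed": task.get("changed"),      # when the GPP item was last edited
            "run_as": run_as,
            "command": (command + " " + args).strip(),
            "system_level": system_level,
            "self_deleting": self_deleting,
            "high_risk": system_level and self_deleting,
        })
    return findings


if __name__ == "__main__":
    for f in audit_immediate_tasks(SAMPLE_XML):
        print(f)
```

Run it against every ScheduledTasks.xml under SYSVOL and compare the `changed` timestamps with the incident window; a SYSTEM-level, self-deleting immediate task that nobody in IT recognises is the distribution mechanism to pull for analysis.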
