Effectively detect ransomware attacks while preventing damage to local files, folders, removable drives, and mapped network or cloud shares.
Ransomware Mitigation Overview
Preventing ransomware and disruption-of-service attacks remains a top priority for organizations of all sizes. EPP and EDR stop most commodity infections, but today's human-operated ransomware can evade traditional endpoint defenses. These adversaries use APT-like tactics: they conduct reconnaissance, steal credentials, escalate privileges, and move laterally before detonating. To defend against these attacks, organizations are turning to the ransomware mitigation functions of the Attivo ThreatDefend platform, which are designed to derail even sophisticated, hands-on-keyboard ransomware campaigns.
The platform uses cloaking technology to hide and deny access to local credentials and Active Directory objects, so an attacker cannot gain the access and authority needed to change policies or mass-distribute ransomware. It can also cloak local files, folders, removable devices, and mapped network or cloud shares, preventing the attacker from encrypting or modifying them. Finally, it creates fake network file shares that feed the ransomware limitless data, stalling the encryption loop and raising an alert so the organization can promptly isolate infected systems and limit damage.
Protecting Against the Evolving Nature of Ransomware
The ThreatDefend platform addresses both ransomware 1.0 (commodity, spray-and-encrypt) and ransomware 2.0 (human-operated, credential- and Active Directory-driven) attacks with technology that detects and derails reconnaissance and protects credentials and Active Directory from privilege escalation activity.
Ransomware looks for sensitive or critical data to encrypt and for credentials it can use to move laterally. When the ransomware enumerates local directories and network shares looking for data to encrypt, the platform cloaks user files, folders, and production network shares, and shows only the decoy mapped shares.
As the ransomware spreads to the fake network shares and starts encrypting their files, the decoys alert on the activity and feed the malware limitless data to stall the attack so the organization can respond in time. The platform also hides removable USB storage drives so the malware can neither encrypt the data on them nor use them to spread to other systems. Together these functions limit the damage ransomware can inflict on user and network data, delay its spread, and give security teams time to respond. Note that a decoy only stalls the encryption that reaches it; the alert it generates still has to be acted on quickly.
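As an added illustration of the decoy-share detection described above, the following Python monitor seeds a canary directory with decoy files, records a baseline, and then alerts when a decoy is removed or renamed, when a file appears with a ransomware-style suffix or ransom-note name, or when a decoy is overwritten with high-entropy (encryption-like) data. This is example code written for this page, not Attivo's implementation or product API; the decoy file contents, the suffix list, the entropy threshold, the ransom-note name prefixes, and the simulated encryptor are all assumptions made for the demonstration.

```python
import hashlib
import math
import random
import tempfile
from pathlib import Path

# Decoy file contents: constructed for this example, not real documents.
DECOY_FILES = {
    "Q3-budget.xlsx": b"Department,Budget\nEngineering,120000\nSales,80000\n" * 20,
    "passwords-backup.txt": b"this file intentionally contains nothing of value\n" * 10,
    "board-minutes.docx": b"Minutes of the board meeting (decoy)\n" * 30,
}
ENTROPY_THRESHOLD = 7.0  # bits per byte; encrypted or compressed data sits near 8.0
SUSPECT_SUFFIXES = {".locked", ".encrypted", ".crypt", ".enc"}  # assumed rename patterns
RANSOM_NOTE_PREFIXES = ("readme", "how_to_decrypt", "restore")  # assumed note names


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer; 0.0 for an empty buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def seed_decoys(root: Path) -> dict:
    """Write the decoy files and return a baseline mapping name -> sha256 hex digest."""
    root.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for name, content in DECOY_FILES.items():
        (root / name).write_bytes(content)
        baseline[name] = hashlib.sha256(content).hexdigest()
    return baseline


def scan_decoys(root: Path, baseline: dict) -> list:
    """Compare the decoy directory with its baseline and return (name, reason) alerts.
    No legitimate user touches a decoy, so any change is worth an alert; the entropy
    and naming checks only classify the change as encryption-like or not."""
    alerts = []
    present = {p.name for p in root.iterdir() if p.is_file()}
    for name, digest in baseline.items():
        if name not in present:
            alerts.append((name, "decoy removed or renamed"))
            continue
        data = (root / name).read_bytes()
        if hashlib.sha256(data).hexdigest() != digest:
            ent = shannon_entropy(data)
            kind = "overwritten with high-entropy data" if ent >= ENTROPY_THRESHOLD else "modified"
            alerts.append((name, f"{kind} (entropy {ent:.2f})"))
    for name in sorted(present - set(baseline)):
        if Path(name).suffix.lower() in SUSPECT_SUFFIXES:
            alerts.append((name, "new file with ransomware-style extension"))
        elif Path(name).stem.lower().startswith(RANSOM_NOTE_PREFIXES):
            alerts.append((name, "possible ransom note dropped"))
    return alerts


def simulate_encryptor(root: Path, seed: int = 7) -> None:
    """Constructed stand-in for a ransomware loop: overwrite every file with
    pseudo-random bytes (not real encryption), rename all but the .txt file,
    then drop a ransom note. Seeded so the demonstration is repeatable."""
    rng = random.Random(seed)
    for p in sorted(root.iterdir()):
        if not p.is_file():
            continue
        size = len(p.read_bytes())
        p.write_bytes(bytes(rng.getrandbits(8) for _ in range(size)))
        if p.suffix != ".txt":
            p.rename(p.with_name(p.name + ".locked"))
    (root / "README_RESTORE_FILES.txt").write_bytes(b"your files are encrypted\n")


def demo() -> tuple:
    """Run the detector before and after the simulated attack; returns (before, after)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "decoy-share"
        baseline = seed_decoys(root)
        before = scan_decoys(root, baseline)
        simulate_encryptor(root)
        after = scan_decoys(root, baseline)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before attack:", before)
    for name, reason in after:
        print(f"ALERT {name}: {reason}")
```

In practice the scan would run on file-system change events or a short poll against a share that no legitimate process should ever open, and every hit is high-confidence precisely because the decoy has no legitimate traffic. The "limitless data" stalling described above is not shown here; it requires a file-system filter or the SMB server side, not a read-only monitor.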
The platform also cloaks credentials and AD objects, preventing the attacker from enumerating or stealing these assets to escalate privileges and move laterally to higher-value targets. Denied credential theft and AD reconnaissance, the ransomware operator loses the path the attack needs to progress.
The State Of Ransomware
Average ransom payments have increased 25x in less than three years.
Ransomware is projected to cost $265 billion worldwide by 2031, with one attack impacting a business every few seconds.
– Cybersecurity Ventures
71% of organizations have been victimized by ransomware.
– Cyber Edge Group
Controls did not prevent or detect infiltration or ransomware tactics 68% of the time.
– Mandiant Security Effectiveness Report
Top Ransomware Reads
- Protecting Against Kerberos Golden Ticket, Silver Ticket, & Pass-The-Ticket Attacks
- Protection Against Targeted Active Directory Ransomware
- Ghost in the Shell: Protecting Against Active Directory Lateral Movement
- Lateral Movement Using SMB Session Enumeration
- Preventing Threat Actors from Taking Advantage of Bloodhound 3.0
Organizations choose Attivo Networks because they:
- Get substantiated detection of ransomware activity.
- Deny ransomware the ability to escalate privileges or spread to production network shares and removable media.
- Prevent ransomware from damaging data by denying it visibility into, and access to, files, folders, attached storage, and network or cloud shares.
- Gain broad protection and accurate detection regardless of ransomware strain or attack sophistication.
[Figure: Active Directory Objects; Active Directory Credentials]
Most misconfigurations and weaknesses found in Active Directory:
- Controlling privileged credentials and limiting which accounts have these privileges
- Lack of visibility into when privileged accounts are used
- How they are exposed at the endpoints
– Mandiant, Assessing Ransomware Preparedness