Scattered Spider just rewrote my ransomware playbook. They didn’t just break in. They didn’t just move laterally. They fought back. Incident response started closing doors and Scattered Spider pried them back open, countered security moves in real time, and actively sabotaged the organization’s operations on their way out. This isn’t the future of ransomware. It’s here.

A few painful lessons:
- Social engineering is faster than brute force. Scattered Spider impersonated a CFO and convinced the help desk to reset MFA... and it worked!
- Over-privileged executive accounts remain soft targets. They offer maximum access and minimum resistance.
- Cloud misconfigurations and virtual machines are blind spots. The attackers moved through virtual desktops, spun up new machines, and operated without endpoint detection visibility.
- Persistence matters. Even after discovery, the attackers leveraged administrator-level control to claw back access and delay eviction.
- Real-world tug-of-war is now part of the threat landscape. They weren’t afraid to burn the environment down.

Here is how we (Incident Response) can start to prepare:
- Strengthen identity verification, especially for help desk resets. Voice-based verification is not enough.
- Audit executive accounts for unnecessary privileges. Just because it’s the CFO doesn’t mean they need domain-wide access.
- Segment and actively monitor your virtual environments. Treat VDI and VMware ESXi like critical infrastructure.
- Plan for post-discovery adversaries. Assume they’ll fight to stay. Build recovery and containment playbooks for hostile evictions.

Scattered Spider showed us what the next generation of attackers looks like. They don’t just steal data. They disrupt. They linger. And they’re watching how you respond. You get what you rehearse, not what you intend. Start rehearsing now.
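The first two lessons in the post above (a help-desk MFA reset obtained by impersonation, and an executive account holding domain-wide rights) can both be turned into checks. The following is an added example, not code from the post's author: it correlates help-desk MFA resets that used weak verification with the sign-ins that follow from devices the user has never used, and separately audits executive accounts for domain-wide roles. The event records, field names (`verification`, `device`, `ticket`), group names and the 24-hour window are constructed assumptions, not any identity provider's or ticketing system's real schema.

```python
"""Added example (not from the original post): correlate help-desk MFA resets
with the sign-ins that follow, and flag executive accounts holding domain-wide
roles. Event records, field names and group names are constructed assumptions,
not any IdP's or ticketing system's real schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Verification methods that are not enough on their own (assumed labels).
WEAK_VERIFICATION = {"voice", "caller_id", "none"}
CORRELATION_WINDOW = timedelta(hours=24)
# Roles that grant domain-wide or hypervisor-wide control (assumed group names).
DOMAIN_WIDE_ROLES = {"Domain Admins", "Enterprise Admins", "Global Administrator", "ESXi Admins"}


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def correlate_mfa_resets(events, known_devices):
    """events: list of dicts sorted by ts. known_devices: user -> set of device ids.
    Returns one alert per (reset, sign-in) pair where the reset used weak
    verification and the sign-in came from an unseen device inside the window."""
    pending = defaultdict(list)  # user -> reset events awaiting a sign-in
    alerts = []
    for e in events:
        if e["type"] == "mfa_reset":
            pending[e["user"]].append(e)
        elif e["type"] == "sign_in":
            for r in pending[e["user"]]:
                if _ts(e["ts"]) - _ts(r["ts"]) > CORRELATION_WINDOW:
                    continue  # too old to be the reset that enabled this sign-in
                weak = r["verification"] in WEAK_VERIFICATION
                new_device = e["device"] not in known_devices.get(e["user"], set())
                if weak and new_device:
                    alerts.append({
                        "user": e["user"], "reset_ts": r["ts"], "ticket": r["ticket"],
                        "verification": r["verification"], "sign_in_ts": e["ts"],
                        "device": e["device"], "severity": "high",
                    })
    return alerts


def audit_executive_privileges(accounts):
    """accounts: list of dicts with user, title, executive flag and groups.
    Returns executives whose group membership includes a domain-wide role."""
    findings = []
    for a in accounts:
        excess = sorted(set(a["groups"]) & DOMAIN_WIDE_ROLES)
        if a.get("executive") and excess:
            findings.append({"user": a["user"], "title": a["title"], "roles": excess})
    return findings


# Constructed sample telemetry (not real logs). Timestamps are ISO 8601.
SAMPLE_EVENTS = [
    {"type": "mfa_reset", "ts": "2025-03-04T09:12:00", "user": "cfo", "ticket": "HD-10421", "verification": "voice"},
    {"type": "sign_in", "ts": "2025-03-04T09:15:30", "user": "cfo", "device": "dev-unknown-77", "ip": "198.51.100.23"},
    {"type": "mfa_reset", "ts": "2025-03-04T10:00:00", "user": "alice", "ticket": "HD-10422", "verification": "video_badge"},
    {"type": "sign_in", "ts": "2025-03-04T10:05:00", "user": "alice", "device": "dev-new-12", "ip": "198.51.100.24"},
    {"type": "sign_in", "ts": "2025-03-05T09:13:00", "user": "cfo", "device": "dev-known-1", "ip": "192.0.2.10"},
    {"type": "sign_in", "ts": "2025-03-06T08:00:00", "user": "cfo", "device": "dev-unknown-88", "ip": "203.0.113.5"},
]
KNOWN_DEVICES = {"cfo": {"dev-known-1"}, "alice": set()}

SAMPLE_ACCOUNTS = [
    {"user": "cfo", "title": "Chief Financial Officer", "executive": True,
     "groups": ["Finance-Users", "Domain Admins", "ESXi Admins"]},
    {"user": "alice", "title": "Platform Engineer", "executive": False, "groups": ["Domain Admins"]},
]

if __name__ == "__main__":
    for a in correlate_mfa_resets(SAMPLE_EVENTS, KNOWN_DEVICES):
        print("ALERT", a)
    for f in audit_executive_privileges(SAMPLE_ACCOUNTS):
        print("FINDING", f)
```

In the constructed data only the CFO's reset fires: the reset was verified by voice and the first sign-in afterwards comes from a device never seen for that account. Alice's reset used a stronger method, so her new-device sign-in is not alerted, and the CFO's later sign-in from an unknown device falls outside the window. The audit then shows the CFO account sitting in both a domain-admin and a hypervisor-admin group, which is exactly the "maximum access, minimum resistance" combination the post warns about.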
How to Prepare Your Company for Ransomware Attacks
Explore top LinkedIn content from expert professionals.
Summary
Ransomware attacks are a growing threat that can encrypt critical data, disrupt operations, and exploit security weaknesses. Preparing your company involves planning and practicing for these incidents to minimize damage and recovery time.
- Fortify identity controls: Implement strong multi-factor authentication, limit privileged account access, and enable automatic monitoring for suspicious activities to reduce risks.
- Practice incident response: Regularly rehearse scenarios like disconnecting systems or switching to manual processes to ensure your team can act quickly during an attack.
- Secure critical assets: Identify and protect essential data with restricted access, append-only backups that an attacker cannot overwrite, and monitoring tools, so you can recover quickly after an attack.
I think 90% of companies couldn't pull their own plug. Here are some ideas...

ICYMI, Co-op avoided a more severe cyber attack by disconnecting its own network and choosing a self-imposed short-term disruption to prevent a longer-term one caused by criminals. We've all read stories about that "critical moment at 2 AM" when some security leader has to make the call to take the entire company offline to apply a digital tourniquet. But how many companies could "pull the plug" even if they wanted to? The interconnected "plugs" are all virtual in today's IT landscape. And what else do you need to do quickly when faced with impending cyber doom? Here are some quick tips to ponder:

1⃣ Practice "pulling the plug" as a part of your BCDR preparedness.
• What is the business disruption impact?
• How do you notify users?
• Can you still log in?
• How are customers affected?
• What middleware comms will function?
• Do you need out-of-band comms?

2⃣ Consider using access control instead of a full disconnect.
• Can you block all egress or ingress with a few firewall or router rules?
• What about SaaS and cloud?
• Could you push some ready-to-go emergency endpoint hardening rules instantly? (Assume your endpoint management/orchestration platform is not compromised, and if it was, that you could switch to a backup method, such as using EDR command & control.)

3⃣ Think about identity - lots of ways to slow an attacker or prevent new login sessions using identity controls.
• Would blocking all user logins except a few designated, safe logins allow for a more limited disconnect?
• Maybe you only need to block egress, or some egress.
• Maybe you only need to block RDP and NetBIOS internally.
• Do you have a trusted business-critical allowlist that could have precedence above an all-block rule?
• If yes, is the allowlist translated into discrete source/destination/protocol access policies that could be deployed quickly?

4⃣ Can you reset all privileged credentials quickly?
• Most companies do this manually, but you need to be able to do it with push-button automation.
• What if access was obtained via API keys? Can you reset API keys quickly?
• What about currently active sessions?
• What about SaaS and cloud?

"Pulling the plug" is a lot more complicated than most realize until you start planning and practicing for scenarios that may require it. My message to all is not only to practice pulling the plug, but to define the different scenarios and degrees of emergency access changes to deploy so you can be more surgical and limit business impact. This list is just the tip of the iceberg. What am I missing?
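The post asks whether a business-critical allowlist is already translated into discrete source/destination/protocol policies that take precedence over an all-block rule, and whether several degrees of disconnect are defined in advance. The following is an added example, not code from the post's author: it compiles a constructed allowlist into an ordered rule chain, defines three scenarios of increasing severity (block lateral RDP/SMB, block egress, full disconnect), dry-runs sample flows against each policy the way a first-match firewall would, and renders the result as nftables statements. The addresses use RFC 1918 and RFC 5737 ranges, and the rendering assumes an `inet` table named `emergency` with a `forward` chain already exists; both are assumptions for illustration.

```python
"""Added example (not from the original post): compile a business-critical
allowlist into ordered firewall rules that take precedence over an all-block
rule, then dry-run sample flows to confirm a "surgical disconnect" keeps
critical traffic alive while everything else is dropped. Hosts, subnets,
services and the nftables table/chain names are constructed placeholders."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "accept" or "drop"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port, None = any

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        def in_net(ip: str, cidr: str) -> bool:
            return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)
        return (in_net(src, self.src) and in_net(dst, self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


# Constructed business-critical allowlist: (description, src, dst, proto, dport).
ALLOWLIST = [
    ("IR jump host -> ESXi mgmt", "10.0.50.10/32", "10.0.10.0/24", "tcp", 443),
    ("Payroll app -> DB",         "10.0.20.5/32",  "10.0.30.7/32", "tcp", 1433),
    ("Backup server -> vault",    "10.0.40.2/32",  "10.0.41.0/24", "tcp", 9418),
    ("Any internal -> DNS",       "10.0.0.0/8",    "10.0.1.53/32", "udp", 53),
]

# Degrees of emergency access change, from most surgical to full disconnect.
SCENARIOS = {
    "block_lateral_rdp_smb": [Rule("drop", "any", "any", "tcp", 3389),
                              Rule("drop", "any", "any", "tcp", 445)],
    "block_egress":          [Rule("accept", "10.0.0.0/8", "10.0.0.0/8", "any", None),
                              Rule("drop", "any", "any", "any", None)],
    "full_disconnect":       [Rule("drop", "any", "any", "any", None)],
}


def compile_policy(scenario: str):
    """Allowlist entries come first so they win over the scenario's block rules."""
    allow = [Rule("accept", s, d, p, port) for _, s, d, p, port in ALLOWLIST]
    return allow + SCENARIOS[scenario]


def evaluate(policy, src, dst, proto, dport, default="accept"):
    """First matching rule wins, as in a firewall chain with an accept default."""
    for r in policy:
        if r.matches(src, dst, proto, dport):
            return r.action
    return default


def to_nft(policy):
    """Render the chain as nftables statements (assumes table/chain already exist)."""
    lines = []
    for r in policy:
        parts = []
        if r.src != "any":
            parts.append(f"ip saddr {r.src}")
        if r.dst != "any":
            parts.append(f"ip daddr {r.dst}")
        if r.proto != "any":
            parts.append(r.proto if r.dport is None else f"{r.proto} dport {r.dport}")
        parts.append(r.action)
        lines.append("add rule inet emergency forward " + " ".join(parts))
    return lines


# Constructed sample flows: (src, dst, proto, dport).
SAMPLE_FLOWS = {
    "ir_to_esxi":      ("10.0.50.10", "10.0.10.21", "tcp", 443),
    "payroll_to_db":   ("10.0.20.5",  "10.0.30.7",  "tcp", 1433),
    "backup_to_vault": ("10.0.40.2",  "10.0.41.9",  "tcp", 9418),
    "ws_dns":          ("10.0.99.12", "10.0.1.53",  "udp", 53),
    "ws_rdp_lateral":  ("10.0.99.12", "10.0.99.40", "tcp", 3389),
    "ws_c2_egress":    ("10.0.99.12", "203.0.113.7", "tcp", 443),
    "ws_web_internal": ("10.0.99.12", "10.0.20.5",  "tcp", 443),
}
CRITICAL = ("ir_to_esxi", "payroll_to_db", "backup_to_vault", "ws_dns")


def dry_run(scenario: str):
    policy = compile_policy(scenario)
    return {name: evaluate(policy, *flow) for name, flow in SAMPLE_FLOWS.items()}


def allowlist_survives(scenario: str) -> bool:
    """True when every allowlisted flow is still accepted under the scenario."""
    results = dry_run(scenario)
    return all(results[n] == "accept" for n in CRITICAL)


if __name__ == "__main__":
    for name in SCENARIOS:
        print(name, dry_run(name), "allowlist ok:", allowlist_survives(name))
    print("\n".join(to_nft(compile_policy("full_disconnect"))))
```

The dry run is the point of the exercise: it answers "what still works if we push this tonight?" before the 2 AM call, and it catches allowlist entries that would be shadowed by a block rule placed above them. Keep the same allowlist for the identity layer (which accounts may still log in) and for SaaS egress, since a network-only block does nothing for cloud consoles.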
Some thoughts on ransomware stemming from a discussion this morning:

Key Levers of a Ransomware Attack
Ransomware attacks rely on two main factors: the speed to encrypt data and the speed of propagation.
1. Speed to Encrypt: Once attackers gain network access, their goal is rapid encryption. Splunk research shows encrypting 100 GB can take under five minutes, leaving little time for defenders to respond. This speed necessitates real-time detection and fast response mechanisms (see: https://lnkd.in/gGBKejGD).
2. Speed of Propagation: Beyond a single machine, ransomware’s effectiveness depends on how quickly it spreads across networks. Rapid propagation compromises multiple systems swiftly, complicating recovery. Attackers use vulnerabilities, weak credentials, and lateral movement to spread fast.

Impact of Ransomware
Ransomware’s impact extends beyond data encryption, affecting:
1. "Crown Jewels" Data: Ransomware threatens critical data—intellectual property, customer information, or strategic assets—whose compromise could lead to severe business or reputational damage. Protecting these assets is vital.
2. Critical Business Systems: Ransomware can disrupt essential systems like Oracle, SAP, and mainframes. Even with disaster recovery, restoring operations can be time-consuming and costly. Regularly tested recovery systems help mitigate this risk.
3. Worker Productivity: Ransomware disrupts productivity by encrypting end-user devices, halting daily operations. Fast propagation worsens this, as seen in incidents affecting school districts where productivity comes to a standstill.
4. Critical Workflows: Ransomware can force automated processes to revert to manual operations, which are slower and error-prone. This is particularly concerning in healthcare, where disrupted systems can risk patient safety, such as when hospitals switch to manual blood bank workflows, causing ER shutdowns.

Mitigation Strategies
Given these factors, organizations need a multi-layered approach to mitigate ransomware:
1. Immediate Response: Rapid detection and response are critical, as organizations may only have minutes or hours to intervene. Continuous monitoring, automated alerts, and prepared response teams are essential.
2. Manual Process Readiness: Regular drills to switch to manual processes can help maintain operations during disruptions. These exercises identify weaknesses and train staff to handle critical workflows when systems are down.
3. Protecting Crown Jewels: Organizations must identify and consolidate critical data in secure, restricted repositories. Implementing append-only backups ensures data restoration to a safe state. Creating specific threat models for crown jewels can drive security-by-design, helping prioritize SOC detection and response based on business impact.

#infosec #ransomware #cybersecurity Horizon3.ai
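The post's first lever, speed to encrypt, is what a real-time detection has to key on: a single process rewriting many files with ciphertext-like content in a few seconds. The following is an added example, not code from the post's author or from the Splunk research it cites: a minimal detector that measures the Shannon entropy of each write's content sample and raises an alert when one process produces a burst of high-entropy rewrites inside a sliding window. The event schema (`ts`, `pid`, `image`, `path`, `content`), the thresholds, and the sample telemetry are constructed assumptions; the "encrypted" content is seeded random bytes standing in for real ciphertext.

```python
"""Added example (not from the original post): a minimal "speed to encrypt"
detector. It consumes constructed file-write events, measures the Shannon
entropy of each write's content sample, and alerts when one process rewrites
many high-entropy files within a short window. Field names and thresholds are
assumptions, not any vendor's schema."""
import math
import random
from collections import defaultdict, deque

ENTROPY_THRESHOLD = 7.0    # bits/byte; ciphertext sits near 8, prose near 4-5
WINDOW_SECONDS = 10.0      # sliding window per process
MIN_FILES_IN_WINDOW = 20   # high-entropy rewrites needed to raise an alert


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class EncryptionBurstDetector:
    """Keeps, per process, the timestamps of recent high-entropy writes and
    raises an alert once enough of them land inside the window."""

    def __init__(self, threshold=ENTROPY_THRESHOLD, window=WINDOW_SECONDS,
                 min_files=MIN_FILES_IN_WINDOW):
        self.threshold = threshold
        self.window = window
        self.min_files = min_files
        self._hits = defaultdict(deque)   # pid -> deque of (ts, path)
        self.alerts = []

    def observe(self, event):
        """event: dict with ts (seconds), pid, image, path, content (bytes).
        Returns an alert dict when this event completes a burst, else None."""
        if shannon_entropy(event["content"]) < self.threshold:
            return None                    # plaintext-looking write, ignore
        q = self._hits[event["pid"]]
        q.append((event["ts"], event["path"]))
        while q and event["ts"] - q[0][0] > self.window:
            q.popleft()                    # expire writes older than the window
        if len(q) >= self.min_files:
            alert = {"pid": event["pid"], "image": event["image"], "files": len(q),
                     "first_ts": q[0][0], "last_ts": event["ts"],
                     "example_path": q[-1][1]}
            self.alerts.append(alert)
            q.clear()                      # one alert per burst, then re-arm
            return alert
        return None


def build_sample_events():
    """Constructed telemetry: a word processor saving prose, and one process
    overwriting 50 share files with ciphertext-like bytes in five seconds."""
    rng = random.Random(2024)
    events = []
    prose = b"Quarterly report draft - revenue, costs, headcount.\n" * 80
    for i in range(30):
        events.append({"ts": 100.0 + 2 * i, "pid": 4321, "image": "winword.exe",
                       "path": f"C:\\Users\\jdoe\\Documents\\draft{i}.docx",
                       "content": prose})
    for i in range(50):
        events.append({"ts": 120.0 + 0.1 * i, "pid": 9876, "image": "svchost_.exe",
                       "path": f"\\\\fileshare\\finance\\doc{i}.xlsx.locked",
                       "content": rng.randbytes(4096)})   # stand-in for encrypted output
    events.sort(key=lambda e: e["ts"])
    return events


def run_detector(events=None):
    """Feed events through the detector and return the alerts it raised."""
    det = EncryptionBurstDetector()
    for e in (events if events is not None else build_sample_events()):
        det.observe(e)
    return det.alerts


if __name__ == "__main__":
    for a in run_detector():
        print("ALERT", a)
```

The sample burst of 50 files at one write per 100 ms produces two alerts from the same process (the detector re-arms after each), while the editor's plaintext saves never count. The budget this implies is the post's point: at the cited rate (100 GB in under five minutes, roughly 330 MB/s) the response action, such as killing the process or isolating the host, has to follow the first alert within seconds, so it needs to be automated rather than waiting on an analyst. Expect false positives from compression, archiving and legitimate encryption tools, which also write high-entropy data; in practice pair the entropy signal with extension renames and an allowlist of known images.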