Ransomware will only infect work computers true or false

  • The short answer is that ransomware spreads to other computers the same way we move, edit, and save files from the other machines, via SMB protocols, via exploits for permissions, or all of the above depending on which option(s) are easiest, and which form of ransomware you get. Most malware will use the simplest method possible to do what it does, basically because it's less work than coming up with something novel when a built-in, useful process can be abused instead. There are variants that can use things like RDP, but they're more likely to just use more common file services/permissions than they are to look for less common or more secure methods most times. Again though, there's malware for just about any method you can think of, because where there's a will, there's a way.

    The best approach to defending against that kind of stuff in my experience is just to make it more trouble than they want to bother with to get what they want, because their time (like ours) is finite, and they may not actually find the easier target they're looking for while they still have time for their malware to be effective with any luck.


  • Each piece of malware is different and has different capabilities. They can move across the network via zero day exploits, or known exploits that haven't been patched, or by brute forcing credentials, or by elevating privileges, or via pass the hash attacks, or via various attacks against AD and Kerberos such as golden ticket.

    The attacker may use human as well as automated reconnaissance and methods for moving through the network before the devastating payload is delivered.


  • Firstly, detect how this first computer was infected. Some malware indeed uses network connections to propagate itself: it scans the local network, generally targeting some defined unpatched OS flaw, and takes advantage of this to propagate.

    Also, look for what machines the infected computer had access to. If the infected computer was a domain-joined Windows machine, the infected machine and the users logged into it may very well have had access to other computers on the network, placing them at risk.

    Constant backups are a must! It’s important to use a back-up location that is not directly connected to the local system, such as a cloud account and an external drive.

    It might be good to have a read up about how to detect and prevent the spread of ransomware.

    Additionally, have a look at LepideAuditor to spot the symptoms of a ransomware attack in the form of real-time or threshold alerts and take appropriate action.


  • I would suggest a detailed study of Emotet, TrickBot and RYUK - IMNERHO the nastiest of the bunch.  They seem to have found many ways to spread (or not spread, if you're running Linux) to any network-connected computer, even without Admin-level permissions.  Even with anti-whatever software installed & running (they can stop & delete most common AV products, including MS' own).  Scary stuff, but worth the time to read & understand.


  • I can speak from some personal experience. 

    It can be performed through a combination of elevated credentials and remote execution.  When the malware gains control of a single system, often with lowered privileges, it can either immediately start encrypting what file shares it can, or it can lay dormant.  In the first case it doesn't spread so much as it searches your network for file shares for which it has write privileges and starts encrypting all the files to which it has access.  So if you have a file server with shared folders to which that user has write access, it encrypts all those files.

    In the second case, the malware can lay dormant looking for ways to elevate its access.  This may mean brute forcing the admin credentials, stealing tokens or using a keylogger to get an admin password.  Once it has network admin credentials it has the ability to access the built-in admin share folders of all the computers on the network.  That access in combination with a remote execution tool like PSEXEC will allow the malware to copy and execute code across all your networked computers.

    It's like a damn nightmare.

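A defender-side check for the first case described in the post above (a compromised account rewriting every file on a share it can write to). This is an added example, not code from the thread: it runs a sliding-window burst detector over constructed file-share audit lines and assumes a simplified `timestamp user share action file` layout rather than raw Windows event XML.

```python
"""Detect ransomware-style mass rewriting of a file share from audit events.
Added example; log lines are constructed stand-ins for Windows 5145/4663 records."""
from collections import defaultdict
from datetime import datetime

# Types a normal session writes; bulk writes of anything else plus deletions of the originals is an encryptor's footprint.
KNOWN_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".jpg"}

SAMPLE_LOG = """\
2024-01-15T09:00:01 CORP\\alice \\\\fs01\\finance WRITE budget.xlsx
2024-01-15T09:01:00 CORP\\bob \\\\fs01\\finance WRITE q1.xlsx.locked
2024-01-15T09:01:00 CORP\\bob \\\\fs01\\finance DELETE q1.xlsx
2024-01-15T09:01:01 CORP\\bob \\\\fs01\\finance WRITE q2.xlsx.locked
2024-01-15T09:01:01 CORP\\bob \\\\fs01\\finance DELETE q2.xlsx
2024-01-15T09:01:02 CORP\\bob \\\\fs01\\finance DELETE q3.xlsx
"""

def parse_log(text):
    """Constructed '<timestamp> <user> <share> <action> <file>' lines -> sorted tuples."""
    rows = [line.split(maxsplit=4) for line in text.splitlines()]
    return sorted((datetime.fromisoformat(r[0]), *r[1:]) for r in rows)

def is_suspicious(action, name):
    """A delete, or a write creating a file type users do not normally make."""
    if action == "DELETE":
        return True
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return action == "WRITE" and ext not in KNOWN_EXTS

def detect_mass_rewrite(events, window_seconds=60, threshold=5):
    """{(user, share): peak burst} for actors hitting `threshold` suspicious
    operations on one share inside a sliding time window."""
    by_actor = defaultdict(list)
    for ts, user, share, action, name in events:
        if is_suspicious(action, name):
            by_actor[(user, share)].append(ts)
    flagged = {}
    for actor, times in by_actor.items():
        start = peak = 0
        for end, ts in enumerate(times):  # two-pointer sliding window
            while (ts - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[actor] = peak
    return flagged

if __name__ == "__main__":
    for (user, share), n in detect_mass_rewrite(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {user} rewrote {n} files on {share} within 60s")
```

The threshold and window are tuning knobs; on a real file server they should sit above the burst a legitimate batch job produces, and the alert is most useful when it triggers a share-level block of the offending account rather than only a log entry.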

  • The main thing you need to concern yourself with is lateral movement through your organization.

    It's not the single machine that's the problem, unless it's your file share server or main database or something. It's the propagation to other machines.

    Once your pc has ransomware on it, bad guys can run other hack tools with the same permissions.

    Those tools can pull hashed passwords out of memory. They can scan for vulnerabilities. Install a key sniffer. etc...

    It's why it's a bad idea to use the same local admin password on all your machines. If one pc is infected, now they have the keys to every machine. 

    Look into LAPS at a minimum. 


  • As has already been pointed out, ransomware, like any malware, can use a number of techniques to move laterally through your network. Typically, it is an unpatched vulnerability that enables this. WannaCry and NotPetya for example, could compromise an entire, vulnerable, class C network in under 40 seconds. More recent strains are not deployed until initial reconnaissance has been performed and an attack strategy refined. 

    It has been said that "the endpoint is the new perimeter", and that is too true. Against modern threats, traditional perimeter defenses are just not an effective tool. They're still necessary, of course, but they will not protect against the things that your users are allowed to bring into your network. 


  • Ransomware is vicious, which you've already experienced. To support what you've been provided already from everyone here, we have additional information to help with the education.  https://www.knowbe4.com/ransomware

    We also have a free RanSim tool which can see how susceptible a computer is to Ransomware. (https://www.knowbe4.com/ransomware-simulator)


  • I love that RanSim tool. Want to see if your security analysts are on their toes? Fire up that little widget. :)

  • Mapped drives are often the cause of crypto-spread. I try to minimize them and make sure to tell the end-users why they are dangerous.

    Also - Learn to embrace the LTO tape. Old school technology I know, but they can't mess with a tape that isn't in the drive.
