Ransomware in 2024: Lateral Movement Techniques and Prevention Strategies

Introduction: The Growing Threat of Ransomware and Lateral Movement

Ransomware continues to be a significant threat to organizations across all industries. One of the most concerning trends is the increasing use of lateral movement techniques by ransomware actors to spread their malicious payloads across networked environments. This tactic allows attackers to maximize the impact of their campaigns, potentially encrypting data on thousands of endpoints and exfiltrating sensitive information.

For CISOs, Security Architects, and IT leaders in manufacturing, industrial, and healthcare organizations with large device footprints, understanding these evolving tactics is crucial. This blog post will explore seven prominent ransomware variants observed in 2024, their lateral movement techniques, and actionable strategies to protect your organization.

Ransomware Variants and Their Lateral Movement Techniques

Fog Ransomware

Fog ransomware, first observed in early 2024, has been targeting educational organizations in the United States.

Detection: Fog ransomware can be detected through monitoring for suspicious PowerShell and batch script execution, as well as unusual SMB activity.

Initial Intrusion: Fog actors typically gain access by exploiting vulnerabilities in internet-facing VPN services or through compromised credentials.

Lateral Movement: Once inside a network, Fog ransomware uses living off the land techniques, leveraging native Windows tools like PowerShell and WMI for lateral movement. It also utilizes the PsExec tool for remote execution.

Data Exfiltration: Fog actors have been observed using the MEGA file storage service for data exfiltration before encryption.

Storm-0501 Ransomware

Storm-0501 is a ransomware-as-a-service (RaaS) operation that has been targeting various sectors, including government and healthcare.

Detection: Look for signs of privilege escalation, unusual administrative tool usage, and unexpected outbound data transfers.

Initial Intrusion: Storm-0501 often exploits vulnerabilities in public-facing applications, such as Citrix ADC and FortiOS.

Lateral Movement: This group leverages compromised domain admin credentials and tools like Cobalt Strike for lateral movement. They've also been observed using AnyDesk for remote access.

Data Exfiltration: Storm-0501 uses tools like Rclone to exfiltrate data to cloud storage services before encryption.

Mimic Ransomware

Mimic ransomware has been observed targeting multiple sectors, including manufacturing and healthcare.

Detection: Monitor for unexpected PowerShell commands, suspicious use of system utilities, and attempts to disable security software.

Initial Intrusion: Mimic often gains initial access through phishing emails or by exploiting unpatched vulnerabilities.

Lateral Movement: This ransomware uses a combination of legitimate remote administration tools and custom scripts for lateral movement. It's known to leverage RDP and PsExec extensively.

Data Exfiltration: Mimic employs a double extortion model, exfiltrating data using tools like WinSCP before encryption.

RansomHub Ransomware

RansomHub is a relatively new player in the ransomware landscape, targeting various critical infrastructure sectors.

Detection: Look for signs of credential dumping, unusual network scanning activity, and unexpected changes to Group Policy Objects.

Initial Intrusion: RansomHub actors often use phishing attacks or exploit public-facing vulnerabilities for initial access.

Lateral Movement: This group leverages both built-in Windows tools and custom scripts for lateral movement. They've been observed using Mimikatz for credential theft to facilitate spread.

Data Exfiltration: RansomHub uses a variety of tools for data exfiltration, including FTP clients and cloud storage services.

Rhysida Ransomware

Rhysida has been particularly active in targeting education and healthcare sectors.

Detection: Monitor for unusual PowerShell activity, attempts to disable security software, and unexpected admin account creation.

Initial Intrusion: Rhysida often gains access through vulnerable VPN services or by exploiting public-facing applications.

Lateral Movement: This ransomware leverages stolen credentials and living off the land techniques for lateral movement. It's known to use PsExec and RDP extensively.

Data Exfiltration: Rhysida employs a double extortion model, exfiltrating data before encryption using tools like Rclone.

BlackBasta Ransomware

BlackBasta has been a prominent threat across multiple sectors, known for its aggressive tactics.

Detection: Look for signs of Active Directory enumeration, attempts to disable endpoint security, and unexpected data compression activities.

Initial Intrusion: BlackBasta often gains initial access through phishing campaigns or by exploiting vulnerabilities in internet-facing systems.

Lateral Movement: This group is known for its extensive use of Cobalt Strike for lateral movement. They also leverage stolen credentials and RDP connections.

Data Exfiltration: BlackBasta exfiltrates data using a variety of methods, including custom tools and legitimate file transfer protocols.

LockBit Ransomware

LockBit remains one of the most prolific ransomware threats, continuously evolving its tactics.

Detection: Monitor for unusual PowerShell scripts, attempts to access LSASS memory, and unexpected use of data compression tools.

Initial Intrusion: LockBit actors often use phishing emails, exploit public-facing vulnerabilities, or purchase access from initial access brokers.

Lateral Movement: This ransomware leverages a wide array of tools for lateral movement, including Cobalt Strike, Mimikatz, and RDP. They're also known to use custom tools to disable security software.

Data Exfiltration: LockBit employs sophisticated data exfiltration techniques, often using custom tools and leveraging cloud storage services.

Common Lateral Movement Tactics and Techniques

Across these ransomware variants, several common lateral movement tactics and techniques emerge:

1. Credential theft and reuse
2. Exploitation of remote services like RDP
3. Use of living off the land techniques
4. Leveraging legitimate remote administration tools
5. Extensive use of PowerShell and WMI
6. Deployment of Cobalt Strike or similar C2 frameworks

Preventing Ransomware: CISA #StopRansomware Recommendations

The CISA #StopRansomware guide provides comprehensive recommendations for preventing ransomware attacks, with a particular focus on mitigating lateral movement. Here are key strategies organizations should implement:

Network Segmentation and Microsegmentation

One of the most effective ways to limit lateral movement is through proper network segmentation. By dividing your network into smaller, isolated segments, you can contain potential breaches and prevent ransomware from spreading across your entire infrastructure.

Microsegmentation takes this concept further by applying fine-grained security policies at the workload level. This approach allows organizations to create secure zones in data centers and cloud deployments, significantly reducing the attack surface.

Implement Least Privilege and Zero Trust Principles

Apply the principle of least privilege to all systems and services, ensuring users only have the access they need to perform their jobs. This limits the potential damage if a single account is compromised.

Adopting a Zero Trust architecture assumes no user or device should be trusted by default, even if they're already inside the network perimeter. This approach can significantly hinder lateral movement attempts.

Enhance Detection and Response Capabilities

Implement robust logging and monitoring solutions across your network. This includes:

• 100% Device discovery and visibility of all users, workloads and devices across networks
• Centralized log management
• Security information and event management (SIEM) tools
• Endpoint detection and response (EDR) solutions

These tools can help you quickly identify and respond to potential ransomware activity, including lateral movement attempts.

Secure Remote Access

Given the prevalence of remote work, securing remote access is crucial:

• Implement multi-factor authentication (MFA) for all remote access points
• Regularly audit and monitor remote access logs

Regular Patching and Vulnerability Management

Many ransomware attacks exploit known vulnerabilities. Implement a robust patch management program to ensure all endpoints, devices, systems and applications are up-to-date with the latest security patches.

Employee Training and Awareness

Human error remains a significant factor in successful ransomware attacks. Regular cybersecurity training for all employees can help reduce the risk of phishing attacks and other social engineering tactics used for initial access.

Build A Proactive Approach to Ransomware Prevention

As ransomware attacks continue to evolve, leveraging sophisticated lateral movement techniques, organizations must adopt a proactive, multi-layered approach to cybersecurity. By implementing the strategies outlined in this post, particularly network segmentation and microsegmentation, you can significantly reduce the risk of a successful ransomware attack.

Read the Forrester Wave™ Microsegmentation, Q3 2024 and learn how modern identity-based microsegmetation platforms like Elisity are enabling enterprises to prevent ransomware and lateral movement. 

Remember, cybersecurity is an ongoing process. Regularly assess your security posture, stay informed about emerging threats, and be prepared to adapt your defenses as the threat landscape evolves. With the right combination of people, processes, and technology, your teams can build a resilient defense against even the most sophisticated ransomware attacks.

To learn more about how the Elisity platform can help protect your organization from lateral movement and east-west attacks while enhancing your overall security posture, contact us for a conversation or a personalized demo.