After a long time of doing research and writing, the book is now finally released! which can be found here –> Amazon.com: Windows Ransomware Detection and Protection: Securing Windows endpoints, the cloud, and infrastructure using Microsoft Intune, Sentinel, and Defender: 9781803246345: Sandbu, Marius: Books
Composing a book on a broad subject like ransomware presented numerous challenges, as it had to encompass extensive details on attack vectors, patterns, real-world examples, and offer comprehensive insights into various protection mechanisms for your environment. The persistent issue was striking a balance between in-depth exploration and maintaining a high-level perspective on each topic.
Although the book emphasizes technical aspects, it also delves into the culture and ways to remain informed about the evolving threat landscape, employing cutting-edge tools for gathering intelligence and tracking relevant news sources.
Ransomware may not be as intricate as rocket science; in fact, it’s relatively simple. In the majority of ransomware cases, I’ve worked on, it either began with a brute-force attack on a server lacking security barriers or a basic phishing attack which then was used to compromise a machine, ultimately resulting in full domain admin rights. Attackers achieve this by exploiting weak internal security measures or other existing vulnerabilities to gain access. All the attacks were targeted towards environments that comprised a Windows-based system and utilized Active Directory as the core component.
As a result, implementing security measures ALWAYS involves establishing multiple layers of protection (as discussed in my previous blog post ” Part One: Analyzing the Anatomy of a Ransomware Attack – msandbu.org) concerning attack vectors. It is essential to have security mechanisms for different parts of your infrastructure and services. such as for your email services, safeguard against straightforward brute-force attacks, and defend against the exploitation of vulnerabilities to mention a few. While to many have been focusing on protecting the “perimeter” but having less focus on what is in place on the inside.
Although there has been a general decrease in ransomware attacks over the past few years, the last two months have witnessed a concerning surge in new ransomware victims. This trend has been particularly pronounced in the past month, with one hundred new companies being added to Clop’s data leak site. Clop claims to have extorted these companies after breaching their GoAnywhere services using a zero-day vulnerability.We have also seen new ransomware groups emerging such as Dark Power.
In addition, we have seen many new vulnerabilities as of late, such as for Microsoft Office Outlook with CVE-2023-23397, also new cryptojacking operations targeting Kubernetes –> CrowdStrike Discovers First-Ever Dero Cryptojacking Campaign Targeting Kubernetes, which might also be that attackers are now going to be more interested into attacking Kubernetes based environments.
In the Internet Crime Report from the FBI (https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf) They reported receiving 870 complaints, indicating that organizations within critical infrastructure sectors had fallen victim to ransomware attacks. Most of these victims were in the healthcare sector, where many systems consist of outdated equipment that cannot be upgraded to newer versions, posing a significant security risk.
Despite this, the threat landscape is constantly changing. For those that purchase this book , I hope it can provide you with an overview of attack vectors and the various countermeasures that can be implemented across different layers to help you.