Ransomware Prevention
5 automated security scanners
EDR Evasion Resilience
Purpose: The EDR Evasion Resilience Scanner is designed to detect techniques adversaries use to bypass Endpoint Detection and Response (EDR) systems: disabling, bypassing or removing EDR software, process injection, installation of rootkits or malware, and communication with command and control servers.
What It Detects:
- EDR Bypass Techniques: Identifies attempts to disable or bypass EDR systems using text patterns.
- Example patterns:
bypass\s*edr
disable\s*edr
remove\s*edr
Note that \s* permits only whitespace between the verb and “edr”, so a name written as bypass_edr or bypass-edr is not matched unless the separator class is widened (for example to [\s_-]*).
- Process Injection Indicators: Recognizes signs of process injection, a common tactic used by adversaries to hide their activities within the system.
- Rootkit and Malware Installation: Detects indicators related to the installation of rootkits or malware that can evade detection.
- Command and Control (C2) Communication: Identifies any communication with command and control servers, which is crucial for understanding the extent of an adversary’s presence in a network.
- Defense Evasion Tools Usage: Recognizes the use of specific tools known for evading security measures such as Mimikatz, Cobalt Strike, and other defense evasion tools.
Inputs Required:
- domain (string): Primary domain to analyze (e.g., acme.com); findings are scoped to activity related to this domain.
Business Impact: This scanner is crucial for enhancing the resilience of EDR systems against sophisticated cyber threats. By detecting early signs of evasion techniques, organizations can take proactive measures to strengthen their security posture and reduce the risk of data breaches or unauthorized access.
Risk Levels:
- Critical: Findings that indicate a direct bypass of current EDR defenses with high confidence, potentially leading to immediate exposure of sensitive information.
- High: Significant indicators of evasion techniques that could significantly impact security posture if not addressed promptly.
- Medium: Weaknesses in configuration or usage patterns that might be exploited by adversaries but do not pose an immediate critical threat.
- Low: Minor deviations from normal behavior that may require further investigation to confirm their benign nature, such as minor anomalies in network traffic.
- Info: Routine activities and harmless configurations that are within the expected baseline for the given environment.
If specific risk levels are not detailed in the README, they have been inferred based on the purpose of the scanner and its potential impact.
Example Findings:
- Detection of a suspicious process named “bypass_edr” attempting to disable EDR software.
- Identification of unusual network traffic directed towards known C2 servers, suggesting possible command and control activity.
Data Protection Controls
Purpose: The Data Protection Controls Scanner is designed to identify and assess shadow copy protection and backup isolation mechanisms. Its objective is to confirm that data can be recovered after a ransomware attack by verifying that backups exist, are isolated from production and remain restorable.
What It Detects:
- Shadow Copy Verification: Checks for the existence of shadow copies on Windows systems, identifying if Volume Shadow Copies (VSS) are enabled and properly configured.
- Backup Isolation: Ensures that backups are stored in isolated environments to prevent ransomware from encrypting them, verifying that backup data is not accessible from the same network as production systems.
- Backup Frequency and Retention: Evaluates the frequency of backup operations and checks if backup retention policies comply with best practices (e.g., multiple generations, offsite storage).
- Encryption of Backups: Verifies that backups are encrypted to protect data confidentiality even if they are compromised.
- Backup Accessibility and Recovery Testing: Tests the accessibility of backup data and simulates recovery procedures to ensure that backups can be restored successfully in case of a ransomware attack.
Inputs Required:
- domain (string): Primary domain to analyze (e.g., acme.com)
Business Impact: Robust data protection controls are essential to the confidentiality, integrity and availability of critical information assets. Isolated, tested backups and protected shadow copies are the last line of defense against ransomware, which otherwise causes significant financial loss and operational disruption.
Risk Levels:
- Critical: Shadow copies or backups cannot be found or verified, leaving no recovery path if ransomware encrypts production data.
- High: Inadequate backup frequency or encryption levels can significantly increase the risk of data loss and compromise during a ransomware attack, potentially leading to substantial business impact.
- Medium: Backups are only partially isolated (for example, a backup share reachable from the production network for convenience of recovery); this may be acceptable within an organization’s risk tolerance, but it leaves the backups exposed to the same ransomware that reaches production.
- Low: Minimal impact is expected from informational findings regarding the presence of shadow copies and basic backup configurations, unless these are part of a larger compliance or audit requirement.
- Info: These findings pertain to standard configurations and practices that do not pose immediate risk but contribute to overall security posture enhancement through continuous monitoring and improvement initiatives.
Example Findings:
- A system with active shadow copies but no separate backup solution: shadow copies alone are not a backup, since ransomware routinely deletes them (for example with vssadmin delete shadows) before encrypting, so this is a high risk of data loss.
- An organization using outdated encryption methods for backups that do not meet current industry standards, which could be considered medium risk depending on the sensitivity and criticality of the backed-up data.
Initial Access Vector Analysis
Purpose: The Initial Access Vector Analysis Scanner detects and analyzes weaknesses in phishing resilience, remote service hardening, command and control activity, unauthorized access points and known exploited vulnerabilities. It uses threat intelligence feeds to identify patterns associated with malware, ransomware, trojans, phishing, credential harvesting, exposed services, leaked data and CVE identifiers, with the goal of closing the entry points ransomware operators use.
What It Detects:
- Phishing Resilience Indicators: The scanner identifies patterns related to malware, ransomware, trojan, phishing, and credential harvesting within the domain exposure analysis.
- Remote Service Vulnerabilities: It detects vulnerabilities such as CVE numbers associated with exposed services, leaked data breaches, and unauthorized access points.
- Command and Control (C2) Activity: The scanner identifies any indicators of command and control server activities that may indicate malicious intent or unauthorized access to sensitive information.
- Unauthorized Access Indicators: It flags potential unauthorized access attempts through the detection of sensitive data dumps from compromised systems.
- Known Exploited Vulnerabilities (KEV): The scanner cross-references identified vulnerabilities with those reported by CISA as known exploited, providing critical insights into potentially vulnerable systems and networks.
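A worked example of the KEV cross-reference described above, written for this page and not the scanner’s own code: it pulls CVE identifiers out of free text with the CVE pattern this page lists for the Lateral Movement Controls scanner, normalizes them, and rates each one against a catalog in the shape of CISA’s known_exploited_vulnerabilities.json feed. The catalog below is a constructed two-entry sample that uses the feed’s field names (the CVE-2030-000x identifiers are deliberately unassigned placeholders); rating KEV entries without known ransomware use as High is this example’s assumption.

```python
import json
import re

# CVE identifier pattern as listed on this page (Lateral Movement Controls section).
CVE_RE = re.compile(r"CVE-[0-9]{4}-[0-9]+", re.IGNORECASE)

# Constructed excerpt using the field names of CISA's known_exploited_vulnerabilities.json
# feed. The entries are sample data for this example, not a copy of the catalog;
# CVE-2030-000x are deliberately unassigned placeholder IDs.
KEV_SAMPLE_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "sample",
  "count": 2,
  "vulnerabilities": [
    {
      "cveID": "CVE-2021-44228",
      "vendorProject": "Apache",
      "product": "Log4j2",
      "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
      "dateAdded": "2021-12-10",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2021-12-24",
      "knownRansomwareCampaignUse": "Known"
    },
    {
      "cveID": "CVE-2030-0001",
      "vendorProject": "ExampleVendor",
      "product": "ExampleVPN",
      "vulnerabilityName": "ExampleVPN Authentication Bypass (placeholder)",
      "dateAdded": "2030-01-01",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2030-01-15",
      "knownRansomwareCampaignUse": "Unknown"
    }
  ]
}"""


def load_kev(raw_json):
    """Index a KEV-format feed by upper-cased CVE ID."""
    return {v["cveID"].upper(): v for v in json.loads(raw_json)["vulnerabilities"]}


def extract_cves(text):
    """CVE IDs in order of first appearance, upper-cased, duplicates dropped."""
    seen, ordered = set(), []
    for m in CVE_RE.finditer(text):
        cve = m.group(0).upper()
        if cve not in seen:
            seen.add(cve)
            ordered.append(cve)
    return ordered


def classify(cve, kev):
    """Risk level following the page's scale: Critical for a known-exploited CVE used in
    ransomware campaigns, High for other KEV entries (this example's assumption), and
    Medium for a CVE with no exploitation evidence in the feed."""
    entry = kev.get(cve)
    if entry is None:
        return "Medium"
    if entry.get("knownRansomwareCampaignUse") == "Known":
        return "Critical"
    return "High"


def analyze(text, kev):
    """One row per distinct CVE found in the text."""
    return [{"cve": cve, "in_kev": cve in kev, "risk": classify(cve, kev)}
            for cve in extract_cves(text)]


# Constructed exposure report for the example domain; the lower-case and repeated IDs are
# deliberate, to exercise normalization and de-duplication.
SAMPLE_REPORT = (
    "Exposure summary for acme.com: web tier affected by cve-2021-44228 (Log4Shell); "
    "VPN gateway reported CVE-2030-0001; legacy host flagged for CVE-2030-0002; "
    "second mention of CVE-2021-44228 on a staging host."
)

if __name__ == "__main__":
    for row in analyze(SAMPLE_REPORT, load_kev(KEV_SAMPLE_JSON)):
        print(row)
```

In production the same loader reads the downloaded feed; the point of keying on the upper-cased ID is that threat-intel text mixes cases, and the point of the Known/Unknown check is that the feed’s knownRansomwareCampaignUse field is the one signal that maps directly onto this page’s Critical level.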
Inputs Required:
- domain (string): Primary domain to analyze (e.g., acme.com).
Business Impact: The effectiveness of this scanner in identifying and mitigating potential security breaches can significantly impact an organization’s cybersecurity posture, helping prevent costly data breaches and ransomware attacks by providing early detection and analysis of compromised systems and unauthorized access points.
Risk Levels:
- Critical: Conditions that directly lead to significant damage or loss, such as the exposure of sensitive data through known vulnerabilities exploited in recent incidents (e.g., CVE-2019-1486).
- High: Conditions where high risk is posed by potential unauthorized access points and command and control activities indicative of malicious intent (e.g., identified phishing resilience indicators or exposed services).
- Medium: Conditions that may lead to moderate risks, such as the presence of vulnerabilities without immediate exploitative conditions but still requiring attention for mitigation (e.g., unpatched systems with known CVE numbers).
- Low: Informative findings indicating low risk unless accompanied by other indicators of compromise (e.g., isolated instances of phishing resilience patterns that do not align with recent threat intelligence).
- Info: Non-critical findings providing background information but without immediate security implications, such as routine exposure to known vulnerabilities in non-sensitive services.
Example Findings:
- “Malware detected on our network” - Indicates potential compromise through malware detection within the domain’s exposure analysis.
- “CVE-2021-44228 vulnerability found” - Flags Log4Shell, a vulnerability listed in the CISA KEV catalog with widespread exploitation, which the scale above rates Critical.
Lateral Movement Controls
Purpose: The Lateral Movement Controls Scanner detects and analyzes network segmentation and credential protection weaknesses by identifying potential lateral movement vectors within a domain. It focuses on exposed services, known vulnerabilities, malware indicators, command and control (C2) activity and signs of credential harvesting.
What It Detects:
- Exposed Services: Identifies open ports and services that could be exploited for unauthorized access.
- Example patterns:
ssh|telnet|ftp|http|https
- Known Vulnerabilities: Scans for known vulnerabilities using databases like CISA KEV and NVD/CVE.
- Example patterns:
CVE-[0-9]{4}-[0-9]+
- Malware Indicators: Detects indicators of malware or ransomware presence in the network.
- Example patterns:
malware|ransomware|trojan
- Command and Control (C2) Activity: Identifies potential C2 servers or command channels.
- Example patterns:
command\s*(?:and|&)\s*control|c2|c&c
- Credential Harvesting Attempts: Looks for signs of credential harvesting activities.
- Example patterns:
phishing|credential\s+harvesting
These patterns are unanchored substring matches, so expect false positives when they are applied to raw text: ftp matches sftp, http matches every https URL, and the bare c2 alternative matches any token containing “c2”, such as an ec2- hostname. Anchoring the short alternatives with word boundaries (\bc2\b) removes most of the noise. The Known Vulnerabilities pattern is different in kind: its hits are identifiers to cross-reference against KEV and NVD, not findings in themselves.
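The patterns above, together with the EDR Bypass patterns earlier on this page, run over a few constructed text lines as an added example that is not the scanners’ own code. It applies the page’s patterns verbatim next to a hardened set, so the miss and the false positives described above are visible: the page’s own example process name bypass_edr is not matched by bypass\s*edr, and an ec2- hostname trips the bare c2 alternative. The severity mapping, the hardened patterns and the sample lines are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Patterns copied from this page (EDR Evasion Resilience and Lateral Movement Controls),
# applied the way the page lists them: as unanchored substrings.
RAW_PATTERNS = {
    "edr_bypass": r"bypass\s*edr|disable\s*edr|remove\s*edr",
    "exposed_service": r"ssh|telnet|ftp|http|https",
    "malware": r"malware|ransomware|trojan",
    "c2": r"command\s*(?:and|&)\s*control|c2|c&c",
    "cred_harvest": r"phishing|credential\s+harvesting",
}

# Hardened variants (this example's assumption, not the scanner's code): word boundaries on
# the short alternatives, and a separator class that also accepts "_" and "-" before "edr".
HARDENED_PATTERNS = {
    "edr_bypass": r"\b(?:bypass|disable|remove)[\s_-]*edr\b",
    "exposed_service": r"\b(?:ssh|telnet|ftp|https?)\b",
    "malware": r"\b(?:malware|ransomware|trojan)\b",
    "c2": r"\bcommand\s*(?:and|&)\s*control\b|\bc2\b|\bc&c\b",
    "cred_harvest": r"\bphishing\b|\bcredential\s+harvesting\b",
}

# Severity per category, chosen here to mirror the page's risk-level text (an assumption).
SEVERITY = {"edr_bypass": "Critical", "c2": "High", "malware": "High",
            "cred_harvest": "High", "exposed_service": "Medium"}
RANK = ["Critical", "High", "Medium", "Low", "Info"]


@dataclass(frozen=True)
class Finding:
    line: int
    category: str
    severity: str
    matched: str


def scan(lines, patterns):
    """One Finding per (line, category) whose regex matches. Matching is case-insensitive
    because the page's patterns are lower-case while real text ("Disable EDR") is not."""
    compiled = {cat: re.compile(rx, re.IGNORECASE) for cat, rx in patterns.items()}
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for cat, rx in compiled.items():
            m = rx.search(line)
            if m:
                findings.append(Finding(lineno, cat, SEVERITY[cat], m.group(0)))
    return findings


def hits(findings):
    """Set of (line, category) pairs, convenient for comparing two pattern sets."""
    return {(f.line, f.category) for f in findings}


def highest_severity(findings):
    """Overall risk for a scan, or "Info" when nothing matched."""
    return min((f.severity for f in findings), key=RANK.index, default="Info")


# Constructed sample input (not real telemetry): one observation per line.
SAMPLE_LINES = [
    "proc: bypass_edr.exe started by CORP\\svc_backup",               # 1: page's example name
    "proc: powershell -c 'Disable EDR sensor'",                      # 2
    "dns: beacon to c2.example.net resolved",                        # 3
    "dns: ec2-54-12-34-56.compute-1.amazonaws.com resolved",         # 4: benign AWS host
    "intel: ransomware affiliate uses phishing for initial access",  # 5
    "svc: sftp listening on 22",                                     # 6: sftp, not ftp
    "svc: https listening on 443",                                   # 7
]

if __name__ == "__main__":
    for name, patterns in (("raw", RAW_PATTERNS), ("hardened", HARDENED_PATTERNS)):
        found = scan(SAMPLE_LINES, patterns)
        print(f"{name}: overall {highest_severity(found)}")
        for f in found:
            print(f"  line {f.line} {f.category:<15} {f.severity:<8} {f.matched!r}")
```

Running it shows the raw set missing line 1 entirely while flagging lines 4 and 6, and the hardened set catching line 1 and dropping both false positives; every other hit is identical, which is the check to run before tightening a production pattern.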
Inputs Required:
- domain (string): Primary domain to analyze (e.g., acme.com).
Business Impact: This scanner is crucial for organizations as it helps in identifying potential entry points and vulnerabilities that could be exploited by adversaries during a breach, thereby affecting the overall security posture of the organization. It aids in understanding the current network landscape and taking proactive measures to mitigate risks associated with lateral movement and credential theft.
Risk Levels:
- Critical: A critical vulnerability is present, or a highly exposed service (e.g., RDP on port 3389 reachable from the internet) can be exploited without valid credentials.
- High: Conditions involving common exploitation vectors such as outdated software, default credentials, and well-known vulnerability patterns.
- Medium: Conditions indicating potential risks but requiring further investigation or where mitigation might depend on specific circumstances (e.g., less commonly used services with known vulnerabilities).
- Low: Informational findings that do not pose immediate threats but could be indicators of future risk if left unaddressed.
- Info: General information about the network environment and detected patterns, which may require further analysis or monitoring.
Example Findings:
- A server running an outdated Apache HTTP Server (httpd) version with a known exploited vulnerability, reachable on port 80 from the internet, is critical because it is a direct unauthenticated entry point; an up-to-date httpd serving public content on port 80 without authentication is normal and not a finding by itself.
- Detection of suspicious command and control traffic might indicate active malware or ransomware deployment, which is high risk if not addressed promptly.
Privileged Access Security
Purpose: The Privileged Access Security Scanner proactively detects weaknesses related to administrative credentials, high-value tokens and elevated permissions. It aims to prevent unauthorized access and reduce ransomware risk by analyzing exposed services, token security and misconfigured permission settings.
What It Detects:
- Administrative Credential Protection: Identifies exposed administrative interfaces and credentials using the Shodan API, checks for weak or default passwords in domain-related services, and checks the IPs interacting with those services against AbuseIPDB abuse reports.
- High-Value Token Security: Scans for leaked tokens on VirusTotal and the dark web, verifies token encryption and storage practices, and identifies potential token misuse based on CISA KEV data.
- Elevated Permission Controls: Analyzes domain services for vulnerabilities using the NVD/CVE database, checks for misconfigured permissions that allow unauthorized access, and detects suspicious activities indicating privilege escalation attempts.
- Threat Intelligence Integration: Utilizes Shodan API to identify exposed services and vulnerabilities, leverages VirusTotal API for domain/IP reputation analysis, and cross-references CISA KEV for known exploited vulnerabilities.
- Real-Time Monitoring: Continuously monitors domain activities for suspicious patterns, flags potential security breaches based on real-time threat intelligence feeds, and provides actionable insights to mitigate security risks promptly.
Inputs Required:
- domain (string): Primary domain to analyze (e.g., acme.com)
Business Impact: This scanner is crucial for organizations looking to secure their digital assets by identifying and addressing vulnerabilities in administrative credentials, token security, and elevated permissions. By detecting and mitigating these risks, the organization can reduce the likelihood of data breaches and ransomware attacks, safeguarding sensitive information and maintaining operational continuity.
Risk Levels:
- Critical: Conditions that directly lead to unauthorized access or significant data exposure, such as exposed administrative credentials without proper protection or default password usage in critical services.
- High: Conditions where weak security practices could be exploited by malicious actors, including leaked tokens on the dark web and misconfigured permissions allowing elevated access.
- Medium: Conditions that indicate potential vulnerabilities but are less severe than those classified as high risk, such as unencrypted token storage or limited exposure through specific services.
- Low: Informational findings related to standard configurations or practices that do not pose significant security risks but can be improved for better protection.
- Info: Non-critical issues that provide general information about the environment and may require future attention based on threat intelligence updates.
Example Findings:
- Exposed Service: A domain-related service is identified as exposing administrative credentials without proper authentication mechanisms, potentially leading to unauthorized access.
- Malicious Activity: The domain exhibits suspicious activities indicative of a potential ransomware attack, detected through VirusTotal’s real-time threat intelligence feeds.