New Threat Actor: Kryptos

In October 2025, a new organized crime group, tracked as Kryptos (alias: KRYPOS LEAKS), surfaced and immediately began executing high-impact ransomware attacks against enterprise targets across North America and Australia. The group’s immediate operational effectiveness, sophisticated business model, and targeting of high-value sectors such as finance, legal services, and professional services signal the arrival of a significant and capable threat actor. Kryptos operates a multifaceted extortion model, combining a Ransomware-as-a-Service (RaaS) platform with data brokerage operations. This allows the group to leverage a network of affiliates for attack execution while maximizing revenue through both direct ransom payments for data decryption and the sale of exfiltrated data on underground markets.

The rapid launch of successful campaigns by Kryptos suggests a level of pre-planning and maturity that is uncharacteristic of a genuinely new entrant. This operational readiness indicates that Kryptos is likely a rebrand or splinter of a more established ransomware syndicate, bringing battle-tested tools and a pre-existing affiliate network to its operations. This assessment necessitates that security teams treat Kryptos not as a nascent threat but as a top-tier adversary from its inception.

Due to the limited availability of direct, end-to-end technical intelligence on Kryptos’s attack lifecycle, this report employs a high-fidelity analogue analysis. The tactics, techniques, and procedures (TTPs) of the Crypto24 ransomware group, a similarly sophisticated actor that emerged in late 2023, provide a robust predictive model for the Kryptos operational playbook. Analysis of Crypto24 reveals a methodical attack chain that prioritizes stealth, persistence, and the complete neutralization of security defenses before the final encryption stage. Key TTPs include the extensive use of legitimate system administration tools and protocols—a “Living-off-the-Land” (LotL) approach—to blend in with normal network activity, coupled with the deployment of custom malware specifically designed to disable Endpoint Detection and Response (EDR) solutions.

This report provides a technical analysis of the Kryptos threat actor, its inferred attack lifecycle mapped to the MITRE ATT&CK® framework, and a consolidated list of Indicators of Compromise (IOCs) to aid in threat hunting and incident response. The findings underscore the critical need for organizations to adopt a defense-in-depth strategy focused on hardening initial access vectors, implementing the principle of least privilege, and enhancing monitoring for the anomalous use of legitimate system utilities. Key defensive priorities include the enforcement of multi-factor authentication (MFA) on all remote access services, rigorous auditing of privileged account creation, enabling EDR agent self-protection mechanisms, and maintaining a resilient, tested backup and recovery strategy to mitigate the impact of a successful intrusion.

Threat Actor Profile: Kryptos (KRYPOS LEAKS)

The emergence of the Kryptos ransomware group represents a notable development in the cybercrime ecosystem. Characterized by its rapid deployment of attacks and a sophisticated, multi-channel extortion strategy, the group has quickly established itself as a formidable threat to organizations globally.

Overview and Emergence

Kryptos was first observed in October 2025 and is categorized as an organized crime group specializing in crypto-ransomware. The group’s name, derived from the ancient Greek word for “hidden,” is a common motif in the world of cryptography and should not be confused with unrelated entities such as the Kryptos sculpture at CIA headquarters, Kriptos Technology, or Kryptos Logic.

What distinguishes Kryptos from many other newly identified threat groups is its apparent operational maturity from day one. The group began launching successful attacks almost immediately upon its appearance in the threat landscape, forgoing the typical ramp-up period required to develop tools, recruit affiliates, and refine TTPs. This “instant maturity” is a strong indicator that the operators behind Kryptos are not newcomers to the ransomware scene. The pattern of established groups rebranding or splintering is well-documented; for instance, the BlackCat (ALPHV) ransomware operation is widely believed to be a successor to developers from the DarkSide and BlackMatter syndicates, while the LockBit Green variant was developed by incorporating source code from the defunct Conti ransomware group. It is therefore highly probable that Kryptos is a new franchise operated by veteran cybercriminals, leveraging a pre-existing, mature toolset and an established network of affiliates. This fundamentally alters the risk calculation for defenders, who must presume from the outset that they are facing a sophisticated and experienced adversary.

Attribute              | Details
Alias                  | KRYPOS LEAKS
First Seen             | October 2025
Actor Type             | Organized Crime
Country of Origin      | Unknown
Operational Model      | Ransomware-as-a-Service (RaaS), Data Broker
Extortion Methods      | Direct Extortion, Double Extortion
Communication Channels | TOR, Tox
Targeted Industries    | Professional Services, Financials, Construction
Targeted Geographies   | United States, Australia, Canada

Modus Operandi: RaaS and Data Brokerage

Kryptos employs a highly effective and scalable business model built on two core pillars: Ransomware-as-a-Service (RaaS) and data brokerage.

The RaaS model mirrors legitimate Software-as-a-Service (SaaS) offerings. The core Kryptos operators develop and maintain the ransomware payload, the command-and-control (C2) infrastructure, and the data leak site, then license this platform to third-party cybercriminals, known as affiliates, who execute the attacks. This division of labor is efficient: the core developers focus on improving the malware's capabilities and evading detection, while affiliates concentrate on gaining initial access, moving laterally within victim networks, and deploying the ransomware. The model lowers the barrier to entry for high-impact cybercrime and increases the scale and frequency of attacks.

Complementing its RaaS platform, Kryptos also operates as a data broker. This indicates a diversified monetization strategy that goes beyond simple extortion. In a typical Kryptos attack, affiliates not only encrypt the victim’s data but also exfiltrate large volumes of sensitive information. This stolen data serves as the foundation for a “double extortion” tactic. The victim is presented with two demands: a payment for the decryption key to restore their files (Direct Extortion), and a separate payment to prevent the public release of their stolen data. The threat of public exposure on the group’s leak site, KRYPOS LEAKS, adds immense pressure, as the consequences of a data breach—including regulatory fines, customer lawsuits, and severe reputational damage—can often exceed the cost of the ransom itself. The data broker model implies that even if a victim pays the ransom, the stolen data may still be sold to other criminal actors, creating multiple revenue streams from a single compromise.

Victimology and Targeting

The initial wave of Kryptos attacks demonstrates a clear and deliberate targeting strategy focused on high-value industries across multiple countries. As of early October 2025, confirmed victims included an architectural services firm in the United States, a legal services provider in Australia, and an organization in the banking and finance sector in Canada.

This victimology is consistent with the financial motivations of top-tier ransomware groups. These sectors are chosen for several strategic reasons:

  • High Sensitivity to Downtime: Financial institutions, legal firms, and professional services are heavily reliant on continuous access to data and IT systems. Any operational downtime results in immediate and significant financial losses, increasing the pressure to pay a ransom quickly.
  • Possession of Sensitive Data: These industries handle vast amounts of confidential client information, intellectual property, and personally identifiable information (PII). The threat of leaking this data in a double-extortion scenario is a powerful coercive tool.
  • Perceived Ability to Pay: Attackers target organizations they believe have the financial resources, or the cyber insurance coverage, to meet substantial ransom demands.

The geographic spread of these initial attacks across North America and Australia underscores the borderless nature of the RaaS operation. Affiliates are likely recruited from various regions, bringing local knowledge and language skills that can be used to craft more effective social engineering lures and navigate regional business environments.

Operational Analysis: Inferring the Kryptos Playbook via Crypto24

While direct intelligence on the complete Kryptos attack chain remains limited, a common challenge when a new threat actor first emerges, a proactive defensive posture requires a predictive understanding of their likely TTPs. To construct this, a rigorous analytical approach is necessary, leveraging a high-fidelity analogue to model the adversary's behavior. The Crypto24 ransomware group, which surfaced roughly two years before Kryptos, serves as a well-suited proxy for this analysis due to parallels in operational strategy, technical sophistication, and targeting philosophy.

The Analytical Imperative for a High-Fidelity Analogue

Threat intelligence for a newly designated group like Kryptos is often fragmented in its early stages. Initial reports typically focus on host-based and network artifacts from the final stages of an attack, such as the ransomware executable itself, ransom notes, and communication channels. While valuable for immediate incident response, this information provides little insight into the earlier, stealthier phases of the intrusion, such as initial access, persistence, and lateral movement. To build effective, threat-informed defenses, security operations teams must understand the entire attack lifecycle. By analyzing the deeply documented playbook of a highly similar contemporary, Crypto24, it is possible to forecast the TTPs that Kryptos affiliates are most likely to employ, enabling defenders to shift from a reactive to a proactive stance.

Justification for Analogy: Overlapping Operational DNA

The selection of Crypto24 as an analogue for Kryptos is based on a confluence of shared characteristics that suggest a common operational doctrine, if not a shared origin.

  • Temporal Proximity and Sophistication: Crypto24 was first observed in late 2023 and became highly active in 2024, while Kryptos emerged in late 2025. Both are recent, modern ransomware operations. Crucially, both groups exhibited immediate operational maturity, deploying a sophisticated blend of legitimate “Living-off-the-Land” tools and custom-built malware from the outset of their campaigns. This shared trait of bypassing a novice development phase points to experienced operators.
  • Targeting Philosophy: The victimology of both groups is remarkably similar. They focus on large, enterprise-level organizations in financially critical sectors. Kryptos’s initial targets include finance, legal, and professional services, while Crypto24’s documented victims span finance, manufacturing, technology, and entertainment across North America, Europe, and Asia. This shared preference for high-value targets underscores a common strategic objective: maximizing ransom payouts from organizations with a low tolerance for disruption.
  • Business Model: Both Kryptos and Crypto24 are structured as RaaS operations and practice double extortion. The RaaS model allows for rapid scaling, and the double-extortion tactic has become the standard for maximizing pressure on victims. Crypto24 was observed actively recruiting affiliates on the RAMP underground forum, a behavior typical of RaaS providers seeking to expand their network of attackers. This aligns perfectly with the RaaS model attributed to Kryptos.
  • Technical Doctrine: The core technical strategy of Crypto24—blending into the target environment by abusing legitimate administrative tools while using custom payloads to disable security controls—is the hallmark of a modern, advanced persistent threat. This focus on stealth, long-term persistence, and defense evasion prior to encryption is precisely the kind of sophisticated approach expected from a group with the “instant maturity” of Kryptos.

The striking convergence of these strategic, operational, and technical characteristics suggests that the TTPs observed in Crypto24 intrusions provide the most accurate available blueprint for the Kryptos attack methodology. The emergence of multiple, highly similar, and operationally mature RaaS platforms like Crypto24 and Kryptos within a relatively short period may point to a broader evolution in the cybercrime economy. Rather than a series of coincidental developments, this could represent a “franchising” or “white-labeling” of a core operational playbook and toolset. In this evolved model, a central, highly skilled group of developers could be selling not just their ransomware payload, but their entire business-in-a-box: the affiliate recruitment and management strategy, the target selection framework, the proven TTPs for intrusion and evasion, and the customized toolset, such as the EDR-disabling malware. This would allow the core developers to profit from the establishment of multiple, seemingly independent ransomware brands. This model complicates attribution, diversifies the developers’ “brand portfolio” against law enforcement takedowns, and creates a consistent, repeatable, and highly effective template for attacks. Therefore, defending against Kryptos requires understanding this broader attack template, for which Crypto24 serves as the most detailed and well-documented case study.

Technical Deep Dive: The Kryptos Attack Lifecycle
(Mapped to MITRE ATT&CK®)

Based on the high-fidelity analogue of the Crypto24 operation, a Kryptos affiliate’s attack is expected to be a patient, multi-stage intrusion focused on deep network infiltration and the systematic neutralization of defenses before the final deployment of the ransomware payload. The following section details this inferred attack lifecycle, mapping the observed TTPs to the MITRE ATT&CK® framework.

Initial Access (TA0001)

Kryptos affiliates likely employ a variety of methods to gain their initial foothold, often leveraging the path of least resistance into a target network.

  • T1133 External Remote Services: Exploitation of poorly configured or unsecured remote services, particularly Remote Desktop Protocol (RDP), is a primary vector for many ransomware groups, including affiliates of the Phobos RaaS. Affiliates can scan the internet for exposed RDP ports and use brute-force attacks or previously compromised credentials to gain access.
  • T1078 Valid Accounts: The cybercrime ecosystem includes a specialized market for “initial access brokers” who sell compromised credentials for corporate networks. Kryptos affiliates likely purchase valid VPN or RDP credentials from these brokers to bypass perimeter defenses and log in as a legitimate user.
  • T1566 Phishing: Phishing remains a reliable initial access vector. Affiliates may send spearphishing emails containing malicious attachments (e.g., macro-enabled documents) or links to credential-harvesting pages designed to trick employees into divulging their login information.
  • T1190 Exploit Public-Facing Application: Unpatched vulnerabilities in internet-facing systems like VPN gateways, web servers, or collaboration tools provide a direct path into a network. Affiliates continuously scan for and exploit known vulnerabilities to deploy web shells or other backdoors.

Execution (TA0002) and Persistence (TA0003)

Once inside, the attacker’s immediate goals are to execute code and establish a durable presence to survive reboots and evade initial cleanup efforts. This phase is characterized by the heavy use of legitimate system tools to blend in with normal administrative activity.

  • Execution: Affiliates rely heavily on built-in Windows utilities, a technique known as Living-off-the-Land (LotL).
    • T1059.003 Windows Command Shell and T1059.001 PowerShell: The command prompt (cmd.exe) and PowerShell are the primary tools used to run reconnaissance commands, create scheduled tasks, modify the registry, and execute other malicious scripts. Their ubiquitous use by system administrators makes it difficult to distinguish malicious activity from benign operations without careful correlation and behavioral analysis.
  • Persistence: Kryptos affiliates are expected to establish multiple, redundant persistence mechanisms to ensure long-term access.
    • T1136 Create Account: A key technique observed with Crypto24 is the creation of new user accounts, often with generic names like “admin,” “support,” or “backup” to avoid suspicion. These accounts are then added to high-privilege groups such as “Administrators” and “Remote Desktop Users” using commands like net.exe user <username> <password> /add and net.exe localgroup Administrators <username> /add. This provides the attacker with their own dedicated access credentials.
    • T1543.003 Create or Modify System Process: Windows Service: To ensure their tools run with high privileges and are automatically started, attackers use the Service Control utility (sc.exe) to create malicious services. These services are often configured to run under the context of svchost.exe to appear as legitimate system processes. The Crypto24 analogue was observed creating services with names like WinMainSvc (for its keylogger) and MSRuntime (for the ransomware loader), using a malicious MSRuntime.dll file.
    • T1053.005 Scheduled Task/Job: Scheduled Task: The Windows Task Scheduler is abused to periodically execute malicious scripts or binaries. For example, attackers may create a task that runs a VBScript or batch file from a hidden staging directory, such as %ProgramData%\Update\update.vbs, ensuring their payload is re-executed at regular intervals or upon system startup.

Privilege Escalation (TA0004) and Defense Evasion (TA0005)

After establishing persistence, the focus shifts to gaining higher-level permissions and systematically dismantling the target’s security controls. This phase showcases the technical sophistication of the operation.

  • Privilege Escalation:
    • T1078 Valid Accounts: The initial foothold may be a low-privilege account. The attacker will use discovery techniques to find and leverage credentials for an account with administrative rights, effectively escalating their privileges.
    • T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control: To execute processes with administrative privileges without triggering a User Account Control (UAC) prompt on the user's screen, the ransomware payload may use known UAC bypass techniques. The Crypto24 payload was observed abusing the CMSTPLUA COM interface (the auto-elevating ICMLuaUtil object), a well-documented bypass also used by ransomware families such as BlackCat and LockBit.
  • Defense Evasion: This is a critical prerequisite for the success of the operation.
    • T1562.001 Impair Defenses: Disable or Modify Tools: The most significant technique in the Crypto24 playbook is the deployment of a custom tool designed to blind EDR and antivirus solutions. This tool, which resembles the open-source RealBlindingEDR, programmatically targets and removes kernel-level monitoring callbacks registered by the drivers of major security products, including Trend Micro, Kaspersky, Sophos, Bitdefender, and SentinelOne. By disabling these hooks, the attacker can perform malicious actions without the EDR agent ever being notified.
    • Attackers also abuse legitimate vendor-provided uninstaller tools. Crypto24 operators were seen using gpscript.exe to remotely execute a Trend Vision One uninstaller script, effectively removing the security agent from endpoints before deploying the ransomware.
    • T1490 Inhibit System Recovery: To prevent easy restoration of encrypted files, attackers use the native Windows utility vssadmin.exe with the command delete shadows /all /quiet to delete all Volume Shadow Copies on the system. (ATT&CK files this technique under the Impact tactic, but it is executed during the evasion phase, well before encryption.) Equivalent variants to watch for are wmic shadowcopy delete and PowerShell or WMI calls that remove Win32_ShadowCopy instances.
    • T1218 System Binary Proxy Execution: Malicious code is often executed through trusted system processes. For example, the service DLLs created for persistence are loaded by svchost.exe, so they appear as ordinary service-host processes in process lists. ATT&CK does not define an svchost.exe sub-technique, so the mapping is to the parent technique only; detection should key on the service's ServiceDll registry value (under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters) pointing outside %SystemRoot%\System32 rather than on the host process name.

Credential Access (TA0006), Discovery (TA0007), and Lateral Movement (TA0008)

With defenses down, the attacker maps the network, harvests credentials, and spreads to other systems to maximize the impact of the final payload.

  • Credential Access:
    • T1056.001 Keylogging: A keylogger, deployed as a DLL (WinMainSvc.dll) and run as a service, is used to capture keystrokes, including usernames and passwords entered by legitimate users.
    • T1003 OS Credential Dumping: Standard credential dumping tools like Mimikatz are likely used to extract passwords and hashes from memory, particularly from the LSASS process.
  • Discovery: Attackers conduct extensive internal reconnaissance using native Windows commands to avoid introducing noisy or easily detectable third-party tools.
    • Account Discovery: net user and net localgroup administrators are used to enumerate user accounts and identify privileged users.
    • System Information Discovery: The Windows Management Instrumentation Command-line (wmic) utility is used to gather detailed information about system hardware (wmic computersystem get TotalPhysicalMemory), operating system configuration, and disk partitions (wmic partition get name,size,type). WMIC is deprecated and is no longer installed by default in recent Windows 11 builds, so wmic.exe execution on a modern host is itself worth an alert.
  • Lateral Movement: The primary goal is to spread from the initial entry point to high-value targets like domain controllers and file servers.
    • T1021.002 Remote Services: SMB/Windows Admin Shares: The Sysinternals tool PsExec is the preferred method for lateral movement. Using previously harvested administrative credentials, the attacker uses PsExec to remotely execute commands and copy the ransomware payload to other systems on the network. The presence of the PSEXESVC.exe service binary in C:\Windows\ on the target, and the corresponding System event ID 7045 (service installed) naming PSEXESVC, are strong indicators of this activity.
    • T1021.001 Remote Services: Remote Desktop Protocol: Having already created privileged accounts and added them to the “Remote Desktop Users” group, attackers use RDP for interactive, GUI-based access to compromised systems. They may modify local firewall rules using netsh to ensure RDP traffic is permitted.

Collection (TA0009), Exfiltration (TA0010), and Impact (TA0040)

In the final stages of the attack, the affiliate gathers and steals valuable data before executing the ransomware to encrypt the victim’s systems.

  • Collection: Files containing sensitive business data, intellectual property, and customer information are identified and staged for exfiltration.
  • Exfiltration:
    • T1567.002 Exfiltration to Cloud Storage: To exfiltrate large volumes of data without triggering alerts for connections to suspicious IP addresses, attackers upload the stolen files to a legitimate, widely-used cloud storage service. Crypto24 has been consistently observed using Google Drive for this purpose, as this traffic can easily blend with legitimate business use of the same service.
  • Impact: This is the final, destructive phase of the operation.
    • T1489 Service Stop: Before initiating encryption, the ransomware executable attempts to terminate a list of processes and services that might hold open handles to files and prevent them from being encrypted. This list specifically includes backup solutions and cloud synchronization clients, such as onedrive.exe, dropbox.exe, and googledrivefs.exe, so that the files can be encrypted and synchronized copies cannot be used for recovery.
    • T1486 Data Encrypted for Impact: The ransomware payload is executed across all compromised systems. It systematically traverses the file system, encrypting files in critical user and program directories. While the specific cryptographic algorithm used by Kryptos is not yet publicly documented, modern ransomware almost always uses a hybrid encryption scheme. A fast symmetric cipher (typically AES, or a stream cipher such as ChaCha20) encrypts the content of each file, and the per-file symmetric key is then encrypted with the public half of an asymmetric key pair (such as RSA) embedded in the payload. The corresponding private key is held only by the ransomware operators, making decryption without it computationally infeasible.

The methodical nature of this attack chain reveals a “patient predator” model. The final encryption event is merely the culmination of a much longer and deeper intrusion. By the time a ransomware alert is triggered, defenders must assume that the attackers have had persistent, privileged access to the network for an extended period, potentially days or weeks. Consequently, incident response cannot be limited to restoring encrypted files; it must involve a full-scale investigation to identify and eradicate all persistence mechanisms, reset all compromised credentials, and assess the full scope of the data exfiltration.

Tactic (MITRE ATT&CK®) | Technique ID | Technique Name | Description of Use by Kryptos/Crypto24 Affiliate
Initial Access | T1133 | External Remote Services | Exploiting poorly secured RDP to gain an initial foothold in the network.
Initial Access | T1078 | Valid Accounts | Using compromised credentials purchased from initial access brokers to log into VPNs or other remote services.
Execution | T1059.003 | Windows Command Shell | Using cmd.exe to run commands for discovery, persistence, and lateral movement.
Execution | T1059.001 | PowerShell | Leveraging PowerShell for scripting and fileless execution to evade detection.
Persistence | T1136 | Create Account | Creating new local or domain user accounts with generic names and adding them to privileged groups.
Persistence | T1543.003 | Create or Modify System Process: Windows Service | Using sc.exe to create malicious services (e.g., MSRuntime, WinMainSvc) that run at startup.
Persistence | T1053.005 | Scheduled Task/Job: Scheduled Task | Creating scheduled tasks that periodically run malicious scripts (e.g., update.vbs) from staging directories.
Privilege Escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass UAC | Abusing the CMSTPLUA COM interface to execute code with high privileges without a UAC prompt.
Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | Deploying a custom EDR-killing tool (a RealBlindingEDR variant) that removes kernel callbacks registered by security products; abusing legitimate vendor uninstallers.
Impact (executed during evasion) | T1490 | Inhibit System Recovery | Running vssadmin.exe delete shadows to delete Volume Shadow Copies and hinder restoration.
Credential Access | T1056.001 | Keylogging | Deploying a keylogger as a service (WinMainSvc.dll) to capture user credentials.
Credential Access | T1003 | OS Credential Dumping | Using tools like Mimikatz to extract passwords and hashes from LSASS memory.
Discovery | T1087 | Account Discovery | Using net user and net localgroup to enumerate accounts and identify privileged targets.
Discovery | T1082 | System Information Discovery | Using wmic to gather information about the system's hardware and software configuration.
Lateral Movement | T1021.002 | Remote Services: SMB/Windows Admin Shares | Using PsExec with stolen credentials to execute commands and payloads on other machines in the network.
Lateral Movement | T1021.001 | Remote Services: Remote Desktop Protocol | Using RDP for interactive access to compromised systems after permitting it through firewall rule changes.
Collection | T1005 | Data from Local System | Staging sensitive files from local user and program directories for exfiltration.
Exfiltration | T1567.002 | Exfiltration to Cloud Storage | Uploading large volumes of stolen data to a legitimate cloud service (Google Drive) to evade detection.
Impact | T1489 | Service Stop | Terminating backup and cloud-synchronization processes (e.g., onedrive.exe) before encryption.
Impact | T1486 | Data Encrypted for Impact | Executing the final ransomware payload to encrypt files across the network using a hybrid symmetric/asymmetric scheme.

Indicators of Compromise (IOCs)

This section provides a consolidated list of Indicators of Compromise (IOCs) to support threat hunting, incident response, and the configuration of security tools. The IOCs are categorized into two groups: those directly attributed to the Kryptos group and those identified from the analysis of its analogue, Crypto24. The latter are confirmed only for Crypto24; a match indicates Crypto24-style tradecraft and warrants investigation, but it is not by itself evidence of a Kryptos intrusion.

Confirmed Kryptos IOCs

These IOCs are directly attributed to the Kryptos ransomware operation based on initial public reporting.

  • Network IOCs:
    • TOR Leak Site: The group's data leak site, named KRYPOS LEAKS, is hosted at the following onion address. Because .onion names resolve only inside the Tor network, this value will not appear in DNS or proxy logs; hunt for it in ransom notes, browser history, and other host artifacts, and treat Tor client traffic originating from a corporate network as an indicator in its own right.
      • http://kryptospnjzz7vfkr663bnqv3dxirmr3svo5zwq7cvu2wdfngujgknyd.onion
  • Host-Based IOCs:
    • Communication Identifiers (Tox): Kryptos operators use the Tox peer-to-peer instant messaging protocol for communication with victims. The presence of these specific Tox IDs in ransom notes or system artifacts is a strong link to the group.
      • 5D16859E0BC70E8830DEB8DE294C7E5AF8BD4D30CB1CB01F3BE17D0F592B3264DB2B6BB15164
      • 8AE76D106C7F34134CAB98E41C5EEEF15B238BC523EC2F09C7765214CB03822866E94D87B25F

High-Confidence Inferred IOCs (from Crypto24)

These IOCs are derived from the technical analysis of the Crypto24 ransomware group. Given the operational overlap, these artifacts should be actively hunted for as potential indicators of a Kryptos-style intrusion, with the caveat that they are attributed to Crypto24, not Kryptos.

IOC Type | IOC Value | Associated Actor | Notes/Context
File Hash (SHA256) | 3b0b4a11ad576588bae809ebb546b4d985ef9f37ed335ca5e2ba6b886d997bac | Crypto24 | Malware sample
File Hash (SHA256) | 686bb5ee371733ab7908c2f3ea1ee76791080f3a4e61afe8b97c2a57fbc2efac | Crypto24 | Malware sample
File Hash (SHA256) | 24f7b66c88ba085d77c5bd386c0a0ac3b78793c0e47819a0576b60a67adc7b73 | Crypto24 | Malware sample
TOR Address | j5o5y2feotmhvr7cbcp2j2ewayv5mn5zenl3joqwx67gtfchhezjznad.onion | Crypto24 | Data leak / negotiation site
Email Address | [email protected] | Crypto24 | Contact for ransom negotiation (address obfuscated in the source reporting; not usable as a match value)
Email Address | [email protected] | Crypto24 | Contact for ransom negotiation (address obfuscated in the source reporting; not usable as a match value)
Domain | palmgold-mgmt.com | Crypto24 | Listed in Crypto24 reporting; role unconfirmed. Verify before blocking.
Domain | cms.law/en/int/ | Crypto24 | Listed in Crypto24 reporting; role unconfirmed. This is a URL path on a legitimate organization's site, not a C2 domain; do not block without verification.
Domain | karndean.com | Crypto24 | Listed in Crypto24 reporting; role unconfirmed. Resembles a legitimate organization's domain; verify before blocking.
Domain | soubeiranchobet.com.ar | Crypto24 | Listed in Crypto24 reporting; role unconfirmed. Resembles a legitimate organization's domain; verify before blocking.
Domain | larimart.it | Crypto24 | Listed in Crypto24 reporting; role unconfirmed. Resembles a legitimate organization's domain; verify before blocking.
Domain | arianadx.com | Crypto24 | Listed in Crypto24 reporting; role unconfirmed. Verify before blocking.
File Path | %ProgramData%\Update\update.vbs | Crypto24 | Persistence via scheduled task
File Path | %ProgramData%\Update\vm.bat | Crypto24 | Persistence via scheduled task
File Path | C:\Windows\PSEXESVC.exe | Crypto24 | Artifact of PsExec use for lateral movement
File Path | %USERPROFILE%\AppData\Local\Temp\Low\AVB.exe | Crypto24 | Defense evasion tool (EDR killer)
Service Name | WinMainSvc | Crypto24 | Malicious service hosting the keylogger payload
Service Name | MSRuntime | Crypto24 | Malicious service hosting the ransomware loader

Defensive Countermeasures and Strategic Recommendations

Countering a sophisticated threat like Kryptos requires a multi-layered defense strategy that combines tactical detection and response capabilities within the Security Operations Center (SOC) with broader, strategic security posture improvements across the organization. The following recommendations are tailored to disrupt the specific TTPs identified in the Kryptos/Crypto24 attack lifecycle.

Tactical Mitigation for the SOC

These actions are designed to be implemented by SOC analysts, detection engineers, and threat hunters to improve the real-time detection of and response to an active intrusion.

  • Detection Engineering:
    • Monitor Service Creation: Develop and deploy SIEM correlation rules to detect the creation of new Windows services, particularly when sc.exe or PowerShell’s New-Service cmdlet is used. Alerts should be prioritized if the service name matches known malicious names like MSRuntime or WinMainSvc, or if the service binary path points to a non-standard location (e.g., %ProgramData%, %TEMP%).
    • Detect System Recovery Inhibition: Create high-severity alerts for any execution of vssadmin.exe with command-line arguments containing delete shadows. While legitimate uses exist, they are rare in most environments and should be investigated immediately.
    • Track Lateral Movement Tools: Monitor for the execution of PsExec.exe (or psexec64.exe) and the corresponding creation of the PSEXESVC.exe service on any endpoint, especially servers and domain controllers. Legitimate use of PsExec should be documented and allowlisted; all other instances should be treated as suspicious.
    • Audit Scheduled Tasks: Implement detection logic to alert on the creation of new scheduled tasks (schtasks.exe) that execute scripts (e.g., .vbs, .bat, .ps1) from unusual directories.
    • Command-Line Argument Monitoring: Log and analyze command-line arguments for processes like cmd.exe, powershell.exe, and net.exe. Create detections for suspicious command chains, such as the creation of a new user followed immediately by that user being added to the “Administrators” group.
  • Threat Hunting:
    • IOC Sweeps: Regularly and proactively hunt for the file hashes, network indicators, file paths, and service names listed in the IOC table across all endpoints and network logs.
    • Anomalous Account Activity: Conduct hunts to identify the creation of new user accounts, especially those with generic names. Investigate any reactivation of dormant default administrator accounts. Correlate this activity with subsequent remote logins from those accounts.
    • Egress Traffic Analysis: Proactively analyze network egress logs for large or sustained data transfers to public cloud storage providers, particularly Google Drive. Establish a baseline for normal traffic to these services and hunt for outliers that could represent data exfiltration.
    • RDP Log Review: Hunt for anomalous RDP sessions, such as logins occurring outside of business hours, connections originating from unusual internal subnets, or multiple failed login attempts followed by a success.
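To make the Detection Engineering rules above concrete, the following is an added example (not part of this report) that applies them to a constructed stream of Windows process-creation and service-install events. The event field names, host names, timestamps and command lines are all constructed for illustration; the service names and drop directories come from the IOC table, and the user-creation/admin-add correlation uses an assumed five-minute window.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the report): process-creation events
# (Sysmon ID 1 / Security 4688) and service-install events (System ID 7045).
EVENTS = [
    {"ts": 100, "host": "WS01", "id": 7045, "service": "MSRuntime", "image": r"C:\ProgramData\Update\svc.exe"},
    {"ts": 101, "host": "WS01", "id": 1, "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": 102, "host": "SRV02", "id": 1, "cmd": r"C:\Windows\PSEXESVC.exe"},
    {"ts": 103, "host": "WS01", "id": 1,
     "cmd": r'schtasks.exe /create /tn Update /tr "wscript C:\ProgramData\Update\update.vbs"'},
    {"ts": 104, "host": "WS01", "id": 1, "cmd": "net user svc_backup P@ss /add"},
    {"ts": 130, "host": "WS01", "id": 1, "cmd": "net localgroup Administrators svc_backup /add"},
    {"ts": 200, "host": "WS03", "id": 1, "cmd": "net user alice /add"},  # benign: no escalation follows
    {"ts": 201, "host": "WS03", "id": 7045, "service": "Spooler", "image": r"C:\Windows\System32\spoolsv.exe"},
]

KNOWN_BAD_SERVICES = {"msruntime", "winmainsvc"}             # service names from the IOC table
SUSPICIOUS_DIRS = re.compile(r"programdata|\\temp\\", re.I)  # %ProgramData% and %TEMP% drop locations
SCRIPT_EXT = re.compile(r"\.(vbs|bat|ps1)\b", re.I)
NET_USER_ADD = re.compile(r"net1?(?:\.exe)?\s+user\s+(\S+)\s.*/add")
NET_ADMIN_ADD = re.compile(r"net1?(?:\.exe)?\s+localgroup\s+administrators\s+(\S+)\s.*/add")

def detect(events, window=300):
    """Return (host, rule_name) for every rule match; events must be time-ordered."""
    hits = []
    new_users = defaultdict(dict)  # host -> {username: ts of 'net user ... /add'}
    for e in events:
        host = e["host"]
        if e["id"] == 7045:  # new service with a known-bad name or a binary in a drop directory
            if e["service"].lower() in KNOWN_BAD_SERVICES or SUSPICIOUS_DIRS.search(e["image"]):
                hits.append((host, "suspicious_service_install"))
            continue
        cmd = e["cmd"].lower()
        if "vssadmin" in cmd and "delete" in cmd and "shadows" in cmd:
            hits.append((host, "shadow_copy_deletion"))
        if "psexesvc.exe" in cmd:
            hits.append((host, "psexec_service"))
        if "schtasks" in cmd and "/create" in cmd and SCRIPT_EXT.search(cmd) and SUSPICIOUS_DIRS.search(cmd):
            hits.append((host, "scheduled_task_script_unusual_dir"))
        if m := NET_USER_ADD.match(cmd):
            new_users[host][m.group(1)] = e["ts"]
        if (m := NET_ADMIN_ADD.match(cmd)) and m.group(1) in new_users[host] \
                and e["ts"] - new_users[host][m.group(1)] <= window:
            hits.append((host, "new_user_added_to_admins"))  # chain: user created, then made admin
    return hits

if __name__ == "__main__":
    print(*detect(EVENTS), sep="\n")
```

Running the block as written produces five alerts, all on WS01 and SRV02; the account created on WS03 without a following admin-group change is deliberately not alerted, which is the kind of correlation a SIEM rule needs to avoid firing on routine provisioning.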

Strategic Recommendations

These are broader, organization-wide security controls that harden the environment against the entire class of threats represented by Kryptos.

  • Harden Initial Access Vectors:
    • Enforce Multi-Factor Authentication (MFA): The single most effective control against the use of compromised credentials is to enforce phishing-resistant MFA on all external-facing services, including VPNs, RDP gateways, and cloud applications. This makes stolen passwords significantly less useful to an attacker.
    • Vulnerability and Patch Management: Maintain a rigorous patch management program to promptly remediate vulnerabilities in all internet-facing systems. Prioritize patches for known exploited vulnerabilities in VPNs, firewalls, and web applications.
  • Implement a Principle of Least Privilege:
    • Restrict Administrative Tools: The use of powerful administrative tools like PowerShell, PsExec, and RDP should be tightly controlled. Use application control solutions (e.g., AppLocker) or just-in-time access systems to restrict their use to only authorized administrators on specific management workstations.
    • Account Auditing: Regularly audit all user accounts, especially those with administrative privileges. Disable accounts that are no longer needed and enforce a policy of least privilege, ensuring users only have the access required to perform their job functions.
  • Enhance Endpoint Protection:
    • Enable Anti-Tampering: Ensure that all EDR and antivirus solutions have their agent self-protection or anti-tampering features enabled and configured to their highest settings. This can prevent or alert on attempts by malware like the RealBlindingEDR tool to disable or uninstall the security agent.
  • Backup and Recovery:
    • Follow the 3-2-1 Rule: Maintain at least three copies of critical data, on two different media types, with at least one copy stored offline or in an immutable storage location. This ensures that even if the live network and online backups are compromised, a clean copy of the data is available for recovery.
    • Test Restoration Procedures: The existence of backups is not enough; their viability must be proven. Regularly test the process of restoring data from backups to ensure it works as expected and to identify any process gaps before a real incident occurs. The ability to recover data independently is the most effective way to neutralize a ransomware operator’s leverage.
  • Adopt a Zero Trust Mindset:
    • Network Segmentation: Implement network segmentation to limit an attacker’s ability to move laterally. Critical systems like domain controllers and database servers should be isolated in secure enclaves with strict access controls.
    • Assume Compromise: Operate under the assumption that an attacker is already inside the network. This means continuously monitoring for suspicious internal activity, inspecting all network traffic for threats (even traffic destined for trusted services like Google Drive), and requiring re-authentication for access to sensitive resources.