{"id":1605,"date":"2026-07-09T20:45:00","date_gmt":"2026-07-09T20:45:00","guid":{"rendered":"https:\/\/blog.scilabs.mx\/en\/?p=1605"},"modified":"2026-07-09T20:49:15","modified_gmt":"2026-07-09T20:49:15","slug":"2026-updated-recommendations-before-during-and-after-ransomware-attack","status":"publish","type":"post","link":"https:\/\/blog.scilabs.mx\/en\/2026\/07\/09\/2026-updated-recommendations-before-during-and-after-ransomware-attack\/","title":{"rendered":"2026 Updated Recommendations: Before, during and after ransomware attack"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\"><strong>Current ransomware landscape in LATAM<\/strong><\/h2>\n\n\n\n<p>Based on SCILabs telemetry and information gathered from public and private security feeds, several attacks were observed in over 23 countries in Latin America during 2025, conducted by at least 74 ransomware variants. The top 5 most active variants during 2025 represent 37.74% of the total threats that affected the region, which are listed below:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><em>Qilin<\/em>:&nbsp;<\/strong>9.86 %<\/li>\n\n\n\n<li><strong><em>Akira<\/em><\/strong><strong>:<\/strong>&nbsp;7.04 %<\/li>\n\n\n\n<li><strong><em>LockBit<\/em><\/strong><strong>:<\/strong>&nbsp;6.57 %<\/li>\n\n\n\n<li><strong><em>SafePay<\/em><\/strong><strong>:<\/strong>&nbsp;5.87 %<\/li>\n\n\n\n<li><strong><em>The Gentlemen<\/em><\/strong><strong>:<\/strong>&nbsp;5.40 %<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2026\/07\/Fig-1.-e-2026.png\" alt=\"\" class=\"wp-image-1911\" \/><\/figure><\/div>\n\n\n<p class=\"has-text-align-center\"><strong>Figure 1.&nbsp; Ransomware groups present in LATAM during 2025<\/strong><\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/blog.scilabs.mx\/wp-content\/uploads\/2026\/07\/Fig-2.-e-2026.png\" alt=\"\" class=\"wp-image-1912\" \/><\/figure><\/div>\n\n\n<p class=\"has-text-align-center\"><strong>Figure 2. Sectors most affected by ransomware in LATAM during 2025<\/strong><\/p>\n\n\n\n<p>In 2025, Qilin emerged as the most prominent variant in the region, with a significant number of attacks and a high success rate. Meanwhile,&nbsp;<em>Akira<\/em>&nbsp;increased its number of attacks this year and secured second place.&nbsp;<em>LockBit<\/em>&nbsp;(currently&nbsp;<a href=\"https:\/\/www.infosecurity-magazine.com\/news\/lockbit-admins-tease-a-new\"><em>LockBit 5.0<\/em><\/a>) remains active in Latin America as one of the most significant threats; however, during this study period, it dropped to third place.&nbsp;On the other hand, a significant increase was observed in the emergence of new variants, such as&nbsp;<em>SafePay<\/em>&nbsp;and&nbsp;<em>The Gentlemen<\/em>, which have intensified their attack frequency in the region. The following graph shows the sectors and industries most affected by these threats, according to SCILabs telemetry. &nbsp;<\/p>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><\/h2>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>How could a ransomware attack affect organizations?<\/strong><\/h2>\n\n\n\n<p>Operational disruptions, financial losses, the compromise of confidential information, and damage to the organization\u2019s reputation and trust could occur. This could have a profound impact on finances and legal or regulatory outcomes and could lead to a loss of confidence among customers and partners. Therefore, organizations need to be aware of the TTPs (Tactics, Techniques, and Procedures) associated with this type of threat, as well as the recommended measures to minimize the likelihood of infection, and how to act in the event of a ransomware attack. It is important to remember that a ransomware attack is not just about compromising information; part of its repercussions could affect the future of the organization itself.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>How to prevent or reduce the impact of a ransomware attack?<\/strong><\/h2>\n\n\n\n<p>It is vital that organizations have proactive security strategies that allow them to prevent malware attacks or, in certain cases, execute an effective response and recovery process following a cybersecurity incident; SCILabs proposes the following recommendations to prevent or reduce the chances of suffering a ransomware attack:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Response-focused Preparation<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&nbsp;Establish a regulatory framework that dictates the policies to be followed by regular employees when detecting a possible phishing email, as well as the guidelines that system administrators and third parties must follow when responding to and managing the event, thus reducing the possibility of an attack through this means, since multiple threats use phishing as their main distribution method.<\/li>\n\n\n\n<li>Establish a business continuity plan that considers a \u201cransomware-based cyberattack\u201d among its scenarios.<\/li>\n\n\n\n<li>Implement an incident response process that includes a communication plan for all levels of the organization is essential. This plan should focus on managing the crisis during an incident and outline how to handle it with customers, employees, and the public, if necessary. Customers and partners should be informed directly, highlighting the measures being taken to resolve the situation and protect their data, and providing guidance on steps they can take if needed. It is crucial to avoid alarmism, provide regular updates, and ensure that all information communicated is accurate to maintain the organization\u2019s credibility.<\/li>\n\n\n\n<li>Conduct ransomware attack simulations to determine the organization\u2019s response team\u2019s capacity to address the threat. If an internal incident response team is not available, it is important to have a pre-contracted external incident response team that supports the organization according to its needs and ensures that the response process is intelligence-driven, addressing the threat by understanding the actors behind it.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Improvements to Strategy and Processes<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Continuously provide awareness courses to the organization\u2019s employees on social engineering attacks and malware infection prevention to make them aware of the threats they may be exposed to and minimize the risk of being affected by a successful attack.<\/li>\n\n\n\n<li>Conduct ongoing awareness campaigns focused on educating users about ransomware, using targeted phishing tests to provide specific training for those with less knowledge of threats. Based on SCILabs telemetry, the following is suggested:\n<ul class=\"wp-block-list\">\n<li>Verify the legitimacy of the sender of the received email.<\/li>\n\n\n\n<li>Verify that the subject, sender, and content of the email are consistent.<\/li>\n\n\n\n<li>Avoid opening suspicious links or attachments.<\/li>\n\n\n\n<li>Avoid sending sensitive or confidential information to unknown senders.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Establish a well-defined alerting protocol so that members of the organization can report unusual computer activity or a possible cyberattack and know how to act in the event of an emergency.<\/li>\n\n\n\n<li>Avoid opening links or downloading attachments from unknown or suspicious emails or websites, as they may contain malware.<\/li>\n\n\n\n<li>If possible, establish a strict policy using controlled access lists to prevent any threat actor from using legitimate tools with potential malicious use (<a href=\"https:\/\/www.bitdefender.es\/consumer\/support\/answer\/53408\">PUA<\/a>&nbsp;\/&nbsp;<a href=\"https:\/\/www.malwarebytes.com\/es\/cybersecurity\/basics\/what-is-pup\">PUP<\/a>).<\/li>\n\n\n\n<li>Keep all systems and software used in the organization updated with the latest security patches. It is important to perform the necessary tests before applying changes to production environments to ensure they do not affect operations.<\/li>\n\n\n\n<li>Avoid using unauthorized or pirated software, as it may contain malicious artifacts that can serve as an initial attack vector against the organization.<\/li>\n\n\n\n<li>If the organization has servers, legacy systems, or unsupported equipment, it is highly recommended to keep them on an isolated, monitored, and protected network to prevent them from being easily compromised.<\/li>\n\n\n\n<li>Plan and conduct security tests on infrastructure and applications regularly to identify vulnerabilities and mitigate them before a threat actor can exploit them.<\/li>\n\n\n\n<li>Establish a backup process, considering essential information and a schedule of dates, to keep it protected on devices outside the organization\u2019s infrastructure to ensure business continuity.<\/li>\n\n\n\n<li>Limit user and application access to only what is strictly necessary (<a href=\"https:\/\/www.cyberark.com\/es\/what-is\/least-privilege\">principle of least privilege<\/a>).<\/li>\n\n\n\n<li>Avoid enabling content from suspicious documents or those not issued by trusted sources, as this content can easily be executed to carry out malicious activities on the operating system. One example of this is Microsoft Office files containing auto-executing&nbsp;<a href=\"https:\/\/support.microsoft.com\/es-es\/office\/inicio-r%C3%A1pido-crear-una-macro-741130ca-080d-49f5-9471-1e5fb3d581a8\">macros<\/a>.<\/li>\n\n\n\n<li>Disable Microsoft Office macros or allowing only digitally signed macros to run through a Group&nbsp;<a href=\"https:\/\/www.solvetic.com\/tutoriales\/article\/9858-crear-y-administrar-politicas-de-grupo-gpo-windows-server-2022\">Group Policy Object (GPO)<\/a>&nbsp;policy.<\/li>\n\n\n\n<li>Maintain an out-of-band (<a href=\"https:\/\/www.perlesystems.es\/supportfiles\/out-of-band-management.shtml\">OOB<\/a>) management network for the administration of critical services, so that only designated users can access them.<\/li>\n\n\n\n<li>Separate IT and OT networks to prevent the spread of malware resulting from access between the two infrastructures and disabling unnecessary ports or functions.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Governance-focused preparedness<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Establish a cybersecurity governance model, including the creation of a security committee with participation from the Information Technology (IT), commercial, operational, and legal areas.<\/li>\n\n\n\n<li>Integrate ransomware as a strategic business risk, considering its impact on business continuity, reputation, and compliance.<\/li>\n\n\n\n<li>Define the organization\u2019s risk tolerance level (<a href=\"https:\/\/www.ncsc.gov.uk\/blog-post\/a-two-part-blog-about-risk-appetites\">risk appetite<\/a>) and impact scenarios (service interruption, data breach, extortion).<\/li>\n\n\n\n<li>Assign clear roles and responsibilities for governance activities, ransomware incident management, and the assets under their responsibility, including the CISO, SOC\/CSIRT, and other relevant stakeholders.<\/li>\n\n\n\n<li>Implement a formal risk management process based on risk identification, assessment, and treatment.<\/li>\n\n\n\n<li>Implement continuous monitoring of governance compliance through internal audits and periodic reviews.<\/li>\n\n\n\n<li>Where applicable, manage the risk and potential impact associated with third-party suppliers in the supply chain, considering how a ransomware incident affecting them could, in turn, affect your organization.\n<ul class=\"wp-block-list\">\n<li>Through periodic security assessments.<\/li>\n\n\n\n<li>By limiting and segmenting external access to critical infrastructure.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Prevention-focused preparation<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Conduct a comprehensive inventory of assets, including platforms, critical infrastructure, applications, and data. Classify these assets by their level of criticality and information sensitivity.<\/li>\n\n\n\n<li>Implement identity protection controls on critical assets such as mandatory&nbsp;&nbsp;<a href=\"https:\/\/www.microsoft.com\/es-mx\/security\/business\/identity-access\/microsoft-entra-mfa-multi-factor-authentication\">MFA<\/a>, privileged level access management (<a href=\"https:\/\/www.microsoft.com\/es-mx\/security\/business\/security-101\/what-is-privileged-access-management-pam\">PAM<\/a>) and monitoring of administrative access or accounts with specific high-level privileges.<\/li>\n\n\n\n<li>Implement critical infrastructure hardening by deactivating unnecessary services, restricting ports, access, and technologies publicly exposed to the Internet, and following best practices for&nbsp;<a href=\"https:\/\/www.ionos.mx\/digitalguide\/servidores\/know-how\/que-es-on-premises\">On-Premises<\/a>&nbsp;and cloud-based technologies, as specified by applicable protocols or recommended by vendors.<\/li>\n\n\n\n<li>Have a vulnerability management plan in place at the organization-wide level, including suppliers with direct connectivity to the organization\u2019s environment, to promptly detect vulnerabilities that could be exploited by attackers and implement necessary remediation measures, minimizing the potential impact of these weaknesses.<\/li>\n\n\n\n<li>Having the ability to detect advanced threats on the network using de&nbsp;<a href=\"https:\/\/www.ibm.com\/mx-es\/think\/topics\/machine-learning\">Machine Learning<\/a>&nbsp;or algorithms that can detect malicious behavior is crucial, as network visibility is key to knowing when malware is moving laterally, whether by attempting to exploit a vulnerability or by reusing weak passwords associated with administrative accounts.<\/li>\n\n\n\n<li>Establish a comprehensive process that ensures any server exposed to the Internet is properly protected.<\/li>\n\n\n\n<li>Limit access to device management interfaces, such as firewalls, to secure networks only, preferably internal private networks, to avoid exposing them to the Internet.<\/li>\n\n\n\n<li>Establish within the organization\u2019s policies the use of a second authentication factor to access critical services and infrastructure, to minimize the possibility of unauthorized access.<\/li>\n\n\n\n<li>Continuously map the equipment that is being insecurely exposed to the Internet, to take the necessary measures \u2014whether to protect or disable services\u2014 paying special attention to Web servers, mail servers, VPN, or SSH services.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Improvements to Critical Operational Tools<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Maintain advanced monitoring on high-access devices to promptly identify suspicious events. The following internet-facing servers should be considered:\n<ul class=\"wp-block-list\">\n<li>Web Servers<\/li>\n\n\n\n<li>Mail Servers<\/li>\n\n\n\n<li>VPN Servers<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>If the organization has&nbsp;<a href=\"https:\/\/docs.citrix.com\/es-es\/citrix-workspace\/overview.html\">Citrix<\/a>, servers, verify that they are only accessible through a VPN or the local network, as they are an access point used by ransomware operators.<\/li>\n\n\n\n<li>Store the logs on a central server so they are readily available for analysis during an investigation or incident response process and ensure they contain the originating IP address of the request.<\/li>\n\n\n\n<li>If remote access via&nbsp;<a href=\"https:\/\/www.cloudflare.com\/es-es\/learning\/access-management\/what-is-the-remote-desktop-protocol\">RDP<\/a>&nbsp;or terminal services is required, ensure that these services are only accessible through a secure VPN (with multi-factor authentication) to the corporate network or through a&nbsp;<a href=\"https:\/\/www.akamai.com\/es\/glossary\/what-is-zero-trust\">Zero Trust<\/a>&nbsp;remote access gateway.\n<ul class=\"wp-block-list\">\n<li>Servers critical to overall operation:\n<ul class=\"wp-block-list\">\n<li>Domain controllers<\/li>\n\n\n\n<li>Authentication servers<\/li>\n\n\n\n<li>Hypervisors<\/li>\n\n\n\n<li>Backup servers<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Servers with privileged access to most of the infrastructure:\n<ul class=\"wp-block-list\">\n<li>Jump Servers<\/li>\n\n\n\n<li>Antivirus Servers<\/li>\n\n\n\n<li>Monitoring Servers<\/li>\n\n\n\n<li>Server Management Equipment<\/li>\n\n\n\n<li>File Sharing Servers<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Reinforcement in the supply chain<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Evaluate and classify vendors based on their level of access to critical systems and sensitive data.<\/li>\n\n\n\n<li>Implement minimum security controls, such as the implementation of MFA, vulnerability management, continuous monitoring, and other baseline cybersecurity measures.<\/li>\n\n\n\n<li>Limit vendor access by using the principle of least privilege and segmentation.<\/li>\n\n\n\n<li>Implement temporary (<a href=\"https:\/\/www.cyberark.com\/es\/what-is\/just-in-time-access\">Just\u2011in\u2011Time<\/a>) access controls for third parties.<\/li>\n\n\n\n<li>Continuously monitor vendor account activity in internal systems.<\/li>\n\n\n\n<li>Validate and inspect third-party software, libraries, and updates before their implementation in production systems.<\/li>\n\n\n\n<li>Maintain an up-to-date inventory of software dependencies or contracted external services..<\/li>\n\n\n\n<li>Verify the integrity of updates using digital signatures or hashes.<\/li>\n\n\n\n<li>Restrict unauthorized external dependencies in production environments.<\/li>\n\n\n\n<li>Implement isolation between internal systems and third-party services.<\/li>\n\n\n\n<li>Assess supply chain risks through periodic audits.<\/li>\n\n\n\n<li>Prepare contingency plans for security breaches affecting suppliers (access revocation, system or server isolation, etc.)..<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Strengthening Artificial intelligence (AI) Tools<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Monitor AI interactions to detect:\n<ul class=\"wp-block-list\">\n<li>Information extraction.<\/li>\n\n\n\n<li>Abuse of functionalities.<\/li>\n\n\n\n<li>Malicious automation.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Validate and control input data to prevent malicious code, prompt injection and unauthorized commands designed to manipulate AI models.<\/li>\n\n\n\n<li>Restrict access to AI models and APIs to authorized users and systems only.<\/li>\n\n\n\n<li>Avoid using unverified models or&nbsp;<a href=\"https:\/\/openwebinars.net\/blog\/datasets-que-son-y-como-acceder-a-ellos\">datasets<\/a>&nbsp;from unreliable sources.<\/li>\n\n\n\n<li>Secure the model training chain by validating and controlling datasets, pipelines, and storage systems to prevent the manipulation or insertion of malicious data.<\/li>\n\n\n\n<li>Protect the components of artificial intelligence systems, including models, their weights, and configurations, by implementing integrity controls, encryption mechanisms, and continuous monitoring, to prevent unauthorized modifications and ensure the reliability of the systems.<\/li>\n\n\n\n<li>Implement strict access controls in&nbsp;<a href=\"https:\/\/www.ibm.com\/mx-es\/think\/topics\/mlops\">MLOps<\/a>&nbsp;pipelines, limiting who can train, modify, or deploy models and logging all relevant activity..<\/li>\n\n\n\n<li>Limit the privileges of artificial intelligence services, including internal services (models deployed on own infrastructure), external services (consumption of AI APIs), and third-party services integrated into the operation, ensuring that they operate under the principle of least privilege, to prevent them from being used as a pivot point or as a vector for privilege escalation within the environment.<\/li>\n\n\n\n<li>Secure these services through robust authentication controls and strict identity validation, including the use of multi-factor authentication (MFA), secure secrets management, and continuous session verification, to reduce the risk of unauthorized access and misuse.<\/li>\n\n\n\n<li>Integrate AI logs into solutions such as a&nbsp;<a href=\"https:\/\/www.ibm.com\/mx-es\/topics\/siem\">SIEM (Security Information and Event Management)<\/a>&nbsp;system to correlate them with network activity, identity, and Endpoints.<\/li>\n\n\n\n<li>Secure AI dependencies (frameworks, libraries) to avoid supply chain compromises.<\/li>\n\n\n\n<li>Apply segmentation between development, testing, and production environments of models.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Activities for Operational Tools<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Regularly update the security patches of the software used in the organization to mitigate vulnerabilities and reduce the possibility of exploitation.<\/li>\n\n\n\n<li>Maintain monitoring for changes or additions of GPOs that are not scheduled or generated by unauthorized users, to prevent them from being used in malware distribution or enabling vulnerable services.<\/li>\n\n\n\n<li>Perform additional&nbsp;<a href=\"https:\/\/www.ciset.es\/publicaciones\/blog\/746-hardening\">hardening<\/a>&nbsp;equipment and services exposed to the Internet:\n<ul class=\"wp-block-list\">\n<li>Implement features such as multi-factor authentication (MFA): this way, if a password is stolen, it would not be enough to gain access to the service.<\/li>\n\n\n\n<li>Implement a Web Application Firewall (WAF), which is a specialized filter to reduce the risk of attacks on the organization\u2019s web applications.<\/li>\n\n\n\n<li>Use auditing tools, such as&nbsp;<a href=\"https:\/\/docs.oracle.com\/es\/learn\/ol-auditd\/#introduction\">auditd<\/a>&nbsp;o&nbsp;<a href=\"https:\/\/learn.microsoft.com\/es-es\/sysinternals\/downloads\/sysmon\">sysmon<\/a>,&nbsp;and send the logs to a SIEM system to recognize abnormal behavior on the computers.<\/li>\n\n\n\n<li>Ensure that data stored in operational tools is protected against unauthorized access.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Detection and blocking improvements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Stay informed about threats affecting the region is crucial. If possible, acquire a specialized threat intelligence service for Latin America is recommended, as it can provide indicators of compromise, countermeasures, and recommendations to support strategic, tactical, and operational decision-making.<\/li>\n\n\n\n<li>Enable encrypted traffic inspection features on perimeter security devices to improve detection and visibility levels.<\/li>\n\n\n\n<li>Restrict access to websites categorized as malicious, using web filtering tools, to reduce the possibility of a user entering.<\/li>\n\n\n\n<li>Carefully monitor and control outgoing network traffic to detect suspicious behavior and promptly analyze it, checking the following in the logs:\n<ul class=\"wp-block-list\">\n<li>Network traffic directed to malicious or suspicious addresses, according to threat intelligence or anomalous behavior cataloged or identified by the organization.<\/li>\n\n\n\n<li>Network traffic from&nbsp;<a href=\"https:\/\/www.fortinet.com\/lat\/resources\/cyberglossary\/what-is-dmz\">DMZ<\/a>&nbsp;servers to equipment or services outside of server operation.<\/li>\n\n\n\n<li>Naming resolution requests from DMZ servers to domains outside of server operation.<\/li>\n\n\n\n<li>Verify connection requests that are not related to the service, made by web servers, file transfers, or email.<\/li>\n\n\n\n<li>Remain vigilant regarding communications with cloud storage services other than the organization\u2019s officially authorized ones and, if possible, block them.<\/li>\n\n\n\n<li>Review and verify files before downloading from cloud storage sites or services such as Mega, Discord, Dropbox, Google Drive, OneDrive, Pastebin, GitHub, and others. These services are often used by malware operators to host their malware. A monitoring service, in addition to raising awareness, would allow users to avoid downloading files that could be used for malicious purposes.<\/li>\n\n\n\n<li>Configure alerts that are triggered when a device sends a large amount of information, to detect potential data exfiltration associated with malicious activity or attacks.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Implement an&nbsp;<a href=\"https:\/\/www.trendmicro.com\/es_mx\/what-is\/xdr.html\">XDR<\/a>&nbsp;solution on every server or&nbsp;<a href=\"https:\/\/www.cloudflare.com\/learning\/security\/glossary\/what-is-endpoint\">EndPoint<\/a>&nbsp;in the organization. Since not all XDR solutions are created equal, and many designed as antivirus solutions lack the necessary features for incident response, it is recommended to verify that the solution used in the organization has passed various&nbsp;<a href=\"https:\/\/ayuda.acens.com\/hc\/es\/articles\/360018219657--Qu%C3%A9-significa-Anti-Tamper-\">anti-tampering<\/a>&nbsp;tests and includes a centralized monitoring console protected against potential encryption.<\/li>\n\n\n\n<li>Proactively provide security devices with the most up-to-date indicators of compromise (IoCs) to detect and block attacks targeting the infrastructure.<\/li>\n\n\n\n<li>Disable Windows Script Host, if possible, as it can be used to interpret and execute JavaScript (.js and .jse files) and Visual Basic Script (.vbs and .vbe files), which can be leveraged by threat actors during a cyberattack.<\/li>\n\n\n\n<li>Configure an anti-spam filter that blocks emails, both external and internal, containing malicious content, links, or malware.<\/li>\n\n\n\n<li>Verify access permissions for shared folders and file system-level folder security. It is recommended to use \u201cread-only sharing\u201d to prevent malicious files from being uploaded.<\/li>\n\n\n\n<li>Use the principle of least privilege&nbsp;<a href=\"https:\/\/www.cyberark.com\/es\/what-is\/least-privilege\">(PoLP)<\/a>&nbsp;to configure organizational accounts, especially those associated with services exposed to the Internet.<\/li>\n\n\n\n<li>Segment networks to prevent ransomware spread. Network segregation can help prevent ransomware spread by controlling traffic flows, access to multiple subnets, and restricting an adversary\u2019s lateral movement.<\/li>\n\n\n\n<li>Enable system auditing to track login and logout events in Active Directory; this can be used to conduct in-depth investigations into unauthorized access.<\/li>\n\n\n\n<li>Perform compromised credential detection activities and implement alerts on privileged accounts if access attempts are detected from unusual locations.<\/li>\n\n\n\n<li>Conduct threat hunting activities across the organization\u2019s infrastructure to identify unusual processes, unidentified scheduled tasks, suspicious executable files in system paths, and anomalous endpoint resource usage. For example, it is suggested to check logs for&nbsp;<a href=\"https:\/\/latam.kaspersky.com\/blog\/most-used-lolbins\/22977\">LOLbins&nbsp;<\/a>usage, execution of PowerShell commands with suspicious behavior, SMB connections to detect lateral movement, scheduled tasks used to establish persistence, or programs that run at operating system startup.<\/li>\n\n\n\n<li>Use&nbsp;<a href=\"https:\/\/www.microsoft.com\/es-es\/security\/business\/security-101\/what-is-data-loss-prevention-dlp\">DLP<\/a>&nbsp;systems to reduce the likelihood of data leaks from the organization and detect anomalous behavior during the transfer or deletion of large volumes of information. To achieve this, it is recommended to classify all the organization\u2019s information beforehand.<\/li>\n\n\n\n<li>Create offline backups (using magnetic tapes or similar media, or&nbsp;<a href=\"https:\/\/expansion.mx\/tecnologia\/2023\/02\/23\/cold-storage-que-es\">cloud-based cold storage<\/a>) in a location separate from the organization\u2019s data center provides added security. In the event of an infrastructure breach, external storage can help restore operations more quickly.<\/li>\n\n\n\n<li>Mantain&nbsp;<a href=\"https:\/\/docs.oracle.com\/es-ww\/iaas\/secure-desktops\/golden-image.htm\">golden images<\/a>&nbsp;(system templates or images) of critical offline systems. These can help quickly restore server functionality if the affected machine cannot be immediately restored. These images should contain pre-configured operating systems and their associated operating software.<\/li>\n\n\n\n<li>Maintaining encrypted backups increases confidentiality and prevents a threat actor from accessing that information when it is exfiltrated.<\/li>\n\n\n\n<li>Maintain an active&nbsp;<a href=\"https:\/\/www.ikusi.com\/mx\/blog\/threat-hunting\">threat hunting<\/a>&nbsp;program that allows the identification of ransomware precursors, such as download programs, anomalous communication that may indicate communication with attackers within the network, among others, according to the most common attack vectors detected by the cyber intelligence team.<\/li>\n\n\n\n<li>Determine which types of ransomwares are most affecting other organizations in the same sector and what their delivery, distribution, execution, and persistence phases are, etc., to establish preventative measures.<\/li>\n\n\n\n<li>Collaborate with other organizations in the same sector to share information related to ransomware and other threats they have faced.<\/li>\n\n\n\n<li>Implement a&nbsp;<a href=\"https:\/\/www.ibm.com\/mx-es\/think\/topics\/security-orchestration-automation-response\">SOAR (Security Orchestration Automation and Response)<\/a>&nbsp;solution to orchestrate the detection, investigation, and response activities for security events in an automated manner based on use cases, especially those associated with ransomware.<\/li>\n\n\n\n<li>If your organization has a SIEM solution, develop and implement playbooks based on correlated alerts such as anomalous user authentication activity or privilege escalation.<\/li>\n\n\n\n<li>Implement an&nbsp;<a href=\"https:\/\/www.ibm.com\/mx-es\/topics\/ndr\">NDR (Network Detection and Response)<\/a>&nbsp;solution to identify anomalous traffic such as connections to C2 servers, anomalous data transfers on unusual dates or times, and port scanning from compromised machines.<\/li>\n\n\n\n<li>Keep specialized tools updated as the TTPs of ransomware variants active in LATAM evolve, and enrich them with indicators of compromise (IoCs).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Remote administration recommendations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create a Group Policy Object (GPO) in Active Directory to disable remote access to computers via Remote Desktop Protocol (RDP). This prevents its misuse on network devices.<\/li>\n\n\n\n<li>Avoid the use of software for remote access to organizational devices and monitor installation attempts. If remote administration is necessary, it is recommended to implement a VPN with two-factor authentication and enable RDP only on devices specifically designated for this purpose. This measure reduces the possibility of unauthorized access to these resources.<\/li>\n\n\n\n<li>Implement geolocation-based blocking on remote access services such as VPNs to prevent access from countries where the organization does not operate<\/li>\n\n\n\n<li>Create detection rules that trigger alerts when VPN access occurs from two geographically distant locations within a short period\u2014known as \u201cimpossible travel\u201d\u2014to promptly identify and investigate any users exhibiting this behavior.<\/li>\n\n\n\n<li>Blocking the account upon detecting this behavior can help reduce the impact of an attack.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Audit remote access activities to detect access from abnormal sources or access to critical services by users unrelated to those services, such as SSH.<\/li>\n\n\n\n<li>Change the default port for SSH connections&nbsp;<a href=\"https:\/\/www.ssh.com\/academy\/ssh\/port\">(TCP\/22)<\/a>&nbsp;to a non-standard port and restrict access to only authorized IP addresses.<\/li>\n\n\n\n<li>If using SSH to connect to critical assets, implement SSH key-based authentication instead of passwords, and configure periodic key rotation.<\/li>\n\n\n\n<li>If the operation requires the use of remote access software, the following recommendations should be considered:\n<ul class=\"wp-block-list\">\n<li>Add the software to a whitelist or controlled access list only for the devices that require it and disable it for the rest of the devices on the corporate network so that only a controlled number of devices can access the application.<\/li>\n\n\n\n<li>Implement two-factor authentication in the remote management software. If the application being used does not have this option, it is recommended to use one that does; this reduces the possibility of an attacker guessing the password and taking control of the device.<\/li>\n\n\n\n<li>Enable and centralize application logs for continuous monitoring, ensuring that, as far as possible, they are sent to a Security Information and Event Management (SIEM) system to correlate events, identify anomalous behavior, and promptly detect potential unauthorized access attempts. Additionally, define and adjust specific detection rules to enable the auditing and validation of whether access corresponds to legitimate activities.<\/li>\n\n\n\n<li>Disable or uninstall the software when it is not required, so that it is not inadvertently used.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Recommendations related to PowerShell<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create a Group Policy Object (GPO) in Active Directory to disable PowerShell on computers where it\u2019s not needed, allowing it only for users with specific requirements.<\/li>\n\n\n\n<li>Implement&nbsp;<a href=\"https:\/\/learn.microsoft.com\/es-es\/powershell\/scripting\/security\/remoting\/jea\/overview?view=powershell-7.5\">Just Enough Administration (JEA)<\/a>&nbsp;to delegate specific administrative tasks to users without granting them full administrative privileges.<\/li>\n\n\n\n<li>Apply secure&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/powershell\/module\/microsoft.powershell.core\/about\/about_execution_policies?view=powershell-7.6\">Execution Policies<\/a>&nbsp;(<a href=\"https:\/\/learn.microsoft.com\/es-es\/powershell\/module\/microsoft.powershell.security\/set-executionpolicy?view=powershell-7.6\">RemoteSigned<\/a>&nbsp;or&nbsp;<a href=\"https:\/\/learn.microsoft.com\/es-es\/powershell\/module\/microsoft.powershell.core\/about\/about_signing?view=powershell-7.6\">AllSigned<\/a>) to prevent the execution of untrusted scripts.<\/li>\n\n\n\n<li>Implement&nbsp;<a href=\"https:\/\/devblogs.microsoft.com\/powershell\/powershell-constrained-language-mode\">PowerShell Constrained Language Mode<\/a>&nbsp;to restrict the execution of advanced or unauthorized scripts.<\/li>\n\n\n\n<li>If PowerShell is required on some computers, consider the following:\n<ul class=\"wp-block-list\">\n<li>Update to the latest available version and remove previous versions to prevent attackers from exploiting vulnerabilities and executing their malicious code.<\/li>\n\n\n\n<li>Configure script execution to be limited to scripts that are signed or were generated for internal use by the organization\u2019s functions; this reduces the possibility of unauthorized command execution.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Recommendations related to SMB<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create a Group Policy Object (GPO) in Active Directory to prevent SMB from being enabled by default and disable access to hard drives via this protocol from administrative accounts, as such configurations allow for lateral movement.<\/li>\n\n\n\n<li>Consider using devices with SMB version 3, as version 1 of this protocol has been affected has been&nbsp;<a href=\"https:\/\/www.proofpoint.com\/es\/threat-reference\/wannacry\">affected<\/a>&nbsp;by ransomware attacks. If you have devices using SMB version 2, isolate them on a segmented networka.<\/li>\n\n\n\n<li>Promote and implement the use of strong passwords that are not easily guessed or cracked using techniques such as&nbsp;<a href=\"https:\/\/www.akamai.com\/es\/glossary\/what-is-credential-stuffing#:~:text=El%20Credential%20Stuffing%20es%20un%20intento%20fraudulento%20de%20obtener%20acceso,sesi%C3%B3n%20en%20un%20sitio%20web.\">credential stuffing<\/a>, brute force, dictionary attacks,&nbsp;&nbsp;<a href=\"https:\/\/www.crowdstrike.com\/cybersecurity-101\/password-spraying\">password spraying<\/a>&nbsp;or&nbsp;<a href=\"https:\/\/www.beyondidentity.com\/glossary\/rainbow-table-attack\">rainbow table<\/a>&nbsp;attacks.<\/li>\n\n\n\n<li>Verify that the devices do not have vulnerabilities such as&nbsp;<a href=\"https:\/\/www.avast.com\/es-es\/c-eternalblue\">EternalBlue<\/a>,&nbsp;<a href=\"https:\/\/unaaldia.hispasec.com\/2020\/06\/vulnerabilidad-critica-en-smb-cve-2020-1206-smbleed.html\">SMBleed<\/a>&nbsp;o&nbsp;<a href=\"https:\/\/www.incibe.es\/empresas\/blog\/historias-reales-smbghost-el-fantasma-los-archivos-compartidos\">SMBGhost<\/a>, also known as&nbsp;<a href=\"https:\/\/trends.inycom.es\/coronablue-o-smbghost-vulnerabilidad-critica-en-windows\">CoronaBlue<\/a>, which have been used by attackers during ransomware incidents.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Recommendations for Active Directory<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Limit or restrict domain administrator access to any device other than a domain controller. If an administrator needs to use their credentials, it is recommended to grant access on an end-user device, audit that access, and log activity in a SIEM.<\/li>\n\n\n\n<li>Acquire a dedicated Active Directory protection solution.&nbsp;<a href=\"https:\/\/www.zscaler.com\/resources\/security-terms-glossary\/what-is-deception-technology\">Deception-type<\/a>&nbsp;solutions, malware traps, or&nbsp;<a href=\"https:\/\/latam.kaspersky.com\/resource-center\/threats\/what-is-a-honeypot\">honeypots<\/a>&nbsp;can help detect an attempted attack early, not only in Active Directory but also on the operational network.<\/li>\n\n\n\n<li>Conduct threat hunting on domain controllers, servers, workstations, and Active Directory, searching for new accounts or accounts whose generation is unrecognized or suspicious.<\/li>\n\n\n\n<li>Change passwords on all computers periodically and use multi-factor authentication for all Active Directory user accounts.<\/li>\n\n\n\n<li>Never run unofficial services with elevated privileges or domain administrator accounts, as these could store credentials that could be used for malicious purposes.<\/li>\n\n\n\n<li>Limit the creation of domain administrator accounts and other privileged groups: the fewer accounts and groups there are, the harder it will be for an attacker to find administrative accounts.<\/li>\n\n\n\n<li>Protect the domain administrator account with strong passwords, MFA, and regular password changes.<\/li>\n\n\n\n<li>Disable the built-in administrator account and remove users from the local administrator group, if possible.<\/li>\n\n\n\n<li>Enable real-time auditing and correlation rules related to GPO modifications, as some threat actors abuse them for malicious activities.<\/li>\n\n\n\n<li>Restrict the installation of additional software or the configuration of server roles on domain controllers other than those defined in the organization\u2019s security policies.<\/li>\n\n\n\n<li>Perform patch management and vulnerability scanning regularly.<\/li>\n\n\n\n<li>Use secure DNS services to block malicious domains.<\/li>\n\n\n\n<li>Enable and configure the Windows Firewall with the rules defined in the organization\u2019s security policies.<\/li>\n\n\n\n<li>Use a whitelisting application to define which applications are allowed to run in Active Directory.<\/li>\n\n\n\n<li>Implement a&nbsp;<a href=\"https:\/\/www.cyberark.com\/es\/what-is\/privileged-access-management\">PAM<\/a>&nbsp;solution.<\/li>\n\n\n\n<li>Use a Secure Administration Workstation (<a href=\"https:\/\/learn.microsoft.com\/es-es\/azure\/security\/fundamentals\/infrastructure-components\">SAW<\/a>).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Recommendations for hypervisors<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Keep virtualization software updated with the latest patches released by the manufacturer.<\/li>\n\n\n\n<li>Disable root account access, defining accounts with the necessary permissions.<\/li>\n\n\n\n<li>Grant unique CLI permissions to the only authorized users.<\/li>\n\n\n\n<li>Implement an&nbsp;<a href=\"https:\/\/www.microsoft.com\/es-mx\/security\/business\/security-101\/what-is-xdr\">XDR (Extended Detection and Response)<\/a>&nbsp;tool to identify, detect, and prevent attacks on virtual machines contained in the hypervisors.<\/li>\n\n\n\n<li>Isolate the hypervisor from the network, along with the resources necessary for its operation, such as&nbsp;<a href=\"https:\/\/docs.vmware.com\/es\/VMware-vSphere\/8.0\/vsan-planning\/GUID-18F531E9-FF08-49F5-9879-8E46583D4C70.html\">vSANs<\/a>&nbsp;and backups.<\/li>\n\n\n\n<li>Define rules for Veeam, Hyper-V, and VMware (so that these platforms can only be accessed from specific management servers) and restrict access to those servers.<\/li>\n\n\n\n<li>Manage identity and access by decoupling ESXi, vCenter, and other hypervisors from Active Directory to protect the virtualization infrastructure in case of a compromise.<\/li>\n\n\n\n<li>Use dedicated accounts for infrastructure administration, enable multi-factor authentication (MFA), and securely manage credentials.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Restrict access to hypervisors to only the necessary services.<\/li>\n\n\n\n<li>Enable the local firewall to allow administrative access from trusted network segments or hosts.<\/li>\n\n\n\n<li>Send hypervisor logs to the organization\u2019s central SIEM to provide visibility into security events.<\/li>\n\n\n\n<li>Maintain frequent backups that cannot be deleted by an attacker. This can be achieved by using offline backups or specialized services.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Specific recommendations for vSphere and ESXi<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Protect and monitor access to vCenter, as this management plane can be used to deploy ransomware attacks on multiple hosts simultaneously.<\/li>\n\n\n\n<li>Keep ESXi hosts updated and apply security patches as a priority, due to the active exploitation of critical vulnerabilities (such as&nbsp;<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-22225\"><strong>CVE\u20112025\u201122225<\/strong><\/a>) in ransomware campaigns.<\/li>\n\n\n\n<li>It is recommended to consider hardware that includes&nbsp;<a href=\"https:\/\/support.microsoft.com\/es-es\/windows\/habilitar-tpm-2-0-en-el-equipo-1fd5a332-360d-4f46-a1e7-ae6b0c90645c\">TPM 2.0<\/a>&nbsp;when installing virtualization software, which will automatically use the security chip to store authorization keys and help ensure that system files have not been modified.<\/li>\n\n\n\n<li>Secure Boot: verifies that the code executed during server boot is digitally signed and has not been modified, making it more difficult for threat actors to persist and gain initial control.\n<ul class=\"wp-block-list\">\n<li>Or it can be enabled at the following link: \/usr\/lib\/vmware\/secureboot\/bin\/secureBoot.py -c<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>execInstalledOnly: This is an ESXi and vSphere property used to restrict the execution of binaries on the hypervisor, preventing a threat actor from deploying and executing their tools. To check if it is active and to enable it, run the following command:\n<ul class=\"wp-block-list\">\n<li>esxcli system settings kernel list -o execinstalledonly<\/li>\n\n\n\n<li>esxcli system settings kernel set -s execinstalledonly -v TRUE<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p><strong>IMPORTANTE<\/strong>: To avoid problems, the configurations mentioned should be performed in a laboratory or UAT test environment before being implemented in the production environment.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><td><strong>Tool<\/strong><\/td><td><strong>Activity<\/strong><\/td><td><strong>Tool<\/strong><\/td><td><strong>Activity<\/strong><\/td><\/tr><\/thead><tbody><tr><td><a href=\"https:\/\/github.com\/adrecon\/ADRecon\">ADRecon<\/a><\/td><td>Recognition<\/td><td><a href=\"https:\/\/winscp.net\/eng\/download.php\">WinSCP<\/a><\/td><td>Exfiltration<\/td><\/tr><tr><td><a href=\"https:\/\/learn.microsoft.com\/en-us\/sysinternals\/downloads\/psexec\">PsExec<\/a><\/td><td>Lateral movement<\/td><td><a href=\"https:\/\/www.nirsoft.net\/utils\/nircmd.html\">NirCmd<\/a><\/td><td>Command execution\/ Defense evasion<\/td><\/tr><tr><td><a href=\"https:\/\/github.com\/gentilkiwi\/mimikatz\/blob\/master\/README.md\">Mimikatz<\/a><\/td><td>Credential access<\/td><td><a href=\"https:\/\/rclone.org\/\">Rclone<\/a><\/td><td>Exfiltration<\/td><\/tr><tr><td><a href=\"https:\/\/www.nirsoft.net\/password_recovery_tools.html\">Nirsoft<\/a>&nbsp;password tools<\/td><td>Command execution \/ Defense evasion<\/td><td><a href=\"https:\/\/www.trendmicro.com\/vinfo\/es\/threat-encyclopedia\/malware\/PUA.Win64.PCHunter.A\/\">PCHunter<\/a><\/td><td>Recognition \/ Process manipulation<\/td><\/tr><tr><td><a href=\"https:\/\/www.kroll.com\/en\/insights\/publications\/cyber\/analyzing-exmatter-ransomware-data-exfiltration-tool\">ExMatter<\/a><\/td><td>Exfiltraci\u00f3n<\/td><td><a href=\"http:\/\/www.gmer.net\/\">GMER<\/a><\/td><td>Defense evasion<\/td><\/tr><tr><td><a href=\"https:\/\/github.com\/BloodHoundAD\/BloodHound\">Bloodhound tool<\/a><\/td><td>Recognition<\/td><td><a href=\"https:\/\/attack.mitre.org\/software\/S0534\/\">BazarLoader<\/a><\/td><td>Lateral movement<\/td><\/tr><tr><td><a href=\"https:\/\/www.kali.org\/tools\/crackmapexec\/\">CrackMapExec<\/a><\/td><td>Lateral movement<\/td><td><a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/threat-encyclopedia\/malware\/hacktool.msil.grabff.a\/\">GrabFF<\/a><\/td><td>Firefox Web browser credentials<\/td><\/tr><tr><td><a href=\"https:\/\/github.com\/Kevin-Robertson\/Inveigh\">Inveigh\/InveighZero<\/a><\/td><td>Capture \/ Credential access<\/td><td><a href=\"https:\/\/symantec-enterprise-blogs.security.com\/blogs\/threat-intelligence\/yanluowang-ransomware-attacks-continue\">GrabChrome<\/a><\/td><td>Chrome Web browser credentials<\/td><\/tr><tr><td><a href=\"https:\/\/mega.io\/es\/syncing\">MegaSync<\/a><\/td><td>Exfiltration<\/td><td><a href=\"https:\/\/www.portablefreeware.com\/index.php?id=2072\">BrowserPassView<\/a><\/td><td>Web browser credentials<\/td><\/tr><tr><td><a href=\"https:\/\/attack.mitre.org\/software\/S0552\/\">Adfind<\/a><\/td><td>Recognition \/ Lateral movement<\/td><td><a href=\"https:\/\/github.com\/GhostPack\/KeeThief\">KeeThief<\/a><\/td><td>KeePass credential access<\/td><\/tr><tr><td><a href=\"https:\/\/github.com\/GhostPack\/Rubeus\">Rubeus<\/a><\/td><td>Credential access<\/td><td><a href=\"https:\/\/github.com\/mentebinaria\/filegrab\">FileGrab<\/a><\/td><td>Exfiltration<\/td><\/tr><tr><td><a href=\"https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/win.stealbit\">Stealbit<\/a><\/td><td>Exfiltration<\/td><td><a href=\"https:\/\/keepcoding.io\/blog\/que-es-cobalt-strike\/\">CobaltStrike<\/a><\/td><td>Command and Control \/ Post Exploitation<\/td><\/tr><tr><td><a href=\"https:\/\/screenconnect.connectwise.com\/\">ConnectWise\/ScreenConnect<\/a><\/td><td>Persistence \/ Lateral movement<\/td><td><a href=\"https:\/\/www.xataka.com\/basics\/filezilla-que-sirve-primeros-pasos-este-cliente-ftp\">FileZilla<\/a><\/td><td>Exfiltration<\/td><\/tr><tr><td><a href=\"https:\/\/processhacker.sourceforge.io\/\">Process Hacker<\/a><\/td><td>Recognition<\/td><td><a href=\"https:\/\/www.advanced-port-scanner.com\/es\/\">Advanced Port Scanner<\/a><\/td><td>Recognition<\/td><\/tr><tr><td><a href=\"https:\/\/learn.microsoft.com\/es-es\/troubleshoot\/windows-server\/remote\/understanding-remote-desktop-protocol\">Conexiones RDP<\/a><\/td><td>Persistence \/ Lateral movement<\/td><td><a href=\"https:\/\/www.netscantools.com\/\">NetScan<\/a><\/td><td>Recognition \/ Lateral movement<\/td><\/tr><tr><td><a href=\"https:\/\/www.proxifier.com\/\">ProxifierPE<\/a><\/td><td>Command and Control (Proxy)<\/td><td><a href=\"https:\/\/www.pcloud.com\/es\/\">Pcloud<\/a><\/td><td>Exfiltration<\/td><\/tr><tr><td><a href=\"https:\/\/www.chromium.org\/developers\/decoding-crash-dumps\">OpenChromeDumps<\/a><\/td><td>Credential access<\/td><td><a href=\"https:\/\/splunkresearch.com\/endpoint\/d6e464e4-5c6a-474e-82d2-aed616a3a492\">WmiExecAgent<\/a><\/td><td>Lateral movement \/ Command execution<\/td><\/tr><tr><td><a href=\"https:\/\/s3browser.com\/\">S3 Browser<\/a><\/td><td>Web Browsing<\/td><td><a href=\"https:\/\/github.com\/AlessandroZ\/LaZagne\">LaZagne<\/a><\/td><td>Credential access<\/td><\/tr><tr><td><a href=\"https:\/\/ngrok.com\/\">Ngrok<\/a><\/td><td>Recognition<\/td><td><a href=\"https:\/\/www.softperfect.com\/\">SoftPerfect<\/a><\/td><td>Recognition \/ Lateral movement<\/td><\/tr><tr><td><a href=\"https:\/\/www.malwarebytes.com\/blog\/detections\/riskware-tdsskiller#:~:text=TDSSKILLER%20is%20Malwarebytes'%20detection%20name,software%20on%20the%20victim's%20system\">TDSSKiller<\/a><\/td><td>Defense evasion<\/td><td><a href=\"https:\/\/www.tightvnc.com\/download.php\">TightVNC<\/a><\/td><td>Defense evasion \/ Lateral Movement<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"has-text-align-center\"><strong>Table 1. Tools most used by ransomware variants<\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What to do during a ransomware attack?<\/h3>\n\n\n\n<p>When an organization has already been compromised, it faces numerous unknowns, such as whether there is a free way to recover its data. What should be reported to senior management? How should recovery efforts be initiated? Did an employee orchestrate the attack? Is it possible to clean the compromised systems? What is necessary: blocking or isolating? Among many other questions, it is recommended to focus on the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Initiate an incident response process, which can utilize the&nbsp;<a href=\"https:\/\/gc.scalahed.com\/recursos\/files\/r161r\/w24891w\/planes_continuidad.pdf\">BCP (Business Continuity Plan)<\/a>&nbsp;in the event of a ransomware cyberattack. This will allow you to follow the previously defined plan and manage the crisis appropriately.<\/li>\n\n\n\n<li>If a BCP is not in place, a contingency plan must be designed to maintain business operations. This plan should include a&nbsp;<a href=\"https:\/\/sdr.com.mx\/index.php\/que-es-un-drp-y-como-funciona\">DRP (Disaster Recovery Plan)<\/a>, and, if possible, a robust backup policy that includes offline backups of critical information to prevent its compromise in the event of a ransomware attack.<\/li>\n\n\n\n<li>If an incident response process is not in place, consider the following:\n<ul class=\"wp-block-list\">\n<li>Involving an expert incident response team specializing in cyber intelligence will allow for a faster and more accurate response.<\/li>\n\n\n\n<li>Defining the organization\u2019s position for internal and external communication will establish a unified version of the situation, prevent panic, and reduce media impact.<\/li>\n\n\n\n<li>Defining a&nbsp;<a href=\"https:\/\/grupocovix.com\/pages\/salas-de-crisis-war-rooms\">war room<\/a>&nbsp;where all those who must participate in the incident response can be physically or virtually (as appropriate).<\/li>\n\n\n\n<li>Designating a person responsible for communicating the incident status to senior management and other areas of the organization.<\/li>\n\n\n\n<li>Defining an incident leader who can make decisions to be implemented by the rest of the organization\u2019s teams. The following are some activities the incident leader should carry out during the event:\n<ul class=\"wp-block-list\">\n<li>Select the research sources that will provide information for investigating the incident.<\/li>\n\n\n\n<li>Determine if it is necessary to&nbsp;<a href=\"https:\/\/openwebinars.net\/blog\/triage-informatico-guia-practica-para-priorizar-incidentes\">triage<\/a>&nbsp;the teams involved.<\/li>\n\n\n\n<li>Generate hypotheses that will guide the investigation, and that will be confirmed or refuted based on the evidence obtained.<\/li>\n\n\n\n<li>Generate recommendations for the containment, eradication, and recovery from the incident.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Appoint a technical leader with the ability to coordinate the group of specialists responsible for the various technology areas involved in the affected critical process, and support response activities, enabling specialists to act at the required speed.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Remain calm and avoid drawing immediate conclusions, as this can lead to hasty decisions that affect the response process and hinder the restoration of operations.<\/li>\n\n\n\n<li>Avoid searching for internal perpetrators of the attack, as this can lead to confrontations with personnel who obstruct the incident response.<\/li>\n\n\n\n<li>Conduct a thorough analysis, if artifact samples are available, to find indicators of compromise that will aid in the detection, containment, and eradication of the threat.<\/li>\n\n\n\n<li>Establish procedures for blocking access, reporting incidents, and conducting forensic analysis after a successful attack attempt.<\/li>\n\n\n\n<li>Avoid disseminating information on social media and to the press about what happened, to prevent the creation of false expectations about the situation. In the case of publicly traded companies, inadequate communication management and a lack of reassuring messages can increase speculation and, consequently, cause a drop in share value.<\/li>\n\n\n\n<li>Avoid uploading samples to public analysis tools, as other users could download them and disclose confidential organizational information.<\/li>\n\n\n\n<li>If immediate containment measures are required, such as isolating an affected computer, it is recommended that the computer experiencing the incident not be shut down, but only disconnected from the network. Shutting down the computer could result in the loss of important information needed for the incident investigation.<\/li>\n\n\n\n<li>Integrate specialized legal teams into incident response plans to manage hybrid extortion scenarios (a combination of pressure from compromised data and legal threats). This ensures that decision-making is based on an objective risk analysis and not on external pressure exerted by attackers.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Lateral movement prevention<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Implement the use of internal firewalls and access control lists&nbsp;<a href=\"https:\/\/www.fortinet.com\/lat\/resources\/cyberglossary\/network-access-control-list\">(ACLs)<\/a>&nbsp;qto block traffic between segments where it is not needed, such as restricting SMB and RDP protocols.<\/li>\n\n\n\n<li>Configure the Windows Firewall on all hosts to block widely used techniques, such as the use of PowerShell.exe or other&nbsp;<a href=\"https:\/\/www.crowdstrike.com\/en-us\/cybersecurity-101\/cyberattacks\/living-off-the-land-attack\">Living-Off-the-Land<\/a>&nbsp;scripts and binaries.\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/lolbas-project.github.io\/lolbas\/Binaries\/Regsvr32\">regsvr32.exe<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/lolbas-project.github.io\/lolbas\/Binaries\/Mshta\">mshta.exe<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/lolbas-project.github.io\/lolbas\/Binaries\/Bitsadmin\">bitsadmin.exe<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/lolbas-project.github.io\/lolbas\/Binaries\/Certutil\">certutil.exe<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/lolbas-project.github.io\/lolbas\/Binaries\/Msbuild\">msbuild.exe<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/lolbas-project.github.io\/lolbas\/Binaries\/Hh\">hh.exe<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/lolbas-project.github.io\/lolbas\/Binaries\/Makecab\">makecab.exe<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/lolbas-project.github.io\/lolbas\/Binaries\/Ieexec\">ieexec.exe<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/lolbas-project.github.io\/lolbas\/Binaries\/Expand\">expand.exe<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/lolbas-project.github.io\/lolbas\/Binaries\/Extrac32\">extrac.exe<\/a><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Pay close attention to the execution of tools such as&nbsp;<a href=\"https:\/\/learn.microsoft.com\/es-es\/windows\/win32\/wmisdk\/wmic\">wmic.exe<\/a>,&nbsp;<a href=\"https:\/\/learn.microsoft.com\/es-es\/sysinternals\/downloads\/psexec\">psexec<\/a>,&nbsp;<a href=\"https:\/\/learn.microsoft.com\/es-es\/windows-hardware\/drivers\/debugger\/-netuse--control-network-connections-\">netuse<\/a>,&nbsp;<a href=\"https:\/\/github.com\/poweradminllc\/PAExec\">PaExec<\/a>,&nbsp;<a href=\"https:\/\/www.elladodelmal.com\/2020\/05\/crackmapexec-una-navaja-suiza-para-el.html\">crackmapexec<\/a>&nbsp;or&nbsp;<a href=\"https:\/\/www.tightvnc.com\/download.php\">TightVNC<\/a>, which are frequently used by threat actors to perform lateral movement.<\/li>\n\n\n\n<li>Restrict or avoid the use of remote administration tools, such as como&nbsp;<a href=\"https:\/\/anydesk.com\/es\">AnyDesk<\/a>,&nbsp;<a href=\"https:\/\/www.goto.com\/es\/it-management\/resolve\">GoToAssist<\/a>,&nbsp;<a href=\"https:\/\/www.atera.com\/\">Atera<\/a>,&nbsp;<a href=\"https:\/\/www.remoteutilities.com\/support\/docs\/host\">HOST<\/a>,&nbsp;<a href=\"https:\/\/www.teamviewer.com\/latam\/campaign\/new-in-teamviewer-remote\">Team Viewer<\/a>, among others, commonly used by threat actors to perform lateral movement within the victim\u2019s network.<\/li>\n\n\n\n<li>Segment the network and restrict unnecessary traffic. It is recommended to implement segmentation using VLANs to isolate systems into different segments, limiting communication between critical and non-critical devices. Likewise, micro segmentation using technologies such as VMware NSX allows for more granular rule definition and reduces the attack surface.<\/li>\n\n\n\n<li>Apply the principle of least privilege to ensure that users and systems only have the permissions strictly necessary to perform their functions.<\/li>\n\n\n\n<li>Disable default credentials and apply multi-factor authentication (MFA) for critical access.<\/li>\n\n\n\n<li>Enable technologies such as Windows Defender Credential Guard to protect credentials stored in system memory against hash-stealing attacks, such as Pass-the-Hash.<\/li>\n\n\n\n<li>Actively monitor the use of privileged accounts and detect the use of attack tools such as&nbsp;<a href=\"https:\/\/www.tarlogic.com\/es\/glosario-ciberseguridad\/mimikatz\">Mimikatz<\/a>&nbsp;using security solutions like Sysmon and SIEMs.<\/li>\n\n\n\n<li>Implement Endpoint Detection and Response (EDR\/XDR) solutions that identify anomalous behavior and block attacks before they spread. Additionally, a well-configured SIEM helps correlate suspicious events and generate real-time alerts.<\/li>\n\n\n\n<li>Monitor unusual access via RDP and suspicious credential usage, which may indicate lateral movement attempts by attackers.<\/li>\n<\/ul>\n\n\n\n<p>Depending on the magnitude of the incident, the incident response team will determine the most sensible actions and establish a critical path that can lead to the recovery of the affected systems, based on their understanding of the threat and the intelligence they have.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><\/h3>\n\n\n\n<h3 class=\"wp-block-heading\">What to do after a ransomware attack?<\/h3>\n\n\n\n<p>Once organizations emerge from the crisis of a ransomware attack, it\u2019s important to consider the following recommendations:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Conduct lessons learned sessions to help the organization determine what could have been done differently and implement actions to prevent reinfection.<\/li>\n\n\n\n<li>Perform an advanced threat&nbsp;<a href=\"https:\/\/www.aon.com\/solutions\/commercial-risk\/cyber-security\/cyber-threat-hunting-es\">hunting<\/a>&nbsp;exercise to identify whether the same or a similar threat exists anywhere in the network that requires immediate attention.<\/li>\n\n\n\n<li>Maintain thorough monitoring for at least three months to ensure that no traces of the attacker remain within the organization. This involves understanding the alerts generated by the various security solutions implemented during incident response and investigating each one in depth.<\/li>\n\n\n\n<li>Develop detection models that closely resemble the attacker\u2019s modus operandi to ensure timely detection of any new events associated with the same threat.<\/li>\n\n\n\n<li>Implement a campaign targeting partners and users, summarizing the events the organization has just experienced and emphasizing the importance of adhering to established security guidelines.<\/li>\n\n\n\n<li>Conduct a comprehensive assessment to determine the organization\u2019s current state in terms of processes, people, and technology. This assessment will reveal the organization\u2019s internal and external cybersecurity posture and inform the development of a cybersecurity strategy.<\/li>\n\n\n\n<li>Design the organization\u2019s cybersecurity strategy with a holistic vision, considering at least the following points:\n<ul class=\"wp-block-list\">\n<li>Consider the new opportunities that cybersecurity services must support to protect critical data, considering business objectives, needs, and regulatory compliance.<\/li>\n\n\n\n<li>Consider a risk-based approach for the organization, considering its sector and threat model.<\/li>\n\n\n\n<li>Understand the importance of the human factor and user personalities to meet internal and external expectations and determine how and to whom to direct ongoing awareness campaigns.<\/li>\n\n\n\n<li>Implement continuous cyber intelligence monitoring and threat model mapping to visualize the cybersecurity posture and how it is perceived internally and externally.<\/li>\n\n\n\n<li>Ensure that the security strategy includes identification capabilities through a visibility architecture, continuous monitoring, and prevention, using a holistic approach that considers continuous threat hunting, protection with appropriate technology at necessary points, trained personnel, robust processes, orchestrated response by expert staff, recovery, process verification, and an emphasis on resilience.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Current ransomware landscape in LATAM Based on SCILabs telemetry and information gathered from public and private security feeds, several attacks<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21,6],"tags":[],"class_list":["post-1605","post","type-post","status-publish","format-standard","hentry","category-ransomware","category-recommendations"],"_links":{"self":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts\/1605","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/comments?post=1605"}],"version-history":[{"count":2,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts\/1605\/revisions"}],"predecessor-version":[{"id":1608,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts\/1605\/revisions\/1608"}],"wp:attachment":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/media?parent=1605"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/categories?post=1605"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/tags?post=1605"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}