Activity logs on a server used by the TrickBot trojan in post-compromise stages of an attack show that the actor takes an average of two weeks pivoting to valuable hosts on the network before deploying Ryuk ransomware.
After compromising the network, the attacker starts scanning for live systems that have specific ports open and stealing password hashes from the Domain Admin group.
Targeted attacks follow this chain of firstly getting access to vulnerable network/system and working way through the network trying to find next weak access point while gathering data and understanding of how the organization operates along the way. In this instance understanding the information assets, applying not only MFA but enhanced multi-factor authentication would have reduced the risk of this ransomeware attack materializing. Its critical, part of the MFA policy to enforce time-limit for end-users and their trusted devices to re-authenticate, requiring them not only to validate themselves but also the identity of device trying to access critical systems/applications and data on the network. Applying enhanced MFA to the execution of critical actions particularly for IT and systems administrators would have reduce the associated risk further. Having logging in place and understanding logged events would support with the associated monitoring and alerting events. Worth considering the benefits of partnering with trusted third party providers for streamlining application access and managing end-use/device identity as another control. These are the risk-reduction controls. After the event has happened Crisis Management comes is critical for successfully managing ransomware attack to reduce business impact and consequences.