Low
Moderate
Caution
High
Critical
Recent ransomware campaigns reveal a strategic shift in attacker behaviour -- targeting trusted control planes, the backbone systems responsible for detection, management, and recovery within enterprise environments. These include:
Endpoint Detection & Response (EDR) systems
Security Information & Event Management (SIEM) platforms
Active Directory (AD) domain controllers
Virtualisation infrastructure (hypervisors)
Backup and restore systems
Once compromised, these assets allow attackers to bypass defences, escalate privileges, and eliminate recovery options, thereby gaining full control and increasing the impact of the attack.
Protecting these critical systems must be prioritised as a core element of ransomware prevention and response readiness. NC4 strongly urges all organisations, especially those managing National Critical Information Infrastructure (NCII), to adopt hardened configurations, strong access controls, and continuous monitoring of these services.
The National Cyber Coordination and Command Centre (NC4) has observed increasing ransomware activity targeting trusted enterprise services and control planes including Endpoint Detection & Response (EDR), Security Information and Event Management (SIEM) platforms, Active Directory (AD), virtualization infrastructure, and backup systems. These components are critical for detecting, responding, and recovering from cyber incidents. Threat actors exploit them to disable defences, elevate privileges, and sabotage recovery mechanisms, thereby maximising operational disruption.
Recent incident forensics across multiple sectors revealed that ransomware affiliates are systematically compromising:
EDR Platforms – Agents are disabled or tampered with to evade detection.
SIEM Systems – Logging and alerting functions are bypassed or modified.
Active Directory Controllers – Used to gain domain-wide control.
Hypervisors – Virtualisation hosts are shut down to cripple services.
Backup Systems – Backup policies and data are deleted or encrypted.
Attackers are also leveraging configuration weaknesses such as shared credentials, lack of multi-factor authentication, and insufficient segmentation of administrative interfaces.
While IoCs may vary depending on the ransomware strain used, common artefacts include:
Unexplained disabling of EDR or anti-virus agents.
Missing or altered SIEM logs for critical systems.
Unexpected group membership changes in Active Directory.
Shutdown of virtual machines or hypervisors via abnormal admin activity.
Modification or deletion of backup policies or retention settings.
Note: Organisations are encouraged to monitor logs and SIEM data for anomalous access or configuration changes on control plane systems.
| Observed Ransomware TTP | MITRE ATT&CK Technique | Sub-Technique(s) | Contextual Notes |
|---|---|---|---|
| Disable EDR to operate stealthily | T1562 – Impair Defenses | T1562.001 – Disable or Modify Tools | Used to neutralize endpoint protection and evade detection. |
| Bypass SIEMs by tampering with log sources | T1070 – Indicator Removal on Host | T1070.001 – Clear Windows Event Logs; T1565.001 – Stored Data Manipulation: Log Tampering | Obfuscates adversary activity from security monitoring solutions. |
| Compromise Active Directory for domain-wide control | T1482 – Domain Trust Discovery; T1098 – Account Manipulation; T1078 – Valid Accounts | — | Enables lateral movement, persistence, and large-scale deployment of ransomware. |
| Shut down virtualization hosts to cripple IT ops | T1529 – System Shutdown/Reboot | Also relevant: T1490 – Inhibit System Recovery | Disrupts core infrastructure, increasing recovery time and business impact. |
| Encrypt or delete backups to prevent recovery | T1490 – Inhibit System Recovery; T1486 – Data Encrypted for Impact | — | Eliminates recovery options, coercing ransom payment by maximizing damage. |
To counter the growing risk of ransomware campaigns targeting trusted enterprise control planes, NC4 strongly recommends a defence-in-depth strategy. Organisations should implement comprehensive hardening measures at both the portal/interface and host/system levels across critical infrastructure components. Mitigation strategies are outlined below by control plane:
Portal-Level Hardening:
Enforce Multi-Factor Authentication (MFA): Mandate MFA for all administrative access, including web portals and command-line interfaces.
Implement Role-Based Access Control (RBAC): Assign roles based on the principle of least privilege; prohibit shared or generic admin accounts.
Monitor EDR Agent Integrity: Continuously detect and alert on agent tampering, removal, or unauthorised rule modifications.
Audit Administrative Access: Log all administrative actions and preserve audit logs to support incident investigation and accountability.
Host-Level Hardening:
Operating System (OS) Hardening: Disable non-essential services, apply security patches promptly (especially kernel-level), and configure systems per industry benchmarks (e.g., CIS).
Access Control Enforcement: Restrict direct login to backup and EDR hosts. Route access through PAM systems with full session recording.
Credential Hygiene: Require unique, non-shared admin credentials, enforce strong password policies, implement regular rotation, and apply granular access policies.
Lateral Movement Controls:
Group Policy Object (GPO) Firewall Rules: Block high-risk lateral communication protocols (SMB, RDP, WMI, WinRM) across non-administrative network segments. Apply rules based on the organisation’s tiered trust model.
Portal-Level Hardening:
Restrict Administrative Privileges: Limit dashboard, rule, and data source management access to authorised personnel only.
Mandate MFA and Network Restrictions: Enforce MFA and limit portal access to trusted network zones (e.g., VPN or dedicated VLANs).
Change and Access Auditing: Enable comprehensive logging of admin sessions, configuration changes, and access attempts.
Tampering Alerts: Set up detection for suspicious activities such as rule disabling, log source removal, or correlation rule modifications.
Host-Level Hardening:
Harden Host OS: Remove default accounts, disable unnecessary services, and apply OS patches regularly.
Log Protection: Enforce read-only storage for logs, and alert on deletion or tampering attempts.
Controlled Admin Access: Use PAM or bastion hosts for access with session logging. Apply strict RBAC policies to enforce least privilege.
Operational Role Segregation: Use dedicated accounts for log collection, system admin, and monitoring functions to prevent privilege escalation.
Firewall Enforcement: Restrict SIEM access to pre-approved IP addresses using host-based firewall rules.
Portal-Level Hardening:
Use Tier-0 Privileged Access Workstations (PAWs): Confine DC administration to secure, isolated PAWs to reduce exposure to malware and credential theft.
Implement MFA with Session Logging: Require MFA for all administrative logins and ensure forensic auditability.
Enforce JIT and JEA Models: Eliminate persistent administrative privileges through scoped, time-bound access tools (e.g., Microsoft LAPS, PIM, PAM).
Audit Directory Activities: Continuously log changes to directory configurations, group memberships, and privilege assignments.
Host-Level Hardening:
Domain Controller Security:
Disable legacy protocols (SMBv1, NTLM, LANMAN).
Apply RunAsPPL to protect the LSASS process from credential dumping.
Logging and Monitoring:
Enable auditing of logins, GPO changes, replication events, and directory access.
Monitor for GPO tampering or unauthorised modifications.
Network and Identity Controls:
Deny internet access to DCs and use dedicated admin accounts.
Enforce detection and alerting on dual-use violations of credentials.
Resilience Measures:
Backup SYSVOL and GPOs to offline or air-gapped media.
Isolate at least one FSMO role-holding Domain Controller for incident recovery.
Management Portal Hardening:
Access Controls: Enforce MFA and restrict access to management portals via dedicated secure networks.
Lockdown Mode: Disable local console/CLI access; mandate access only via central management tools.
Apply RBAC: Define distinct administrative roles (e.g., VM, storage, network) to limit privilege scope.
Audit Administrative Actions: Log all changes to VMs, configurations, and snapshots.
Host-Level Hardening:
Privileged Access Controls: Route all access through PAM or hardened jump servers. Disable direct root or shell access where possible.
Disable Redundant Features: Turn off clipboard sharing, USB passthrough, drag-and-drop, and similar features to reduce attack surface.
Patch Management: Regularly update firmware, hypervisor, and OS to prevent exploitation of known vulnerabilities.
Account Segregation: Assign separate privileged accounts for discrete responsibilities to contain lateral movement.
Threat Detection: Actively monitor for anomalous shell commands, API activity, and unauthorised remote access attempts.
Ransomware Contingency:
Immediately disconnect Active Directory integration if compromise is detected.
Maintain isolated emergency local admin accounts with strong, randomised passphrases for contingency access.
Portal-Level Hardening:
Secure Interfaces: Enforce MFA and RBAC for all backup portal users with strict time-bound access rights. Ensure interfaces are inaccessible from production networks.
Change Monitoring: Alert on any attempts to delete, suspend, or alter backup jobs, retention policies, or scheduling rules.
Comprehensive Audit Trails: Log all backup, restore, and configuration activities.
Host-Level Hardening:
System and Access Controls: Disable non-essential services, restrict remote login, and use PAM or bastion hosts for administrative sessions.
Credential Segmentation: Use distinct credentials for backup administration and system-level functions.
Resilient Backup Practices:
Maintain at least one immutable or air-gapped backup (e.g., WORM, S3 Object Lock).
Isolate backup systems using strict VLAN segmentation and firewalling.
Credential and Storage Hygiene:
Store emergency credentials securely offline.
Rotate service account credentials at least every 30 days.
Monitor continuously for backup policy tampering or deletion attempts and enforce immutable storage protections.
Organisations are advised to validate the effectiveness of their current security posture using the following steps:
Conduct red team or tabletop exercises simulating ransomware targeting control planes.
Audit privileged access to EDR, SIEM, AD, hypervisors, and backup systems.
Verify PAM (Privileged Access Management) enforcement and session recordings.
Review alerting mechanisms and confirm integrity of backup copies.
Validate firewall and segmentation rules through penetration testing.
All NCII entities are urged to report ransomware-related incidents immediately to NC4 to facilitate coordinated response and cross-sectoral threat intelligence sharing as per required under Cyber Security Act 2024 [Act 854].