
Ransomware Readiness 2026: Defeating BYOVD, AD CS Escalation, and Hypervisor Encryption

Modern ransomware bypasses EDR via vulnerable drivers and leverages Active Directory Certificate Services for domain dominance. Here is the technical blueprint for resilience.


Yasser Al Siyabi

Lead Offensive Security

January 30, 2026 · 3 min read

Ransomware is an Infrastructure Problem, Not a Malware Problem

The narrative that ransomware is merely malicious software executed by a careless user is fundamentally outdated. In 2026, ransomware is a highly targeted, manual intrusion operation (Human-Operated Ransomware). Affiliates utilize legitimate administrative tools (Living off the Land) to navigate the network, escalate privileges, and mass-deploy encryption.

Defending against this requires deep technical hardening of your core infrastructure: Windows Active Directory and the Hypervisor layer.

[Figure: NeoSec visual, ransomware campaign timeline and response pressure]

Advanced Affiliate Tactics

1. EDR Evasion via BYOVD (Bring Your Own Vulnerable Driver)

Endpoint Detection and Response (EDR) agents do most of their work in user mode (Ring 3), but their visibility depends on kernel-mode (Ring 0) telemetry: ETW-Ti (Event Tracing for Windows - Threat Intelligence) and the kernel callbacks registered by the sensor's driver.

To bypass this, attackers drop digitally signed, but vulnerable, legitimate drivers (e.g., older versions of anti-cheat software or hardware monitoring tools). They use exploits against these drivers (BYOVD) to read/write arbitrary kernel memory. This allows them to patch the EDR's kernel callbacks, effectively blinding the sensor without crashing the service. The EDR reports "Healthy" to the console while the attacker operates invisibly.

Defense: Enforce strict Windows Defender Application Control (WDAC) blocklists for known vulnerable drivers and enable Hypervisor-Protected Code Integrity (HVCI).
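The following PowerShell is an added example (not code from the original article or from NeoSec) that checks the two controls above on a local host: whether HVCI is actually running, whether WDAC enforcement is on, and whether Microsoft's vulnerable driver blocklist is enabled. It also hashes every running driver and compares it against a caller-supplied SHA-256 list, so you can verify that nothing on your own blocklist is currently loaded. The Win32_DeviceGuard class and the CI\Config registry value are documented Windows interfaces; the hash list you pass in is assumed to come from your own WDAC policy or driver blocklist feed.

```powershell
# Added example, not from the original article. Requires an elevated session on
# Windows 10/11 or Server 2019+ where the DeviceGuard WMI class is present.

function Get-DriverHardeningStatus {
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard

    # SecurityServicesRunning is a list: 1 = Credential Guard, 2 = HVCI (memory integrity).
    $hvciRunning = $dg.SecurityServicesRunning -contains 2

    # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit only, 2 = enforced.
    $wdac = switch ([int]$dg.CodeIntegrityPolicyEnforcementStatus) {
        0 { 'Off' } 1 { 'Audit' } 2 { 'Enforced' } default { 'Unknown' }
    }

    # Microsoft's vulnerable driver blocklist is toggled by this CI value (1 = on);
    # it is on by default with HVCI on Windows 11 22H2+, older builds must set it.
    $ciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $bl = (Get-ItemProperty -Path $ciKey -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable

    [pscustomobject]@{
        HVCIRunning               = $hvciRunning
        WDACEnforcement           = $wdac
        VulnerableDriverBlocklist = ($bl -eq 1)
    }
}

function Find-LoadedBlocklistedDrivers {
    # $BlockedSha256: hashes from your own WDAC deny rules / blocklist feed (placeholder input).
    param([Parameter(Mandatory)][string[]]$BlockedSha256)

    $blocked = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]($BlockedSha256 | ForEach-Object ToUpper))

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise the kernel-style paths WMI returns (\??\C:\..., \SystemRoot\..., system32\...).
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot
            if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }

            if (Test-Path -LiteralPath $path) {
                $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                if ($blocked.Contains($hash)) {
                    [pscustomobject]@{ Name = $_.Name; Path = $path; Sha256 = $hash }
                }
            }
        }
}

# Usage:
#   Get-DriverHardeningStatus
#   Find-LoadedBlocklistedDrivers -BlockedSha256 (Get-Content .\blocked-driver-hashes.txt)
```

A host where HVCIRunning is false or WDACEnforcement is not "Enforced" is one on which a signed-but-vulnerable driver can still be loaded; the second function is the quick post-incident check that none of the drivers you already deny is resident right now.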

2. Domain Dominance via AD CS (Active Directory Certificate Services)

Attackers have shifted away from noisy techniques like Kerberoasting or DCSync. Instead, they target AD CS misconfigurations (specifically ESC1 through ESC8).

If a certificate template allows client authentication and permits the enrollee to specify the Subject Alternative Name (SAN), an attacker with a low-privileged account can request a certificate masquerading as a Domain Admin. They then use this certificate to request a Ticket Granting Ticket (TGT) via PKINIT, achieving instant Domain Admin privileges.

Defense: Audit all published certificate templates. Remove the ENROLLEE_SUPPLIES_SUBJECT flag on templates used for authentication. Enforce EPA (Extended Protection for Authentication) to mitigate NTLM relay attacks against the web enrollment endpoints.
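The audit above can be scripted. The PowerShell below is an added example (not the article's or NeoSec's own tooling) that enumerates the certificate templates in the Configuration partition and flags those matching the ESC1 preconditions described above: the enrollee may supply the subject (ENROLLEE_SUPPLIES_SUBJECT, bit 0x1 of msPKI-Certificate-Name-Flag), the template permits an authentication EKU (or no EKU at all), no manager approval is required, and no authorized signature is required. It assumes the ActiveDirectory module and read access to the Configuration naming context; the flag bits and OIDs are the documented ones.

```powershell
# Added example, not from the original article. Requires the ActiveDirectory module.

$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS        = 0x2   # msPKI-Enrollment-Flag: CA manager approval

# EKUs that allow a certificate to be used for domain authentication.
$AuthenticationEkus = @(
    '1.3.6.1.5.5.7.3.2',        # Client Authentication
    '1.3.6.1.5.2.3.4',          # PKINIT Client Authentication
    '1.3.6.1.4.1.311.20.2.2',   # Smart Card Logon
    '2.5.29.37.0'               # Any Purpose
)

function Test-Esc1Template {
    # $Template: any object carrying the four AD attributes read below.
    param([Parameter(Mandatory)] $Template)

    $nameFlag   = [int]$Template.'msPKI-Certificate-Name-Flag'
    $enrollFlag = [int]$Template.'msPKI-Enrollment-Flag'
    $signatures = [int]$Template.'msPKI-RA-Signature'
    $ekus       = @($Template.pKIExtendedKeyUsage)

    $enrolleeSuppliesSubject = ($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    $requiresApproval        = ($enrollFlag -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
    # An empty EKU list is treated by AD as "all purposes", so it is authentication-capable too.
    $authCapable = ($ekus.Count -eq 0) -or
                   (@($ekus | Where-Object { $AuthenticationEkus -contains $_ }).Count -gt 0)

    return ($enrolleeSuppliesSubject -and $authCapable -and
            -not $requiresApproval -and $signatures -eq 0)
}

function Get-Esc1CandidateTemplates {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

    Get-ADObject -SearchBase $base -Filter { objectClass -eq 'pKICertificateTemplate' } `
        -Properties 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag',
                    'msPKI-RA-Signature', 'pKIExtendedKeyUsage' |
        Where-Object { Test-Esc1Template $_ } |
        Select-Object Name,
            @{ N = 'NameFlag';   E = { '0x{0:X}' -f [int]$_.'msPKI-Certificate-Name-Flag' } },
            @{ N = 'EnrollFlag'; E = { '0x{0:X}' -f [int]$_.'msPKI-Enrollment-Flag' } },
            @{ N = 'EKUs';       E = { ($_.pKIExtendedKeyUsage -join ', ') } }
}

# Usage:  Get-Esc1CandidateTemplates | Format-Table -AutoSize
```

Two conditions are deliberately left to a follow-up review because they live outside the template object: whether a low-privileged principal holds Enroll rights on the template's ACL, and whether the template is actually published on a CA (the certificateTemplates attribute of the pKIEnrollmentService object). A template that appears in this list and passes both of those checks is an ESC1 finding; the remediation is the one the article gives, clearing ENROLLEE_SUPPLIES_SUBJECT or requiring manager approval.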

3. Hypervisor and Storage Subsystem Encryption

Why encrypt individual Windows VMs when you can encrypt the datastore? Groups like BlackBasta and LockBit heavily target VMware ESXi and Microsoft Hyper-V infrastructure.

Attackers dump credentials from vCenter, SSH into ESXi hosts, terminate all running VMs using esxcli vm process kill, and execute compiled Linux ELF binaries to encrypt the underlying .vmdk files.

Defense: ESXi management interfaces must be isolated on dedicated VLANs with strict jump-box access. Implement vSphere Lockdown Mode and integrate ESXi shell authentication with centralized, MFA-backed identity providers.
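To verify the lockdown-mode part of that guidance across a fleet, the PowerCLI snippet below is an added example (not the article's own) that reports, for every host vCenter knows about, the lockdown mode and whether the SSH and ESXi Shell services are running, which are the two paths the attack chain above depends on once vCenter credentials are in hand. It assumes the VMware.PowerCLI module is installed and Connect-VIServer has already been run; LockdownMode, TSM-SSH and TSM are the vSphere API's own names.

```powershell
# Added example, not from the original article. Requires VMware.PowerCLI and an
# existing Connect-VIServer session against vCenter.

function Get-EsxiManagementExposure {
    foreach ($vmhost in Get-VMHost) {
        $services = Get-VMHostService -VMHost $vmhost

        [pscustomobject]@{
            Host         = $vmhost.Name
            # lockdownDisabled / lockdownNormal / lockdownStrict
            LockdownMode = $vmhost.ExtensionData.Config.LockdownMode
            SshRunning   = [bool]($services | Where-Object Key -eq 'TSM-SSH').Running
            ShellRunning = [bool]($services | Where-Object Key -eq 'TSM').Running
            # Hosts with shell/SSH enabled show a configuration warning; surface it too.
            ShellWarning = [bool]($vmhost.ExtensionData.Runtime.InMaintenanceMode -eq $false -and
                                  ($services | Where-Object { $_.Key -in 'TSM','TSM-SSH' -and $_.Running }))
        }
    }
}

# Report hosts that are not locked down or still have SSH/Shell running.
function Get-EsxiFindings {
    Get-EsxiManagementExposure | Where-Object {
        $_.LockdownMode -eq 'lockdownDisabled' -or $_.SshRunning -or $_.ShellRunning
    }
}

# Usage:  Get-EsxiFindings | Format-Table -AutoSize
```

Strict lockdown mode closes the direct-to-host route entirely (the DCUI is disabled and all management goes through vCenter); normal lockdown still permits the DCUI for users on the exception list. Either way, SSH should be off except during a change window, and the jump-box and MFA controls the article describes are what make the remaining vCenter path defensible.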

The Resilience Architecture

If the attacker achieves Domain Admin, you must assume all domain-joined assets are compromised—including your backup servers.

  1. Air-Gapped and Immutable Storage: Backups must reside on storage arrays that do not share underlying authentication with the primary Active Directory. Implement hardware-level WORM (Write Once, Read Many) locks (e.g., AWS S3 Object Lock, physical tape, or immutable SAN snapshots).
  2. Tiered Administration (Tier 0 Isolation): Domain Controllers, PKI infrastructure, and virtualization management must be classified as Tier 0. Tier 0 administrators must use dedicated Privileged Access Workstations (PAWs) with no internet access. A credential used on a standard workstation must never have logon rights to a Tier 0 asset.
  3. Out-of-Band Recovery Runbooks: During a full encryption event, you will have no email, no Slack, and no domain authentication. Recovery procedures must be printed physically, and out-of-band communication channels (like Signal or WhatsApp external groups) must be pre-established.

In 2026, ransomware defense is won or lost in the architecture phase, long before the first malicious payload is ever executed.
