Intermediate

Hot Takes: Inside a Microsoft Ransomware Attack

The Marks & Spencer incident is a textbook example of how modern ransomware operations succeed by targeting identity infrastructure and virtualization hosts rather than individual endpoin...

This "loiter and harvest" behavior — spending significant time inside the network before taking disruptive action — mirrors tactics seen from other threat actors such as Volt Typhoon, although the motivations and follow-on actions differ (nation-state pre-positioning vs. criminal ransomware monetization).

The most consequential technical event in this attack was the exfiltration of the Active Directory database. Once an attacker has a copy of this database, they effectively hold "the keys to the kingdom": every account's password hash can be cracked or relayed offline, at leisure, without triggering account lockout policies or other live-network detections.

With cracked or replayed credentials in hand, the attackers were able to move laterally across the network largely undetected, because they were authenticating as legitimate accounts rather than exploiting a technical vulnerability at each hop. This is why credential-focused attacks against identity infrastructure are considered so much more dangerous than a single-host compromise: capturing the domain's credential material collapses the effort needed for lateral movement across the entire environment down to almost zero.

Sign in to read this course

A free account unlocks all 514 courses. 20 are readable without one.

What's inside

3 sections
  1. 1 Table of Contents
  2. 2 Module 1: Inside the M&S Ransomware Attack
  3. 3 Summary

More Security Hot Takes & Threat Intel courses

View all 21

Interested in this course?

Contact us to book it or get a custom training plan for your team.