The company has 80 hosts. Backups run via Veeam every night with a 14-day retention policy. Monday morning: accounting cannot open the 1C database, and file extensions on the file server have changed. After 40 minutes the picture is clear: the ransomware has walked through the file server, two domain controllers and the NAS holding the Veeam repository. The backup service account was a domain account with local administrator rights on the storage; the ransomware used it for lateral movement and encrypted the repository along with all production data.
The recovery took 11 days. The cost of downtime exceeded the ransom amount by four times.
This is not an extreme case. It is a typical scenario for SMB infrastructure without segmentation and immutable backups, and I see it again and again.
Business logic of attack: why small business is the priority goal of ransomware
According to Verizon DBIR 2025, the growth of ransomware incidents in the SMB segment was 18% year-on-year.
The attackers' logic is brutally simple. A large company means months of reconnaissance, a SOC with three shifts, and a legal department ready to negotiate. An SMB means RDP exposed to the Internet, one part-time sysadmin, and no EDR budget at all. The median ransom, according to the Verizon DBIR 2025, is $46,000, an amount an SMB owner is more likely to pay than to endure 21 days of downtime (the average downtime according to Halcyon). Groups like Qilin, Akira, Play and DragonForce, all among the most active according to ransomware.live, deliberately choose targets whose turnover is sufficient to pay the ransom but insufficient for proper layered protection.
For Russian business the financial context is sharpened by turnover-based fines for personal data leaks. If the ransomware exfiltrated the client base before encryption (and a significant share of attacks in 2025 includes an exfiltration stage, i.e. double extortion), the company takes a double hit: business downtime plus a regulatory fine. This is not a hypothetical risk but a concrete SMB cybersecurity risk assessment, which is worth translating into actual rubles.
Ransomware attack vectors: kill chain from initial access to encryption
A ransomware attack on an SMB is not a single event but a chain: initial access, lateral movement, exfiltration, Data Encrypted for Impact (T1486). Below are the three main entry vectors, mapped to TTPs.
Compromised Accounts and RDP
According to a number of industry reports, compromised VPN credentials are among the leading causes of ransomware attacks, often ahead of phishing and vulnerability exploitation.
Mechanics: an attacker buys VPN or RDP accounts from an Initial Access Broker (IAB) on an underground marketplace. Next comes entry via Valid Accounts (T1078, Initial Access). If RDP is exposed externally without MFA and Network Level Authentication, it is a matter of minutes. The CMU SEI, in its analysis of ransomware defense strategies, calls RDP the single most important attack vector.
In SMBs running Windows Server 2016/2019 without a modern EDR (CrowdStrike Falcon, SentinelOne, Elastic 8.x+), this vector remains dominant. The result is valid domain accounts in the attacker's hands, followed by lateral movement through legitimate administrative tools that raise no alerts, because to the SIEM it looks like normal sysadmin work.
Exploitation of perimeter vulnerabilities
The second vector is holes in perimeter devices. For SMBs this is a sore spot: the patch management cycle for perimeter equipment is often measured in months.
Specific examples from CISA KEV marked as used in ransomware campaigns:
• CVE-2024-40766 - SonicWall SonicOS, improper access control (CWE-284), CVSS 9.8 (CRITICAL). CVSS vector: AV:N/AC:L/PR:N/UI:N - network attack, no authentication, no user interaction. Affects SonicWall Gen 5, Gen 6 and Gen 7 with SonicOS 7.0.1-5035 and below. CISA added it to the KEV on September 9, 2024.
• CVE-2025-5777 - Citrix NetScaler ADC/Gateway, out-of-bounds read (CWE-125, CWE-908, CWE-457), CVSS 9.3 (CRITICAL on CVSS 4.0). Exploitable when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. Marked in CISA KEV as used in ransomware campaigns, added July 10, 2025. A public PoC exists on Exploit-DB (EDB-52401).
Both cases have one thing in common: SonicWall and Citrix NetScaler are standard SMB equipment in Russia, and organizations still do not patch the perimeter in time. Nothing has changed.
Phishing and Compromised Legitimate Hosts
According to the Verizon DBIR 2025, phishing remains the initial access vector in 36% of incidents, and 68% of breaches involve the human factor. IBM X-Force reports that generating phishing emails with GenAI has become 11.4 times faster at comparable quality. For an SMB with 50-200 employees and no security awareness training, one plausible email with an .xlsm attachment is a matter of days.
A separate problem is insider threats and compromised legitimate hosts. An employee whose laptop is infected with an infostealer becomes a vector himself: stolen cookies, RDP sessions and passwords saved in the browser go straight to the attacker. Then comes T1078 Valid Accounts, and the intrusion is indistinguishable from the user's normal activity. Without behavioral analysis (baseline anomalies), such attacks are not detected by a standard antivirus: it simply cannot tell that the "legitimate user" is no longer the same person.
Detection-checklist: Correlation rules for ransomware in SMB-network
The minimum detection stack for a small-business Blue Team is Sysmon (SwiftOnSecurity configuration, SwiftOnSecurity/sysmon-config) + Wazuh agents (open-source SIEM). What to monitor is listed below.
What to do with Sysmon and Wazuh
Key EventCodes for ransomware detection:
• Sysmon EventID 11 (FileCreate) - mass creation of files with atypical extensions (.lockbit, .akira, .encrypted). Correlation threshold: more than 50 events in 60 seconds from one ProcessId.
• Sysmon EventID 1 (ProcessCreate) - launch of vssadmin.exe delete shadows /all /quiet or wmic shadowcopy delete. Shadow copy removal is the standard step before encryption, T1490 (Inhibit System Recovery).
• Windows Security EventID 4625/4624 - a series of failed authentications followed by a successful logon. Threshold: more than 10 EventID 4625 in 5 minutes from one source IP, then EventID 4624. An indicator of RDP brute force.
• Sysmon EventID 3 (NetworkConnect) - an outbound connection from an atypical process on ports 443/8443 to a non-whitelisted IP. Possible C2 communication or exfiltration before encryption.
Example of a Wazuh rule alerting on shadow copy deletion (T1490):
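The two numeric thresholds above (more than 50 FileCreate events in 60 seconds from one ProcessId, and more than 10 EventID 4625 failures in 5 minutes from one source IP followed by a 4624) are easy to state but worth seeing as working correlation logic. The following Python is an added example, not code from the original post or from Wazuh; it runs both sliding-window checks over constructed Sysmon and Security events (timestamps, PIDs, IPs and paths are all made up).

```python
"""Sliding-window correlation for two ransomware indicators:
 - Sysmon EventID 11: >50 files with a ransomware extension in 60 s from one ProcessId
 - Security EventID 4625 x>10 in 5 min from one source IP, then EventID 4624 from that IP
All events below are constructed sample data, not real telemetry."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RANSOM_EXTENSIONS = (".lockbit", ".akira", ".encrypted")
T0 = datetime(2025, 1, 13, 8, 0, 0)  # constructed base timestamp


def detect_mass_file_create(events, threshold=50, window_s=60):
    """Return the set of ProcessIds that created more than `threshold` files with a
    ransomware-style extension inside any `window_s`-second window.
    Each event: {"ts": datetime, "event_id": 11, "pid": int, "path": str}."""
    per_pid = defaultdict(deque)   # pid -> timestamps inside the current window
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] != 11 or not ev["path"].lower().endswith(RANSOM_EXTENSIONS):
            continue
        q = per_pid[ev["pid"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > timedelta(seconds=window_s):
            q.popleft()            # drop timestamps that fell out of the window
        if len(q) > threshold:
            flagged.add(ev["pid"])
    return flagged


def detect_rdp_brute_force(events, threshold=10, window_s=300):
    """Return source IPs with more than `threshold` EventID 4625 failures within
    `window_s` seconds that are then followed by an EventID 4624 success.
    Each event: {"ts": datetime, "event_id": 4625 or 4624, "src_ip": str}."""
    failures = defaultdict(deque)  # src_ip -> recent failure timestamps
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = failures[ev["src_ip"]]
        while q and ev["ts"] - q[0] > timedelta(seconds=window_s):
            q.popleft()
        if ev["event_id"] == 4625:
            q.append(ev["ts"])
        elif ev["event_id"] == 4624 and len(q) > threshold:
            flagged.add(ev["src_ip"])   # success right after a burst of failures
    return flagged


def sample_sysmon_events():
    """Constructed: PID 4242 writes 60 .lockbit files in 30 s; PID 1001 writes 5 normal files."""
    evs = [{"ts": T0 + timedelta(seconds=i // 2), "event_id": 11, "pid": 4242,
            "path": "\\\\fs01\\share\\doc%d.xlsx.lockbit" % i} for i in range(60)]
    evs += [{"ts": T0 + timedelta(seconds=i), "event_id": 11, "pid": 1001,
             "path": "C:\\Users\\anna\\report%d.docx" % i} for i in range(5)]
    return evs


def sample_security_events():
    """Constructed: 203.0.113.7 fails 12 times in 2 min then logs on; 192.0.2.5 fails 3 times then logs on."""
    evs = [{"ts": T0 + timedelta(seconds=10 * i), "event_id": 4625, "src_ip": "203.0.113.7"} for i in range(12)]
    evs.append({"ts": T0 + timedelta(seconds=130), "event_id": 4624, "src_ip": "203.0.113.7"})
    evs += [{"ts": T0 + timedelta(seconds=10 * i), "event_id": 4625, "src_ip": "192.0.2.5"} for i in range(3)]
    evs.append({"ts": T0 + timedelta(seconds=40), "event_id": 4624, "src_ip": "192.0.2.5"})
    return evs


if __name__ == "__main__":
    print("mass FileCreate PIDs:", detect_mass_file_create(sample_sysmon_events()))
    print("RDP brute-force IPs:", detect_rdp_brute_force(sample_security_events()))
```

The sliding deque keeps memory bounded per key, which matters when a file server emits thousands of EventID 11 records per second during encryption; a naive "count in the last minute" query against the full log would not keep up.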
XML (goes into local_rules.xml; the regex must stay on one line inside the field tag, otherwise the surrounding whitespace becomes part of the pattern):
<group name="local,windows,sysmon,">
  <rule id="100510" level="14">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)vssadmin.*delete.*shadows|wmic.*shadowcopy.*delete</field>
    <description>Ransomware indicator: shadow copy deletion</description>
    <group>ransomware,t1490,</group>
  </rule>
</group>
Sigma rules and canary files
In the SigmaHQ repository (SigmaHQ/sigma), 17 rules are available under the tag T1486 (Data Encrypted for Impact). The three most practical for SMB:
• file_rename_win_ransomware.yml - detects mass renaming of files with extension patterns characteristic of ransomware.
• image_load_dll_rstrtmgr_suspicious_load.yml - tracks suspicious loading of rstrtmgr.dll. Ransomware uses the Restart Manager API to release file locks before encryption; this IOC is characteristic of LockBit, BlackCat and their derivatives.
• av_ransomware.yml - correlation of antivirus alerts with signatures of well-known ransomware families.
Under the tag T1078 (Valid Accounts), 116 rules are available, including proc_creation_win_net_use_password_plaintext.yml, which detects a password passed in cleartext via net use, often used in lateral movement.
To validate the detection rules, use the Atomic Red Team tests (redcanaryco/atomic-red-team). For T1486 there are three tests: PureLocker Ransom Note, Data Encrypted with GPG4Win and Data Encrypt Using DiskCryptor; all run on Windows.
An additional measure with minimal cost is Canary Files (D3-DF, Decoy File in MITRE D3FEND): on each network share, create a decoy file (e.g. _BUDGET_2025_final.xlsx) and configure an alert on any change to it through Wazuh File Integrity Monitoring (D3-FIM). An encryptor processes files sequentially, so the canary fires before the entire share is encrypted. Cheap, cheerful, and it works.
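To show what the canary-file check actually looks at, here is an added Python example (not from the original post and not Wazuh FIM itself) that plants the decoy named above, records a baseline hash, and classifies the three things an encryptor typically does to it: overwrite it in place, rename it with a new extension, or delete it. The share directory and the decoy contents are constructed.

```python
"""Canary (decoy) file check in the spirit of D3FEND D3-DF / D3-FIM.
Records a baseline SHA-256 for the decoy and reports any change to it.
Added example; the share path and decoy contents are constructed."""
import hashlib
import os
import tempfile
from pathlib import Path

CANARY_NAME = "_BUDGET_2025_final.xlsx"   # decoy name taken from the text above


def sha256_of(path):
    """Stream the file through SHA-256 so large decoys do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_canary(share_dir):
    """Create the decoy in `share_dir`; return (path, baseline_hash)."""
    path = Path(share_dir) / CANARY_NAME
    path.write_bytes(b"PK\x03\x04 decoy spreadsheet, do not edit\n")  # constructed filler
    return str(path), sha256_of(path)


def check_canary(share_dir, baseline_hash):
    """Return (status, detail) where status is 'ok', 'modified', 'renamed' or 'missing'."""
    share = Path(share_dir)
    path = share / CANARY_NAME
    if path.is_file():
        if sha256_of(path) == baseline_hash:
            return "ok", str(path)
        return "modified", str(path)          # overwritten in place
    # encryptors commonly append their own extension to the original file name
    for p in share.iterdir():
        if p.name.startswith(CANARY_NAME) and p.name != CANARY_NAME:
            return "renamed", p.name
    return "missing", str(path)


def demo():
    """Run the full cycle in a temporary directory; returns the statuses observed."""
    with tempfile.TemporaryDirectory() as d:
        path, baseline = plant_canary(d)
        seen = [check_canary(d, baseline)[0]]          # untouched -> ok
        with open(path, "ab") as f:                     # simulate in-place overwrite
            f.write(b"\x00" * 16)
        seen.append(check_canary(d, baseline)[0])       # -> modified
        os.rename(path, path + ".lockbit")              # simulate rename by an encryptor
        seen.append(check_canary(d, baseline)[0])       # -> renamed
        os.remove(path + ".lockbit")
        seen.append(check_canary(d, baseline)[0])       # -> missing
    return seen


if __name__ == "__main__":
    print(demo())
```

In production the check runs from a scheduled task on the file server (or Wazuh FIM does the equivalent), and any status other than "ok" should page someone: the decoy has no legitimate readers, so there is no benign explanation for a change.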
Backup strategy from ransomware: immutable repository or nothing
The 3-2-1 rule (three copies, two types of media, one offsite) is the minimum. But for SMBs, where Veeam is the de facto standard, one specific configuration is critical: an immutable repository.
Environment requirements
• OS: Ubuntu 22.04 LTS or Debian 12 (supported for Veeam Linux Hardened Repository)
• RAM: at least 4 GB for service; storage volume - according to business needs
• File system: XFS (required for immutability in Veeam)
• Network: isolated VLAN, SSH only from a jump host, a dedicated allow-list of IPs
Key principles
1. Linux Hardened Repository is a repository on a GNU/Linux host with immutability enforced at the file system level. The Veeam account has limited rights and cannot delete immutable backups even if the domain is compromised.
2. Non-domain account: backup credentials must be local accounts on a GNU/Linux host that is not joined to AD. This breaks the lateral movement chain.
3. Segmentation: the backup server sits behind pfSense/MikroTik in a separate VLAN.
Restore testing is quarterly. And not "we checked that the job finished green", but a full VM restore from the immutable copy, verifying that the OS boots and the data is accessible. In practice, companies discover problems with their backups during the incident, when it is too late to fix them.
Ransomware incident response playbook: the first 60 minutes
For an SMB, the IR plan is not a 40-page document but a one-page playbook, printed and lying next to the console. Framework mapping: NIST SP 800-53 IR-1 (Incident Response Policy) and CP-1 (Contingency Planning).
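Principle 1 above relies on the immutable attribute actually being set on every backup file, and the IR step at 10-30 minutes says to confirm it. The following Python is an added example (not from the original post and not a Veeam tool) that audits a repository by parsing lsattr -R output and listing backup files that lack the 'i' flag; the sample listing and its paths are constructed.

```python
"""Audit a Linux Hardened Repository for backup files missing the immutable ('i') attribute.
Parses `lsattr -R` output, so it works on a captured listing as well as live via subprocess.
Added example; the paths in SAMPLE_LISTING are constructed."""
import subprocess

# Veeam backup file types: full, incremental, reverse-incremental (assumed as the set worth auditing)
BACKUP_SUFFIXES = (".vbk", ".vib", ".vrb")


def parse_lsattr(text):
    """Yield (flags, path) for every file line in `lsattr -R` output.
    Directory headers such as '/backups/veeam:' and blank lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.endswith(":"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            yield parts[0], parts[1]


def files_missing_immutable(text):
    """Return backup files whose attribute string lacks the lowercase 'i' (immutable) flag.
    Uppercase 'I' (indexed directory) is a different attribute and is not matched."""
    return [path for flags, path in parse_lsattr(text)
            if path.lower().endswith(BACKUP_SUFFIXES) and "i" not in flags]


def audit_repository(repo_path):
    """Run lsattr -R on a live repository and return its non-immutable backup files.
    Run this on the repository host itself (e.g. over SSH from the jump host)."""
    out = subprocess.run(["lsattr", "-R", repo_path], capture_output=True, text=True, check=False)
    return files_missing_immutable(out.stdout)


# Constructed lsattr -R output: two files immutable, one incremental without the flag
SAMPLE_LISTING = """\
/backups/veeam:
----i---------e------- /backups/veeam/FS01D2025-01-10T220012.vbk
----i---------e------- /backups/veeam/FS01D2025-01-11T220014.vib
--------------e------- /backups/veeam/FS01D2025-01-12T220009.vib
--------------e------- /backups/veeam/.lock
"""


if __name__ == "__main__":
    for path in files_missing_immutable(SAMPLE_LISTING):
        print("NOT IMMUTABLE:", path)
```

An empty result from the live audit is the expected state during the immutability window; anything listed means the repository cannot be trusted to survive a domain compromise, and that finding belongs in the scale assessment at the 10-30 minute mark.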
0-10 minutes: isolation. Disconnect the infected host from the network (disable the port on the switch). Do not power off the machine: RAM contains artifacts. Block the compromised account: Disable-ADAccount -Identity <username>. If encryption is actively spreading, add a drop rule for inter-segment traffic on the firewall.
10-30 minutes: scope. Check the Wazuh dashboard: which hosts are generating alerts (mass file rename, shadow copy deletion). On an infected host via an isolated console: Get-Process | Where-Object {$_.CPU -gt 50} to find the process consuming CPU (encryption is resource-intensive). Check the integrity of the immutable repository: connect to the GNU/Linux host and make sure the immutable flags are in place.
30-60 minutes: containment and notification. Artifact collection: Velociraptor for remote forensic triage, with automatic collection of Prefetch, Amcache, ShimCache, MFT and Windows Event Logs. Assessment for management: what is encrypted, whether there are signs of exfiltration (Sysmon EventID 3 - atypical volumes of outbound traffic), and the state of the backups. If signs of a personal data leak are found, start the Roskomnadzor notification procedure.