Modern ransomware doesn't just encrypt the patient zero endpoint. It spends days or weeks silently mapping the network, harvesting credentials, and moving laterally to domain controllers and backup servers before detonating the payload globally.
Attackers rely on SMB (Port 445) for file shares, RDP (Port 3389) for remote administration, and WMI/WinRM for automated execution. If these protocols are allowed freely between user subnets and server subnets, the ransomware will spread instantly.
💡 Pro-tip: Implement 'Jump Hosts' or 'Bastion Servers' for RDP. Block direct RDP from user endpoints to servers. This forces the attacker to compromise the heavily monitored bastion before reaching the data.
```powershell
# PowerShell: Detecting abnormal SMB connections
Get-NetTCPConnection -LocalPort 445 | Where-Object {$_.State -eq 'Established'} | Select-Object RemoteAddress
```

This one-liner helps administrators quickly identify which remote IPs currently hold established connections to this host's SMB shares (port 445), aiding in the rapid isolation of infected hosts during an outbreak.
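Building on that one-liner, the following is an added example (not code from the original page) that checks established connections on the three lateral-movement ports against an allow-list of sources, so that a user-VLAN host talking to a server on 445, 3389 or 5985 stands out from the expected bastion traffic. The management subnet `10.0.99.0/24`, the sample addresses and the function names are constructed assumptions; the example handles IPv4 peers only.

```powershell
# Returns $true when $Ip (IPv4) falls inside the CIDR block $Cidr, e.g. '10.0.99.0/24'.
function Test-IpInCidr {
    param([string]$Ip, [string]$Cidr)
    $net, $prefix = $Cidr.Split('/')
    $ipB  = ([System.Net.IPAddress]::Parse($Ip)).GetAddressBytes()
    $netB = ([System.Net.IPAddress]::Parse($net)).GetAddressBytes()
    $prefix = [int]$prefix
    for ($i = 0; $i -lt 4; $i++) {
        # Number of prefix bits that cover this octet (0..8)
        $bits = [Math]::Min(8, [Math]::Max(0, $prefix - 8 * $i))
        if ($bits -eq 0) { break }
        $mask = (0xFF -shl (8 - $bits)) -band 0xFF
        if (($ipB[$i] -band $mask) -ne ($netB[$i] -band $mask)) { return $false }
    }
    return $true
}

# Flags established connections on the watched ports whose remote peer is not
# inside any allowed source subnet (assumed: only the bastion/admin VLAN may reach them).
function Find-SuspiciousLateralConnections {
    param(
        [Parameter(Mandatory)] $Connections,            # objects with LocalPort, RemoteAddress, State
        [string[]]$AllowedSources = @('10.0.99.0/24'),  # assumed bastion / management subnet
        [int[]]$WatchPorts = @(445, 3389, 5985)          # SMB, RDP, WinRM
    )
    $Connections |
        Where-Object { $_.State -eq 'Established' -and $WatchPorts -contains $_.LocalPort } |
        Where-Object { $_.RemoteAddress -match '^\d+\.\d+\.\d+\.\d+$' -and $_.RemoteAddress -ne '127.0.0.1' } |
        Where-Object {
            $src = $_.RemoteAddress
            -not ($AllowedSources | Where-Object { Test-IpInCidr -Ip $src -Cidr $_ })
        } |
        Select-Object RemoteAddress, LocalPort
}

# Constructed sample data standing in for the live output of:
#   Get-NetTCPConnection -LocalPort 445,3389,5985 -State Established
$sample = @(
    [pscustomobject]@{ LocalPort = 445;  RemoteAddress = '10.0.99.12'; State = 'Established' }  # bastion, expected
    [pscustomobject]@{ LocalPort = 445;  RemoteAddress = '10.0.20.57'; State = 'Established' }  # user VLAN -> server
    [pscustomobject]@{ LocalPort = 3389; RemoteAddress = '10.0.20.57'; State = 'Established' }  # user VLAN RDP
    [pscustomobject]@{ LocalPort = 445;  RemoteAddress = '10.0.20.58'; State = 'TimeWait' }     # not established
)
Find-SuspiciousLateralConnections -Connections $sample
```

On a live server, replace `$sample` with the `Get-NetTCPConnection` call shown in the comment; any row returned is a peer that the inter-VLAN ACLs should have blocked and is a candidate for immediate isolation.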
Proper microsegmentation acts as a circuit breaker. If a user endpoint is infected, the inter-VLAN ACLs block its attempts to scan the server subnet on port 445, containing the infection to a single broadcast domain and saving the enterprise.
⚠️ Backups are the #1 target for ransomware actors. Ensure backup servers are placed in an isolated, highly restricted management zone that is completely invisible to the standard user and server routing tables.
| Protocol | Risk | Mitigation |
|---|---|---|
| SMB (445) | Wormable spread | Block inter-VLAN |
| RDP (3389) | Credential theft | Force via Bastion |
| WinRM (5985) | Remote execution | Restrict to Admin VLANs |