by midasuni 1214 days ago
I don’t get why any user has the ability to cause so much damage. Sure they can lock their own files out and need to restore from backup, but how can that knock out other departments, let alone things like email?
4 comments

When ransomware attacks began, it was more typical to see the blast radius centered around a single user who did something stupid, like run an exe or enable macros.

But that’s not how it’s done on these large enterprise networks. Ransomware gangs will still use single user entry points, but the hackers will work quietly inside the network to escalate privileges and determine key servers that should be targeted first.

I'm a penetration tester. When the client gives me a Windows laptop with low privilege credentials, I'm typically domain admin by lunchtime. Sometimes even before I finish my first cup of coffee. As a domain admin I could encrypt almost any computer, often including the backups.

Privilege escalation in Windows Active Directory domains is really easy. Securing a large corporate network is really hard. Especially on a tight budget.

It's not any user, it's a ransomware attack. So it was intentionally done to limit their ability to work. Also, don't assume they had backups, or that these backups weren't also targeted.
Security is expensive.
surely less expensive than the fallout from this
Prevention is orders of magnitude less expensive than dealing with the fallout from an eventually inevitable attack.

The tragedy is that in the absence of attacks, local governments don't always allocate the necessary funds to employing competent admins who take a proactive approach to security.

Even more importantly, these admins need to be given authority to block attempts at lowering defenses in the name of convenience or "money-saving".

The problem is that lowering security expenditure is a good gamble for managers/executives: Chances are it will take a while before things blow up.

In the meantime, you get the credit for "saving money", you will get promoted, perhaps move to another company, and the bomb will explode in the hands of your successor.

Here the solution is personal liability, including CEO and board of directors.
True, but not always. Also, until something happens nobody would approve budget anyway. Exceptions from this rule are rare.
Depends, but usually the problem is that it is difficult to properly assess the probability of a successful attack and to get decision makers to believe that number.