October 12, 2023 at 07:28AM
Microsoft Defender for Endpoint successfully stopped a large-scale remote encryption attempt by the Akira ransomware group against an industrial organization in June 2023. The attack was launched from devices not protected by Microsoft Defender and included reconnaissance and lateral movement before the encryption attempt. Microsoft's automatic attack disruption feature prevented the breached accounts from accessing endpoints and limited the attackers' movement. Microsoft also reported thwarting lateral movement attempts against a medical research lab in August 2023.
According to the report, Microsoft stated that the user containment feature in Microsoft Defender for Endpoint prevented a large-scale remote encryption attempt by the Akira ransomware actors against an unnamed industrial organization in early June 2023. The attackers operated from devices that were not onboarded to Microsoft Defender for Endpoint and carried out reconnaissance and lateral movement before attempting to encrypt devices using a compromised user account. The new automatic attack disruption capability of Microsoft's endpoint security platform, however, blocked the breached accounts from accessing endpoints and other network resources, limiting the attacker's ability to move laterally. In a separate incident in August 2023, the platform disrupted lateral movement attempts against a medical research lab by detecting and containing compromised domain admin-level accounts, which are highly valuable to attackers. Microsoft emphasized that stopping an attack from progressing, even after initial access has been gained, is crucial to protecting environments that rely on traditional security mechanisms.