Ransomware Actors Use Consistent Playbooks to Cripple Defenses and Delete Backups
An intrusion monitored by Huntress revealed a ransomware operation using a consistent, heavily reused playbook whose aim is to impair system defenses, by tampering with Microsoft Defender and removing backups, before encrypting. In this incident the attackers gained access via Remote Desktop Protocol (RDP) and immediately began executing commands to disable defenses, including modifying Windows Defender settings and removing volume shadow copies. Despite their speed, the intrusion was detected and halted before ransomware execution could complete, which shows why defenders need to recognize adversary behaviors rather than wait for the final payload. “The playbook launches a comprehensive barrage of configuration changes targeting Microsoft Defender’s operations,” report Huntress researchers Dray Agha and Matt Anderson. The observed activity mirrors behavior seen in earlier ransomware incidents, demonstrating how adversaries continue to reuse known scripts, including one publicly available since at least 2021.
The attack sequence started with lateral movement via Windows Management Instrumentation (WMI): “wmiprvse.exe” launched “powershell.exe” to execute “Get-WmiObject Win32_Shadowcopy | Remove-WmiObject,” which deletes every Volume Shadow Copy on the host. With no snapshots left, files cannot be rolled back locally after encryption, so this step clears the way for ransomware deployment. The script then issued a series of “reg add” and “schtasks /Change” commands to disable Windows Defender functionality, logging, and scheduled tasks. Registry changes included disabling “Real-Time Protection,” “Behavior Monitoring,” and “Cloud-Based Protection,” while Defender’s own ETW telemetry through the “DefenderApiLogger” and “DefenderAuditLogger” autologger sessions was shut down by setting their Start values to “0.” Additionally, system tray icons and context menu options for Defender were removed, eliminating visual indicators for users and administrators. As the researchers describe it: “They systematically dismantle supporting features by setting policies to disable behavior monitoring, turn off cloud-based protection like ‘Block at First Seen,’ and prevent the system from sending suspicious samples back to Microsoft for analysis.”
The script evolved beyond legacy tooling, adding newer PowerShell-based tampering through “Set-MpPreference” to change how Defender handles what it does detect. Default responses for high- and moderate-severity threats were set to “Allow” (6), effectively telling Defender to ignore detections. Other commands disabled scanning of compressed (archive) files, script scanning, and the Controlled Folder Access feature. Boot-level defenses were also targeted: “bcdedit /set {current} disableelamdrivers yes” disabled Early Launch Anti-Malware drivers, while registry and service deletions neutralized Microsoft Defender for Endpoint (MDE) and System Guard telemetry. Network profiles were reclassified to “Private” using “Set-NetConnectionProfile,” which applies the less restrictive Private firewall profile and eases lateral movement. Attempts to run the ransomware binary “C:\Temp\file.exe” were detected and blocked by Huntress, but the adversary’s script displayed a clear progression in tradecraft, showing not only how playbooks persist but how they are iteratively refined across campaigns. This incident reinforces the need for persistent monitoring of registry tampering, PowerShell-based Defender reconfiguration, and shadow copy deletions.
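The tampering described in the two paragraphs above leaves durable traces on the host: policy registry values, silenced autologgers, changed Defender preferences, disabled scheduled tasks, a BCD flag, a downgraded network profile and an empty shadow copy store. The following PowerShell audit is an added example written for this page, not Huntress’s tooling or the attacker’s script. It assumes an elevated session on a Windows 10 / Server 2016 or later host with the Defender, ScheduledTasks and NetConnection modules available; the registry paths and Get-MpPreference property names are Microsoft’s documented ones, and it checks a few closely related values (for example DisableAntiSpyware and DisableIOAVProtection) that the article does not list by name. The "bad" values encode the tampered state the playbook sets, so each line of output is one indicator to investigate.

```powershell
# Added example (not Huntress code): audit one Windows host for the Defender-tampering
# state the playbook above leaves behind. Run in an elevated PowerShell session.
function Test-DefenderTampering {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Policy registry values written by the "reg add" commands. Bad is the value the
    #    playbook sets (1 = disabled, SpynetReporting 0 = cloud off, SubmitSamplesConsent 2 = never send).
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $auto   = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger'
    $regChecks = @(
        @{ Path = $policy;                        Name = 'DisableAntiSpyware';        Bad = 1 }
        @{ Path = "$policy\Real-Time Protection"; Name = 'DisableRealtimeMonitoring'; Bad = 1 }
        @{ Path = "$policy\Real-Time Protection"; Name = 'DisableBehaviorMonitoring'; Bad = 1 }
        @{ Path = "$policy\Real-Time Protection"; Name = 'DisableIOAVProtection';     Bad = 1 }
        @{ Path = "$policy\Spynet";               Name = 'SpynetReporting';           Bad = 0 }
        @{ Path = "$policy\Spynet";               Name = 'SubmitSamplesConsent';      Bad = 2 }
        # ETW autologger sessions that feed Defender's event log; Start = 0 silences them
        @{ Path = "$auto\DefenderApiLogger";      Name = 'Start';                     Bad = 0 }
        @{ Path = "$auto\DefenderAuditLogger";    Name = 'Start';                     Bad = 0 }
    )
    foreach ($c in $regChecks) {
        $val = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if ($null -ne $val -and $val -eq $c.Bad) {
            $findings.Add("registry: $($c.Path)\$($c.Name) = $val")
        }
    }

    # 2. Live Defender preferences, i.e. what Set-MpPreference changed. On the
    #    *ThreatDefaultAction properties the value 6 means Allow: detections are ignored.
    $mp = Get-MpPreference
    foreach ($p in 'LowThreatDefaultAction', 'ModerateThreatDefaultAction',
                   'HighThreatDefaultAction', 'SevereThreatDefaultAction') {
        if ([int]$mp.$p -eq 6) { $findings.Add("MpPreference: $p = Allow (6)") }
    }
    foreach ($p in 'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring', 'DisableScriptScanning',
                   'DisableArchiveScanning', 'DisableBlockAtFirstSeen', 'DisableIOAVProtection') {
        if ($mp.$p) { $findings.Add("MpPreference: $p = True") }
    }
    if ($mp.MAPSReporting -eq 0)        { $findings.Add('MpPreference: MAPSReporting = Disabled (cloud protection off)') }
    if ($mp.SubmitSamplesConsent -eq 2) { $findings.Add('MpPreference: SubmitSamplesConsent = NeverSend') }
    # Controlled Folder Access is off by default on many hosts; a finding only if your baseline enables it.
    if ($mp.EnableControlledFolderAccess -eq 0) {
        $findings.Add('MpPreference: Controlled Folder Access disabled (compare to baseline)')
    }

    # 3. Defender's own scheduled tasks, the targets of "schtasks /Change /Disable"
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' -ErrorAction SilentlyContinue |
        Where-Object State -eq 'Disabled' |
        ForEach-Object { $findings.Add("schtasks: '$($_.TaskName)' is disabled") }

    # 4. Boot-level: "bcdedit /set {current} disableelamdrivers yes" shows in the current BCD entry.
    #    The braces are quoted so PowerShell passes them to bcdedit instead of parsing a script block.
    $bcd = & bcdedit /enum '{current}' 2>$null
    if ($bcd -match 'disableelamdrivers\s+Yes') { $findings.Add('bcdedit: disableelamdrivers = Yes') }

    # 5. Network profile downgraded to Private (the less restrictive firewall profile).
    #    Normal on a home machine, suspicious on a domain-joined server.
    Get-NetConnectionProfile | Where-Object NetworkCategory -eq 'Private' |
        ForEach-Object { $findings.Add("network: '$($_.Name)' on $($_.InterfaceAlias) is Private (compare to baseline)") }

    # 6. Context: a host that normally keeps VSS snapshots but now has none is consistent with
    #    "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject" having run.
    $shadowCount = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
    if ($shadowCount -eq 0) { $findings.Add('vss: no shadow copies present on this host') }

    return $findings
}

# Usage: one indicator per line; no output means none of the checks fired.
Test-DefenderTampering | ForEach-Object { "[!] $_" }
```

The function returns the findings rather than printing them so it can be run across a fleet (for example through Invoke-Command) and the results collected centrally. Two of the checks (Controlled Folder Access and the Private profile) are only meaningful against a known-good baseline, which is why they are labelled that way in the output; the remaining checks match values no legitimate administrator sets on a protected host.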