Back to Intelligence

ANSSI 2025 Report: Encryption-Based Attacks Targeting French SMBs — Defense and Detection Guide

SA
Security Arsenal Team
April 15, 2026
6 min read

The French National Cybersecurity Agency (ANSSI) recently released its 2025 metrics on the state of the cyber threat landscape. While the agency reports a welcome overall decline in encryption-based cyber incidents (ransomware) across the nation, the data highlights a persistent and alarming trend: French Small and Medium Businesses (SMBs) remain the organizations most targeted by these attacks.

For defenders, this is a critical indicator. The drop in high-profile enterprise breaches suggests that large organizations have hardened their perimeters, pushing threat actors downmarket to "softer" targets. SMBs often lack the 24/7 monitoring of a SOC or the robust backup architectures required to recover from encryption events. This post dissects the technical realities of these encryption-based attacks targeting SMBs and provides the detection signatures and hardening steps required to stop them.

Technical Analysis

The threat vector identified by ANSSI is predominantly encryption-based extortion, commonly known as ransomware. While the specific report covers the trend, the mechanics of the attacks targeting French SMBs rely on well-established TTPs (Tactics, Techniques, and Procedures) designed to bypass limited defenses.

  • Affected Products & Platforms: The primary targets are Windows-based environments (Server 2016/2019/2022 and Windows 10/11) prevalent in French SMBs. Linux-based virtualization hosts and file servers are secondary targets.
  • Attack Chain (SMB Context):
    1. Initial Access: Phishing credentials, exploitation of exposed RDP (TCP 3389), or unpatched VPN appliances.
    2. Execution: PowerShell scripts or malicious binaries dropped via the SMB protocol.
    3. Privilege Escalation: Exploiting "ZeroLogon" or PrintNightnight vulnerabilities (still prevalent in unpatched legacy environments) or valid credential abuse.
    4. Defense Evasion: Disabling Endpoint Detection and Response (EDR) tools via taskkill or Driver manipulation.
    5. Impact (Encryption): Utilization of legitimate OS tools like cipher.exe or vssadmin to delete backup snapshots before encrypting files.
  • Exploitation Status: Active. While ANSSI notes a statistical drop, the targeting of SMBs implies that commodity ransomware strains (e.g., LockBit, Akira, BlackCat) are successfully executing their encryption payloads.

Detection & Response

The following detection rules focus on the precursors to encryption—specifically the destruction of Volume Shadow Copies and the use of built-in Windows utilities for data wiping. These are high-fidelity indicators that an adversary is attempting to prevent recovery and prepare for encryption.

SIGMA Rules

YAML
---
title: Potential Ransomware Activity - VSS Shadow Copy Deletion
id: 8a8b8c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d
status: experimental
description: Detects attempts to delete Volume Shadow Copies using vssadmin or wmic, a common precursor to ransomware encryption to prevent recovery.
references:
  - https://attack.mitre.org/techniques/T1490/
author: Security Arsenal
date: 2025/04/01
tags:
  - attack.impact
  - attack.t1490
logsource:
  category: process_creation
  product: windows
detection:
  selection_vssadmin:
    Image|endswith: '\vssadmin.exe'
    CommandLine|contains: 'delete shadows'
  selection_wmic:
    Image|endswith: '\wmic.exe'
    CommandLine|contains: 'shadowcopy delete'
  condition: 1 of selection_*
falsepositives:
  - System administrators manually managing disk space (rare)
level: high
---
title: Potential Data Wiping via Cipher.exe
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects the use of cipher.exe to overwrite deleted data, often used by ransomware operators to make forensic recovery impossible.
references:
  - https://attack.mitre.org/techniques/T1485/
author: Security Arsenal
date: 2025/04/01
tags:
  - attack.impact
  - attack.t1485
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\cipher.exe'
    CommandLine|contains: '/w'
  condition: selection
falsepositives:
  - Legitimate secure disk wiping operations
level: high
---
title: Mass File Encryption via PowerShell
id: 2b3c4d5e-6f7a-8b9c-0d1e-2f3a4b5c6d7e
status: experimental
description: Detects PowerShell scripts attempting to encrypt files using .NET cryptography APIs, indicative of custom ransomware scripts.
references:
  - https://attack.mitre.org/techniques/T1486/
author: Security Arsenal
date: 2025/04/01
tags:
  - attack.impact
  - attack.t1486
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - 'System.Security.Cryptography.AesManaged'
      - 'System.Security.Cryptography.RijndaelManaged'
      - 'FileInfo.Extension'
  condition: selection
falsepositives:
  - Legitimate backup scripts or file management tools (verify source)
level: medium

KQL (Microsoft Sentinel)

This query hunts for the deletion of backup shadows and mass file modification patterns indicative of encryption.

KQL — Microsoft Sentinel / Defender
// Hunt for Shadow Copy Deletion and suspicious process behavior
DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName in~ ("vssadmin.exe", "wmic.exe", "cipher.exe")
| extend ProcessCommand = ProcessCommandLine
| where ProcessCommand contains_any ("delete shadows", "shadowcopy delete", "/w")
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommand
| order by Timestamp desc

Velociraptor VQL

Hunt for processes actively trying to disable system recovery or encrypt data.

VQL — Velociraptor
-- Hunt for ransomware precursor processes
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name =~ "vssadmin.exe" 
   OR Name =~ "wmic.exe"
   OR Name =~ "cipher.exe"
   OR Name =~ "powershell.exe"

-- Supplement with file system glob for common ransomware notes/extensions
SELECT FullPath, Size, Mtime
FROM glob(globs="C:\\Users\\\\*\\*.encrypted")
LIMIT 50

Remediation Script (PowerShell)

This script audits the critical security controls often missing in compromised SMB environments: RDP exposure and VSS health.

PowerShell
# Audit RDP and VSS Security Posture
Write-Host "[+] Starting Security Audit for Ransomware Prerequisites..." -ForegroundColor Cyan

# 1. Check if RDP is enabled
$rdpProperty = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name 'fDenyTSConnections' -ErrorAction SilentlyContinue
if ($rdpProperty.fDenyTSConnections -eq 0) {
    Write-Host "[!] WARNING: Remote Desktop (RDP) is ENABLED." -ForegroundColor Red
    Write-Host "    Recommendation: Disable RDP or enforce strict VPN/MFA access." -ForegroundColor Yellow
} else {
    Write-Host "[+] PASS: RDP is Disabled." -ForegroundColor Green
}

# 2. Check Volume Shadow Copy Service (VSS) Status
$vssService = Get-Service -Name VSS -ErrorAction SilentlyContinue
if ($vssService.Status -ne 'Running') {
    Write-Host "[!] WARNING: Volume Shadow Copy Service is not running." -ForegroundColor Red
    Write-Host "    Attempting to start VSS..." -ForegroundColor Yellow
    Start-Service VSS -ErrorAction SilentlyContinue
} else {
    Write-Host "[+] PASS: VSS Service is Running." -ForegroundColor Green
}

# 3. Check for recent Shadow Copies (Ensure backups exist)
try {
    $shadows = vssadmin list shadows 2>&1
    if ($shadows -match "No shadow copies found") {
        Write-Host "[!] WARNING: No Volume Shadow Copies found. System is vulnerable to permanent data loss." -ForegroundColor Red
    } else {
        Write-Host "[+] PASS: Existing Shadow Copies detected." -ForegroundColor Green
    }
} catch {
    Write-Host "[!] Could not query VSS state." -ForegroundColor Red
}

Write-Host "[+] Audit Complete." -ForegroundColor Cyan

Remediation

Based on the ANSSI findings and the TTPs observed in SMB targeting, immediate remediation and hardening steps are required:

  1. Disable Internet-Facing RDP: The number one vector for SMB ransomware. Disable Port 3389 at the firewall level immediately. If remote access is required, mandate the use of a VPN with Multi-Factor Authentication (MFA) or a Zero Trust Network Access (ZTNA) solution.
  2. Immutable Backups: ANSSI's report underscores the reliance on encryption. Attackers delete shadow copies. Implement immutable (WORM) storage for backups. This ensures that even if the domain admin is compromised, backup data cannot be deleted or encrypted.
  3. Patch Management: Prioritize patching for Exchange Server, VPN appliances (e.g., Fortinet, Pulse Secure), and Windows Print Spooler. SMBs often neglect these appliances.
  4. Phishing Resistance: Deploy MFA universally. Since SMBs may not have advanced AI email filtering, enforcing MFA is the single most effective control against credential harvesting.

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub

incident-responseransomwarebreach-responseforensicsdfiranssifrancesme-security

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action