SMB (Server Message Block) is the protocol ransomware operators most often use to move between Windows hosts. TCP port 445 carries file and printer sharing and much of the domain traffic between clients and servers, so it is almost always reachable inside a network. Ransomware affiliates do use perfectly legitimate SMB connections with stolen credentials, but they also lean on weakly configured servers and on behaviour inherited from older systems to move across a network quickly and quietly.
SMB remained the lateral-movement channel of choice for ransomware affiliates through 2025 and 2026, and a large part of the reason is that SMB is chatty and forgiving: a failed request is answered with a specific error, and each of those errors hands the attacker a piece of intelligence (and usually leaves the attack path open to try again).
A normal SMB exchange is a sequence of requests: negotiate a dialect, set up a session (authenticate), connect to a share (tree connect), open a file, read or write it, and close it. When any request fails, the server replies with an NTSTATUS code in the header of the response that says why. Because those codes are specific, an attacker who compares the code returned for one guess against the code for another learns which guesses were close, and uses that to gain access or to keep it.
Common SMB error codes abused:
1. STATUS_LOGON_FAILURE (0xC000006D): the generic logon rejection. Windows returns it for a bad username and for a bad password alike, so on its own it only tells the attacker that the guess was wrong.
2. STATUS_NO_SUCH_USER (0xC0000064) / STATUS_WRONG_PASSWORD (0xC000006A): the specific forms of the same failure. A server that returns these instead of the generic code leaks whether the username exists; the second one tells the attacker the username is valid and only the password was wrong.
3. STATUS_ACCOUNT_DISABLED / STATUS_ACCOUNT_LOCKED_OUT (0xC0000072 / 0xC0000234): the account exists but is disabled or locked out. Either way the name is confirmed, and the lockout code also tells the attacker that a lockout policy is in force and the threshold has been reached.
4. STATUS_ACCESS_DENIED (0xC0000022): on a tree connect, the share exists but this account may not use it; on a file open, the path exists but the requested access (write, for example) was refused. A share that does not exist returns STATUS_BAD_NETWORK_NAME (0xC00000CC) instead, so the two codes together enumerate share names.
5. STATUS_OBJECT_NAME_NOT_FOUND (0xC0000034): the requested file or directory does not exist on the share, a negative confirmation that narrows the search.
6. STATUS_NOT_SUPPORTED (0xC00000BB): returned to a negotiate that offers only dialects the server does not speak. A server that instead completes an SMBv1 negotiate still has the legacy dialect enabled.
An attacker can use these to:
1. Enumerate valid usernames, cheaply wherever no lockout policy is enforced on failed logons.
2. Map which shares exist on each host, including ones the current account cannot open.
3. Find writable locations in which to stage a payload.
4. Pivot to new hosts using the credentials and paths learned along the way.
Practical Applications Seen in Actual Instances of Attack
1. Collecting Usernames through SMB with Null Sessions and Invalid Passwords. Against port 445, an attacker tries to set up sessions using an anonymous (null) session or a list of username/password pairs. Where the server's responses differ for valid and invalid accounts (a specific NTSTATUS instead of the generic STATUS_LOGON_FAILURE, or an account-disabled or locked-out code), the attacker builds a list of valid usernames simply by sorting the guesses by the code the server returned.
2. Identifying Shares and Writable Locations. The attacker attempts a tree connect to the administrative and default shares (ADMIN$, C$, IPC$) and to common names such as Data or Backup. STATUS_ACCESS_DENIED confirms that a share exists but the current account lacks rights to it; STATUS_BAD_NETWORK_NAME means it does not exist on that host. Shares that do connect are then probed with file opens requesting write access: success marks a location where a payload can be dropped, while STATUS_ACCESS_DENIED on the open marks one that is read-only for this account.
3. Forcing SMB Version 1 (if still available). Before authenticating, the attacker sends an SMBv1 negotiate. A server that completes it still has the legacy dialect enabled, which means it may be exposed to EternalBlue-style exploitation (MS17-010) if unpatched, and in any case lacks the pre-authentication integrity and stronger signing of SMB 3.x.
4. NTLM Relay through SMB When Signing Is Not Required (Common Misconfiguration). If the target does not require SMB signing, an attacker who can coerce or intercept an NTLM authentication from one host can relay that challenge-response exchange to another host and be authenticated there as the victim, without knowing the password or cracking the hash. Relay does not depend on authentication being disabled; it abuses a normal authentication that the attacker forwards.
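The error-code table above and the enumeration walkthrough in steps 1 and 2 both come down to one skill: reading the NTSTATUS out of an SMB2 response and interpreting it in the context of the request it answers. The following is an added example written for this article (it is not tooling from Red Secure Tech or from any ransomware group). The 64-byte header layout, command numbers and NTSTATUS values are taken from MS-SMB2 and MS-ERREF; the response bytes are constructed here to stand in for a packet capture, the host and account names are made up, and the "inference" strings are this example's own wording of what each code tells the client.

```python
"""Parse SMB2 response headers and derive what an enumerating client learns.

Added example; not code from the article's author. Header layout, command
numbers and NTSTATUS values follow MS-SMB2 / MS-ERREF. The "capture" at the
bottom is constructed by hand.
"""
import struct
from dataclasses import dataclass

SMB2_HEADER = "<4sHHIHHIIQIIQ16s"  # ProtocolId .. Signature, little-endian (MS-SMB2 2.2.1.2)
SMB2_FLAGS_SERVER_TO_REDIR = 0x1  # set on every response

# Command codes (MS-SMB2 2.2.1.2)
NEGOTIATE, SESSION_SETUP, TREE_CONNECT, CREATE = 0x0000, 0x0001, 0x0003, 0x0005
COMMAND_NAMES = {NEGOTIATE: "NEGOTIATE", SESSION_SETUP: "SESSION_SETUP",
                 TREE_CONNECT: "TREE_CONNECT", CREATE: "CREATE"}

# NTSTATUS values (MS-ERREF 2.3.1)
STATUS_SUCCESS = 0x00000000
STATUS_ACCESS_DENIED = 0xC0000022
STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034
STATUS_NO_SUCH_USER = 0xC0000064
STATUS_WRONG_PASSWORD = 0xC000006A
STATUS_LOGON_FAILURE = 0xC000006D
STATUS_ACCOUNT_DISABLED = 0xC0000072
STATUS_NOT_SUPPORTED = 0xC00000BB
STATUS_BAD_NETWORK_NAME = 0xC00000CC
STATUS_ACCOUNT_LOCKED_OUT = 0xC0000234

# (command, status) -> conclusion. The same status means different things
# depending on which stage of the exchange returned it.
INFERENCES = {
    (NEGOTIATE, STATUS_NOT_SUPPORTED): "no common dialect; offered versions are not enabled",
    (SESSION_SETUP, STATUS_SUCCESS): "credentials accepted (or guest/anonymous allowed)",
    (SESSION_SETUP, STATUS_LOGON_FAILURE): "rejected; Windows uses this for bad user and bad password alike",
    (SESSION_SETUP, STATUS_NO_SUCH_USER): "username does not exist (server leaks the distinction)",
    (SESSION_SETUP, STATUS_WRONG_PASSWORD): "username exists, password wrong (server leaks the distinction)",
    (SESSION_SETUP, STATUS_ACCOUNT_DISABLED): "account exists and is disabled",
    (SESSION_SETUP, STATUS_ACCOUNT_LOCKED_OUT): "account exists and is locked out; lockout policy is active",
    (TREE_CONNECT, STATUS_SUCCESS): "share exists and this account can connect",
    (TREE_CONNECT, STATUS_ACCESS_DENIED): "share exists; this account lacks rights to it",
    (TREE_CONNECT, STATUS_BAD_NETWORK_NAME): "no such share on this host",
    (CREATE, STATUS_SUCCESS): "path exists and requested access was granted",
    (CREATE, STATUS_ACCESS_DENIED): "path exists; requested access (e.g. write) refused",
    (CREATE, STATUS_OBJECT_NAME_NOT_FOUND): "path does not exist on this share",
}


@dataclass
class Smb2Header:
    status: int
    command: int
    flags: int
    message_id: int
    tree_id: int
    session_id: int


def parse_smb2_header(data: bytes) -> Smb2Header:
    """Parse the fixed 64-byte header of a synchronous SMB2 message.

    Async responses (flag 0x2) carry an AsyncId where TreeId sits; none of the
    failure codes above need them, so they are rejected for simplicity.
    """
    if len(data) < struct.calcsize(SMB2_HEADER):
        raise ValueError("short SMB2 header")
    (proto, size, _charge, status, command, _credits, flags, _next,
     message_id, _reserved, tree_id, session_id, _sig) = struct.unpack_from(SMB2_HEADER, data)
    if proto != b"\xfeSMB" or size != 64:
        raise ValueError("not an SMB2 packet")
    if flags & 0x2:
        raise ValueError("async header not handled")
    return Smb2Header(status, command, flags, message_id, tree_id, session_id)


def build_response(command: int, status: int, message_id: int = 0,
                   tree_id: int = 0, session_id: int = 0) -> bytes:
    """Construct a header-only SMB2 response; the body does not affect the status."""
    return struct.pack(SMB2_HEADER, b"\xfeSMB", 64, 0, status, command, 1,
                       SMB2_FLAGS_SERVER_TO_REDIR, 0, message_id, 0, tree_id, session_id, b"\0" * 16)


def infer(hdr: Smb2Header) -> str:
    return INFERENCES.get((hdr.command, hdr.status),
                          f"unmapped {COMMAND_NAMES.get(hdr.command, hdr.command)} 0x{hdr.status:08X}")


def walk(responses):
    """Turn (probe label, raw response) pairs into (label, command, status, inference) rows."""
    rows = []
    for label, raw in responses:
        h = parse_smb2_header(raw)
        rows.append((label, COMMAND_NAMES.get(h.command, "?"), f"0x{h.status:08X}", infer(h)))
    return rows


# Constructed "capture": a low-privileged account probing one host (not real traffic).
PROBE = [
    ("setup as jsmith",           build_response(SESSION_SETUP, STATUS_SUCCESS, 1, session_id=0x11)),
    ("setup as nobody_here",      build_response(SESSION_SETUP, STATUS_LOGON_FAILURE, 2)),
    ("setup as svc_backup",       build_response(SESSION_SETUP, STATUS_ACCOUNT_LOCKED_OUT, 3)),
    ("tree \\\\host\\C$",         build_response(TREE_CONNECT, STATUS_ACCESS_DENIED, 4, session_id=0x11)),
    ("tree \\\\host\\Backup",     build_response(TREE_CONNECT, STATUS_BAD_NETWORK_NAME, 5, session_id=0x11)),
    ("tree \\\\host\\Public",     build_response(TREE_CONNECT, STATUS_SUCCESS, 6, tree_id=7, session_id=0x11)),
    ("create Public\\drop.exe W", build_response(CREATE, STATUS_SUCCESS, 7, tree_id=7, session_id=0x11)),
]

if __name__ == "__main__":
    for row in walk(PROBE):
        print("%-26s %-13s %s  -> %s" % row)
```

Run as written, the walk prints the attacker's working notes for the host: `jsmith` is a valid logon, `svc_backup` exists and is locked out, `C$` exists but is off limits to this account, `Backup` is not a share here, and `Public\drop.exe` could be created for writing, which is exactly the staging location the next step of the intrusion needs. The same parser pointed at real responses (for example frames pulled from a capture) gives the same classification.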
Real Ransomware Scenarios (2025–2026 Patterns)
1. LockBit / RansomHub affiliate. Initial foothold on one workstation via phishing. SMB null session to a domain controller → enumerates usernames (different error codes for valid accounts) → authenticates as a legitimate low-privileged user → connects to C$ on targeted machines → drops the ransomware binary → executes it via scheduled tasks. If EDR blocks direct execution → forces a BSOD on the targeted machine to cover its tracks during the reboot.
2. BlackCat/ALPHV successor. Gains a foothold inside the VPN → scans for port 445 → finds ADMIN$ reachable on multiple servers → mounts the share with a stolen local administrator hash → copies the payload to the target machines. Where a share refused access, the error codes had already confirmed the share names, so the attacker brute-forced weak credentials against those hosts.
3. Hospital / education network. An administrator's laptop, already infected, enumerated other machines over SMB and found the SYSVOL share writable. The ransomware was pushed to every domain-joined machine through Group Policy update scripts planted there. Where the installation was interrupted, the attacker forced a BSOD on the machine and the encryption of all documents completed on reboot.
To reduce this risk, take the following steps:
1. Disable SMBv1 throughout your environment, by GPO or with PowerShell (Set-SmbServerConfiguration -EnableSMB1Protocol $false on each server); it is still enabled in a surprising number of environments, and the SMB server's SMB1 access audit will show which clients still depend on it before you remove it.
2. Require SMB signing on both clients and servers; only enforced signing defeats NTLM relay, so "enabled if the peer supports it" is not enough.
3. Implement strict firewall rules: block workstation-to-workstation SMB, block outbound port 445 at the perimeter, and allow inbound 445 only to the servers that actually serve files.
4. Close down null sessions: set the GPO "Network access: Restrict anonymous access to Named Pipes and Shares" and do not allow anonymous enumeration of SAM accounts and shares.
5. Watch the SMB error rate. On the server, every failed session setup is logged as Security event 4625 with logon type 3, and the SubStatus field records whether the account did not exist (0xC0000064) or the password was wrong (0xC000006A) even when the wire response was the generic STATUS_LOGON_FAILURE. A burst of 4625s from one source against many different usernames is enumeration or password spraying; a burst of STATUS_ACCESS_DENIED across many shares is share mapping.
6. Have a strong local administrator policy: use LAPS so every host has a unique local administrator password, restrict who holds local administrator rights, and do not ship a shared default local administrator account.
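Step 5 is the defender's mirror image of the attacker's enumeration: the server records the distinction it refused to leak on the wire, so the pattern of SubStatus values per source address is enough to tell username enumeration from password spraying from an ordinary mistyped password. The following is an added example written for this article, not a Red Secure Tech detection rule. The records are constructed to look like Security event 4625 exported flat by a SIEM; the field names follow the event's EventData (TargetUserName, IpAddress, LogonType, Status, SubStatus), while the addresses, account names, thresholds and five-minute window are this example's assumptions.

```python
"""Flag SMB username enumeration and password spraying from failed-logon events.

Added example, not the article author's tooling. Records are constructed to
mimic Security event 4625 as a SIEM would export it; thresholds are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EVENT_FAILED_LOGON = 4625
LOGON_TYPE_NETWORK = 3              # SMB session setups are network logons
SUB_NO_SUCH_USER = "0xC0000064"     # SubStatus: account does not exist
SUB_WRONG_PASSWORD = "0xC000006A"   # SubStatus: account exists, password wrong


def failed_logon(ts, ip, user, sub):
    """Constructed 4625 record. The wire reply was the generic STATUS_LOGON_FAILURE
    (Status 0xC000006D); SubStatus keeps the real reason on the server side."""
    return {"EventID": EVENT_FAILED_LOGON, "TimeCreated": ts, "LogonType": LOGON_TYPE_NETWORK,
            "Status": "0xC000006D", "SubStatus": sub, "IpAddress": ip, "TargetUserName": user}


def _max_distinct_users(events, window):
    """Largest number of distinct target accounts seen within any span of `window`."""
    events = sorted(events, key=lambda e: e["TimeCreated"])
    best, left = 0, 0
    for right in range(len(events)):
        while events[right]["TimeCreated"] - events[left]["TimeCreated"] > window:
            left += 1
        best = max(best, len({e["TargetUserName"] for e in events[left:right + 1]}))
    return best


def detect(events, window=timedelta(minutes=5), enum_threshold=5, spray_threshold=10):
    """Return [(source_ip, kind, distinct_accounts)] sorted by source address.

    username-enumeration: many nonexistent accounts tried from one source.
    password-spray: many existing accounts each failed with a wrong password.
    A single user mistyping their own password repeatedly trips neither.
    """
    by_source = defaultdict(lambda: {SUB_NO_SUCH_USER: [], SUB_WRONG_PASSWORD: []})
    for e in events:
        if e["EventID"] != EVENT_FAILED_LOGON or e["LogonType"] != LOGON_TYPE_NETWORK:
            continue
        bucket = by_source[e["IpAddress"]].get(e["SubStatus"])
        if bucket is not None:
            bucket.append(e)
    alerts = []
    for ip, buckets in by_source.items():
        n = _max_distinct_users(buckets[SUB_NO_SUCH_USER], window)
        if n >= enum_threshold:
            alerts.append((ip, "username-enumeration", n))
        n = _max_distinct_users(buckets[SUB_WRONG_PASSWORD], window)
        if n >= spray_threshold:
            alerts.append((ip, "password-spray", n))
    return sorted(alerts)


# Constructed sample: one enumerator, one sprayer, one user mistyping a password.
T0 = datetime(2025, 11, 3, 9, 0, 0)
SAMPLE = (
    [failed_logon(T0 + timedelta(seconds=2 * i), "10.0.0.5", f"guess{i}", SUB_NO_SUCH_USER) for i in range(8)]
    + [failed_logon(T0 + timedelta(seconds=30 + i), "10.0.0.7", f"user{i:02d}", SUB_WRONG_PASSWORD) for i in range(12)]
    + [failed_logon(T0 + timedelta(seconds=40 + 5 * i), "10.0.0.9", "bob", SUB_WRONG_PASSWORD) for i in range(3)]
)

if __name__ == "__main__":
    for ip, kind, n in detect(SAMPLE):
        print(f"{ip:<12} {kind:<22} distinct accounts={n}")
```

The two thresholds are deliberately different: a handful of nonexistent usernames from one address is already abnormal (real users rarely get their own name wrong five times), whereas wrong passwords against many distinct valid accounts need a higher bar to avoid alerting on a busy file server after a password change. Counting distinct accounts rather than raw events is what separates the spray from a single locked-out user retrying.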
Attackers use SMB errors as a breadcrumb trail through your network. By removing the more dangerous features and watching for excessive SMB failures, you close off many of those pathways at once.
© 2016 - 2026 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067