Written by: Joseph Salazar, Technical Marketing Manager & Juan Carlos Vázquez, Sales Manager

The Active Directory (AD) infrastructure remains critical in so-called “human-operated” ransomware campaigns and post-compromise extortion, which represent a significant threat to businesses and a detection challenge given the short time defenders have to avoid impact.
The defender usually becomes aware of ransomware within the organization when the adversaries encrypt assets to interrupt their availability. In other words, the defense finds out when it is too late to do anything about the attack.
Assuming that the attackers will eventually infiltrate the network, their advantage lies in remaining hidden from traditional security controls to conduct their attacks using tactics that evade detection. The defenders can reduce the impact of a ransomware attack as long as they can detect the threat actors early enough in the attack cycle. This early detection post-infiltration is where the Attivo Networks ThreatDefend platform provides value.
The renowned website “The DFIR Report” recently published an excellent case study analyzing a recent infection by the Ryuk ransomware group. Their analysis found that the Ryuk group went from a single email to domain-wide ransomware infection in just over a day and asked for over $6 million to unlock the systems. The group started with an initial infection by the Bazar malware loader, then conducted reconnaissance over the next 26 hours. Once they managed to execute the ransomware payload on the Domain Controller, they infected the rest of the network. In total, the campaign lasted 29 hours, from the initial execution of the Bazar loader to domain-wide ransomware. “If a defender missed the first day of recon, they would have had a little over 3 hours to respond before being ransomed.”
However, days later, The DFIR Report released a second case study where the adversary reduced the dwell time and went from the initial phishing attack to full domain encryption in just 5 hours.
With the Ryuk ransomware group, the attackers used tools like Cobalt Strike, ADFind, PowerShell, WMI, and even utilities from the operating system itself, such as “nltest” and “net group,” to discover the AD environment. In the second case study, they exploited the Zerologon vulnerability, which Microsoft patched in August. This vulnerability allows an attacker to reset the primary domain controller’s password, compromising all identity services in AD.
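The discovery commands named above (nltest, net group, ADFind, BloodHound's collector) are also run occasionally by legitimate administrators, so a useful detection looks for a burst of distinct discovery techniques from one host and user rather than for any single command. The following is an added example, not code from the case studies or from Attivo's products; the rule labels, thresholds and the sample process-creation events are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Regexes for the AD discovery commands named in the case studies above.
# Rule labels are constructed for this example, not a product's rule names.
DISCOVERY_RULES = {
    "nltest_dc_enum": re.compile(r"\bnltest(\.exe)?\b.*?/(dclist|domain_trusts|dsgetdc)", re.I),
    "net_group_domain": re.compile(r"\bnet1?(\.exe)?\s+group\b.*?/domain", re.I),
    "adfind": re.compile(r"\badfind(\.exe)?\b", re.I),
    "bloodhound_collector": re.compile(r"\b(sharphound|bloodhound)\b", re.I),
}

def classify(cmdline):
    """Return the discovery technique a command line matches, or None."""
    for name, pattern in DISCOVERY_RULES.items():
        if pattern.search(cmdline):
            return name
    return None

def find_recon_bursts(events, window_minutes=30, min_techniques=2):
    """Alert when one (host, user) runs at least `min_techniques` distinct discovery
    techniques inside the window; a lone 'net group' by an admin stays below the bar."""
    per_actor = defaultdict(list)
    for ev in events:
        technique = classify(ev["cmdline"])
        if technique:
            per_actor[(ev["host"], ev["user"])].append((ev["time"], technique))
    window = timedelta(minutes=window_minutes)
    alerts = []
    for (host, user), hits in per_actor.items():
        hits.sort()  # chronological, so each hit can anchor a sliding window
        for i, (start, _) in enumerate(hits):
            seen = {t for ts, t in hits[i:] if ts - start <= window}
            if len(seen) >= min_techniques:
                alerts.append({"host": host, "user": user, "first_seen": start, "techniques": sorted(seen)})
                break
    return alerts

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed sample events in the shape of Windows 4688 / Sysmon Event ID 1 records.
SAMPLE_EVENTS = [
    {"time": _ts("2020-10-20 09:02:11"), "host": "WS-114", "user": "CORP\\jdoe", "cmdline": "nltest /dclist:corp.local"},
    {"time": _ts("2020-10-20 09:03:40"), "host": "WS-114", "user": "CORP\\jdoe", "cmdline": 'net group "Domain Admins" /domain'},
    {"time": _ts("2020-10-20 09:05:02"), "host": "WS-114", "user": "CORP\\jdoe", "cmdline": "adfind.exe -f (objectcategory=computer)"},
    {"time": _ts("2020-10-20 14:30:00"), "host": "ADM-01", "user": "CORP\\helpdesk", "cmdline": 'net group "Sales" /domain'},
    {"time": _ts("2020-10-20 15:00:00"), "host": "WS-220", "user": "CORP\\asmith", "cmdline": "notepad.exe report.txt"},
]
```

Running `find_recon_bursts(SAMPLE_EVENTS)` flags only the three-command burst from WS-114, while the single helpdesk query stays unflagged; in practice the same logic would be fed from a SIEM query over 4688 or Sysmon process-creation events.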
In the same context, the firm PwC published a fascinating report called “Responding to the growing threat of human-operated ransomware attacks,” highlighting the need to reduce adversary dwell times. They observed that the previously mentioned tools, including BloodHound, were sufficient to gain privileged access on internal corporate networks because of widespread IT and AD hygiene issues and detection capabilities that do not cover the techniques used in these attacks.
Many criminals have started exposing their victims’ data to increase the level of coercion. Affected organizations that have refused to pay ransom demands to recover the data feel pressure when facing economic and reputational harm. Attackers will even use the data for a second round of extortion, threatening to release the information unless the victim pays to prevent its release.
In several recent blogs, Attivo Networks discussed ransomware attack sophistication. Many of the techniques used imply that attackers perform internal reconnaissance and move laterally through the target networks to profile their victims, targeting the organization’s most critical assets so they can negotiate from a stronger position. The use of “Living off the Land” techniques/tools coupled with leveraging AD to deploy the ransomware via GPO is prevalent in some recent attacks.
Several questions come to light:
- How can one identify malicious actors on the AD infrastructure and differentiate them from organizational assets? How can one separate legitimate queries to AD from malicious ones?
- How can one prevent the use of tools like BloodHound or Mimikatz? Should EPP/EDR solutions contain or alert when someone uses these?
- How can one identify that exposed credentials on other endpoints allow attackers to exploit them, move laterally, and reach critical assets?
- How can one restrict connectivity and trust relationships within AD across different areas of the company to prevent the spread of ransomware attacks?
- How can one gain visibility that attackers are exploiting privileged accounts, such as AD domain admins, service accounts, or shadow admins possessing privileges, at the endpoints?
- How does one protect data from tampering by unauthorized programs or ransomware?
- How does one isolate the attack source when investigation confirms the presence of domain controller enumeration or “credential dumping” events?
The Attivo Networks ThreatDefend® platform works with existing security controls to address the ransomware problem. Current EPP/EDR solutions detect many of the ransomware variants in use today. However, should attackers evade these and other traditional security controls, the ThreatDefend platform provides detection capabilities for discovery, lateral movement, privilege escalation, and data gathering activities that one sees in human-controlled ransomware attacks. The Attivo solution offers this coverage across different organization layers at the network, endpoint, data, applications, and AD, providing early and accurate detection while preventing the attack from accessing sensitive or critical data, credentials, and other objects.
The ADSecure solution prevents attackers from breaking out of a compromised system by restricting their ability to conduct reconnaissance or move laterally to production assets. It denies attacking users the ability to discover or list domain controllers, domain memberships, group privileges, and other AD objects while providing early and accurate alerts on the activity. It returns data that leads the attackers to decoys for engagement, identifying their tactics, techniques, and procedures and providing telemetry with the details of the tools they used to extract the data from AD. Simply put, the platform immediately misdirects and misinforms the attackers as soon as they look around or attempt to move, diverting them to the decoy environment and reducing the impact on production infrastructure.
The platform also provides detailed event data, displays visual attack replays, and collects forensic evidence for analysis and threat intelligence development to raise the security posture and defend against subsequent attacks.
The Attivo platform, through its DataCloak capability, hides and denies access to local files, folders, removable devices, and mapped network or cloud shares, preventing attackers from enumerating, accessing, encrypting, or even exfiltrating them from the organization. Simultaneously, the platform maps fake file shares that lead to decoy servers for the ransomware to discover and encrypt. As the malware attempts to encrypt the data it finds, the platform rate-limits the connection and feeds the ransomware with endless streams of data to encrypt. This delay stalls the attack, giving the security teams time to isolate infected systems and stop further damage quickly.
Protecting against modern ransomware attacks takes preparation and overlapping security controls that provide a layered defense that sophisticated attackers must penetrate undetected. Deploying the Attivo Networks ThreatDefend platform as a layer in that defensive strategy enhances existing security controls while providing unique denial, detection, and derailment functions to elevate the security posture and harden the organization against ransomware attacks. To learn more, please visit www.attivonetworks.com.