
Protection Against Targeted Active Directory Ransomware

Published: July 17, 2020 in Attivo News

Targeted ransomware, also known as human-operated ransomware, poses a significant threat to enterprises. In targeted ransomware attacks, adversaries use MITRE ATT&CK techniques such as T1069 (Permission Group Discovery), T1087 (Account Discovery), and others to learn the permissions associated with accounts, identify misconfigurations, and steal credentials before deploying ransomware across the network.

Targeted ransomware differs from auto-propagating ransomware in the following ways:

1. Auto-propagating ransomware:

  • Steals credentials, keys, and other authentication tokens from memory, disk, etc., and deploys ransomware on infected systems
  • Spreads across network-mapped drives to drop and execute ransomware using tools such as WMI, PsExec, PowerShell, Net tools, and others
  • Propagates by using exploits (e.g., EternalBlue, MS17-010) and deploying ransomware on target systems

2. Targeted ransomware:

  • Adversaries discover information about the network and domain and identify weaknesses in the environment
  • They use tools like PowerShell, BloodHound, etc., to perform domain reconnaissance and identify paths to high-privilege targets
  • They compromise software deployment systems or CI/CD systems and deploy ransomware across the organization
  • They deploy ransomware across exposed C$ shares using tools like PsExec, WMI, PowerShell scripts, etc.
  • They deploy ransomware using Microsoft Group Policy Objects (GPOs) from the compromised domain controller
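The account and permission-group discovery that precedes targeted ransomware (T1087, T1069) leaves a trace in Windows Security logs: event 4798 (a user's local group membership was enumerated) and 4799 (a security-enabled local group membership was enumerated). The following detector is an added example, not code from Attivo or the original article; it runs over constructed sample events and flags any host/user pair that produces a burst of enumeration events within a short window, which is the pattern a reconnaissance tool produces and a human administrator rarely does. The threshold and window are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Security event IDs that record group-membership enumeration
# (T1087 Account Discovery / T1069 Permission Group Discovery).
ENUM_EVENT_IDS = {4798, 4799}

# Constructed sample telemetry (not real logs): a burst from WS01 by a
# service account, plus occasional enumeration by an admin on WS02.
SAMPLE_EVENTS = [
    {"time": "2020-07-17T09:00:00", "id": 4624, "host": "WS02", "user": "jdoe"},
    {"time": "2020-07-17T09:01:10", "id": 4799, "host": "WS01", "user": "svc_build"},
    {"time": "2020-07-17T09:01:12", "id": 4799, "host": "WS01", "user": "svc_build"},
    {"time": "2020-07-17T09:01:15", "id": 4798, "host": "WS01", "user": "svc_build"},
    {"time": "2020-07-17T09:01:20", "id": 4799, "host": "WS01", "user": "svc_build"},
    {"time": "2020-07-17T09:01:31", "id": 4799, "host": "WS01", "user": "svc_build"},
    {"time": "2020-07-17T09:02:04", "id": 4798, "host": "WS01", "user": "svc_build"},
    {"time": "2020-07-17T09:30:00", "id": 4799, "host": "WS02", "user": "jdoe"},
    {"time": "2020-07-17T11:45:00", "id": 4798, "host": "WS02", "user": "jdoe"},
]


def detect_enum_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return {(host, user): max_events_in_window} for principals whose
    enumeration events reach `threshold` inside any sliding `window`."""
    times_by_principal = defaultdict(list)
    for e in events:
        if e["id"] in ENUM_EVENT_IDS:
            key = (e["host"], e["user"])
            times_by_principal[key].append(datetime.fromisoformat(e["time"]))

    alerts = {}
    for key, times in times_by_principal.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # Slide the window start forward until it fits inside `window`.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[key] = peak
    return alerts


if __name__ == "__main__":
    for (host, user), count in detect_enum_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT: {count} group-enumeration events from {user} on {host}")
```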

Ransomware is evolving from encryption-only attacks to data exfiltration and data leakage attacks. Organizations have typically deployed backups and self-service restore features to recover from data-encrypting ransomware.

Read the complete article by Venu Vissamsetty on Medium.
