How to defend against human-operated ransomware attacks
Over the last nine months there has been a sharp increase in the number of human-operated ransomware attacks. Many organisations have been impacted, from local governments to global corporations. At the height of this global pandemic not even the healthcare sector has been spared, with recent attacks on a major US hospital system and a health tech company.
With eye-watering sums being paid in ransoms to criminals, some as high as seven figures, the number of these attacks is only going to rise. Preventing them should be a top cyber security priority for organisations, and we as the cyber security industry need to help them.
Last week, along with two of my colleagues I published a whitepaper on how organisations should respond to this growing threat — based on our experience working with victims and tracking the groups behind these attacks. We also spoke at the SANS Cyber Defence Summit on this same topic.
In this blog I am going to talk about what human-operated ransomware attacks are, how they are carried out, why they are an increasingly dangerous threat, and what organisations should do about it.
What are human-operated ransomware attacks?
Skilled cyber criminals gain access to organisations' networks, then extort victims into paying ransoms by encrypting systems and threatening to leak sensitive data. Attacks typically take place over weeks or months, as attackers prepare to maximise the damage they can cause by compromising privileged accounts and gaining access to key systems. Well-known groups that carry out these types of attacks include Ryuk, REvil, DoppelPaymer and Maze.
These "human-operated" attacks are a much greater challenge to defend against than the earlier, well-known automated ransomware attacks such as NotPetya and WannaCry, because they are carried out by skilled adversaries. These adversaries have shown they can overcome defences and target valuable systems, while continuously fine-tuning their tactics to maximise disruption and their chances of getting paid.
How are these attacks carried out?
In most cases, ransomware attackers gain access to organisations’ networks by using “distribution networks”. These regularly send millions of untargeted phishing emails to organisations around the world (often disguised as overdue invoices, resumes, airline tickets), in an attempt to opportunistically compromise lucrative targets with malware, such as the banking trojans Emotet, Dridex and TrickBot. These emails use tried and tested ways to persuade employees to run malicious files, normally by asking users to enable macros in Microsoft Office documents.
Once they have compromised systems, the operators of these distribution networks perform reconnaissance to assess the value of the access, before selling it to the highest bidder. Sometimes the distribution network is run by the ransomware attackers themselves, as with WIZARD SPIDER, who operated TrickBot as a profitable banking trojan before using it to deploy Ryuk ransomware and demand multi-million dollar ransoms. Others have exclusive deals with ransomware groups and provide access only to them.
Distribution networks are an extremely effective way for criminal groups to gain access to organisations. TrickBot has infected over a million computers around the world since late 2016, and some criminal groups have even struggled to find enough hackers to use the access they have gained. Anti-virus coverage of the malware used in these attacks is often sparse in the hours after phishing emails are sent, and organisations often fail to comprehensively identify and clean up all infections.
Ransomware attackers also gain access to organisations by exploiting internet-facing vulnerabilities and through remote access systems without multi-factor authentication. Again, like with distribution networks, this is nearly always untargeted and opportunistic. Many “exploitable” vulnerabilities have been discovered in common internet-facing enterprise applications over the past two years, providing an easy way in for attackers. These have included vulnerabilities in Pulse Secure, Citrix NetScaler, MobileIron, and F5 BIG-IP.
Escalating privileges and compromising further systems
Attackers then perform reconnaissance and compromise privileged accounts and systems, relying on tools and techniques more commonly associated with cyber criminal groups such as FIN6, nation-state actors and red teams.
They also make extensive use of security testing tools like Bloodhound, Mimikatz, Cobalt Strike and PowerShell Empire (causing contentious debate in the cyber security community), as well as legitimate administration tools, such as PSEXEC and WMI. These tools are often undetected in enterprise networks because organisations have failed to invest in or effectively configure modern security tools, such as Endpoint Detection and Response. Cisco Talos recently highlighted that 66% of the ransomware attacks they responded to used Cobalt Strike.
These attacks typically exploit weaknesses caused by legacy IT, hygiene issues and poorly secured Active Directory domains. “Flat networks” and the poor protection of privileged accounts, often allow attackers to gain domain administrator privileges within hours or days.
Exfiltrating data and deploying ransomware
With those privileged accounts, attackers identify and exfiltrate sensitive data, before deploying ransomware to as many systems as they can — including across multiple domains by exploiting trust relationships.
Attackers often take steps to maximise the impact they have on organisations, for example by disabling security tools and by using existing software distribution systems, such as GPO and SCCM, to deploy ransomware. In a sign of how sophisticated they are becoming, attackers are also taking innovative steps to avoid detection, including turning off security logging and running ransomware tools inside virtual machines.
Why these attacks represent an increasingly dangerous threat
The increasing scale, sophistication and frequency of these attacks make them an increasingly dangerous threat. Not to mention the devastating impact on people: the livelihoods of employees and the mental health of responders, which is often understated and untold. When the organisations targeted cannot afford to protect themselves from these sophisticated and well-resourced criminal groups, the toll is especially unfair.
Attracted by the vast sums of money, new criminals and even established groups are turning to these attacks. Alarming amounts of money are being paid to these criminals and they are now incredibly well-funded. The FBI has said, over $61 million in ransom money has been paid out to Ryuk in the past two years. These criminals are also getting increasingly aggressive and organised.
Ransomware-as-a-service and affiliate programmes are making these attacks more profitable and more scalable for criminal groups. These have lowered the bar to entry to new criminals and allowed groups to specialise in spreading through organisations’ networks and extorting victims.
Attackers are also increasingly aggressive in the types of organisations they target — indiscriminately targeting hospitals and charities. How they carry out attacks has also changed, enhancing malware to encrypt files quicker, and going after backups to cause maximum impact.
Their tactics have also evolved to maximise the pressure they exert and increase their chances of receiving a payout. Over the last nine months there has been a massive increase in the number of ransomware attacks that involve stealing sensitive data and threatening to leak it. Attackers have also been shortening the deadlines for organisations to pay, and even using DDoS attacks to ramp up the pressure further. This creates serious regulatory and reputational implications, which makes responding much more complex.
As long as organisations continue to pay multi-million dollar ransoms, these attacks will become an increasingly dangerous threat. This will only change when we see coordinated and sustained action by governments and the cyber security industry. Recently the US government took action to make it harder for organisations to pay ransoms to sanctioned criminal groups, and Microsoft worked with partners around the world to disrupt the TrickBot botnet. The G7 also pledged a coordinated response, working with the financial sector to combat ransomware. We still have a long way to go.
How to defend against these attacks?
Organisations should take a three-step approach to defend against these attacks:
First, they must understand their vulnerability, through security testing that simulates the tools and techniques used in these attacks (see here or here for a list) and by assessing whether they have the important cyber security capabilities, listed below, in place.
Tactical improvements can reduce organisations' vulnerability to these attacks, because they have a significant impact on removing the hygiene issues attackers exploit, improving detection and response capabilities, and increasing the effectiveness of existing security tools.
Our recent whitepaper highlighted six areas organisations should focus on to defend against these attacks, along with pragmatic tactical recommendations for each:
- Prevent workstations from being compromised by phishing attacks
- Remediate internet-facing vulnerabilities and reduce the attack surface
- Protect privileged accounts from being compromised
- Remediate common hygiene issues used by attackers to escalate privileges
- Restrict the ability of an attacker to compromise further systems
- Rapidly detect and contain incidents before they escalate
Improving detection and response capabilities is critical: there are almost always missed opportunities to detect and respond to these attacks before ransomware is deployed. The vast majority of attacks can be stopped before it's too late by detecting the security testing tools commonly used, such as Cobalt Strike and PowerShell Empire. Validating that these tools are actually detected in your environment is essential to making improvements. Detecting and thoroughly cleaning up all banking trojan infections is also a key defence that is often overlooked.
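As an added example (not from the original post or the whitepaper), here is a small hunt in PowerShell for two of the tools named above, Cobalt Strike and PsExec, run over Sysmon and System log events. The indicators are the tools' documented defaults as of writing (Cobalt Strike's default named pipes and spawn-to process, PsExec's PSEXESVC service), which an operator can change with a malleable C2 profile or a renamed binary, so a miss is only a weak negative. The events at the bottom are constructed for the example, not real logs; in production you would feed it the output of Get-WinEvent instead.

```powershell
# Default named pipes created by Cobalt Strike beacons and post-exploitation jobs
# (Sysmon event 17 = pipe created, 18 = pipe connected). Assumption: unchanged defaults.
$csPipePatterns = @(
    '^\\MSSE-\d+-server$',    # default Artifact Kit pipe
    '^\\msagent_[0-9a-f]+$',  # SMB beacon default
    '^\\postex_[0-9a-f]{4}$'  # post-exploitation job pipes
)

function Find-RansomwarePrecursors {
    # $Events: objects with Log, Id, Host and the event-specific fields used below.
    param([Parameter(Mandatory)] [object[]] $Events)

    foreach ($e in $Events) {
        switch ($e.Id) {
            { ($_ -in @(17, 18)) -and $e.Log -eq 'Sysmon' } {
                foreach ($pattern in $csPipePatterns) {
                    if ($e.PipeName -match $pattern) {
                        [pscustomobject]@{
                            Host      = $e.Host
                            Indicator = 'Cobalt Strike default named pipe'
                            Detail    = "$($e.Image) -> $($e.PipeName)"
                        }
                    }
                }
            }
            { $_ -eq 7045 -and $e.Log -eq 'System' } {
                # Service installed. PsExec drops and starts PSEXESVC on the target.
                if ($e.ServiceName -like 'PSEXESVC*' -or $e.ImagePath -match 'psexesvc\.exe') {
                    [pscustomobject]@{
                        Host      = $e.Host
                        Indicator = 'PsExec service install'
                        Detail    = "$($e.ServiceName) ($($e.ImagePath))"
                    }
                }
            }
            { $_ -eq 1 -and $e.Log -eq 'Sysmon' } {
                # Process creation. Cobalt Strike's default spawn-to is rundll32.exe
                # started with no arguments, which legitimate software almost never does.
                if ($e.Image -match '\\rundll32\.exe$' -and
                    $e.CommandLine -match '^"?[^"]*rundll32\.exe"?\s*$') {
                    [pscustomobject]@{
                        Host      = $e.Host
                        Indicator = 'Argument-less rundll32 (CS spawn-to default)'
                        Detail    = "$($e.User): $($e.CommandLine)"
                    }
                }
            }
        }
    }
}

# Constructed sample events (not real log data). The sqlbrowser pipe is a benign
# decoy to show that ordinary pipe activity is not flagged.
$sampleEvents = @(
    [pscustomobject]@{ Log = 'Sysmon'; Id = 17; Host = 'WS042'
        Image = 'C:\Windows\System32\rundll32.exe'; PipeName = '\msagent_4f' }
    [pscustomobject]@{ Log = 'Sysmon'; Id = 17; Host = 'WS042'
        Image = 'C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe'; PipeName = '\SQLLocal\MSSQLSERVER' }
    [pscustomobject]@{ Log = 'System'; Id = 7045; Host = 'SRV-FILE01'
        ServiceName = 'PSEXESVC'; ImagePath = '%SystemRoot%\PSEXESVC.exe' }
    [pscustomobject]@{ Log = 'Sysmon'; Id = 1; Host = 'WS042'
        Image = 'C:\Windows\System32\rundll32.exe'; CommandLine = 'rundll32.exe'; User = 'CORP\svc-backup' }
)

Find-RansomwarePrecursors -Events $sampleEvents | Format-Table -AutoSize
```

Against real hosts, build the event list from `Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational'` and `Get-WinEvent -LogName System`, mapping the EventData fields onto the property names the function expects. Running it in a lab after a Cobalt Strike or PsExec test is a quick way to do the validation the paragraph above calls for: if the pipe creations never reach the log, the gap is in Sysmon configuration or log forwarding, not in the detection rule.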
Examples of tactical improvements organisations should carry out include:
- Deploying an advanced email filtering tool to help protect against the opportunistic phishing emails used in these attacks, for example, Office 365 Advanced Threat Protection. Configure email filtering tools to block attachment file-types commonly used to deliver malicious files (e.g. .HTA, .JS, .HTML, .PS1).
- Restricting what can be executed on workstations to reduce the risk of opportunistic phishing, by restricting the use of PowerShell with constrained language mode, configuring scripting file-types to open with Notepad by default (e.g. VBS, JS and HTA), blocking the execution of mshta.exe, and deploying Windows Defender Attack Surface Reduction rules.
- Restricting the execution of Microsoft Office macros on workstations to reduce the risk of opportunistic phishing by considering the advice here and targeting vulnerable user groups who are not required to use macros for their daily work. Key mitigations include blocking macros from running in documents from the Internet and restricting macros to documents stored in trusted locations.
- Deploying an advanced endpoint agent to all workstations and servers to detect and prevent attacker activity, such as Windows Defender ATP or Cortex XDR. Ensure the endpoint agent supports the Windows Antimalware Scan Interface (AMSI) and that blocking mode is enabled.
- Onboarding a “Managed Detection and Response” service to detect, hunt for and rapidly contain cyber attacks.
- Restricting the use of domain administrator accounts to prevent credentials for these accounts being exposed on systems at risk of compromise. Restrict accounts in the domain admins group from logging into workstations and servers and prevent them from being used for day-to-day administration or as service accounts. Start to secure privileged access and begin implementing a three-tiered administration model.
- Monitoring for the abuse of privileged accounts to detect and contain attackers gaining the privileges they need to deploy wide-spread ransomware. Deploy Microsoft Defender for Identity / Azure ATP to identify, detect, and investigate advanced compromised identities.
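The workstation items in the list above (script file-types to Notepad, Attack Surface Reduction rules, macro restrictions and a trusted location) can be applied and then audited with PowerShell. The script below is an added example and not code from the post or the whitepaper. It applies the settings locally, which suits a lab or a single host; in a domain the same registry values are delivered by GPO or Intune, and the verification function at the end is the useful part there, since it reports what actually landed on the machine. Assumptions: Office version 16.0 (2016/2019/365), the ASR rule GUIDs as documented by Microsoft as of writing, and a hypothetical trusted-location path of C:\MacroLibrary. Blocking mshta.exe and enforcing constrained language mode are AppLocker/WDAC policy, so they are only reported here, not set.

```powershell
#Requires -RunAsAdministrator

# 1. Script file-types open in Notepad instead of the Windows Script Host / mshta,
#    so a double-clicked phishing attachment shows text rather than executing.
#    The post names VBS, JS and HTA; JSE, VBE and WSF are the other WSH extensions.
$scriptExtensions = '.js', '.jse', '.vbs', '.vbe', '.wsf', '.hta'
foreach ($ext in $scriptExtensions) {
    $key = "HKLM:\SOFTWARE\Classes\$ext"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name '(default)' -Value 'txtfile'
}

# 2. Defender Attack Surface Reduction rules aimed at the phishing chain and at
#    credential theft. Keys are the documented rule GUIDs (assumption: unchanged).
#    Roll out with -AttackSurfaceReductionRules_Actions AuditMode first, review the
#    events, then switch to Enabled.
$asrRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
}
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
}

# 3. Office macro policy for users who do not need macros. These are per-user
#    policy keys, so they live under HKCU; a GPO writes the same values.
$officeVersion = '16.0'   # assumption: Office 2016/2019/365
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $sec = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
    if (-not (Test-Path $sec)) { New-Item -Path $sec -Force | Out-Null }
    # Block macros in files carrying the Mark-of-the-Web (downloaded or emailed).
    Set-ItemProperty -Path $sec -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
    # VBAWarnings 4 = disable all macros without notification. Use 3 (signed only)
    # for groups with a business need.
    Set-ItemProperty -Path $sec -Name 'VBAWarnings' -Value 4 -Type DWord
    # A trusted location for the few who need unsigned macros: a folder that only
    # administrators can write to. Hypothetical path for this example.
    $loc = "$sec\Trusted Locations\Location1"
    if (-not (Test-Path $loc)) { New-Item -Path $loc -Force | Out-Null }
    Set-ItemProperty -Path $loc -Name 'Path' -Value 'C:\MacroLibrary\'
    Set-ItemProperty -Path $loc -Name 'AllowSubfolders' -Value 1 -Type DWord
    Set-ItemProperty -Path $loc -Name 'Description' -Value 'Admin-controlled macro library'
}

# 4. Verification: report what is in force, whether set by this script or by GPO.
function Get-WorkstationHardeningState {
    $mp = Get-MpPreference
    $wordSec = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\Word\Security"
    [pscustomobject]@{
        AsrRulesConfigured     = @($mp.AttackSurfaceReductionRules_Ids).Count
        AsrRulesInBlockMode    = @($mp.AttackSurfaceReductionRules_Actions | Where-Object { $_ -eq 1 }).Count
        JsOpensWith            = (Get-ItemProperty 'HKLM:\SOFTWARE\Classes\.js').'(default)'
        HtaOpensWith           = (Get-ItemProperty 'HKLM:\SOFTWARE\Classes\.hta').'(default)'
        WordVBAWarnings        = (Get-ItemProperty $wordSec -ErrorAction SilentlyContinue).VBAWarnings
        WordBlocksInternetVBA  = (Get-ItemProperty $wordSec -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
        # ConstrainedLanguage here means an AppLocker/WDAC policy is enforcing it;
        # FullLanguage means the control described in the post is not yet in place.
        PowerShellLanguageMode = $ExecutionContext.SessionState.LanguageMode
        MshtaPresent           = Test-Path "$env:SystemRoot\System32\mshta.exe"
    }
}

Get-WorkstationHardeningState
```

Run the verification function on a handful of workstations after the GPO refresh rather than trusting the policy report: a file-type association that a user has re-pointed, an ASR rule left in audit mode, or Word still showing VBAWarnings of 1 or 2 are exactly the gaps the phishing paths in this post depend on.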
Microsoft's threat intelligence team has also provided a great list of actionable improvements to defend against these attacks. FireEye also has a list of actionable technical recommendations focused on enterprise Windows networks.