How to thwart human-operated ransomware campaigns?

Most ransomware campaigns hitting healthcare organizations and critical services right now are just the final act of a months-long compromise.

“Using an attack pattern typical of human-operated ransomware campaigns, attackers have compromised target networks for several months beginning earlier this year and have been waiting to monetize their attacks by deploying ransomware when they would see the most financial gain,” says the Microsoft Threat Protection Intelligence Team.

Organizations that have yet to witness the final act (data exfiltration, file encryption) may still have time to prevent it altogether and boot the attackers out before more damage is done.

Of course, those who have checked for organization-wide compromise and found nothing are the luckiest ones, but should nevertheless put up protections and mitigations as soon as possible.

Skilled attackers and a common attack pattern

“Human-operated ransomware attacks represent a different level of threat because adversaries are adept at systems administration and security misconfigurations and can therefore adapt to any path of least resistance they find in a compromised network,” the team explained.

“If they run into a wall, they try to break through. And if they can’t break through a wall, they’ve shown that they can skillfully find other ways to move forward with their attack. As a result, human-operated ransomware attacks are complex and wide-reaching. No two attacks are exactly the same.”

They might not be exactly the same, but they are variations on a common attack pattern: the attackers achieve initial access via vulnerable and unmonitored internet-facing systems, steal credentials, move laterally, establish persistence on the compromised systems and networks and, finally, deploy the ransomware payload.

For the initial step, attackers usually:

  • Brute-force RDP endpoints or Virtual Desktop endpoints without multi-factor authentication (MFA)
  • Exploit misconfigurations of web servers (e.g., IIS), backup servers, systems management servers, electronic health record (EHR) software, etc.
  • Exploit vulnerabilities in older, no longer supported platforms (e.g., Windows Server 2003 and 2008)
  • Exploit vulnerabilities in widespread solutions like the Citrix Application Delivery Controller (ADC) systems (e.g., CVE-2019-1978) and Pulse Secure VPN systems (CVE-2019-11510).

Microsoft thinks it likely that CVE-2019-0604 (affecting Microsoft SharePoint servers), CVE-2020-0688 (affecting Microsoft Exchange Server), and CVE-2020-10189 (affecting Zoho ManageEngine Desktop Central) will also soon be exploited by these attackers.

Of course, attackers are not averse to simultaneously trying to deliver the ransomware via phishing emails or via downloader Trojans that may already be present on enterprise systems.

While fixing those weak spots is imperative, it may already be too late, so enterprise administrators and cybersecurity teams must also search for indications that their systems and networks have been breached and, if they find any, start remediation immediately.

Detection and remediation

The Microsoft Threat Protection Intelligence Team has shared possible indicators of compromise for human-operated ransomware campaigns, such as presence of malicious PowerShell scripts, penetration testing tools, suspicious access to Local Security Authority Subsystem Service (LSASS) or suspicious registry modifications, security event logs that have been tampered with, and more.
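The two indicators that are easiest to hunt for from the list above, and from the initial-access list earlier in the article (RDP brute-forcing against endpoints without MFA), are bursts of failed remote-interactive logons followed by a success, suspicious process access to LSASS, and a cleared Security audit log. The following Python is an added example, not code from the article or from Microsoft; it runs three simple hunting rules over a handful of constructed, normalised event records. The field names (`time`, `log`, `id`, `src`, `logon_type`, `source_image`, `target_image`), the five-failures-in-ten-minutes threshold and the LSASS source-process allowlist are all assumptions of this example, chosen to mirror the Windows Security event IDs 4625/4624/1102 and Sysmon event ID 10 that a SIEM would normally carry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). "Security" records mimic the
# Windows Security log; "Sysmon" records mimic Sysmon event 10 (ProcessAccess).
SAMPLE_EVENTS = [
    # Five failed RDP logons (4625, LogonType 10) from one external source within
    # 20 seconds, then a successful RDP logon (4624, LogonType 10) from the same source.
    {"time": "2020-04-01T02:00:00", "log": "Security", "id": 4625, "src": "203.0.113.5", "user": "admin", "logon_type": 10},
    {"time": "2020-04-01T02:00:03", "log": "Security", "id": 4625, "src": "203.0.113.5", "user": "administrator", "logon_type": 10},
    {"time": "2020-04-01T02:00:07", "log": "Security", "id": 4625, "src": "203.0.113.5", "user": "backup", "logon_type": 10},
    {"time": "2020-04-01T02:00:11", "log": "Security", "id": 4625, "src": "203.0.113.5", "user": "svc_ehr", "logon_type": 10},
    {"time": "2020-04-01T02:00:15", "log": "Security", "id": 4625, "src": "203.0.113.5", "user": "itadmin", "logon_type": 10},
    {"time": "2020-04-01T02:00:19", "log": "Security", "id": 4624, "src": "203.0.113.5", "user": "itadmin", "logon_type": 10},
    # One mistyped password from the office range is normal noise and must not fire.
    {"time": "2020-04-01T09:15:00", "log": "Security", "id": 4625, "src": "10.0.0.44", "user": "jsmith", "logon_type": 10},
    {"time": "2020-04-01T09:15:20", "log": "Security", "id": 4624, "src": "10.0.0.44", "user": "jsmith", "logon_type": 10},
    # Sysmon ProcessAccess: an unknown binary and a legitimate system process both touch LSASS.
    {"time": "2020-04-01T02:05:00", "log": "Sysmon", "id": 10, "source_image": r"C:\Users\Public\tool.exe", "target_image": r"C:\Windows\System32\lsass.exe"},
    {"time": "2020-04-01T02:06:00", "log": "Sysmon", "id": 10, "source_image": r"C:\Windows\System32\csrss.exe", "target_image": r"C:\Windows\System32\lsass.exe"},
    # 1102: the Security audit log was cleared.
    {"time": "2020-04-01T02:30:00", "log": "Security", "id": 1102, "user": "itadmin"},
]

# Tunables for this example (assumed values, not Microsoft's guidance).
BRUTE_FORCE_THRESHOLD = 5
BRUTE_FORCE_WINDOW = timedelta(minutes=10)
RDP_LOGON_TYPE = 10  # LogonType 10 = RemoteInteractive (RDP)
# Processes that legitimately open LSASS; an allowlist like this must be tuned per environment.
LSASS_ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_rdp_brute_force(events):
    """Flag any source with >= BRUTE_FORCE_THRESHOLD failed RDP logons inside
    BRUTE_FORCE_WINDOW, and record whether a successful RDP logon from that
    source followed the burst (the pattern of a brute force that worked)."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        if e["log"] != "Security" or e.get("logon_type") != RDP_LOGON_TYPE:
            continue
        if e["id"] == 4625:
            failures[e["src"]].append(_ts(e))
        elif e["id"] == 4624:
            successes[e["src"]].append(_ts(e))
    findings = []
    for src, times in failures.items():
        times.sort()
        # Sliding window over the sorted failure times: any run of THRESHOLD
        # failures that fits inside WINDOW counts as a brute-force burst.
        for i in range(len(times) - BRUTE_FORCE_THRESHOLD + 1):
            first, last = times[i], times[i + BRUTE_FORCE_THRESHOLD - 1]
            if last - first <= BRUTE_FORCE_WINDOW:
                followed_by_success = any(t >= last for t in successes.get(src, []))
                findings.append(("rdp_brute_force", src, followed_by_success))
                break  # one finding per source is enough for a hunt
    return findings


def detect_lsass_access(events):
    """Flag Sysmon ProcessAccess events whose target is lsass.exe and whose
    source image is not on the allowlist (credential-theft indicator)."""
    findings = []
    for e in events:
        if e["log"] != "Sysmon" or e["id"] != 10:
            continue
        if not e.get("target_image", "").lower().endswith(r"\lsass.exe"):
            continue
        if e["source_image"].lower() not in LSASS_ALLOWED_SOURCES:
            findings.append(("lsass_access", e["source_image"]))
    return findings


def detect_log_clearing(events):
    """Event 1102 is written when the Security log is cleared; attackers clear
    it to cover their tracks, so every occurrence deserves a look."""
    return [("audit_log_cleared", e.get("user")) for e in events
            if e["log"] == "Security" and e["id"] == 1102]


def hunt(events):
    """Run all three rules and return the combined list of findings."""
    return detect_rdp_brute_force(events) + detect_lsass_access(events) + detect_log_clearing(events)


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The point of the `followed_by_success` flag is triage: a burst of failures with no success is a reason to put MFA or a firewall in front of the endpoint, while a burst followed by a successful logon from the same source is an incident, and the account involved should be treated as compromised. In a real environment the threshold and allowlist need tuning against baseline data, and the event schema should come from the SIEM rather than the hand-built dictionaries used here.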

They’ve also provided advice on how to go about eradicating the attackers’ presence completely and mitigating the fallout.

“As ransomware operators continue to compromise new targets, defenders should proactively assess risk using all available tools. You should continue to enforce proven preventive solutions—credential hygiene, minimal privileges, and host firewalls—to stymie these attacks, which have been consistently observed taking advantage of security hygiene issues and over-privileged credentials,” they noted.

Keith McCammon, co-founder and CSO of threat detection and response specialist Red Canary, says that the fact that ransomware actors continue to successfully leverage some textbook breach tactics underscores the need not just for better preventative controls, but for robust detection coverage, careful investigation, and proactive hunting for threats that other controls have missed.

“Microsoft’s dedication to preventing and stopping these everyday ransomware attacks is refreshing in a world where many security vendors focus their attention primarily on splashy detection of nation-state actors,” he added.
