A recent stretch of damaging and targeted ransomware attacks serves as a reminder that securing Active Directory is imperative to containing threat actors already on a network.
Recent ransomware campaigns have become textbook studies on the current threat-actor playbook:
- Automate exploits against vulnerable internet-facing infrastructure
- Automate credential extraction using one of many purpose-built open-source tools (e.g. Mimikatz)
- Use the stolen credentials to move laterally, elevating privileges wherever possible
- Persist on the network by creating new accounts within the authentication infrastructure, scheduling tasks, and/or registering services
- Exfiltrate select data to increase leverage on target organizations
- Deploy ransomware to all or part of targeted networks
Microsoft recently published its second deep-dive examining this cycle of activity against a backdrop of attacks carried out by what it calls “human-operated ransomware”: malicious actors running targeted, stealthy campaigns against high-value organizations.
A spate of victims in healthcare (see e.g. the CISA and NCSC warnings), education, the public sector, and other verticals has cropped up since the start of April, Microsoft said. The attacks share a pattern: attackers rely on credential theft and lateral movement before dropping ransomware on the network and demanding payment in return for decryption of files. Many of these intrusions began weeks or months before the payload fired, with the operators lurking undetected on victim networks and activating ransomware only during the height of the COVID-19 pandemic, further taxing businesses in an already-stressed environment. Some of the attacks also involved the compromise and exfiltration of data, Microsoft said.
The report is extensive and definitely worth a read. Of particular interest is its examination of the different payloads being used in human-operated ransomware campaigns and the importance of security hygiene and reducing the available attack surface.
Between the lines, the message is clear: hardening Active Directory is an imperative when dealing with today’s threats. It isn’t a discretionary project.
Cat-and-Mouse Game with Attackers Lives On
Credential theft and lateral movement are nothing new for ransomware operators. Even opportunistic, fully automated attacks such as NotPetya bundled a Mimikatz-derived credential stealer to lift administrator credentials from the memory of compromised hosts and move laterally. NotPetya's initial foothold was a trojanized update of the M.E.Doc accounting software rather than an exploit; it then spread with the MS17-010 SMBv1 exploits (EternalBlue and EternalRomance), but because it also stole admin credentials and reused them through PsExec and WMIC, it infected machines that were fully patched against MS17-010.
Microsoft’s recent report underscores how credential theft furthers disruptive ransomware attacks, letting attackers lurk for weeks before surfacing in full force in early April. With stolen credentials, attacker activity blends into everyday authentication traffic and fails to trigger alerts from security monitoring tools. Those tools are not built to challenge a correctly authenticated user or service, and behavioral baselining struggles too: forged or replayed authentication events look legitimate, so they are folded into the model of “normal” activity and poison the baseline.
Responding to Human-Operated Ransomware
Organizations and industries in the crosshairs of human-operated ransomware gangs need to redouble their efforts on basic security hygiene. Critical vulnerabilities must be patched, networks segmented, and processes isolated where possible. Security teams should also take a hard look at event logs and other monitored activity for telltale signs of lateral movement. Within Active Directory, that means watching the authentication protocols themselves: NTLM, a legacy protocol with well-known weaknesses that should be retired, and Kerberos, which underpins most of the authentication companies rely on today and whose design attackers are abusing with known techniques to inflict damaging consequences on victims.
Part Ways with NTLM
As QOMPLX pointed out in a recent post, NTLM is well past its prime. However, deprecating this protocol isn’t as simple as flicking a switch. Windows systems still fall back to NTLM for local accounts and for any access Kerberos cannot serve (connecting to a server by IP address rather than by name, for example). Active Directory Domain Controllers (the servers that answer authentication requests and enforce policy) store each account’s NT hash, the unsalted password digest that NTLM authentication is built on and that doubles as the account’s RC4 Kerberos key, so the hash remains valuable to an attacker even where NTLM itself is blocked. NTLM is also embedded in many legacy applications. All of these factors conspire to make a rip-and-replace of NTLM a tall order.
Still, the security benefits of eliminating this vulnerable legacy protocol are substantial. Since Windows 2000, Kerberos has been the default authentication protocol in Active Directory domains and is a more secure alternative to NTLM. It is not foolproof, but it can help curb human-operated ransomware attacks.
Today, the operators behind numerous ransomware strains, Maze, RobbinHood, and REvil (also known as Sodinokibi) among them, specifically target Active Directory. They bring tools such as Mimikatz, which extracts NTLM hashes and Kerberos tickets from LSASS memory, or Rubeus, which requests and manipulates Kerberos tickets, and use them for well-known attacks such as Pass-the-Hash, Pass-the-Ticket, or Kerberoasting to reach resources on the network with valid credentials.
As we have noted, devastating Kerberos ticket forgeries such as Golden Ticket attacks can hand a threat actor control of an entire domain: with the key of the KRBTGT account, obtained for example through DCSync or a copy of the domain database, the attacker can forge valid ticket granting tickets for any user. That means unfettered access to networked resources, the ability to mint fresh tickets at will, and the ability to reside on the network indefinitely disguised as a credentialed administrator-level user.
Make Kerberos Stateful
Today, the stateless nature of the Kerberos protocol is being exploited in many Active Directory attacks. The KDC keeps no record of the tickets it has issued: a ticket is accepted wherever it is presented as long as it decrypts under the right key and is inside its validity window. That leaves Kerberos vulnerable to Pass-the-Ticket attacks, as well as to the potentially devastating Golden Ticket and Silver Ticket attacks, in which a ticket granting ticket forged with the KRBTGT key grants domain-wide rights, or a service ticket forged with a service account’s key grants rights on that service without ever contacting a domain controller. The stateless design also means a stolen or forged ticket is indistinguishable from a legitimate one to the service that receives it, and in the recent run of ransomware attacks described by Microsoft, that let attackers lay low for months as valid, credentialed users.
QOMPLX’s technology transforms Kerberos monitoring from stateless to stateful, allowing it to deterministically detect attacks such as Golden and Silver Ticket attacks. It can also provide reliable heuristic detection of other credential compromises, such as Pass-the-Ticket and Kerberoasting, in which credentials are stolen and reused against Active Directory. QOMPLX’s Q:Cyber products instrument domain controllers and endpoints with agents that enable passive, stateful validation of Kerberos traffic, detecting ticket forgery in near-real-time not by matching a signature but by maintaining a ledger of every Kerberos transaction on your network and validating every request for access to services against it.
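To make the ledger idea concrete, here is an added illustration in Python (not QOMPLX’s code and not part of the original post) of a minimal stateful Kerberos ledger driven by Windows Security events: 4768 (TGT issued), 4769 (service ticket requested) and 4624 (Kerberos network logon recorded on a member server). It remembers which TGTs and service tickets a domain controller actually issued and flags the patterns discussed above whenever a later event has no matching issuance: a service ticket request by an account that never obtained a TGT (Golden Ticket indicator), a TGT presented from a host other than the one it was issued to (Pass-the-Ticket heuristic), an RC4 service ticket request in a domain that defaults to AES (Kerberoasting heuristic), and a Kerberos logon for which no DC recorded a service ticket (Silver Ticket indicator). The field names are those of the real events; the event dictionaries, account names and IP addresses are constructed.

```python
"""Stateful Kerberos ledger over Windows Security events (added illustration).

Rather than judging each ticket in isolation, remember which TGTs (event 4768)
and service tickets (event 4769) the KDC actually issued, then flag later ticket
*use* that has no matching issuance. Field names mirror the real Security
events; the sample data below is constructed.
"""
from collections import defaultdict

RC4_HMAC = "0x17"  # etype seen on downgraded/forged tickets and Kerberoast requests


def _account(name):
    """Normalise 'Alice@CORP.EXAMPLE', 'CORP\\Alice' or 'alice' to 'alice'."""
    return name.split("@")[0].split("\\")[-1].lower()


class KerberosLedger:
    def __init__(self):
        self.tgts = defaultdict(set)             # account -> {source IPs with a 4768}
        self.service_tickets = defaultdict(set)  # (account, service) -> {source IPs with a 4769}
        self.alerts = []

    def _alert(self, kind, ev, detail):
        self.alerts.append({"kind": kind, "account": _account(ev["TargetUserName"]),
                            "detail": detail})

    def observe(self, ev):
        if ev.get("Status", "0x0") != "0x0":      # failed requests issue no ticket
            return
        eid = ev["EventID"]
        if eid == 4768:                           # TGT issued by the KDC
            self.tgts[_account(ev["TargetUserName"])].add(ev["IpAddress"])
        elif eid == 4769:                         # service ticket requested with a TGT
            acct = _account(ev["TargetUserName"])
            svc, src = ev["ServiceName"].lower(), ev["IpAddress"]
            if acct not in self.tgts:
                # A TGT no DC issued: Golden Ticket / forged TGT indicator
                self._alert("tgs_without_tgt", ev, f"TGS for {svc} from {src}, no 4768 on ledger")
            elif src not in self.tgts[acct]:
                # Genuine TGT presented from a host it was never issued to: Pass-the-Ticket
                self._alert("tgt_source_mismatch", ev,
                            f"TGT issued to {sorted(self.tgts[acct])}, used from {src}")
            if ev.get("TicketEncryptionType") == RC4_HMAC:
                # RC4 service ticket where AES is the norm: Kerberoasting / downgrade
                self._alert("rc4_service_ticket", ev, f"RC4 ticket requested for {svc}")
            self.service_tickets[(acct, svc)].add(src)
        elif (eid == 4624 and ev.get("AuthenticationPackageName") == "Kerberos"
              and ev.get("LogonType") == 3):
            # Network logon on a member server: the ticket targets that host's computer account
            acct = _account(ev["TargetUserName"])
            host_svc = ev["Computer"].split(".")[0].lower() + "$"
            if (acct, host_svc) not in self.service_tickets:
                # Host accepted a ticket no DC issued: Silver Ticket indicator
                self._alert("logon_without_service_ticket", ev,
                            f"Kerberos logon to {host_svc} with no 4769 on ledger")


def run_ledger(events):
    """Feed events in time order and return the alerts raised."""
    ledger = KerberosLedger()
    for ev in events:
        ledger.observe(ev)
    return ledger.alerts


# Constructed sample: one legitimate session followed by four attack patterns.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "alice", "IpAddress": "10.0.0.5",
     "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.EXAMPLE", "ServiceName": "FILESRV01$",
     "IpAddress": "10.0.0.5", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4624, "Computer": "filesrv01.corp.example", "TargetUserName": "alice",
     "AuthenticationPackageName": "Kerberos", "LogonType": 3},
    # Alice's TGT replayed from a different host (Pass-the-Ticket)
    {"EventID": 4769, "TargetUserName": "alice@CORP.EXAMPLE", "ServiceName": "SQLSRV01$",
     "IpAddress": "10.0.0.99", "TicketEncryptionType": "0x12", "Status": "0x0"},
    # Service ticket requested for an account that never obtained a TGT (Golden Ticket)
    {"EventID": 4769, "TargetUserName": "mallory@CORP.EXAMPLE", "ServiceName": "FILESRV01$",
     "IpAddress": "10.0.0.99", "TicketEncryptionType": "0x12", "Status": "0x0"},
    # RC4 service ticket for an SPN backed by a user account (Kerberoasting)
    {"EventID": 4769, "TargetUserName": "alice@CORP.EXAMPLE", "ServiceName": "svc_sql",
     "IpAddress": "10.0.0.5", "TicketEncryptionType": "0x17", "Status": "0x0"},
    # Kerberos logon on a host for which no DC issued a ticket (Silver Ticket)
    {"EventID": 4624, "Computer": "sqlsrv02.corp.example", "TargetUserName": "alice",
     "AuthenticationPackageName": "Kerberos", "LogonType": 3},
]

if __name__ == "__main__":
    for a in run_ledger(SAMPLE_EVENTS):
        print(f"{a['kind']:28} {a['account']:8} {a['detail']}")
```

The first three events produce no alerts because every use is backed by an issuance; the remaining four each raise exactly one. A production ledger has to merge 4768/4769 events from every domain controller (a ticket issued by one DC is routinely used against another), honour ticket lifetimes and renewals so that a stale entry does not vouch for a replayed ticket, and treat the warm-up period after startup and any log gap as “unknown” rather than “forged”, or the Silver Ticket rule in particular will fire on legitimate logons.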
Conclusion
Ransomware attacks are here to stay. Criminals and nation-state actors have shown their affinity for ransomware, which provides a direct path to profit and, in some cases, cover for other malicious activity such as data theft or the placement of remote access tools.
While organizations cannot stop criminals from attempting ransomware attacks, they can raise the cost of compromising their environment. Increased monitoring of Active Directory, including “stateful Kerberos” monitoring of the kind QOMPLX offers, can speed detection of compromised identities and lateral movement. By exposing compromises early, organizations can greatly reduce the damage caused by malicious actors and limit the direct and indirect costs of security incidents.
Additional Reading
QOMPLX: Worried about Human-Operated Ransomware? Stop Using NTLM, Start Validating Kerberos
QOMPLX Knowledge: Golden Ticket Attacks Explained
QOMPLX Knowledge: Silver Ticket Attacks Explained
QOMPLX Knowledge: Responding to Golden Ticket Attacks
QOMPLX Knowledge: DCSync Attacks Explained