Ryuk’s Rampage Has Lessons for the Enterprise
The Ryuk ransomware epidemic is no accident. The cybercriminals responsible for its spread have systematically exploited weaknesses in enterprise defenses that must be addressed.
The Ryuk ransomware gang is hiring … and that’s bad news. In a conversation with Natalia Godyla of Microsoft in January, Jake Williams, the founder of Rendition Infosec, noted that his team spotted job advertisements in Dark Web forums from accounts associated with Ryuk’s operators.
“They’re looking for experienced ransomware operators, and they have a whole set of criteria, including that they want to see a history that you’re getting an average $400,000 payout,” Williams said. “They haven’t asked for help in the past. They have more work than they can handle.”
Good times for the Ryuk gang mean bad times for everyone else. The Ryuk ransomware, which appeared in 2018, has become one of the most potent threats to organizations, especially in healthcare, where research suggests it is responsible for three-quarters of ransomware attacks on healthcare organizations. It is also among the most costly ransomware families, with average ransom demands over $100,000, according to Check Point.
Ryuk’s operators use highly tailored phishing emails to gain footholds within their targets. They then “live off the land,” relying on tools already present on Windows hosts, such as net view and ping, to surveil and map networks, and on standard administrative tooling such as PowerShell and Windows Management Instrumentation (WMI) to move laterally within victim environments. Purpose-built attack tools such as Cobalt Strike, PowerShell Empire, and Mimikatz harvest credentials and password hashes, with high-value Windows domain controllers the prized targets. Ryuk operators also elevate their privileges with techniques such as Kerberoasting, in which service tickets are requested for accounts that have service principal names and then cracked offline to recover those service accounts’ passwords.
Ryuk was among the first high-touch “human-operated” ransomware campaigns that have become prevalent in recent years, affecting both public and private sector organizations with crippling attacks. The ability of malicious actors to compromise critical control infrastructure (CCI) such as Active Directory turns what might otherwise be minor disruptions into major disasters.
Ryuk is hardly the only ransomware family to use this approach. Human-directed ransomware campaigns are becoming the norm because they work so well. But, unlike other ransomware groups, the Ryuk operators don’t have a public “dox” website where they publish stolen data. Ryuk infections that cause large disruptions may get noticed and become part of the public record. But many other Ryuk infections go unreported, which makes it difficult to gauge the malware’s true impact or damages.
These measures are necessary but not sufficient. Organizations can also make it harder for attackers to achieve their most important intermediate goal: elevating access. For an attacker, becoming a domain administrator is far more important than generic “lateral movement.” Gaining elevated access by forging or stealing credentials allows operators to spread ransomware throughout the organization. Elevated access is what gives attackers their ultimate leverage and ensures maximum payouts.
By spotting attacks on authentication and related CCI earlier, organizations stand a much better chance of recovering gracefully and can minimize damage to corporate reputations or bottom lines. Here are a few recommendations for improving the integrity of authentication.
These factors make it hard to retire NTLM. But we must. The gangs distributing Ryuk and ransomware like Maze, RobbinHood, and REvil use tools such as Mimikatz to extract NTLM hashes and Kerberos tickets from memory, and Rubeus to request, forge, and replay Kerberos tickets. They then use well-known techniques such as Pass-the-Hash, Pass-the-Ticket, or Kerberoasting to reach network resources with stolen credentials. Retiring NTLM blunts Pass-the-Hash (disabling RC4 for Kerberos removes the other use of a stolen NT hash, requesting a TGT with it); Pass-the-Ticket and Kerberoasting are Kerberos attacks and need their own controls. One of the best ways to foil ransomware gangs is therefore to retire NTLM: hunt down and terminate every old Windows machine that still depends on it, with extreme prejudice, audit what else is still speaking NTLM, and then turn it off for good.
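The retirement sequence just described (inventory the old machines, audit who still uses NTLM, then deny it), as an added example that is not code from the article or from QOMPLX. It assumes an elevated PowerShell session, the ActiveDirectory module (RSAT) for the inventory step, and a lab machine for the registry writes: on domain-joined hosts the same values belong in Group Policy (Security Settings > Local Policies > Security Options, the "Network security: Restrict NTLM ..." and "LAN Manager authentication level" settings), which will overwrite a local registry edit at the next refresh.

```powershell
# Added example, not code from the article or from QOMPLX. Three steps toward retiring NTLM.
# Assumptions: elevated session; ActiveDirectory module for step 1; registry written directly
# only in a lab (Group Policy owns these values on domain-joined machines).

$Lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv    = "$Lsa\MSV1_0"
$Netlog = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# 1. Hunt down the machines that keep NTLM alive. The OS patterns are an assumption about what
#    counts as "old" in a given estate; adjust them. Stale objects are marked separately, since a
#    host that has not logged on for months is clutter to delete rather than a live NTLM source.
function Get-LegacyWindowsHosts {
    param([int]$StaleDays = 90)
    $legacy = 'Windows XP*', 'Windows 7*', 'Windows Server 2003*', 'Windows Server 2008*'
    Get-ADComputer -Filter 'Enabled -eq $true' -Properties OperatingSystem, LastLogonDate |
        Where-Object { $os = $_.OperatingSystem; ($legacy | Where-Object { $os -like $_ }) } |
        Select-Object Name, OperatingSystem, LastLogonDate,
            @{ n = 'Stale'; e = { $_.LastLogonDate -lt (Get-Date).AddDays(-$StaleDays) } }
}

# 2. Audit before you block. These values enable the Microsoft-Windows-NTLM/Operational log:
#    8001 = this host sent NTLM, 8002 = this host accepted NTLM, 8003 = this DC validated NTLM,
#    8004 = NTLM blocked by policy.
function Enable-NtlmAudit {
    param([switch]$DomainController)
    Set-ItemProperty -Path $Msv -Name AuditReceivingNTLMTraffic  -Value 2 -Type DWord   # 2 = all accounts
    Set-ItemProperty -Path $Msv -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord   # 1 = audit only
    if ($DomainController) {
        Set-ItemProperty -Path $Netlog -Name AuditNTLMInDomain -Value 7 -Type DWord     # 7 = audit all
    }
}

function Get-NtlmUsageSummary {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-NTLM/Operational'
            Id        = 8001, 8002, 8003, 8004
            StartTime = (Get-Date).AddHours(-$Hours)
        } -ErrorAction SilentlyContinue |
        Group-Object Id |
        Select-Object Count,
            @{ n = 'EventId'; e = { $_.Name } },
            @{ n = 'Example'; e = { ($_.Group | Select-Object -First 1).Message.Split("`n")[0] } }
}

# 3. Once the audit log stays quiet, switch from audit to deny. LmCompatibilityLevel 5 refuses LM
#    and NTLMv1 even where NTLM must linger; the Restrict* values deny NTLM outright. Put any
#    unavoidable exception in ClientAllowedNTLMServers (under MSV1_0) or DCAllowedNTLMServers
#    (under Netlogon\Parameters) rather than setting the policy back to 0.
function Disable-Ntlm {
    param([switch]$DomainController)
    Set-ItemProperty -Path $Lsa -Name LmCompatibilityLevel         -Value 5 -Type DWord  # NTLMv2 only
    Set-ItemProperty -Path $Msv -Name RestrictReceivingNTLMTraffic -Value 2 -Type DWord  # deny all accounts
    Set-ItemProperty -Path $Msv -Name RestrictSendingNTLMTraffic   -Value 2 -Type DWord  # deny all
    if ($DomainController) {
        Set-ItemProperty -Path $Netlog -Name RestrictNTLMInDomain -Value 7 -Type DWord   # deny all
    }
}

# Order of operations: Enable-NtlmAudit (add -DomainController on DCs), let it run for a few
# weeks, review Get-NtlmUsageSummary -Hours 168 together with Get-LegacyWindowsHosts, fix or
# retire every source they name, then Disable-Ntlm.
```

Going straight to step 3 is how you discover which printer, NAS, or line-of-business application still speaks only NTLM; the audit events name the client and account for each NTLM exchange, so the list of stragglers writes itself over a week or two of normal operation.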
Attackers also use Golden Ticket (a TGT forged with the krbtgt account’s key), Silver Ticket (a service ticket forged with a service account’s key), and similar techniques to reuse stolen credentials, or to issue their own tickets, to reach domain controllers and elevate access. These kinds of attacks are a key reason the Ryuk gang can persist in compromised environments for days or weeks, expanding their reach and implanting crippling ransomware everywhere, even on cloud-hosted Windows servers.
To stop such activity, organizations need to detect attacks on authentication systems, whether their domain controllers run on-premises or in the cloud. By keeping a validated, stateful ledger of each Kerberos transaction, organizations can quickly detect credential forgeries and attempts to elevate access, and stop lateral movement. A forged TGT, for example, shows up in such a ledger as service-ticket requests from a client to which no domain controller ever issued a TGT; a Silver Ticket shows up as use of a service for which no service ticket was ever requested from the KDC.
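A minimal version of that stateful ledger, as an added example that is not code from the article or from QOMPLX; it also covers the Kerberoasting pattern mentioned earlier, since both checks read the same service-ticket events. It is built from two Security-log events every domain controller already writes, 4768 (TGT issued) and 4769 (service ticket requested), and uses their real EventData field names (TargetUserName, ServiceName, IpAddress, TicketEncryptionType, Status). The event records at the bottom are constructed test data, not captured from a real domain; the ten-hour TGT lifetime is the Active Directory default and is an assumption about your domain policy.

```powershell
# Added example, not code from the article or from QOMPLX. A stateful ledger of Kerberos
# transactions built from Security events 4768 (TGT issued) and 4769 (service ticket requested).

# Pull real records from a domain controller into the shape used below. 4768/4769 report the
# client address as an IPv4-mapped IPv6 string ("::ffff:10.0.1.20"); the prefix is stripped.
function Get-KerberosEvents {
    param([int]$Hours = 1)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4769
                                     StartTime = (Get-Date).AddHours(-$Hours) } |
    ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Id = $_.Id; Time = $_.TimeCreated
            TargetUserName = $d['TargetUserName']; ServiceName = $d['ServiceName']
            IpAddress = ($d['IpAddress'] -replace '^::ffff:', '')
            TicketEncryptionType = $d['TicketEncryptionType']; Status = $d['Status']
        }
    }
}

function Find-KerberosAnomalies {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $TgtLifetimeHours = 10     # assumption: AD default "Maximum lifetime for user ticket"
    )
    $findings = @()

    # The ledger: for each (account, client IP), when the KDC last issued a TGT (4768, Status 0x0).
    $tgtIssued = @{}
    foreach ($e in ($Events | Where-Object { $_.Id -eq 4768 -and $_.Status -eq '0x0' } | Sort-Object Time)) {
        $key = '{0}|{1}' -f $e.TargetUserName.ToLower(), $e.IpAddress
        $tgtIssued[$key] = $e.Time
    }

    foreach ($e in ($Events | Where-Object { $_.Id -eq 4769 -and $_.Status -eq '0x0' } | Sort-Object Time)) {
        $user = ($e.TargetUserName -split '@')[0].ToLower()   # 4769 reports user@REALM, 4768 just user
        $key  = '{0}|{1}' -f $user, $e.IpAddress

        # 1. A service ticket was requested with a TGT the KDC never issued to that client, or one
        #    older than a TGT can live. That is the ledger footprint of a Golden Ticket, or of a
        #    TGT stolen on one host and replayed from another (pass-the-ticket).
        $issued = $tgtIssued[$key]
        if ($null -eq $issued -or $e.Time -lt $issued -or ($e.Time - $issued).TotalHours -gt $TgtLifetimeHours) {
            $findings += [pscustomobject]@{
                Time = $e.Time; Client = $e.IpAddress; Account = $user; Service = $e.ServiceName
                Finding = 'TGS-REQ with no matching TGT issuance (forged or replayed TGT)'
            }
        }

        # 2. RC4 (0x17) service ticket for a user-type service account (not krbtgt, not a computer
        #    account ending in '$'). RC4 tickets are keyed straight from the account's NT hash and
        #    crack offline far faster than AES, so this is exactly what Kerberoasting requests.
        if ($e.TicketEncryptionType -eq '0x17' -and $e.ServiceName -ne 'krbtgt' -and -not $e.ServiceName.EndsWith('$')) {
            $findings += [pscustomobject]@{
                Time = $e.Time; Client = $e.IpAddress; Account = $user; Service = $e.ServiceName
                Finding = 'RC4 service ticket for a user service account (Kerberoasting pattern)'
            }
        }
    }
    $findings
}

# Constructed sample (not real log data): a normal logon from 10.0.1.20, a Kerberoast-style RC4
# request from the same client, and a service ticket from 10.0.9.99 for which no TGT was ever issued.
$t0 = [datetime]'2021-04-06T08:00:00'
$sample = @(
    [pscustomobject]@{ Id = 4768; Time = $t0;                TargetUserName = 'alice';                    ServiceName = 'krbtgt';  IpAddress = '10.0.1.20'; TicketEncryptionType = '0x12'; Status = '0x0' }
    [pscustomobject]@{ Id = 4769; Time = $t0.AddMinutes(1);  TargetUserName = 'alice@CORP.LOCAL';         ServiceName = 'FS01$';   IpAddress = '10.0.1.20'; TicketEncryptionType = '0x12'; Status = '0x0' }
    [pscustomobject]@{ Id = 4769; Time = $t0.AddMinutes(2);  TargetUserName = 'alice@CORP.LOCAL';         ServiceName = 'svc_sql'; IpAddress = '10.0.1.20'; TicketEncryptionType = '0x17'; Status = '0x0' }
    [pscustomobject]@{ Id = 4769; Time = $t0.AddMinutes(30); TargetUserName = 'Administrator@CORP.LOCAL'; ServiceName = 'DC01$';   IpAddress = '10.0.9.99'; TicketEncryptionType = '0x12'; Status = '0x0' }
)
Find-KerberosAnomalies -Events $sample | Format-Table -AutoSize
# Against live data: Find-KerberosAnomalies -Events (Get-KerberosEvents -Hours 1)
```

Two findings come back from the sample: the RC4 ticket for svc_sql and the Administrator service-ticket request from a client the ledger never saw obtain a TGT. The caveat that makes or breaks this in production is coverage: a client gets its TGT from whichever domain controller answered it and may present that TGT to a different one, so the 4768 events from every DC have to be merged into one ledger before the check runs, or ordinary cross-DC traffic will look forged. Silver Tickets never touch the KDC at all, so catching them needs the service side of the ledger as well (logon events on the target host correlated against tickets the KDC actually issued).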
Organizations that hope to counter technically sophisticated, well-funded adversaries need to “level up” their defenses. Shoring up critical controls infrastructure like Active Directory is the place to start. As Edison once put it, “Opportunity is missed by most people because it is dressed in overalls and looks like work.”
As the Chief Information Security Officer of QOMPLX, Mr. Jaquith is responsible for protecting company information assets, safeguarding customer data, managing enterprise risks, and ensuring compliance. As General Manager of the Cyber Business Unit, Mr. Jaquith directs the …
via Dark Reading https://ift.tt/2qbHoDd
April 6, 2021 at 10:07AM