Microsoft’s threat protection intelligence team has warned of a “significant and growing” cybersecurity threat that can deliver a devastating payload. The FBI has warned about how high-impact a threat ransomware is, and now Microsoft is adding to the voices of vigilance. While ransomware threats such as the newly discovered strain of NetWalker that can inject malicious code right into the Windows 10 explorer executable process are bad enough, they are but the tip of a very worrying cyber-iceberg. The Microsoft threat protection intelligence team has described in comprehensive detail how one type of ransomware attack poses a significant and growing threat, particularly to business users, calling it one of the “most impactful trends in cyberattacks” that we face today. The good news is that despite being able to deploy what Microsoft refers to as devastating payloads, the attacks and the fallout that follows are preventable.
All ransomware is not the same
The critical message to digest from the Microsoft deep dive into this threat is that not all ransomware is the same. The automated, bot-driven worm-like ransomware that spits out across the interwebs like a cyber-blunderbuss is damaging enough, for sure. However, the Microsoft threat protection intelligence team is warning about the type of hands-on, human-operated, highly targeted threat that is more commonly associated with the credential-stealing and data exfiltration antics of nation-state actors. Indeed, there is a similarity beyond the targeting; some of these ransomware attack methodologies have evolved to exfiltrate as well as encrypt data. DoppelPaymer, which recently hit the headlines when I reported how Lockheed Martin, SpaceX and Tesla had all been caught in the crossfire of one cyber-attack on a business in their supply chains, is an excellent example of the breed. More of that in a moment, though. First, let’s look at the attack tactics and techniques Microsoft is alerting users to.
Human-operated ransomware attack tactics
Just like nation-state advanced persistent threat (APT) attackers, human-operated ransomware will target particular victims. The cybercriminals behind these attacks will already know plenty about you, through reconnaissance that involves probing networks for common security misconfiguration errors or using open-source intelligence (OSINT) methodologies to glean publicly available data that can be useful in the social engineering side of such attacks. “These attacks are known to take advantage of network configuration weaknesses and vulnerable services to deploy devastating ransomware payloads,” Microsoft said in the report, but it doesn’t stop there. If a human attacker can see other opportunities before them, then further malicious payloads will be dropped, credentials stolen and data exfiltrated.
The Microsoft researchers found that these ransomware campaigns do not bother too much with a stealthy approach; if they can get into your networks, then they operate without worrying about covering their tracks. Perhaps even more surprising to many will be that the attacks themselves start in an unsophisticated manner, employing commodity malware and using vectors that routinely trigger detection alerts in business systems. They don’t care because the warnings are low level: security teams judge them to be of little importance, so they are not investigated in a timely fashion, if at all. This opens the attack window for long enough to enable the attacker to jump right through it. Even if a common payload gets intercepted by the security solution in place, the attackers will simply try others until one sneaks through the defenses. Having got admin status on a system, they will even disable antivirus protection to enable relatively unfettered payload action.
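The triage gap described above narrows when low-level alerts are correlated per host rather than judged one at a time. The Python below is an added example, not code from Microsoft's report; the alert records, field names, four-hour window and two-payload threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (time, host, severity, kind, detail); every one is
# "low" severity, which is why each would be ignored if judged on its own.
ALERTS = [
    ("2020-03-02T09:10", "ws-014", "low", "malware_blocked", "CommodityTrojanA"),
    ("2020-03-02T09:42", "ws-014", "low", "malware_blocked", "CommodityTrojanB"),
    ("2020-03-02T10:05", "ws-014", "low", "malware_blocked", "CommodityTrojanC"),
    ("2020-03-02T10:31", "ws-014", "low", "av_disabled", "real-time protection off"),
    ("2020-03-02T11:00", "ws-022", "low", "malware_blocked", "CommodityTrojanA"),
    ("2020-03-03T16:20", "srv-003", "low", "av_disabled", "real-time protection off"),
    ("2020-03-01T08:00", "ws-031", "low", "malware_blocked", "CommodityTrojanA"),
    ("2020-03-04T08:00", "ws-031", "low", "malware_blocked", "CommodityTrojanB"),
]

WINDOW = timedelta(hours=4)  # assumed correlation window
MIN_FAMILIES = 2             # assumed: distinct blocked payloads that suggest retries


def escalate(alerts, window=WINDOW, min_families=MIN_FAMILIES):
    """Return {host: reason} for hosts whose low-level alerts form a pattern."""
    by_host = defaultdict(list)
    for ts, host, _sev, kind, detail in alerts:
        by_host[host].append((datetime.fromisoformat(ts), kind, detail))

    findings = {}
    for host, events in by_host.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            # Events that fall inside the window opened by event i.
            in_window = [e for e in events[i:] if e[0] - start <= window]
            families = {d for _, k, d in in_window if k == "malware_blocked"}
            tampered = any(k == "av_disabled" for _, k, _ in in_window)
            if len(families) >= min_families and tampered:
                findings[host] = "payload retries plus antivirus tampering"
                break
            if len(families) >= min_families:
                findings.setdefault(host, "repeated payload attempts")
        # Antivirus being switched off is worth a look even with no other alert.
        if host not in findings and any(k == "av_disabled" for _, k, _ in events):
            findings[host] = "antivirus disabled"
    return findings


if __name__ == "__main__":
    for host, reason in sorted(escalate(ALERTS).items()):
        print(host, "->", reason)
```

Hosts with a single blocked payload, or with blocks several days apart, stay below the threshold and are not escalated.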
The DoppelPaymer threat in more detail
Microsoft warns that DoppelPaymer threat actors have “caused havoc” in several attacks, with ransoms reaching into the millions of dollars in some cases. That it is spread by human operators within compromised networks, and within an attack framework involving other malicious software such as banking Trojans (Dridex is often found on machines compromised by DoppelPaymer), shows the level of unfettered confidence these cybercriminals have. “The success of attacks relies on whether campaign operators manage to gain control over domain accounts with elevated privileges after establishing initial access,” Microsoft said. While Microsoft Defender ATP generates alerts for myriad activities as a result of these attacks, if the affected network segments are not actively monitored, these do not get the response they demand. Because DoppelPaymer attacks tend not to “fully infect” the networks they compromise, but rather hit only a subset of machines with the malware and then a further subset with data encryption and exfiltration, there’s even more chance of them going unnoticed. The big difference between this type of ransomware and the more “traditional” file-encryptors we are used to is that DoppelPaymer and its ilk will also exfiltrate data to use as ransom leverage. As was the case in the Visser Precision attack, the criminals will happily release data into the public domain, usually on cybercrime forums, to persuade the victim they are serious. If ransoms are still not paid, the criminals have data that can then be sold on those markets so that they still successfully monetize the attack.
Mitigating against the human-operated ransomware threat
So, what does Microsoft recommend you do to protect your systems, and your data, from these human-operated ransomware attackers? Applying the basics of good security would be the simple yet obvious answer. “The top recommendations for mitigating ransomware and other human-operated campaigns,” Microsoft said, “are to practice credential hygiene and stop unnecessary communication between endpoints.” This removes the attackers’ ability to move laterally and can reduce the impact of any attack.