Protection Against Targeted Active Directory Ransomware

Venu Vissamsetty, published in AttivoTechBlogs, Jul 18, 2020 (4 min read)

Targeted ransomware, also known as human-operated ransomware, poses a significant threat to enterprises. In targeted ransomware attacks, adversaries use various MITRE techniques like T1069 — Permission Group Discovery, T1087 — Account Discovery, and others to learn about the permissions associated with accounts, identify misconfigurations, steal credentials, etc., to deploy ransomware across the network.

Targeted Ransomware is different from auto-propagation ransomware in the following ways:

1. Auto-propagation:

  • Steal credentials, keys, and other authentication tokens from memory, disk, etc. and deploy ransomware on infected systems
  • Spread across network mapped drives to drop and execute ransomware using tools such as WMI, PSExec, PowerShell, Net tools, and others
  • Propagate by using exploitation methods (for example EternalBlue, MS17-010) and deploying ransomware on target systems

2. Targeted Ransomware:

  • Adversaries discover information about the network and domain and identify weaknesses in the environment
  • Use tools like PowerShell, Bloodhound, etc., to perform domain reconnaissance and identify paths to high privilege targets
  • Compromise software deployment systems or CI/CD systems and deploy ransomware across the organization
  • Deploy ransomware across exposed C$ share using tools like PSExec, WMI, PowerShell scripts, etc.
  • Deploy Ransomware using Microsoft Group Policy Objects (GPOs) from the compromised domain controller.

Ransomware is evolving from encryption-only attacks to data-exfiltration and data leakage attacks. Organizations have typically deployed backup and self-service restore features to recover from data encryption ransomware.

The table below documents the data protection mechanisms that organizations employ to recover data from encryption-only ransomware.

https://next.nutanix.com/blog-40/comprehensive-data-protection-with-nutanix-files-31462

Data Exfiltration Ransomware:

Ransomware operators are revising their playbooks from encryption-only ransomware to encryption + exfiltration of sensitive data. This strategy is proving to be profitable for ransomware operators compared to encryption-only attacks as organizations are forced to pay ransom to prevent attackers from leaking their sensitive data. Existing ransomware mitigation strategies like data backup and restore can only recover local files, but not prevent attackers from leaking sensitive data.

MITRE Permission Group Discovery T1069

Ransomware operators use multiple methods to discover weaknesses within the enterprise network, steal credentials, perform lateral movement and deploy ransomware. In most of the incidents, attackers perform MITRE technique T1069 Permission Groups Discovery to determine the user accounts and groups that are available, find group memberships, and identify users and groups that have elevated permissions.

MITRE has introduced sub-techniques within T1069 that document attackers' additional discovery methods.

https://attack.mitre.org/techniques/T1069/

Attackers typically target user accounts in stages, starting with local administrator accounts, then moving laterally to delegated administrators, and finally to domain administrators.

1. Local administrator accounts have privileged access to domain-joined computers

2. Delegated admin users are typically not members of the default Domain Admins group but hold privileges equivalent to it; they are also referred to as 'Shadow Admins'. CyberArk's ACLight is a popular tool for discovering privileged accounts, including Shadow Admins.

3. Domain Admins are users with unrestricted privileged access in Active Directory

Once attackers gain access to privileged accounts, they can deploy ransomware across the enterprise to domain users, Active Directory connected storage systems, servers, databases, etc.
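The three account tiers above differ in where their privilege comes from: local admins from the local SAM, Domain Admins from group membership, and Shadow Admins from access-control entries that let them take over the group or its members. The following audit, added here as an example and not code from the post or from ACLight, walks a constructed directory snapshot and lists every principal that is not a transitive member of Domain Admins but can still take control of it, iterating until no new principal is found so that control over a controller (for example, a password-reset right on a Domain Admin, or full control of the account that holds that right) is also flagged. The snapshot format, the right names (BloodHound-style labels such as `AddMember` for write access to the `member` attribute) and all account names are assumptions made for the example.

```python
"""Audit a directory snapshot for 'shadow admins': principals outside Domain
Admins that hold control rights over the group or over its members.
Added example; SNAPSHOT is constructed, not an export from a real domain."""

# Rights that let the trustee take over the object they are granted on
# (simplified BloodHound-style labels, assumed for this example).
CONTROL_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner",
                  "AddMember", "ForceChangePassword"}

# Constructed snapshot: each object has a type, its direct members (groups only)
# and the ACEs on it as (trustee, right) pairs. Names are invented.
SNAPSHOT = {
    "Domain Admins":      {"type": "group", "members": ["Administrator", "Tier0 Ops"],
                           "aces": [("Helpdesk", "AddMember")]},
    "Tier0 Ops":          {"type": "group", "members": ["bsmith"], "aces": []},
    "Helpdesk":           {"type": "group", "members": ["cjones"], "aces": []},
    "Workstation Admins": {"type": "group", "members": ["dlee"], "aces": []},
    "Administrator":      {"type": "user", "members": [], "aces": []},
    "bsmith":             {"type": "user", "members": [],
                           "aces": [("svc_sccm", "ForceChangePassword")]},
    "svc_sccm":           {"type": "user", "members": [],
                           "aces": [("Workstation Admins", "GenericAll")]},
    "cjones":             {"type": "user", "members": [], "aces": []},
    # An ACE whose trustee is already privileged must not produce a finding.
    "dlee":               {"type": "user", "members": [],
                           "aces": [("Domain Admins", "GenericAll")]},
}


def expand_members(snapshot, group):
    """Transitive membership of a group, with nested groups flattened."""
    seen, stack = set(), [group]
    while stack:
        name = stack.pop()
        for member in snapshot.get(name, {}).get("members", []):
            if member not in seen:
                seen.add(member)
                if snapshot.get(member, {}).get("type") == "group":
                    stack.append(member)
    return seen


def find_shadow_admins(snapshot, root="Domain Admins"):
    """Return {principal: reason} for every principal that is not a transitive
    member of `root` but can take control of it, directly or through a chain
    of control rights (computed as a fixpoint over the privileged set)."""
    legitimate = expand_members(snapshot, root) | {root}
    privileged = set(legitimate)
    reason = {}
    changed = True
    while changed:
        changed = False
        for target in list(privileged):
            for trustee, right in snapshot.get(target, {}).get("aces", []):
                if right not in CONTROL_RIGHTS:
                    continue
                # The trustee itself plus everyone nested inside it inherits
                # the control right over the privileged object.
                for principal in {trustee} | expand_members(snapshot, trustee):
                    if principal not in privileged:
                        privileged.add(principal)
                        reason[principal] = (
                            f"{right} on {target}" if principal == trustee
                            else f"member of {trustee}, which has {right} on {target}")
                        changed = True
    return {p: reason[p] for p in sorted(privileged - legitimate)}


if __name__ == "__main__":
    for principal, why in find_shadow_admins(SNAPSHOT).items():
        print(f"shadow admin: {principal:20s} {why}")
```

Run against a real export, the same loop would consume group membership and DACLs pulled with the tooling the organization already uses; the value for a defender is the reason string, which names the specific delegation to remove or the service account to re-tier.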

Ransomware Families Performing Permission Group Discovery

The following table shows various lateral movement techniques used by ransomware operators to spread across the network.

TrickBot Ransomware Permission Group Discovery

The TrickBot loader uses the AdFind tool to query Active Directory for users, computers, groups, and other objects.

https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html

The figure shows sample information gathered by AdFind: domain group permissions and the users belonging to each group.
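The AdFind activity described in this section and the T1069 enumeration discussed under "MITRE Permission Group Discovery" both surface in process-creation telemetry as a recognizable set of command lines. The detection below is an added example, not code from the post or from Attivo EDN: it runs a small rule set for the local-group (T1069.001) and domain-group (T1069.002) sub-techniques over constructed Sysmon Event ID 1 style records, raises severity when a high-value group is named, and then looks for the TrickBot-like pattern of one actor issuing several distinct discovery commands on one host. The hostnames, users, paths and the exact field names of the records are assumptions made for the example.

```python
"""Flag process-creation events that match MITRE T1069 Permission Group
Discovery and spot hosts where one actor runs several discovery commands.
Added example; SAMPLE_EVENTS is constructed, not real telemetry."""
import re
from collections import defaultdict

# Constructed events in the shape of Sysmon Event ID 1 / Security 4688 fields.
# Hosts, users and paths are invented for the example.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe", "parent": "C:\\Windows\\explorer.exe",
     "cmd": 'net group "Domain Admins" /domain'},
    {"host": "WS01", "user": "CORP\\jdoe", "parent": "C:\\Temp\\loader.exe",
     "cmd": 'adfind.exe -f "(objectcategory=person)"'},   # account discovery, not T1069
    {"host": "WS01", "user": "CORP\\jdoe", "parent": "C:\\Temp\\loader.exe",
     "cmd": 'adfind.exe -f "(objectcategory=group)"'},
    {"host": "SRV02", "user": "CORP\\svc_backup", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmd": "net localgroup administrators"},
    {"host": "WS03", "user": "CORP\\amiller", "parent": "C:\\Windows\\explorer.exe",
     "cmd": "notepad.exe C:\\Users\\amiller\\notes.txt"},
    {"host": "WS01", "user": "CORP\\jdoe", "parent": "C:\\Temp\\loader.exe",
     "cmd": "powershell.exe -c \"Get-ADGroupMember 'Domain Admins'\""},
]

# (sub-technique, description, pattern) evaluated in order; first match wins.
RULES = [
    ("T1069.001", "local group enumeration via net/net1",
     re.compile(r"\bnet1?(\.exe)?\s+localgroup\b", re.I)),
    ("T1069.001", "local group enumeration via PowerShell",
     re.compile(r"Get-LocalGroupMember", re.I)),
    ("T1069.002", "domain group enumeration via net/net1",
     re.compile(r"\bnet1?(\.exe)?\s+group\b.*\s/domain\b", re.I)),
    ("T1069.002", "domain group enumeration via AdFind",
     re.compile(r"\badfind(\.exe)?\b.*objectcategory=group", re.I)),
    ("T1069.002", "domain group enumeration via the AD PowerShell module",
     re.compile(r"Get-ADGroupMember|Get-ADPrincipalGroupMembership", re.I)),
    ("T1069.002", "domain group enumeration via dsquery",
     re.compile(r"\bdsquery(\.exe)?\s+group\b", re.I)),
]

# Groups whose enumeration is the usual prelude to privilege escalation.
HIGH_VALUE_GROUPS = re.compile(
    r"domain admins|enterprise admins|schema admins|administrators", re.I)


def classify_event(event):
    """Return a finding for a T1069-looking command line, or None."""
    cmd = event["cmd"]
    for technique, description, pattern in RULES:
        if pattern.search(cmd):
            severity = "high" if HIGH_VALUE_GROUPS.search(cmd) else "medium"
            return {"host": event["host"], "user": event["user"],
                    "parent": event["parent"], "technique": technique,
                    "description": description, "severity": severity, "cmd": cmd}
    return None


def classify_events(events):
    """Findings for every matching event, in input order."""
    return [f for f in (classify_event(e) for e in events) if f]


def enumeration_bursts(findings, threshold=2):
    """(host, user) pairs that issued at least `threshold` distinct discovery
    commands: the enumerate-everything pattern, as opposed to a one-off query."""
    per_actor = defaultdict(set)
    for f in findings:
        per_actor[(f["host"], f["user"])].add(f["cmd"])
    return sorted(actor for actor, cmds in per_actor.items() if len(cmds) >= threshold)


if __name__ == "__main__":
    found = classify_events(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['severity']:6s} {f['technique']} {f['host']} {f['user']} "
              f"parent={f['parent']} :: {f['cmd']}")
    print("enumeration bursts:", enumeration_bursts(found))
```

The parent process is carried into each finding on purpose: a `net group` launched from an administrator's console and the same command launched from a loader dropped into a temp directory match the same rule, and the parent is what separates the two at triage time.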

Endpoint Detection Net (EDN)

Attivo Networks EDN prevents attackers from breaking out from an infected system by restricting their ability to conduct reconnaissance or move laterally. It denies attackers the ability to discover domain users and elevated group membership while providing real-time alerting.

EDN provides detailed telemetry and forensic information, which shows the malicious dropper querying all critical groups on the domain controller.

Conclusion

Organizations should deploy defense in depth to protect against both auto-propagating and targeted ransomware methods. Preventing domain reconnaissance using deception helps detect attackers earlier in the attack cycle and prevents lateral movement. You can find additional information about Attivo Networks EDN at https://attivonetworks.com/product/endpoint-detection-net/
