Employing techniques usually associated with nation-state threat actors, human-operated ransomware attacks represent a growing threat to businesses, Microsoft warned last week.
Different from auto-spreading ransomware, these are hands-on-keyboard attacks, where attackers use stolen credentials, perform reconnaissance, adapt to the compromised network’s configuration, and show extensive knowledge of systems administration.
Configuration weaknesses and vulnerable services are abused to perform the attack, which might also involve the delivery of other malicious payloads, credential theft, and data exfiltration.
As part of long-running campaigns that employ such ransomware attacks, adversaries compromise accounts with higher privileges, escalate privileges on the network, or use credential dumping techniques to establish a foothold in the compromised network.
REvil, Samas, Bitpaymer, and Ryuk are some of the most infamous human-operated ransomware campaigns, but other prolific threat actors have emerged recently, demonstrating a need for comprehensive defenses that can stop the attacks in their infancy, Microsoft says.
The company, which has been tracking several adversaries that deploy ransomware in such a manner, has observed similarities in the techniques employed by three adversaries behind active human-operated ransomware campaigns.
The first is PARINACOTA, which Microsoft has been tracking for 18 months, and which appears to be highly active, hitting three to four organizations each week, and able to quickly adapt to the configuration of the compromised network.
Over time, the group has changed tactics to match its needs and abused the compromised systems for crypto-currency mining, spam, or as proxies for other attacks. The group also changed payloads, but mostly deployed the Wadhrama ransomware over the past several months.
The adversary frequently targets web-exposed Remote Desktop Protocol (RDP) servers, but adapts to any path of least resistance it can use. Often, brute force is employed for lateral movement, and built-in local administrator accounts or Active Directory (AD) accounts are targeted.
PARINACOTA employs a smash-and-grab method, where ransomware is deployed less than an hour after initial access. Reconnaissance is performed if the attackers can easily move throughout the compromised environment.
The attackers search the Internet for systems that listen on RDP port 3389, then proceed to brute force those they find. Following a successful compromise, they determine if the system can be abused to launch RDP attacks on other targets or should be used for other actions.
Using stolen credentials, the hackers attempt to dump credentials and turn off malware detection services, then proceed to download tools for credential theft, persistence, reconnaissance, and other activities, clear event logs and conduct reconnaissance to identify opportunities for lateral movement.
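The PARINACOTA sequence described above (RDP brute force, a successful logon, then account creation and event-log clearing) is the kind of chain a defender can correlate in Windows Security events. The following detection logic is an added example, not Microsoft's code or telemetry; the event records are constructed and simplified, and the threshold and window values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified Windows Security events (not real telemetry).
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP),
# 4720 = user account created, 1102 = audit log cleared.
SAMPLE_EVENTS = [
    {"ts": f"2020-03-10T02:00:{i:02d}", "host": "FS01", "id": 4625, "type": 10,
     "src": "203.0.113.7", "user": "administrator"}
    for i in range(0, 36, 6)          # six failures in 30 seconds from one source
] + [
    {"ts": "2020-03-10T02:00:45", "host": "FS01", "id": 4624, "type": 10, "src": "203.0.113.7", "user": "administrator"},
    {"ts": "2020-03-10T02:07:12", "host": "FS01", "id": 4720, "type": None, "src": "-", "user": "svc_backup2"},
    {"ts": "2020-03-10T02:30:00", "host": "FS01", "id": 1102, "type": None, "src": "-", "user": "administrator"},
    # benign: one mistyped password followed by a normal RDP logon
    {"ts": "2020-03-10T09:15:00", "host": "WS22", "id": 4625, "type": 10, "src": "10.0.0.5", "user": "jdoe"},
    {"ts": "2020-03-10T09:15:20", "host": "WS22", "id": 4624, "type": 10, "src": "10.0.0.5", "user": "jdoe"},
]

FAIL_THRESHOLD = 5                 # assumed: failures needed before a success is suspicious
WINDOW = timedelta(minutes=10)     # assumed: how far back failures are counted
POST_COMPROMISE_IDS = {4720, 1102} # account created, audit log cleared

def parse(ts):
    return datetime.fromisoformat(ts)

def detect(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Flag RDP logons preceded by a burst of failures from the same source,
    and attach later account-creation / log-clearing events on that host."""
    events = sorted(events, key=lambda e: e["ts"])   # ISO timestamps sort lexically
    failures = defaultdict(list)                      # (host, src) -> failure times
    alerts = []
    for e in events:
        if e["id"] == 4625 and e["type"] == 10:
            key, t = (e["host"], e["src"]), parse(e["ts"])
            failures[key] = [f for f in failures[key] if t - f <= window] + [t]
        elif e["id"] == 4624 and e["type"] == 10:
            key, t = (e["host"], e["src"]), parse(e["ts"])
            recent = [f for f in failures[key] if t - f <= window]
            if len(recent) >= threshold:
                alerts.append({"host": e["host"], "src": e["src"], "user": e["user"],
                               "success": e["ts"], "failures": len(recent), "post": []})
                failures[key] = []
        elif e["id"] in POST_COMPROMISE_IDS:
            for a in alerts:   # only hosts with a flagged logon earlier than this event
                if a["host"] == e["host"] and parse(e["ts"]) > parse(a["success"]):
                    a["post"].append(e["id"])
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['host']}: {a['failures']} failures then RDP logon from {a['src']} as "
              f"{a['user']} at {a['success']}; post-compromise events {a['post']}")
```

The benign WS22 sequence is not flagged; FS01 is, and the later 4720 and 1102 events raise its severity from brute-force success to likely hands-on-keyboard activity.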
In addition to high-privilege account credentials, the group targets credentials for specific banking or financial websites. Even if the infected machines are used for crypto-mining or spam, the adversary in most cases returns after a few weeks to install ransomware.
Another ransomware family deployed by human operators through stolen credentials for privileged accounts is Doppelpaymer. Machines encrypted with the ransomware were also infected by banking Trojans like Dridex, suggesting that the Trojan was used for initial access. However, Doppelpaymer-compromised networks also show signs of RDP brute force.
“The use of numerous attack methods reflects how attackers freely operate without disruption – even when available endpoint detection and response (EDR) and endpoint protection platform (EPP) sensors already detect their activities,” Microsoft notes.
The campaign operators then attempt to steal credentials to elevate privileges and sometimes create new accounts and grant Remote Desktop privileges to them, for persistence. They also perform reconnaissance, search for active RDP sessions, query Active Directory or LDAP, and target high-impact machines.
Similarly, the Ryuk human-operated ransomware family is being deployed by a banking Trojan, in this case Trickbot. The Cobalt Strike implant or PowerShell Empire are employed for lateral movement, with the ransomware often deployed weeks or months after the initial infection.
Like PARINACOTA and the Doppelpaymer operators, the Ryuk gang leverages local administrator accounts, attempts to disable security tools, performs reconnaissance and lateral movement, and attempts to steal credentials for high-privilege accounts.
Successful human-operated ransomware attacks target servers with security software disabled to improve performance, and many use already known malware and tools. In such campaigns, Microsoft says, attackers maintain access to the network even if the ransom is paid.
“The same servers also often lack firewall protection and MFA, have weak domain credentials, and use non-randomized local admin passwords. Oftentimes these protections are not deployed because there is a fear that security controls will disrupt operations or impact performance,” Microsoft says.
Removing the adversary’s ability to move laterally would significantly increase resilience against Wadhrama, Doppelpaymer, Ryuk, Samas, REvil, and other human-operated attacks. Credential hygiene and stopping unnecessary communication between endpoints should also help, especially if coupled with the use of advanced protection on multiple attack surfaces.