Targeted Active Directory Ransomware attacks increased dramatically in the past years. Let’s take a look at how ransomware is affecting AD, what impacts can it have on your company and how you can manage risk.
Sure, the title makes for dry reading, but it could just save you and your company a considerably incapacitating, painful, and expensive experience.
“I have anti-virus; I have a DR team for that; I have an Active Directory backup solution…”
We hear you. The cold hard reality, though, is that when targeted ransomware attack hi, none of that is likely to cut it, unfortunately. Without preparing for such exquisitely coded and architected attacks, the truth is that the situation will wreak havoc on your company and its reputation, and also quite literally it can become weeks and months of significant mental and financial burden for an entire organization.
The End of Groundhog Day
What is the single most important and yet simple process you and your employees do every day at your desk or on your laptop on the way to that important meeting? Yes, that’s right, you’ve got it: You type in your complicated (hopefully) password, and you log on…
The simplest of tasks and yet the most taken for granted. We all know how it feels to not be able to log on; you feel locked out and entirely powerless. Nothing can be achieved without logging on with the help of Active Directory (except maybe that crossword puzzle). You get the point.
We log on, and by way of this seemingly intangible process, we are provided with access to numerous important data sources and resources. This data is made available — and indeed secured — through the transparent and forgotten authentication mechanisms of Active Directory, which crank and turn in the background and ensure we can run our businesses.
Let’s highlight the nature of a cyberattack and the typical chain of events that ensues because of such an attack against an organization:
- The network has been compromised (they have control)
- All files and backups are now encrypted and inaccessible, across 11 countries, 12,000 computers, and 533 servers
- Employees are now working with pen and paper
- A ransom demand for $2.4 million has been made
- You have rightly refused to pay the ransom
- The network is now locked down entirely
- Not a single employee can log on anywhere within your company
Cue weeks or months of downtime, loss of clients, and millions of dollars of revenue lost. Try our Active Directory downtime and recovery cost calculator to find how our much you company could lose.
Active Directory and Ransomware
AD Targeted Ransomware Attack on Norsk Hydro
The above chain of events is not dissimilar to events that took place for Norwegian aluminum producer Norsk Hydro in 2019. Norsk Hydro was hit with an infection known as “LockerGoga.”
The attackers leveraged AdFind to query Active Directory and make lateral movements via Remote Desktop Protocol (RDP); effectively, Active Directory is hijacked and becomes a transport network.
The virus, which is also commonly combined with another named “Ryuk,” spread from a single plant in the U.S. and subsequently spread to other facilities across its network. The ransomware attack forced Norsk Hydro into operating its plants using manual processes in many of its factories, and they were reduced to using fax machines, sticky notes, and old computers following the attack, which cost the company more than $60 million. The insurance policy covered an estimated $3.6 million of these costs.
AD Targeted Ransomware Attack on ThreatGen
ThreatGen, a technology firm based in the U.S., reported that several of its clients in the oil and gas sector were also hit with the Ryuk infection. Privileged credentials were obtained through a vulnerability within the RDP protocol. Ryuk, then having access to the systems, inserted itself into a logon script to ensure all users’ machines logging into the domain (AD) was infected. As a result, all network users’ devices were locked and encrypted.
The initial infection and compromise to Active Directory enabled the ransomware to lie dormant for months before it was then inserted into the logon scripts, thus allowing the hackers to data mine the entire environment in stealth.
This level of attack provides the hackers with ample time to guarantee they can control the network and to ensure that all backups and systems or DR processes are also compromised and encrypted as efficiently as possible to make an AD recovery impossible.
Active Directory Attack Vectors
Based on the volume of complaints received in 2020 by the Internet Crime Complaint Center (IC3), Business E-mail Compromise (BEC) schemes continue to be the costliest, as e-mail is known to be the top vector for spreading ransomware. Between 2019 and 2020, phishing incidents increased by 110%, from 114,702 incidents in 2019 to 241,324 incidents in 2020, according to the FBI Internet Crime Report 2020. In addition to the most prevalent attack vectors, there is a plethora of others you should be aware of and consider in terms of your overall security planning.
Common attack vectors:
- Phishing e-mails
- Unpatched vendor software
- Insider threats
- Weak credentials
- Third-party vendors
- Poor encryption
- Poor system configuration
Ransomware as a Service (RaaS)
Let’s talk Ransomware as a Service (RaaS). Not exactly the kind of service that you might expect to find at all. RaaS is a business model designed and run by ransomware developers to monetize their illegitimate and destructive acts, which facilitate attacks for a paying customer.
The customer logs on to the RaaS portal, pays with cryptocurrency, and provides the information regarding the type of malware or attack and their intended targets. Unbelievably, they have access to an array of support, communities, and documentation, and they can even be provided with portals that enable them to monitor the status of their infections on their targets.
It is worth understanding and being aware that these types of services exist. This knowledge may conceivably even lead you to discover your attacker.
‘Ryuk’ Ransomware – Short Bio
Ryuk is an example of one of the deadliest ransomware programs; it has worm capabilities enabling it to infect networks and spread automatically. It is used in targeted attacks against enterprises and organizations.
Type and source of infection:
Ryuk is used in targeted attacks against files and systems; i.e., company file servers and backups are encrypted, and demand for a ransom amount is made with the promise of decrypting all the data. Attackers rely on gaining access to the network and then essentially map out its contents to identify key targets.
Ryuk encrypts files present on the machine and appends .RYK to the filenames. Within each directory containing encrypted files, a ransom note is written in either of the following formats:
- a text file named RyukReadMe.txt
- an HTML file named RyukReadMe.html
The contents of the files can vary but patterns are present, namely the Ryuk signature followed by the sentence “No system is safe.”
Ryuk achieves its persistence through the following registry key:
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\ Windows\CurrentVersion\Run\svchost (with Ryuk’s filepath as the value).
Ryuk finally deletes the Volume Shadow Copies to prevent any file recovery.
Ryuk seeks to stop more than 40 processes and 180 services: those related to security software, databases, and backups. Ryuk consists of a dropper that drops a data encryption module (32- or 64-bit).
The combination of symmetric (AES) and asymmetric (RSA) encryption algorithms ensures all files are encrypted, as well as the encryption key, making it impossible to decrypt the data. Ryuk simply expands this attack automatically across the entire network and all connected systems it can access.
The operating system is left operating for some time to allow the victims to read the ransom demands, until all access is entirely locked down — and indeed most ransomware notes are now shown where the logon screen once stood.
Active Directory Risk Mitigation
Now that we have seen some of the risks associated with targeted Active Directory ransomware and highlighted the level of damage that can occur in these ransomware events, let’s look at the most common risks and how we can mitigate them to secure our environments.
- User Education and Management:
- Regular employee awareness training regarding attacks and associated risks
- Training regarding the types of attacks that make organizations most vulnerable to infection (e.g., phishing attacks), password security, etc.
- Phishing IQ quantitative testing and social-context aware examples training
- Minimizing privileged AD group membership
- Restricting privileged AD accounts
- Regular Patching:
- All hardware and software network attached systems
- Updates to firewalls, switches, servers, PCs across the environment
- Management and deployment mechanisms of security patches
- Management and patching of third-party software and systems
- Security Hardening:
- Regular and planned scanning for vulnerabilities across entire environment(s) including on-premises and cloud environments
- Tiered administration model for Active Directory
- Managed end-user devices using non-AD accounts (local)
- Implementation of multifactor authentication (minimum)
- Implement change monitoring in AD
Active Directory Targeted Ransomware Attack Recovery Approach
Being proactive when fighting against ransomware is a necessity, but you also need a reactive Active Directory disaster recovery plan, should you fall victim.
Active Directory security is pivotal to the entire network. It is the interconnect and the gateway that facilitates all access and transactions, making it a particularly important target for ransomware.
Recovering from a targeted Active Directory ransomware attack is complex and depends on whether you have a backup and recovery solution, and a particularly robust at that, for ensuring that you can regain access to your network. You need to make sure this plan is AD specific and that it is regularly tested.
You need to be able to identify the root cause of an attack and in turn be able to remediate the problem from a positive position of regained control as opposed to a position of zero control.
Itergy’s Active Directory Ransomware Recovery Solution
Because the Active Directory restore process is so complex and often fails, we’ve built a bulletproof solution that guarantees you can recover Active Directory in 4 hours or less after an attack. And that matter which strategies hackers employ to prevent you from recovering.
First, we back up Active Directory only, to prevent backing up the ransomware infection present in the OS. Second, we use immutable storage to make sure your backups are protected.
Then, in combination with your on-premises or cloud environments, we leverage a proactive recovery solution utilizing an isolated approach. The solution provides an off-site recovery environment, which simply brings services back online in the event of a ransomware attack.
In re-establishing connectivity between sites and restoring the functionality of Active Directory authentication and logon services, we can minimize downtime and put your business back in control.
With Itergy’s Active Directory ransomware recovery solution, you will have confidence in the knowledge that should the undesirable occur, your business will rapidly regain control of your infrastructure. Can you guarantee that you can recover your AD in a matter of hours or are you overlooking this critical element in your cybersecurity strategy? Come discuss with our Active Directory Experts.
Itergy has been monitoring and managing Active Directory in 65 countries, 24/7 on behalf of its customers for over 20 years. Some of our Active Directory services and AD managed services include health checks, strategic consulting, migrations, consolidations, M&A and divestitures, and Active Directory disaster recovery (AD backup and AD restore).
We make Active Directory the agile, secure, mature business application it was intended to be—the one your enterprise needs to succeed throughout all your business operations.