From the Microsoft Threat Protection Intelligence Team
Cybercriminals have been using COVID-19 as an opportunity to activate attacks and prey on the urgency of the current situation – while using the information and access gained to plan and gain leverage for future attacks.
In the first two weeks of April 2020 alone, multiple groups have been activating dozens of ransomware deployments, having accumulated access and maintained persistence on target networks for several months. These attacks can even be fatal, given their impact on aid organizations, medical billing companies, manufacturing, transport, government institutions and educational software providers. However, despite this global crisis, ransomware groups seem to give little regard to the critical services they impact.
Vulnerable systems are targeted far in advance of actual attacks
In digging deeper into past incidents to better understand how to counter attackers, Microsoft security intelligence as well as forensic data from relevant incident response engagements by Microsoft’s Detection and Response Team (DART) has shown that the many compromises which enabled these attacks actually occurred months earlier. Attackers had infiltrated target networks and then waited silently to monetize their attacks by deploying ransomware when they thought they would see the most financial gain.
To gain access to target networks, recent ransomware campaigns exploited internet-facing systems that had weaknesses such as a lack of multi-factor authentication (MFA). Hackers also went for older Windows platforms which were not updated and had weak passwords, or looked for misconfigured web servers and systems with specific existing vulnerabilities.
The attacks all used the same techniques observed in human-operated ransomware campaigns: initial access, credential theft, lateral movement and persistence. All culminating in the deployment of a ransomware payload of the attacker’s choice.
As with all human-operated ransomware campaigns, these recent attacks spread quickly throughout the network environment, affecting email identities, endpoints, inboxes, applications and more. Because it can be challenging even for experts to ensure the complete removal of attackers from a fully compromised network, it’s critical that vulnerable internet-facing systems are proactively patched and that mitigations are put in place to reduce the risk of these kinds of attacks.
Respond immediately once attacked
Should an attack hit, organizations should immediately check network-wide if they have any alerts related to these ransomware attacks and prioritize investigation and remediation. Having a plan in place for what to do can help prevent further attacks while addressing the current situation.
When an organization’s network is affected, we recommend performing the following scoping and investigation activities immediately to better understand the impact of the breach and to respond accordingly:
- Investigate affected endpoints and credentials: Identify all the credentials present at affected endpoints (points of access by end-user devices like desktops, laptops and mobile). Given the breach, assume that these credentials were available to attackers and that all associated accounts are compromised. Across software, check the event log for post-compromise logons, namely those that occur after or during the earliest suspected breach activity.
- Isolate compromised endpoints: For endpoints that have command-and-control beacons or have been lateral movement targets, these should be located and isolated. They can be located using advanced hunting queries or other methods of directly searching for related Indicators of Compromise (IOCs). Defender sources like Microsoft Defender ATP or NetFlow can then isolate identified endpoints.
- Address internet-facing weaknesses: Identify perimeter systems that attackers might have utilized to access your network. A public scanning interface such as io can then be used to augment your own data. Systems that are known to be at-risk and endpoints without MFA should receive particular attention.
- Inspect and rebuild devices with related malware infections: Many ransomware operators enter target networks through existing malware infections. Investigate and remediate any known infections immediately and consider them as possible vectors for sophisticated human adversaries. Do check for exposed credentials, additional payloads and lateral movement before you rebuild affected endpoints or reset passwords.
As ransomware operators continue to compromise new targets, taking the proactive step to assess risk using all available tools is the best prevention strategy. Organizations should continue to enforce proven solutions such as credential hygiene, minimal privileges and host firewalls to stymie these attacks.
These are some measures that should be implemented to make networks more resilient against new breaches, reactivation of dormant implants, or lateral movement:
- Randomize your local administrator passwords using a tool such as the Local Administrator Password Solution (LAPS).
- Apply an Account Lockout Policy so that someone who attempts to use more than a few unsuccessful passwords logging onto the system will be blocked.
- Ensure good perimeter security by patching exposed systems and applying mitigating factors, such as MFA or vendor-supplied mitigation guidance, for vulnerabilities.
- Utilize host firewalls to limit lateral movement and prevent endpoints from communicating on TCP port 445 for SMBs. This can significantly disrupt malicious activities.
- Turn on cloud-delivered protection for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
- Follow standard security baselines guidance for all your software. A tool like Microsoft Secure Score can also assist in measuring your security posture and recommending actions for improvement , guidance and control.
- Turn on tamper protection features to prevent attackers from stopping security services.
- Turn on attack surface reduction rules, including rules that can block ransomware activity.
Ransomware attackers don’t take days off
What we’ve learned from the increase in ransomware deployments in April is that attackers pay no attention to the real-world consequences of disruption in services that their attacks cause, even in this time of global crisis. Organizations shouldn’t expect hackers to be concerned about anything other than disruption and potential financial reward, regardless of the impact on people or society as a whole.
Human-operated ransomware attacks represent a different level of threat because adversaries are adept at systems administration and security misconfigurations and can therefore adapt to any path of least resistance in a compromised network. Attackers have shown that they can skillfully maneuver blocks and find other ways to move forward with their attack. These attacks are complex and far-reaching, and no two attacks are exactly the same.
With the region’s rapid digital transformation fueled by COVID-19, organizations must be aware and prepared to reduce the risk of impending attacks. Staying vigilant with the latest preventive actions and tools and knowing how to react in case of an attack, will go a long way in safeguarding an organization’s present and future.
