Microsoft issues detailed warning about human-operated ransomware attacks

Campaigns using this pernicious approach “pose a significant and growing threat to businesses and represent one of the most impactful trends in cyberattacks today”, states the company’s Threat Protection Intelligence Team

Posted 10 March 2020 by

Microsoft’s global Threat Protection Intelligence Team last week issued special guidance on how to deal with what it calls the “preventable disaster” that is human-operated ransomware attacks.

In a detailed report on the problem posted on its website on March 5th, the Team starts by distinguishing this kind of ransomware from automated ones like WannaCry or NotPetya.

Source: Microsoft Global Threat Protection Intelligence Team

Unlike those self-propagating worms, these campaigns are driven by hands-on-keyboard operators, which makes them more dangerous: the attackers can employ credential theft and lateral movement methods traditionally associated with targeted attacks like those from nation-state actors.

The operators behind them, says the Team, “exhibit extensive knowledge of systems administration and common network security misconfigurations, perform thorough reconnaissance, and adapt to what they discover in a compromised network.”

Such attacks also take advantage of network configuration weaknesses and vulnerable services to deploy devastating ransomware payloads, warns the study, adding that these are long-running campaigns whose damage goes well beyond that of a one-off infection:

“News about ransomware attacks often focuses on the downtimes they cause, the ransom payments, and the details of the ransomware payload, leaving out details of the oftentimes long-running campaigns and preventable domain compromise that allow these human-operated attacks to succeed.

“[But] based on our investigations, these campaigns appear unconcerned with stealth and have shown that they could operate unfettered in networks. Human operators compromise accounts with higher privileges, escalate privilege, or use credential dumping techniques to establish a foothold on machines and continue unabated in infiltrating target environments.”

Pretty gloomy stuff, then, and the examples given of what groups like PARINACOTA and the operators behind Ryuk are getting up to are alarming (“PARINACOTA impacts three to four organizations every week and appears quite resourceful”). But the report does say in its headline that this is a preventable disaster, so what are the defences? The post details several.

The first is that fully recovering from a human-operated ransomware attack requires comprehensive incident response procedures followed by hardening of the network.

Microsoft also reminds us that IT pros play an important role in security (“Attackers are preying on settings and configurations that many IT admins manage and control. Given the key role they play, IT pros should be part of security teams”), and that “seemingly rare, isolated, or commodity malware alerts can indicate new attacks unfolding and offer the best chance to prevent larger damage”.

The post also argues that truly mitigating modern attacks requires addressing the infrastructure weaknesses that let attackers in:

“Human-operated ransomware groups routinely hit the same targets multiple times. This is typically due to failure to eliminate persistence mechanisms, which allow the operators to go back and deploy succeeding rounds of payloads, as targeted organizations focus on working to resolve the ransomware infections.”

As a result, “Organizations should focus less on resolving alerts in the shortest possible time and more on investigating the attack surface that allowed the alert to happen.

“This requires understanding the entire attack chain, but more importantly, identifying and fixing the weaknesses in the infrastructure to keep attackers out,” the report concludes.
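One practical way to act on that advice before declaring an incident closed, as an added example that is not part of the article or of Microsoft's report: a PowerShell inventory of common Windows persistence locations (autorun registry keys, scheduled tasks, service binaries, WMI event subscriptions and local Administrators membership) that an incident responder can review for attacker-planted entries. The choice of locations and the filters applied are my own assumptions about what is worth reviewing, not a list taken from the report; run it in an elevated session on each host touched by the intrusion.

```powershell
# Added example, not from the Microsoft report or the article.
# Inventories common Windows persistence locations so that responders can look for
# attacker footholds left behind after the ransomware payload itself is cleaned up.
# The set of locations and the "non-Microsoft" filters are assumptions of this example.
function Get-PersistenceInventory {
    $findings = @()

    # 1. Autorun registry keys (per-machine and per-user). Property names starting
    #    with "PS" are PowerShell metadata, not registry values, so they are skipped.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -notmatch '^PS') {
                    $findings += [pscustomobject]@{ Type = 'RunKey'; Name = "$key\$($p.Name)"; Command = "$($p.Value)" }
                }
            }
        }
    }

    # 2. Enabled scheduled tasks outside the \Microsoft\ task folder (heuristic, not a whitelist).
    Get-ScheduledTask |
        Where-Object { $_.State -ne 'Disabled' -and $_.TaskPath -notlike '\Microsoft\*' } |
        ForEach-Object {
            foreach ($a in $_.Actions) {
                $findings += [pscustomobject]@{ Type = 'ScheduledTask'; Name = "$($_.TaskPath)$($_.TaskName)"; Command = "$($a.Execute) $($a.Arguments)" }
            }
        }

    # 3. Services whose binary does not live under the Windows directory.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '\\Windows\\' } |
        ForEach-Object {
            $findings += [pscustomobject]@{ Type = 'Service'; Name = $_.Name; Command = $_.PathName }
        }

    # 4. WMI event subscriptions: the filter (trigger) and the command-line consumer (action).
    Get-CimInstance -Namespace root\subscription -ClassName __EventFilter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings += [pscustomobject]@{ Type = 'WmiEventFilter'; Name = $_.Name; Command = $_.Query }
        }
    Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings += [pscustomobject]@{ Type = 'WmiCommandLineConsumer'; Name = $_.Name; Command = $_.CommandLineTemplate }
        }

    # 5. Local Administrators membership; unexpected members can be attacker-created accounts.
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings += [pscustomobject]@{ Type = 'LocalAdmin'; Name = $_.Name; Command = "$($_.PrincipalSource)" }
        }

    return $findings | Sort-Object Type, Name
}

# Usage: review the table by hand, or export it for comparison against a known-good baseline.
Get-PersistenceInventory | Format-Table -AutoSize -Wrap
# Get-PersistenceInventory | Export-Csv -Path .\persistence-inventory.csv -NoTypeInformation
```

The script only enumerates; it deliberately does not delete anything, because deciding which entries are legitimate requires the context of the investigation the report is asking for. Comparing the output against a baseline taken from a clean build of the same host is the quickest way to spot entries that were added during the intrusion.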