Microsoft Offers Extensive Advice To Address Human Operated Ransomware Threats
Microsoft on Monday described the human-operated ransomware industry, offering detailed tips for IT pros, plus security product mentions.
Human-operated ransomware involves decision making by an attacker, armed with a keyboard and network access. These attackers leverage a broader ransomware-as-a-service economy, which mimics the services “gig economy” that was largely fostered by the software industry itself. The attack tools are provided to partners who conduct phases of the attacks and share in the profits.
That gig economy circumstance in the criminal ransomware industry sometimes makes it difficult to distinguish threat actors, who may be working with various affiliates. Moreover, ransomware attackers often swap out the attack software that gets used.
Microsoft uses the “DEV”-plus-number approach to label unidentified attackers. It switches to using volcano names when those groups become known. Nation-state attackers get labeled using chemical element names.
The “most prolific ransomware group” that’s active at present is Trickbot LLC, which Microsoft calls “DEV-0193.” This group typically adds new members via the “cybercriminal gig economy.” Six other threat actors were also highlighted by Microsoft as being prominent in the ransomware-as-a-service space.
Admin Tools Used in Attacks
Ransomware attackers basically need admin credentials to gain a network footing. To that aim, they typically exploit unpatched software vulnerabilities, Microsoft indicated.
With network access established, various attack tools get deployed. Cobalt Strike is one of the more frequently used command-and-control tools that gets dropped into a victim’s network. However, “common enterprise tools” get used, too.
Microsoft listed the following common tools for IT pros that it sees getting used in ransomware attacks:
- Atera Remote Management
- Remote Manipulator System
Microsoft advised blocking the use of these tools via “perimeter firewall rules” if they are not used in a computing environment. However, if they are used, Microsoft recommended the use of multifactor authentication (a secondary identity verification means beyond a password) with them as a safeguard.
Microsoft specifically called out the Mimikatz tool, developed by “ethical hacker” Benjamin Delpy to detect Microsoft authentication protocol flaws, as quickly incorporating Active Directory exploits that get used by ransomware attackers:
Ransomware activity groups also rapidly adopt vulnerabilities related to authentication, such as ZeroLogon and PetitPotam, especially when they are included in toolkits like Mimikatz. When unpatched, these vulnerabilities could allow attackers to rapidly escalate from an entrance vector like email to Domain Admin level privileges.
Former Microsoft employee and security researcher Kevin Beaumont commented in a May 9 Twitter post, though, that Delpy shouldn’t be blamed for Microsoft’s software flaws. He added that “you need to make a whole bunch of changes to out of the box AD as it ships with insecure defaults … but the blog completely fails to mention that for defenders.”
To deal with possible credential exposures, Microsoft recommended the use of the free and open source BloodHound tool, which shows the number of administrators in a computing environment. “It can also be a powerful tool in reducing privileges tied to administrative account and understanding your credential exposure,” Microsoft indicated.
The BloodHound mention was noticed by Andy Robbins, BloodHound’s product architect, in a May 9 Twitter post. Robbins pointed interested parties to this “BloodHound versus Ransomware” guide.
BloodHound is yet another tool, though, that can be abused by ransomware attackers, according to Microsoft:
Microsoft has observed ransomware attackers also using BloodHound in attacks. When used maliciously, BloodHound allows attackers to see the path of least resistance from the systems they have access, to highly privileged accounts like domain admin accounts and global administrator accounts in Azure.
Microsoft 365 Defender
Microsoft’s Monday announcement had much advice for defending against ransomware, more than can be summarized in a coherent manner. It’s good stuff in a very long blog post.
Microsoft’s advice was sufficiently detailed — loading up multiple tasks for IT pros to complete — that it may serve as an argument for using the Microsoft 365 Defender service as a way to deal with all of the complexity.
Here’s Microsoft’s basic pitch:
The multi-faceted threat of ransomware requires a comprehensive approach to security. The steps we outlined above defend against common attack patterns and will go a long way in preventing ransomware attacks. Microsoft 365 Defender is designed to make it easy for organizations to apply many of these security controls.
Microsoft plans to talk more about these sorts of solutions during its Microsoft Security Summit online event on May 12, which will feature CEO Satya Nadella and Vasu Jakkal, corporate vice president for security, compliance, identity and management at Microsoft.
Microsoft also recently announced new security service offerings for organizations, including its Microsoft Security Experts offering, which promises to take over managing security for organizations.
The ransomware discussion effectually serves as a sales avenue for many of Microsoft’s security services offerings. The phrase, “human-operated ransomware,” is one that Microsoft says it coined. Such discussions and marketing likely will continue, especially given that most organizations have been hit by ransomware.
Microsoft offered tips on addressing human-operated ransomware in an earlier talk given back in December by Microsoft security experts. It, too, offered organizations tips on addressing ransomware threats, along with advice on Microsoft security products.