Microsoft and FBI Issue Warning on New Human Operated Ransomware

Microsoft's Threat Protection Intelligence Team has issued a new warning about what it calls a “significant and growing” cybersecurity threat, and the FBI has followed with its own warning about ransomware. As bad as some commodity ransomware is, such as the recent NetWalker variant that injects its code directly into the Windows 10 Explorer process, those threats are only the tip of the iceberg.

Microsoft's team describes one category of ransomware attack that poses a considerable threat, especially to businesses, and calls it “one of the most impactful trends in cyberattacks” being dealt with today. The good news is that, although the payloads are devastating, the attacks are largely preventable with some care and forethought: they depend on network misconfigurations and weak credential practices that defenders can fix in advance.

Not All Ransomware Is Created the Same 

The most important point in the Microsoft warning is that not all ransomware is created equal. There is the usual automated, bot-driven commodity ransomware that makes up the majority of cases on the internet. Then there is the targeted, hands-on, human-operated ransomware that Microsoft is warning about. These attacks put far more effort into stealing credentials and data, and they are run by financially motivated criminal groups whose tradecraft resembles that of nation-state intrusions, not by nation states themselves.

The methodology behind these attacks has evolved to the point that the operators exfiltrate files as well as encrypt them; DoppelPaymer is a good example. Its attack on Visser Precision, a parts supplier to Lockheed Martin, SpaceX, and Tesla, leaked documents belonging to all three customers at once.

Human-Operated Ransomware 

Human-operated ransomware targets specific victims and systems. The criminals launching these attacks know plenty about their target. They conduct reconnaissance by probing networks for vulnerabilities, and they use open-source intelligence (OSINT) techniques on publicly available information to build the social engineering side of the attack. Microsoft warns that these attacks “take advantage of network configuration weaknesses and vulnerable services to deploy devastating ransomware payloads.” Because a person is at the keyboard, the attacker can also spot opportunities to go further and steal more information and credentials along the way.

Microsoft found that these attacks rarely rely on stealth. Once the attackers are inside the network they do not bother much about covering their tracks, and they often start in an unsophisticated way, with commodity malware and delivery vectors that trip security tools and raise alerts. The reason they don't care is simple: those alerts are low severity. Security teams pay little attention to them and rarely investigate, certainly not with any sense of urgency.

Leaving things that way creates a window of opportunity for the attackers. Even if the commodity payload is intercepted by the security tooling, the attempts continue until one of them gets past the defences, and once inside the attackers may disable antivirus protection so that their larger payloads raise no alerts at all. A low-severity commodity-malware alert followed by an antivirus-disabled event on the same host is therefore exactly the sequence a security team should be escalating rather than ignoring.
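The triage logic the two paragraphs above imply, as an added example that is not from the Microsoft report or from this article: it groups a feed of individually low-severity alerts by device and escalates any device on which two or more distinct attack stages (commodity malware, antivirus disabled, credential theft) appear inside a short window. The alert records are constructed to resemble a Defender ATP export, and the field names, stage regexes and window are assumptions for illustration.

```powershell
# Added example, not from the Microsoft report or this article: triage the
# low-severity alerts the article says get ignored. Alert records are
# constructed to look like a Defender ATP export; field names are assumptions.
$alerts = @(
    [pscustomobject]@{ Time = '2020-03-05T08:12:00Z'; Device = 'WS-0142'; Severity = 'Low';    Title = 'Commodity trojan quarantined' }
    [pscustomobject]@{ Time = '2020-03-05T08:40:00Z'; Device = 'WS-0142'; Severity = 'Low';    Title = 'Suspicious PowerShell download cradle' }
    [pscustomobject]@{ Time = '2020-03-05T09:05:00Z'; Device = 'WS-0142'; Severity = 'Medium'; Title = 'Real-time protection disabled' }
    [pscustomobject]@{ Time = '2020-03-05T11:30:00Z'; Device = 'WS-0142'; Severity = 'Low';    Title = 'Credential dumping tool blocked' }
    [pscustomobject]@{ Time = '2020-03-05T10:00:00Z'; Device = 'WS-0277'; Severity = 'Low';    Title = 'Adware detected' }
    [pscustomobject]@{ Time = '2020-03-06T14:10:00Z'; Device = 'WS-0277'; Severity = 'Low';    Title = 'Potentially unwanted application' }
)

# Stages taken from the article's narrative: commodity malware first, then the
# attacker disabling AV, then credential theft. The regexes are illustrative.
$stages = [ordered]@{
    InitialAccess   = 'trojan|download cradle|macro'
    DefenseEvasion  = 'protection disabled|tamper'
    CredentialTheft = 'credential dumping|lsass|mimikatz'
}

function Find-RansomwarePrecursor {
    param(
        [Parameter(Mandatory)] [object[]] $Alerts,
        [int] $WindowHours = 24
    )
    foreach ($group in ($Alerts | Group-Object -Property Device)) {
        # Latest time each stage was seen on this device, regardless of severity.
        $seen = @{}
        foreach ($a in $group.Group) {
            foreach ($stage in $stages.Keys) {
                if ($a.Title -match $stages[$stage]) { $seen[$stage] = [datetime]$a.Time }
            }
        }
        # Two or more distinct stages on one device inside the window: treat the
        # device as a human-operated intrusion in progress, whatever each alert's
        # own severity label says.
        if ($seen.Count -ge 2) {
            $times = $seen.Values | Sort-Object
            if (($times[-1] - $times[0]).TotalHours -le $WindowHours) {
                [pscustomobject]@{
                    Device    = $group.Name
                    Stages    = ($seen.Keys -join ', ')
                    FirstSeen = $times[0]
                    LastSeen  = $times[-1]
                    Action    = 'Escalate: isolate device, reset every credential used on it'
                }
            }
        }
    }
}

Find-RansomwarePrecursor -Alerts $alerts | Format-Table -AutoSize
```

With the constructed data, WS-0142 is escalated (three stages in about three hours) while WS-0277, which only produced two unrelated nuisance alerts a day apart, is not. The point of the correlation is that it ignores the per-alert severity entirely; the sequence on a single host is what matters.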

More About DoppelPaymer

Microsoft warns that the people behind DoppelPaymer have “caused havoc” with their attacks, with ransoms collectively reaching millions of dollars. The malware is spread by human operators across compromised networks, as part of an attack chain that involves other malware such as banking trojans. One thing these threat actors clearly have in spades is confidence. “The success of attacks relies on whether campaign operators manage to gain control over domain accounts with elevated privileges after establishing initial access,” Microsoft said.

Microsoft Defender ATP raises alerts on these attacks, but it is up to security personnel to act on them and give them the attention they deserve. Because the attackers do not “fully infect” a target network, but only a subset of machines, and then deploy file exfiltration and encryption on a further subset of those, the attack as a whole is likely to go unnoticed until it is too late.

The main difference between DoppelPaymer and more traditional ransomware is that DoppelPaymer, and similar families, exfiltrate data and use it as leverage in the ransom demand. That is what happened in the Visser Precision attack: the criminals were all too happy to publish the stolen information for the public to see, both as leverage and to show the victim they were serious. If the ransom isn't paid, the attackers will simply sell the information they stole and make money from the attack anyway.

How to Protect Against Human-Operated Ransomware Attacks 

With all of this in mind, how does Microsoft recommend that you protect yourself, your information, and your systems from human-operated ransomware? It all starts with a strong foundation of basic security practices. “The top recommendations for mitigating ransomware and other human-operated campaigns,” Microsoft said, “are to practice credential hygiene and stop unnecessary communication between endpoints.” Both measures deny the attackers the lateral movement across the network that these campaigns depend on, and they limit the damage an intrusion can do.

Take a look through the Microsoft Threat Protection Intelligence Team report for yourself to understand more about their recommendations and how to implement them. At the most basic level, you want to take steps to prevent attacks, turn on tamper protection so that the attackers cannot switch antivirus off once inside, and harden anything connected to the internet.
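The three basics the last two paragraphs list (credential hygiene, no unnecessary communication between endpoints, tamper protection), as an added audit-and-harden script that is not from the Microsoft report or from this article. It reports on each item and, only with `-Apply`, adds Windows Firewall rules that block inbound SMB, RDP and WinRM from other workstations; the client subnet, the rule names and the choice of ports are assumptions for illustration. It must be run elevated on a Windows 10 endpoint.

```powershell
# Added example, not from the Microsoft report: audit a Windows endpoint for the
# basics the article lists and optionally apply the firewall rules. Run elevated.
# The subnet, rule names and port list are assumptions; replace them with your own.
param([switch] $Apply)

$WorkstationSubnets = @('10.10.0.0/16')        # assumed client VLAN(s)
$LateralPorts = @(
    @{ Name = 'SMB';   Port = 445 }
    @{ Name = 'RDP';   Port = 3389 }
    @{ Name = 'WinRM'; Port = 5985, 5986 }
)

# 1. Tamper protection and real-time protection. The attackers in the article
#    disable AV once inside; tamper protection stops Set-MpPreference and
#    registry edits from doing that, so check it is actually on.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference
[pscustomobject]@{
    Check  = 'Defender tamper protection on'
    Pass   = [bool]$status.IsTamperProtected
    Detail = ''
}
[pscustomobject]@{
    Check  = 'Defender real-time protection on'
    Pass   = $status.RealTimeProtectionEnabled -and -not $pref.DisableRealtimeMonitoring
    Detail = ''
}

# 2. Credential hygiene. A domain user account sitting in the local
#    Administrators group gives an attacker who lands on this box a privileged
#    credential that is likely to work on other machines too.
$admins = Get-LocalGroupMember -Group 'Administrators'
$stray  = $admins | Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'ActiveDirectory' }
[pscustomobject]@{
    Check  = 'No domain user accounts in local Administrators'
    Pass   = -not $stray
    Detail = ($stray.Name -join ', ')
}

# 3. Stop unnecessary communication between endpoints. Inbound SMB/RDP/WinRM on
#    a workstation should only be reachable from management hosts, never from
#    other workstations. The rules are scoped to the client subnets so servers
#    and jump hosts in other ranges are unaffected.
foreach ($svc in $LateralPorts) {
    $name     = "Block workstation-to-workstation $($svc.Name)"
    $existing = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    [pscustomobject]@{ Check = $name; Pass = [bool]$existing; Detail = '' }
    if ($Apply -and -not $existing) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
            -Protocol TCP -LocalPort $svc.Port -RemoteAddress $WorkstationSubnets `
            -Profile Domain, Private | Out-Null
    }
}
```

Run it without `-Apply` first and review the output; the block rules are deliberately scoped to the workstation subnets rather than to "any", so help-desk or management systems that legitimately reach workstations must live outside those ranges (or be added as explicit allow rules) before the rules are applied fleet-wide.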

Reactionary Times News Desk