Active Directory Ransomware Attacks
Organizations worldwide use Active Directory (AD) as their primary identity service, which makes it a top target for ransomware attacks. This article explains how adversaries exploit Active Directory during ransomware attacks and provides strategies and tools for defending against them.
The two phases of a ransomware attack
A common misconception about ransomware attacks is that they are quick: Someone opens an infected email attachment or inserts an infected USB device, and within minutes data across the network is encrypted and a ransom demand is displayed on every screen.
The reality is quite different. Ransomware attacks today tend to be sophisticated and methodical. To encrypt as much sensitive information as possible and therefore maximize the chances of receiving a high payout, attackers proceed in two phases:
In the first phase, the adversaries gain an initial foothold and then spend time moving through the network in search of more powerful credentials and valuable assets, which is where Active Directory comes in.
Once the adversaries have the access they want, they run the ransomware to encrypt all the data they can reach, which can include content stored in the cloud. In many cases, they copy the data before encrypting it so they can threaten to release it as additional leverage to get paid. They often also try to encrypt or delete backups so that victims have little choice but to comply with the ransom demand.
Ransomware attack methods that exploit Active Directory
Here are some ways that cybercriminals have exploited Active Directory to carry out ransomware attacks:
Breaching a network using a dormant AD account
In the 2021 attack on Colonial Pipeline, a gang known as DarkSide gained access to the network through a VPN account that was no longer in use but had never been disabled. They compromised the account using either a list of common passwords or dumps of breached passwords available on the dark web, and the account was not protected by MFA. Dormant accounts are low-hanging fruit for threat actors because their takeover is less likely to be noticed than compromise of an account someone uses every day. (An account that is actually disabled in AD cannot authenticate at all, which is why the lesson here is to disable or delete accounts promptly when they fall out of use.)
Spreading ransomware using Active Directory Group Policy
Group Policy is a powerful feature of Active Directory that administrators use to maintain security and user productivity. Because the settings in a Group Policy object (GPO) are applied automatically by every computer and user in its scope, ransomware actors who obtain rights to edit or link GPOs can misuse Group Policy to spread their payloads across the whole domain at once.
For example, Ryuk ransomware has often been distributed through GPOs that the adversaries modify or create. Specifically, they add a logon or startup script, or a scheduled task, that runs the Ryuk binary, which infects every domain-joined machine on which a user logs on, not just the domain controllers.
Spreading ransomware via Active Directory’s SYSVOL share
Another way that ransomware gangs exploit Active Directory is to use the SYSVOL share. SYSVOL is replicated to every domain controller, holds the files behind Group Policy (policy templates, logon scripts and Group Policy Preferences such as scheduled tasks), and is readable by all authenticated users but writable only by administrators. Once adversaries have privileged access rights, they can drop a payload into SYSVOL and add a scheduled task or script that every domain-joined device picks up at its next policy refresh, giving them a single point from which to infect and monitor machines across the domain.
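The following PowerShell review script is an added example and is not code from the original article or from Netwrix. It covers both of the preceding sections: it lists GPOs changed in a review window, files recently written under SYSVOL, and every scheduled task delivered through Group Policy Preferences, with the command line each task would run on clients. It assumes a domain-joined host with the GroupPolicy and ActiveDirectory RSAT modules; the seven-day window is an assumption.

```powershell
# Added example, not code from the original article: review the places in
# Group Policy and SYSVOL that a ransomware operator would touch to push a
# payload domain-wide. Assumes a domain-joined host with the GroupPolicy and
# ActiveDirectory RSAT modules; the 7-day window is an assumption.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain   = (Get-ADDomain).DNSRoot
$lookback = (Get-Date).AddDays(-7)
$policies = "\\$domain\SYSVOL\$domain\Policies"

# 1. GPOs created or edited recently. In a Ryuk-style deployment the malicious
#    GPO is new or freshly modified and linked high in the OU tree.
Write-Host "GPOs modified since $lookback"
Get-GPO -All -Domain $domain |
    Where-Object { $_.ModificationTime -ge $lookback } |
    Sort-Object ModificationTime -Descending |
    Format-Table DisplayName, Id, ModificationTime, GpoStatus -AutoSize

# 2. Script and binary files written to SYSVOL in the window. Logon and startup
#    scripts are ordinary files under each policy's Scripts folder, so a fresh
#    .bat/.ps1/.exe here is worth opening.
Write-Host "Files changed under SYSVOL since $lookback"
Get-ChildItem -Path $policies -Recurse -File -Include *.bat, *.cmd, *.ps1, *.vbs, *.exe, *.dll -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $lookback } |
    Format-Table FullName, LastWriteTime, Length -AutoSize

# 3. Scheduled tasks delivered through Group Policy Preferences. Each one is an
#    XML entry in <GPO>\Machine|User\Preferences\ScheduledTasks\ScheduledTasks.xml.
#    "Immediate" tasks run once at the next policy refresh on every machine in
#    scope, which is how a one-shot encryptor gets launched everywhere at once.
Write-Host "Scheduled tasks defined in Group Policy Preferences"
Get-ChildItem -Path $policies -Recurse -Filter ScheduledTasks.xml -ErrorAction SilentlyContinue | ForEach-Object {
    $gpoGuid = $_.Directory.Parent.Parent.Parent.Name   # the {GUID} folder of the owning GPO
    [xml]$doc = Get-Content -Path $_.FullName -Raw
    foreach ($task in @($doc.ScheduledTasks.ChildNodes | Where-Object NodeType -eq 'Element')) {
        $props = $task.Properties
        if ($props.Task) {
            # TaskV2 / ImmediateTaskV2: actions are <Exec><Command>..<Arguments>
            foreach ($exec in $props.Task.Actions.Exec) {
                [pscustomobject]@{
                    GPO = $gpoGuid; Type = $task.LocalName; Name = $task.name; Changed = $task.changed
                    Command = $exec.Command; Arguments = $exec.Arguments
                }
            }
        } else {
            # Legacy Task / ImmediateTask: the command sits in appName/args attributes
            [pscustomobject]@{
                GPO = $gpoGuid; Type = $task.LocalName; Name = $task.name; Changed = $task.changed
                Command = $props.appName; Arguments = $props.args
            }
        }
    }
} | Format-Table -AutoSize
```

Run it from a workstation with RSAT rather than on a domain controller, and compare the GPO list against your change records: a GPO nobody can account for, or a scheduled task whose command points at a file in SYSVOL that was written minutes earlier, is the pattern described above.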
Gaining access by exploiting a SharePoint vulnerability
Ransomware actors and other adversaries can also gain a foothold in an AD environment by exploiting unpatched vulnerabilities. For instance, in 2019, attackers exploited a vulnerability in Microsoft SharePoint at the United Nations; Microsoft had already released a patch for it, but the UN had failed to update the software in a timely manner. Although this attack did not involve the release of ransomware, the personal data of almost 4,000 UN staff members was compromised.
How to defend against ransomware attacks on Active Directory
Planning to simply pay the ransom is not a viable ransomware strategy. There is no guarantee you will actually get a working decryption key, and paying may make you more likely to be targeted again. However, there are effective strategies for reducing your risk of suffering a ransomware infection and for minimizing the damage if one does occur. Here are the top best practices.
Clean up AD accounts and groups
Ensure that each user has only the permissions necessary to perform their job functions. Remove any AD accounts and security groups that are no longer needed, and ensure that each remaining group has a designated owner (or owners) who must regularly review the group’s permissions and membership.
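The script below is an added example, not code from the original article or from Netwrix. It implements the cleanup just described and also addresses the dormant-account entry point from the Colonial Pipeline section: it finds enabled user accounts nobody has used in 90 days, disables them in dry-run mode, and lists security groups that have no owner recorded in ManagedBy. It assumes the ActiveDirectory RSAT module; the 90-day threshold and the CSV path are assumptions for illustration.

```powershell
# Added example, not code from the original article: a stale-account and
# ownerless-group review. Assumes the ActiveDirectory RSAT module; the 90-day
# threshold and the CSV path are assumptions for illustration.
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-90)

# Search-ADAccount evaluates lastLogonTimestamp, which replicates between DCs
# but is only refreshed when it is more than ~14 days old, so it suits a
# 90-day check but not a "logged on today" question.
$stale = Search-ADAccount -AccountInactive -DateTime $cutoff -UsersOnly |
    Where-Object { $_.Enabled } |
    Get-ADUser -Properties LastLogonDate, PasswordLastSet, whenCreated, MemberOf, AdminCount |
    Select-Object SamAccountName, LastLogonDate, PasswordLastSet, whenCreated,
        @{ n = 'Groups';     e = { $_.MemberOf.Count } },
        @{ n = 'Privileged'; e = { $_.AdminCount -eq 1 } }   # adminCount=1: is or was in a protected group

$stale | Sort-Object LastLogonDate | Format-Table -AutoSize
$stale | Export-Csv -Path .\stale-enabled-users.csv -NoTypeInformation

# Disable rather than delete: a disabled account cannot authenticate, so a
# password recovered from a breach dump stops being useful, and the account
# can still be restored if someone turns out to need it. -WhatIf makes this a
# dry run; remove it after the list has been reviewed with the account owners.
foreach ($u in $stale) {
    Disable-ADAccount -Identity $u.SamAccountName -WhatIf
}

# Groups with no owner on record. Anything that grants access should carry a
# ManagedBy value naming the person who reviews its membership and permissions.
Get-ADGroup -Filter { GroupCategory -eq 'Security' } -Properties ManagedBy, Members, whenChanged |
    Where-Object { -not $_.ManagedBy } |
    Select-Object Name, GroupScope, whenChanged, @{ n = 'Members'; e = { $_.Members.Count } } |
    Sort-Object Members -Descending |
    Format-Table -AutoSize
```

Rows where Privileged is True deserve attention first: a stale account that is (or once was) in a protected group is exactly the kind of forgotten credential that gives an attacker a quiet, high-value foothold.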
Minimize privileged accounts
Malicious actors, including ransomware gangs, can do the most damage when they compromise a highly privileged account. Accordingly, it is essential to strictly limit membership in all privileged groups, especially highly powerful ones like Enterprise Admins, Domain Admins and Schema Admins.
Even better, adopt a modern privileged access management (PAM) solution that lets you replace standing privileged accounts with just-in-time, just-enough access.
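As an added example (not code from the original article or from Netwrix), the script below enumerates the effective membership of the most powerful AD groups, flags members that should not be there, and shows the time-bound group membership built into AD that can stand in for just-in-time access where no PAM product is deployed. It assumes the ActiveDirectory RSAT module; the group list, the 60-day and 365-day thresholds and the account name adm-jsmith are assumptions.

```powershell
# Added example, not code from the original article: audit Tier-0 group
# membership and demonstrate time-bound (TTL) membership. Assumes the
# ActiveDirectory RSAT module; group list, thresholds and the account name
# 'adm-jsmith' are assumptions for illustration.
Import-Module ActiveDirectory

$privGroups = 'Enterprise Admins', 'Domain Admins', 'Schema Admins',
              'Administrators', 'Account Operators', 'Backup Operators'

$report = foreach ($g in $privGroups) {
    # -Recursive expands nested groups, which is where unexpected members hide.
    # Enterprise/Schema Admins exist only in the forest root, hence the error handling.
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires, ServicePrincipalName |
        ForEach-Object {
            [pscustomobject]@{
                Group           = $g
                User            = $_.SamAccountName
                Enabled         = $_.Enabled
                LastLogon       = $_.LastLogonDate
                PasswordAgeDays = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }
                PwdNeverExpires = $_.PasswordNeverExpires
                # A service account (one with an SPN) in a Tier-0 group is a
                # Kerberoasting target that yields domain admin if its password cracks.
                HasSPN          = ($_.ServicePrincipalName.Count -gt 0)
            }
        }
}

$report | Sort-Object Group, User | Format-Table -AutoSize

# Findings worth a ticket: disabled or long-unused admins, never-expiring or
# very old passwords, and service accounts holding Tier-0 rights.
$report | Where-Object {
    -not $_.Enabled -or $_.PwdNeverExpires -or $_.HasSPN -or
    ($_.LastLogon -and $_.LastLogon -lt (Get-Date).AddDays(-60)) -or
    $_.PasswordAgeDays -gt 365
} | Format-Table Group, User, Enabled, LastLogon, PasswordAgeDays, PwdNeverExpires, HasSPN -AutoSize

# Time-bound membership: with the Privileged Access Management optional feature
# enabled (Windows Server 2016 forest functional level), a membership can carry
# a TTL and is dropped from the group automatically when it expires. Enabling
# the feature is irreversible, so try it in a lab first.
# Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
#     -Scope ForestOrConfigurationSet -Target (Get-ADForest).Name
Add-ADGroupMember -Identity 'Domain Admins' -Members 'adm-jsmith' `
    -MemberTimeToLive (New-TimeSpan -Hours 2)

# Memberships that carry a TTL are returned as <TTL=seconds,DN> entries, which
# is how you confirm the grant really is temporary.
Get-ADGroup -Identity 'Domain Admins' -Properties member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member
```

The TTL mechanism does not replace a PAM product (there is no approval workflow, session recording or credential vaulting), but it removes the most dangerous habit, which is leaving an account in Domain Admins indefinitely because someone once needed it for an afternoon.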
Update software promptly
Software companies frequently release patches to address vulnerabilities in their solutions, and regularly provide updated versions that improve security. Ensure that your Windows Server operating system and other software systems are kept patched, and never run software that has reached end of life and is no longer receiving security updates.
Implement Zero Trust and multifactor authentication (MFA)
A Zero Trust security model coupled with MFA helps thwart adversaries, both when they are trying to enter your network and when they attempt to move laterally and elevate their permissions. MFA makes a stolen password alone insufficient to log on, which is exactly what would have stopped the Colonial Pipeline intrusion described above, and Zero Trust means that even after a user has authenticated, suspicious or risky activity (an unfamiliar location or device, a request for elevated access) is met with additional authentication demands or denied outright.
Invest in advanced threat detection and response
As explained above, ransomware actors typically spend time moving through the network in search of more powerful credentials and valuable assets, so it is essential to continuously monitor the environment for suspicious activity such as unusual logons, changes to privileged groups or GPOs, and writes to SYSVOL. In addition, deception technology such as honeypot systems and decoy accounts leads attackers to reveal themselves: nobody has a legitimate reason to touch a decoy, so any use of it is a high-fidelity alert.
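The following script is an added example and is not code from the original article or from Netwrix. It shows the decoy-account idea in practice: it creates an account that looks valuable but is never granted any access, gives it an SPN so it also looks like a Kerberoasting target, and then pulls from every domain controller's Security log the Kerberos and logon events that name it. It assumes the ActiveDirectory RSAT module, rights to read the DC Security logs, and that Kerberos audit subcategories are enabled on the DCs; the decoy name, description, SPN and 24-hour window are assumptions.

```powershell
# Added example, not code from the original article: a decoy account as a
# detection tripwire. The account is never granted any access, so any Kerberos
# request or logon naming it is attacker activity. Assumes the ActiveDirectory
# RSAT module, rights to read DC Security logs, and that "Audit Kerberos
# Authentication Service" and "Audit Kerberos Service Ticket Operations" are
# enabled on the DCs. The decoy name, description, SPN and window are assumptions.
Import-Module ActiveDirectory

$decoy = 'svc-backup-admin'
$since = (Get-Date).AddHours(-24)

if (-not (Get-ADUser -Filter "SamAccountName -eq '$decoy'")) {
    # Random 32-byte password that is never written down anywhere: the point is
    # that nobody can log on as the decoy, not that someone could.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $secret = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    New-ADUser -Name $decoy -SamAccountName $decoy -Enabled $true -AccountPassword $secret `
        -Description 'Backup service account (domain admin rights)'   # bait for anyone enumerating AD
    # An SPN makes the decoy look like a Kerberoasting target; a 4769 naming it
    # as the service means someone requested a ticket they had no reason to want.
    Set-ADUser -Identity $decoy -ServicePrincipalNames @{ Add = 'MSSQLSvc/bkp01.corp.example:1433' }
}

# Pull the relevant events from every DC and keep those that mention the decoy.
$hits = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4768, 4769, 4771, 4624, 4625; StartTime = $since
    } | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        # 4769 carries the user as TargetUserName and the service as ServiceName,
        # so match on both to catch direct logons and ticket requests for the SPN.
        if ($d.TargetUserName -like "$decoy*" -or $d.ServiceName -like "$decoy*") {
            [pscustomobject]@{
                DC     = $dc
                Time   = $_.TimeCreated
                Id     = $_.Id
                Target = $d.TargetUserName
                Svc    = $d.ServiceName
                Source = if ($d.IpAddress) { $d.IpAddress } else { $d.WorkstationName }
                Status = if ($d.Status) { $d.Status } else { $d.FailureReason }
            }
        }
    }
}

if ($hits) {
    # Every row here is worth an incident ticket; the source address tells you
    # which host to isolate first.
    $hits | Sort-Object Time | Format-Table -AutoSize
} else {
    Write-Host "No activity involving $decoy since $since"
}
```

In production you would run the query side on a schedule from a SIEM or the DCs' event forwarding rather than polling each DC, but the detection logic is the same: the decoy's name appearing in any authentication event is the alert.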
Educate all users
One of the most effective approaches for protecting Active Directory is to educate all users in the organization about the tactics adversaries use to plant ransomware, such as phishing emails with malicious links or attachments. Conduct frequent training sessions and assess their effectiveness with simulated phishing emails.
Prepare for a ransomware event
Having playbooks for responding to ransomware attacks will help ensure a rapid and effective response. Some solutions can even automatically take specific actions when a known threat is detected. In addition, be sure to back up Active Directory, store the backups offline or otherwise beyond the reach of ransomware (a backup the attacker can reach will be encrypted or deleted along with everything else), and practice the recovery process on a regular basis.
Securing Active Directory with Netwrix GroupID
Implementing best practices for Active Directory security is a complex and time-consuming task. Netwrix GroupID is a comprehensive identity and access management solution that simplifies and automates the work. For example, with Netwrix GroupID, you can:
FAQ
Does ransomware encrypt Active Directory?
Yes. Ransomware that runs with sufficient privileges on a domain controller can encrypt the AD database (NTDS.dit) and SYSVOL along with the rest of the file system, which takes down authentication for the whole domain.
Why do hackers attack Active Directory?
Active Directory plays a central role in managing identities and their access to network resources, which makes it a lucrative target: whoever controls AD controls access to every domain-joined system.
What are Active Directory attacks?
Active Directory attacks include compromising user credentials, manipulating security group membership and permissions, and altering Group Policy objects.
Is Active Directory vulnerable?
Yes. Active Directory is a complex system that often has overprivileged accounts, misconfigured security policies and other vulnerabilities that adversaries can exploit.
Cybersecurity Executive / Co-founder of Action1 and Netwrix
8 months ago
"Ensure that your Windows Server operating system and other software systems are kept patched, and never run software that has reached end of life and is no longer receiving security updates." - I will second this. But ransomware delivered via GPO sounds like the absolute worst nightmare.
Sr. Site Reliability Engineering | Devops | Cloud Engineer | Rundeck Implementer | A Rust learner
8 months ago
Not sure how ransomware can approach a disabled AD account to exploit something. Can you explain? Is there any vulnerability in place, or a patch that would avoid this exploit if it exists?