Microsoft’s threat protection intelligence team has warned of a “significant and growing” cybersecurity threat that can deliver a devastating payload. The FBI has already warned how high the impact of ransomware can be, and now Microsoft is adding its voice to the call for vigilance. Ransomware threats such as the newly discovered strain of NetWalker, which can inject malicious code directly into the Windows 10 explorer.exe process, are bad enough, but they are only the tip of a very worrying cyber-iceberg. The Microsoft threat protection intelligence team has described in comprehensive detail how one type of ransomware attack poses a significant and growing threat, particularly to business users, calling it one of the “most impactful trends in cyberattacks” that we face today. The good news is that, despite deploying what Microsoft refers to as devastating payloads, these attacks, and the fallout that follows them, are preventable.
Not All Ransomware Is the Same
The critical message to take from the Microsoft deep dive into this threat is that not all ransomware is the same. The automated, worm-like ransomware that sprays itself across the internet like a cyber-blunderbuss is damaging enough, for sure. However, the Microsoft threat protection intelligence team is warning about a different kind of threat: hands-on, human-operated and highly targeted, the style of intrusion more commonly associated with the credential theft and data exfiltration of nation-state actors. The similarity goes beyond the targeting; some of these ransomware operations have evolved to exfiltrate data as well as encrypt it.
Human-operated Ransomware Attack Tactics
Just like nation-state advanced persistent threat (APT) attackers, human-operated ransomware crews target particular victims. The cybercriminals behind these attacks will already know plenty about you before they strike, having probed your networks for common security misconfigurations or used open-source intelligence (OSINT) techniques to gather publicly available data that feeds the social engineering side of the attack. “These attacks are known to take advantage of network configuration weaknesses and vulnerable services to deploy devastating ransomware payloads,” Microsoft said in the report, but it doesn’t stop there. If a human attacker sees other opportunities, further malicious payloads will be dropped, credentials stolen and data exfiltrated.
The DoppelPaymer Threat
Microsoft warns that DoppelPaymer threat actors have “caused havoc” in several attacks, with ransoms running into millions of dollars in some cases. That it is spread by human operators inside compromised networks, as part of an attack chain involving other malware such as banking Trojans (Dridex is often found on machines compromised by DoppelPaymer), shows the level of unfettered confidence these cybercriminals have. “The success of attacks relies on whether campaign operators manage to gain control over domain accounts with elevated privileges after establishing initial access,” Microsoft said. While Microsoft Defender ATP generates alerts for a myriad of activities during these attacks, if the affected network segments are not actively monitored, those alerts do not get the response they demand. Because DoppelPaymer attacks tend not to “fully infect” the networks they compromise, but instead plant the malware on only a subset of machines and then encrypt and exfiltrate on a further subset, there is even more chance of them going unnoticed. The big difference between this type of ransomware and the more “traditional” file-encryptors we are used to is that DoppelPaymer and its ilk also exfiltrate data to use as ransom leverage.
So, what does Microsoft recommend you do to protect your systems, and your data, from these human-operated ransomware attackers? Apply the basics of good security is the simple yet obvious answer. “The top recommendations for mitigating ransomware and other human-operated campaigns,” Microsoft said, “are to practice credential hygiene and stop unnecessary communication between endpoints.” Doing so removes the attackers’ ability to move laterally and reduces the impact of any attack.
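The two recommendations above are operational rather than abstract, so here is one way to apply them on a single Windows 10 workstation. This is an added example, not code from Microsoft’s report or from the article. It assumes an elevated PowerShell session and a hypothetical management subnet, 10.0.250.0/24, from which administrators are still allowed to reach SMB, RDP and WinRM; every other inbound connection on those ports, including from neighbouring workstations, is blocked by the firewall’s default inbound policy. The script then reports who holds local administrator rights on the host and whether LSA protection is enabled, the two things an operator with a stolen credential cares most about.

```powershell
#Requires -RunAsAdministrator
# Added example (not Microsoft's or the article's code): harden one workstation
# against workstation-to-workstation lateral movement and audit local credential
# hygiene. ASSUMPTION: 10.0.250.0/24 is a hypothetical management/jump-host
# subnet; adjust ports and subnets to your own environment.

$ManagementSubnet = '10.0.250.0/24'          # hypothetical admin network (assumption)
# Services attackers use to hop between workstations: SMB, RDP, WinRM
$LateralPorts = @(445, 3389, 5985, 5986)

# --- 1. Stop unnecessary communication between endpoints -------------------

# Enable the firewall on every profile and make "block" the default for inbound.
# Outbound stays open, so the workstation can still reach file servers and DCs.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# Disable the built-in allow rules that expose SMB, RDP and WinRM to any peer.
Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'     -ErrorAction SilentlyContinue
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'               -ErrorAction SilentlyContinue
Disable-NetFirewallRule -DisplayGroup 'Windows Remote Management'    -ErrorAction SilentlyContinue

# Re-allow those ports only from the management subnet. Because the default
# inbound action is Block, a compromised workstation elsewhere on the LAN can
# no longer open SMB/RDP/WinRM sessions to this host.
$ruleName = 'Harden-LateralPorts-ManagementOnly'
Remove-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
    -LocalPort $LateralPorts -RemoteAddress $ManagementSubnet `
    -Action Allow -Profile Domain | Out-Null

# --- 2. Credential hygiene checks -----------------------------------------

# Shared local admin accounts are what operators reuse to move from machine
# to machine, so list everyone who holds local admin on this host.
Write-Host 'Local Administrators group members:'
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# LSA protection (RunAsPPL) makes it harder for credential-dumping tools to
# read secrets out of lsass.exe. Report whether it is turned on.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name RunAsPPL -ErrorAction SilentlyContinue
if ($lsa -and $lsa.RunAsPPL -eq 1) {
    Write-Host 'LSA protection (RunAsPPL): enabled'
} else {
    Write-Warning 'LSA protection (RunAsPPL) is not enabled; set the RunAsPPL DWORD to 1 under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa and reboot'
}

# --- 3. Verify: which enabled inbound allow rules still touch the lateral ports?
# Anything listed here with RemoteAddress = Any is a gap to close.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $rule = $_
        $pf = $rule | Get-NetFirewallPortFilter
        $af = $rule | Get-NetFirewallAddressFilter
        foreach ($p in @($pf.LocalPort)) {
            # LocalPort can be 'Any' or a range such as '49152-65535'; only
            # compare single numeric ports against our list.
            if ($p -match '^\d+$' -and $LateralPorts -contains [int]$p) {
                [pscustomobject]@{
                    Rule          = $rule.DisplayName
                    Port          = $p
                    RemoteAddress = ($af.RemoteAddress -join ',')
                }
            }
        }
    } | Format-Table -AutoSize
```

In a real estate these settings would be pushed by Group Policy rather than run by hand, and the management subnet should be whatever your jump hosts and patching infrastructure actually sit on. Roll it out to a pilot group first: blocking inbound 445 on workstations breaks peer-to-peer file sharing between users, but not their access to file servers, because outbound connections remain allowed. The verification step at the end is the part worth keeping in a scheduled job, since a later software install can quietly add a new "allow from Any" rule that reopens the path the attackers rely on.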