Professional Documents
Culture Documents
Responding To The Growing Threat of Human-Operated Ransomware Attacks
Responding To The Growing Threat of Human-Operated Ransomware Attacks
threat of human-operated
ransomware attacks
PwC Cyber Security
Ankit Singhal
Contents
Ankit Singhal
Human-operated
ransomware attacks
Human-operated ransomware attacks are now one Given these attackers have now started stealing
of the top priority cyber threats faced by most and threatening to leak sensitive data, the majority
organisations. In this type of attack, cyber criminals of improvement efforts should be focused on
gain access to internal corporate networks and deploy preventing these attacks. Focusing solely on backup and
ransomware to encrypt data – often to devastating effect recovery strategies is no longer a viable option, as
– before attempting to extort organisations into paying these do not prevent the attacker from stealing data in the
seven or eight figure ransoms to recover access and first place, or help with the resulting regulatory
restore systems. Attackers also steal and threaten to implications.
leak sensitive data, to provide additional leverage when Even when backup and recovery strategies are in
extorting their victims. place, for large organisations an enterprise-wide
recovery from backups can take weeks and in some
These attacks represent a more challenging threat cases be practically unfeasible.
than previous well-known ransomware attacks,
such as NotPetya and WannaCry. This results from Organisations who have not already taken steps
skilled and adaptable financially-motivated to understand and reduce their vulnerability to
people behind the attacks, who can identify and these attacks should act now. This is especially
overcome defences, as well as evolve their tactics important as organisations across a wide-range of
to maximise their chances of getting organisations to sectors have
successfully recently been affected, and the frequency of these
pay out. This is unlike previous high profile attacks which attacks is highly likely to continue to rise over the coming
relied on wormlike functionality to spread ransomware. months. The improvements required to reduce the
risk of these attacks are not anything surprising to
cyber security teams, likely already forming part of
organisations’ existing improvement plans. However, the
escalation in the threat should cause organisations to re-
prioritise ongoing
and planned activities, as well as consider what actions
they can take to immediately reduce their vulnerability
to these attacks.
Ransomware attackers often work with other criminal Typical path of a human-
groups who use automated and mass-scale operated ransomware attack
techniques to gain access to company networks, for
example
by distributing banking trojans via phishing emails. Gain initial access and
deploy using
In many cases investigated by PwC’s incident automated and
response practice, these relatively simple opportunistic methods
techniques are effective at compromising
organisations as they have yet to solve challenging
business problems like how to restrict Microsoft Office
Phish employees
macros.
Once initial access has been gained into a target and deploy
organisation, attackers compromise privileged malware to
workstations
accounts and further systems, using a combination of
legitimate administration tools and security
testing tools
Exploit
(e.g. Cobalt Strike, PowerShell Empire, and BloodHound).
vulnerabilities
We have seen these tools as sufficient to gain in Internet-facing
privileged access in internal corporate networks due services
to widespread IT and Active Directory hygiene issues,
and detection capabilities that fail to detect the
techniques used in these attacks. Compromise
When attackers have gained privileged and privileged accounts
widespread access to the target’s network, sensitive by exploiting common
IT/AD hygiene issues
data is extracted and ransomware deployed as widely
as possible, in most cases causing significant and
long-term disruption to business operations.
Move laterally and
establish footholds
using common
offensive security tools
The number of
ransomware actors has Exfiltrate sensitive
data to attacker
profile attacks
as widely as
possible to for
maximum impact
‘Human-operated’
The rapid growth in human-operated ransomware attacks has been driven by several factors, including the:
Growing number of actors attracted by perceived Emergence of leak sites, placing additional pressure on
easy revenue. victims to pay ransom demands.
The number of ransomware actors has grown steadily The growing use of leak sites, where victim data is
throughout 2020, encouraged by the profits derived from released if a ransom is not paid, further increases the
high-profile attacks. For example, the NetWalker affiliate pressure on organisations to meet demands, and in turn
programme was launched in March 2020 and the profitability of these attacks. After the Maze Group
claimed to have amassed $4.5 million in its first six weeks. hosted a leak site in January 2020, a further 18 actors
After four months of operation, this revenue had have followed suit. By the end of September, over 750
reportedly increased to $25 million. organisations have had data exposed, with 80% of leaks
occurring since late April 2020.
Popularity of affiliate programmes, lowering the Arrival of new attackers, some of which
barrier to entry for newcomers. are highly aggressive.
Twelve well-known schemes are run as affiliate Despite their recent arrival on the ransomware scene,
programmes where ransomware developers lease operations like Suncrypt have released data more
access to their malware in exchange for a share of profits. frequently and in larger numbers than some of their more
This trend significantly lowers the barrier to entry, as established rivals. Conti, which we assess to be the
malware development is no longer a requirement; replacement for the notorious Ryuk ransomware,
allowing them to specialise in spreading through launched its leak site in August and released data on
organisations’ IT environments and deploying over 100 victims in its first eight weeks of activity.
ransomware at scale.
800
700
600
500
400
300
200
100
0
11/2019 12/2019 01/2020 02/2020 03/2020 04/2020 05/2020 06/2020 07/2020 08/2020 09/2020
Legacy IT creates security weaknesses attackers Ineffective detection and response capabilities give
can exploit. attackers freedom to operate.
Most organisations have legacy IT of some form; many still Attackers often remain in internal corporate networks
rely on this heavily, however this has significant security for days or weeks, escalating privileges and expanding
implications. The risk of out-of-support operating systems their footholds, before deploying destructive
increases over time as vulnerabilities are identified ransomware.
and remain unpatched. In addition, legacy operating During this time, there are usually many detection and
systems are nearly always incompatible with modern response opportunities that organisations fail to identify
security tooling and lack the security features required and take advantage of. This is most often because,
to defend against these types of attacks. In many traditional signature-based security tooling is ineffective
instances legacy systems host some of an organisation’s at detecting the techniques used in these attacks, alerts
most critical applications; those typically targeted in are often lost in the noise as security operations teams
human-operated ransomware attacks. are overwhelmed by false positives, and containment
Technology is not securely configured to processes are not effective. Also, the use of commodity
prevent common cyber attack techniques. trojans such as Emotet, Dridex or Qakbot as an initial
infection vector is often highly effective, as detecting and
In most cases, initial access in human-operated
remediating these ‘commodity malware’ infections is not
ransomware attacks stems from the compromise of
prioritised by security
Organisations teams. on-premise infrastructure
have retained
workstations with phishing emails or servers by exploiting
and struggled to adopt the SaaS cloud.
unpatched vulnerabilities in internet-facing services.
Attackers exploit the poor configuration of these systems, Cloud “software-as-a-service” business applications
with security controls either absent or not effectively (such as email, file storage, and CRM) can significantly
configured. These issues often remain unfixed due reduce the impact of a human-operated ransomware
to a lack of awareness around security good practice, attack, yet many organisations continue to rely on and
a lack of prioritisation by IT teams when delivering invest in on-premise infrastructure and applications.
security fixes, and the unknown or perceived business This type of environment was rarely architected with
impact security in mind (or indeed to prevent modern security
of delivering the fixes. threats), meaning attackers can easily use now widely
Poor protection of privileged accounts allows available offensive security tooling to exploit the
attackers to compromise credentials. resulting weaknesses. There are no quick-fixes, as
effectively retrofitting modern cyber security controls
We have seen skilled ransomware operators obtain Domain
on IT infrastructure can be costly and complex,
Administrator privileges within 72 hours, as
requiring IT to be modernised before it can become
organisations have not adequately protected privileged
securable.
accounts.
The most common problems are large numbers of
overly privileged accounts, risky operating practices by
domain administrators, and the use of insecure
passwords and authentication mechanisms. The root
cause of this is often that Active Directory (and other
identity and access management systems) is seen as an
IT tool, rather than a security tool that is essential to
preventing attackers from gaining privileged access;
and is therefore not configured with security in mind.
4 I Responding to the growing threat of human-operated ransomware
attacks Ankit Singhal
What questions should you
ask to assess your
vulnerability?
Management teams should question their security teams to determine how susceptible they are to
ransomware attacks, including:
How are we using technical How quickly and How confident are we that we can
security controls to limit the risk of comprehensively are we detect common attacker tools
a workstation being detecting and remediating being used within our network, for
compromised by phishing ‘commodity malware’ infections example Cobalt Strike or
attacks? on workstations? BloodHound?
How are we using secure How confident are we that we can How are we mitigating the risk of
administration practices and restricting detect the compromise and abuse of legacy IT to ensure this does not
the use of domain administrator privileged accounts by an attacker? provide a point of weakness that
accounts to limit the risk of allows an attacker to
credential-theft attacks? How do we restrict the compromise our entire
How could we still access our connectivity and Active Directory trust environment?
email and messaging if a relationships between different What have we done to validate that
ransomware attack impacted our areas of the business to slow any network security controls are
on-premise down and limit the spread of still effective with an increasingly
IT infrastructure? ransomware attacks? remote workforce?
Using this approach we recommend six For each, we have listed several targeted
priority areas of focus to reduce the risk of human- improvements that, with the right delivery approaches
operated ransomware attacks. and prioritisation, can be delivered within three months.
While many
1. Prevent workstations being compromised of these improvements may seem obvious at
by phishing attacks first glance, their value (or the challenge in their
delivery) should not be underestimated – it is the
2. Remediate internet-facing vulnerabilities
“hard basics” of security that still represent the
and reduce the attack surface
greatest challenge, and corresponding benefit.
3. Protect privileged accounts from As the “devil is in the detail” when reducing the risk
being compromised posed by ransomware, we recommend that
organisations that have already implemented these
4. Remediate common hygiene issues used
improvements still take steps to validate that they are
by attackers to escalate privileges
effectively preventing and detecting the techniques used
5. Restrict the ability of an attacker to in these attacks.
compromise further systems In cases investigated by PwC’s incident response
6. Rapidly detect and contain incidents practice, we regularly see a disconnect between the
before they escalate believed
and actual levels of risk reduction brought about by
improvements that have been made (for example, the
deployment of tooling without having appropriately
configured it).
Compromise Remediate
Protect privileged common hygiene
privileged accounts
accounts from being issues used by
by exploiting common
compromised attackers to
IT/AD hygiene issues
escalate privileges
BloodHound (an offensive security tool) should be used to Remove credentials stored in network shares to
identify, investigate and eliminate attack paths to privileged prevent attackers using these to compromise
accounts. These are often present due to hidden and accounts.
unintended trust relationships within Active Directory In many cases investigated by PwC’s incident response
environments, for example misconfigured or complex practice, organisations unknowingly have plaintext
inheritance-based permissions. This should also be privileged credentials stored in network file shares
an opportunity for security teams to gain confidence (or other easily accessible locations) which are
BloodHound’s use is reliably detected. accessed and exploited by attackers. Offensive security
tools, e.g. PowerShell scripts should be used to scan file
Restrict accounts in local administrator groups to shares for credentials, so these can be removed and
reduce the identity attack surface of endpoints. the exposed passwords reset. Access to network shares
should also be restricted as much as possible, as these
Users and groups in the local administrator
provide a common way for attackers to gain access to
group on workstations and servers should be
sensitive
Use data.testing and Microsoft Secure Score to
security
reviewed to
ensure accounts are only added where strictly identify IT and Active Directory hygiene issues.
necessary. This reduces the number of accounts that, if Security testing should be used to identify
compromised, could allow an attacker to gain weaknesses and vulnerabilities an attacker could exploit
widespread administrative access to systems. Local by simulating cyber attack techniques. For organisations
administrator groups should also be monitored to ensure using Microsoft 365, Secure Score should also be used to
any modifications
Monitor are detected.
Active Directory to detect the insecure identify fixes
use, compromise and abuse of privileged to improve security posture and reduce attack
accounts. surface, for example by enabling Credential Guard to
Security teams should deploy tooling, such as Microsoft improve workstation secure configuration.
Defender for Identity, to monitor and detect anomalies
involving privileged accounts, e.g. logging in from a
new location. Accounts suspected of
compromise should be blocked and investigated
thoroughly before reinstating access.
While the majority of efforts should be focused on 1. Develop and exercise incident response and
preventing these attacks, it is also vital that organisations crisis plans that clearly outline how a response
plan and exercise their response to a major ransomware should be managed and coordinated. These
incident. In many cases where PwC’s incident should be challenged to ensure they are effective
response team have been brought in to assist, days in a catastrophic ransomware scenario, where
have already been lost due to a lack of clear response common
and recovery plans, and leadership’s failure to security and IT tools may be unavailable and recovery
understand the scale efforts may have to be sustained for weeks or
of the challenge. months.
We have seen that the ‘realities of recovery’ in
2. Understand where critical data is, what the
organisations are far more challenging than they
implications would be on that data if systems were
anticipate, as IT environments are complex and
unavailable, the regulatory requirements attached to
information about critical systems is unclear. Even
this, and what would need to be recovered in
when organisations have gained access to the 3. Ensure that offline backups have been
order to create a ‘minimum viable company’.
decryption keys, in many cases they are still unable to created and validated for all critical systems
decrypt large amounts of data as it has been left and data, including Active Directory, with a
corrupted by ransomware tools, or they lack the technical well-defined and tested restore procedure.
ability to do so.
4. Build or retain the technical expertise to
We recommend organisations carry out the following investigate and respond to the attack (e.g.
actions to prepare for a major ransomware attack
investigating the extent of compromise, identifying
and mobilise an effective response: attacker access and eradicating the attacker
from the environment).