With that goal in mind, Microsoft has launched a new kind of security webinar “for experts, by experts.” The new Security Experts Roundtable series will serve as an accessible video platform for cyber defenders to learn about some of the latest threats while gaining a big-picture view of the cybersecurity landscape. Our inaugural episode aired on January 25, 2023, with an expert panel consisting of:

• Ping Look, Director, Training and Communications, Microsoft Detection and Response Team (DART)
• Ryan Kivett, Partner Director, Microsoft Defender Experts
• Jeremy Dallman, Principal Research Director, Customer Ready Intelligence
• Rani Lofstrom, Director, Security Incubations

This episode also features a special appearance by Rachel Chernaskey, Director of the Microsoft Digital Threat Analysis Center, who discusses cyber-enabled influence operations. I host a special remote interview with Mark Simos, Lead Cybersecurity Architect at Microsoft, on how to effectively communicate with your board of directors about cybersecurity. We also talk to Peter Anaman, Director and Principal Investigator at the Microsoft Digital Crimes Unit about tracking global cybercrime, and we have a special guest interview with Myrna Soto, Chief Executive Officer (CEO) and Founder of Apogee Executive Advisors, on the state of cybersecurity in the manufacturing sector.

Evolving threats—Expert insights

Back in December 2020, Microsoft investigated a new nation-state attacker now known as Nobelium that became a global cybersecurity threat.³ The following year, the hacker gang Lapsus moved into the spotlight with large-scale social engineering and extortion campaigns directed against multiple organizations.⁴ Those threat groups are still active, but 2022 saw a slowing in their attacks. “We didn’t have too many high-profile mass-casualty events,” Ping points out. “But we did see a continuation of ransomware, identity compromises, and attacks centered on endpoints.”

The ransomware as a service (RaaS) ecosystem has continued to grow.⁵ Jeremy singles out DEV-0401, also known as Bronze Starlight or Emperor Dragon, as a China-based threat actor that’s “shifted their payloads to LockBit 2.0, developing their technology and emerging some of their tradecraft in order to evade detection and target our customers more prolifically.”⁶ Jeremy also calls out DEV-0846 as a provider of custom ransomware,⁷ as well as Russia’s Iridium as a source of ongoing attacks against transportation and logistics industries in Ukraine and Poland.⁸ He also cites Russia-based actor DEV-0586 as using ransomware as a ruse to target customers, then following up with destructive data “wiper” attacks.⁹

In his position as Director of Microsoft Defender Experts, Ryan brings a unique perspective on the changing threat landscape.¹⁰ “It’s been a proliferation of credential theft activity, largely stemming from adversary-in-the-middle attacks.” He points out that this kind of attack “underscores the importance of having a strategy for detection and hunting that’s beyond the endpoint; for example, in the email and identity space.”

“Identity compromises have been on the rise,” Ping concurs. “Attackers are just taking advantage of any vectors of entry that any customer has in their environment. So, it’s really important customers exercise good basic security hygiene.” She stresses that defenders should think of their environment as one organic whole, instead of separate parts. “If you have anything that touches the external world—domain controllers, email—those are all potential vectors of entry by attackers.” In short, protecting against the constantly evolving threats of today (and tomorrow) requires embracing a Zero Trust comprehensive approach to security.¹¹

Understanding cyber-influence operations

Cyber-enabled influence operations don’t grab headlines the way ransomware attacks do, but their effects are more pernicious. In this kind of cybercrime, a nation-state or non-state actor seeks to shift public opinion or change behavior through subversive means online. In Jeremy’s talk with Rachel, she breaks down how these types of attacks unfold in three phases:

1. Pre-positioning: Reconnaissance on a target audience, registering web domains to spread propaganda, or setting up inauthentic social media accounts.
2. Launch: Laundering propaganda narratives through fake organizations or media outlets, coordinated overt media coverage, stoking real-world provocations, or the publishing of leaked or sensitive material.
3. Amplification: Messengers unaffiliated with the actor repeat or repost the content.

The most prolific influence actors are labeled advanced persistent manipulators (APMs). Rachel uses the analogy that “APMs are to the information space what APTs (advanced persistent threats) are to cyberspace.” APMs are usually nation-state actors, though not always. Increasingly, the Microsoft Digital Threat Analysis Center (DTAC) sees non-state or private-sector actors employing the same influence techniques. In this way, a threat actor that wages a successful cyberattack might repurpose that capability for subsequent influence operations.

Rachel explains how DTAC uses the “four M model:” message, messenger, medium, and method. The message is just the rhetoric or the content that an actor seeks to spread, which typically aligns with the nation-state’s geopolitical goals. The messengers include the influencers, correspondence, and propaganda outlets that amplify the message in the digital environment. The mediums are the platforms and technologies used to spread the message, with video typically being the most effective. And finally, the methods consist of anything from a hack-and-leak operation to using bots or computational propaganda, or real-world elements like party-to-party political engagement.

So why should private organizations be concerned with cyber-influence operations? “Influence operations inherently seek to sow distrust, and that creates challenges between businesses and users,” Rachel explains. “Increasingly, our team is looking at the nexus between cyberattacks and subsequent influence operations to understand the full picture and better combat these digital threats.”

Microsoft DCU—Tracking cybercrime across the globe

The Microsoft Digital Crimes Unit (DCU) consists of a global cross-disciplinarian team of lawyers, investigators, data scientists, engineers, analysts, and business professionals.¹² The DCU is committed to fighting cybercrime globally through the application of technology, forensics, civil actions, criminal referrals, public and private partnerships, and the determined assistance of 8,500 Microsoft security researchers and security engineers. The DCU focuses on five key areas: Business Email Compromise (BEC), Ransomware, Malware, Tech Support Fraud, and Malicious Use of Microsoft Azure. According to Peter Anaman, Director and Principal Investigator at DCU, their investigations reveal that cybercriminals are moving away from a “spray-and-pray” approach toward the as a service model. Along with ransomware, cybercriminals are extending their retail services into new areas such as phishing as a service (PhaaS) and distributed denial of service (DDoS).

Threat actors have even created specialized tools to facilitate BEC, including phishing kits and lists of verified email addresses targeting specific roles, such as C-suite leaders or accounts-payable employees. As part of the service, the seller will design the email template and even scrub the responses to make sure they’re valid. “All for a subscription model of, like, USD200 dollars a month,” Peter explains. DCU investigative evidence has observed a more than 70 percent increase in these services.¹ “We’re finding that there’s a higher number of people who are committing these crimes. They have greater know-how on different technologies and online platforms that could be used as part of the [attack] vector.”

Regardless of the type of cybercrime, DCU goes after threat actors by executing on three main strategies:

• Investigate: Track online criminal networks and make criminal referrals to law enforcement, along with civil actions to disrupt key aspects of technical infrastructure used by cybercriminals.
• Share evidence: Assist with victim remediation and allow for the development of technical countermeasures that strengthen the security of Microsoft products and services.
• Use our voice and expertise: Build on our partnerships to inform education campaigns and influence legislation and global cooperation to advance the fight against cybercrime.

In addition to arrest and prosecution, DCU deters cybercrime by disrupting the technical infrastructure used by criminals, causing them to lose their investments. In 2022, DCU helped to take down more than 500,000 unique phishing URLs hosted outside Microsoft while disrupting cybercriminals’ technical infrastructure, such as virtual machines, email, homoglyph domain names, and public blockchain websites.

DCU also works with Microsoft DART to gather intelligence and share it with other security professionals. Some of those indicators—a URL, domain name, or phishing email—may help with future investigations. “That intelligence [we gather] feeds back into our machine learning models,” Peter explains. “If that phishing page or kit is used again there will be better measures to block it at the gate, so our monitoring systems become stronger over time.”

When asked what an organization can do to protect itself, Peter suggests sticking to three cybersecurity basics. First: “Use multifactor authentication,” he stresses. “Ninety percent of [attacks] could have been stopped just by having multifactor authentication.” Second: “Practice [cyber] hygiene. Don’t just click links because you think it comes from a friend.” Cyber hygiene includes installing all software patches and system upgrades as soon as they become available. And third: “You’re really looking at the Zero Trust model,” Peter says. “Enforce least privilege [access]” so people only have access to the information they need. Bonus tip: “Make sure you have the same level of security on your personal email as you do on your work [email].”

Winning in the room—Communicating to the board

In this segment, I have a chance to speak with one of my favorite folks at Microsoft. Mark Simos is Lead Cybersecurity Architect, Microsoft, (and PowerPoint super genius) with more than two decades of experience, so he knows something about dealing with a board of directors. Whether you work for a public or private company, the board is responsible for oversight. That means making sure that the leadership team is not only managing the business but also managing risks. And cybercrime is one of the biggest risks today’s organization contends with.

But for the board to understand the organization’s security positioning, they need to grasp how it relates to the business. Unlike dealing with finances, legal issues, or people management, cybersecurity is a new area for a lot of board members. According to Mark, a big part of winning them over is “making sure that the board members understand that cybersecurity is not just a technical problem to be solved, check, and move on. It’s an ongoing risk.”

In our talk, Mark lays out three basic things the board needs to know:

• Problem or requirement: Frame this in terminology relating to the business.
• Status: How well are you managing risk to your targeted tolerances?
• Solution: What is your plan to get there, and how is it progressing?

Bonus tips:

• Learn about your board. Read their bios and study their backgrounds and professions. These are highly capable and intelligent humans who have mastered demanding disciplines like finance, supply chain management, manufacturing, and more. They are capable of understanding cybersecurity when it’s presented clearly.
• Learn their language. This goes back to framing the cybersecurity problem in concepts they’ll understand, helping you land your points accurately.
• Find a board buddy. Establish a relationship with someone on the board who has an interest in learning cybersecurity. A mutual mentorship can help you learn about the other person’s area of expertise, which can help you make your case in clear terms.

Mark provides a wealth of free resources you can access anytime on Mark’s List.¹³ Also, there’s a chief information security officer (CISO) workshop available as public videos and as a live workshop from Microsoft Unified (formerly Premier Support). The workshop provides plenty of material to help accelerate a productive relationship with your board, including:

• Sample questions the board should be asking of the security team (and you should be proactively answering).
• Roleplay video on how CISOs can engage with hostile business leaders.
• Kaplan-style scorecards based on the familiar approach used in many organizations.

Often board members don’t consider that security decisions can be made by asset owners, not just security teams. Mark suggests stressing the holistic aspect of cybersecurity as a differentiator from typical business unit concerns. “With security, it doesn’t matter where the leak is on the boat; it’s still going to sink,” he says. “So, it’s really important for folks to work together as a team and recognize that ‘I’m not just accepting the risk for me; I’m accepting it for everyone.’”

Security on the edge—Manufacturing and IoT

For the last segment of the webinar, we invited an expert to weigh in on one of the most-attacked industry segments across the globe—manufacturing. Myrna Soto is the CEO and founder of Apogee Executive Advisors, and a board member of prominent companies such as Headspace Health, CMS Energy, Banco Popular, Spirit Airlines, and many more. Cybersecurity in the manufacturing sector carries added urgency because many of these entities are part of the nation’s critical infrastructure—whether it’s manufacturing pharmaceuticals, supporting transportation, or feeding the power grid.

The smart factory has introduced more automation into the manufacturing ecosystem, creating new vulnerabilities. “One of the biggest challenges is the number of third-party connections,” Myrna explains. “It relates to how entities are interacting with one another; how certain companies have either air-gapped their Internet of Things (IoT) networks or not.” Myrna points out that the supply chain is never holistically managed by one entity, which means those third-party interactions are critical. She mentions the ability to encrypt certain data in machine-to-machine communications as a crucial part of securing an interconnected manufacturing ecosystem. “The ability to understand where assets are across the ecosystem is one of the key components that need attention,” she points out.

With the prospect of intellectual property loss, disruption to critical infrastructure, along with health and safety risks, Myra sees manufacturing as one area where security teams and board members need to work together with urgency. I asked her to offer some insights gleaned from time spent on the other side of the table—particularly what not to do. “Probably the most annoying thing is the tendency to provide us a deluge of data without the appropriate business context,” she relates. “I’ve seen my share of charts around malware detections, charts on network penetrations. That is difficult for most non-technical board members to understand.”

Security is a team sport—Join us

Be sure to watch the full Security Experts Roundtable episode. We’ll be doing one of these every other month until they kick us off the stage, so remember to sign up for our May episode. Before we wrap up for today, I’d like to invite you to join us on March 28, 2023, for a brand-new event: Microsoft Secure. This event will bring together a community of defenders, innovators, and security experts in a setting where we can share insights, ideas, and real-world skills to help create a safer world for all. Register today, and I’ll see you there!

For more cybersecurity insights and the latest on threat intelligence, visit Microsoft Security Insider.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Microsoft Digital Defense Report 2022, Microsoft. 2022.

²Based on internal research conducted by Microsoft Digital Crimes Unit, January 2023.

³The hunt for NOBELIUM, the most sophisticated nation-state attack in history, John Lambert. November 10, 2021.

⁴DEV-0537 criminal actor targeting organizations for data exfiltration and destruction, Microsoft Threat Intelligence Center. March 22, 2022.

⁵Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself, Microsoft Defender Threat Intelligence. May 9, 2022.

⁶Part 1: LockBit 2.0 ransomware bugs and database recovery attempts, Danielle Veluz. March 11, 2022.

⁷Monthly news—January 2023, Heike Ritter. January 11, 2023.

⁸New “Prestige” ransomware impacts organizations in Ukraine and Poland, Microsoft Security Threat Intelligence. October 14, 2022.

⁹Destructive malware targeting Ukrainian organizations, Microsoft Threat Intelligence Center. January 15, 2022.

¹⁰Microsoft Defender Experts for Hunting proactively hunts threats, Microsoft Security Experts. August 3, 2022.

¹¹Implementing a Zero Trust security model at Microsoft, Inside Track staff. January 10, 2023.

¹²Digital Crimes Unit: Leading the fight against cybercrime, Microsoft. May 3, 2022.

¹³Mark’s List, Mark Simos.

The post Microsoft Security Experts discuss evolving threats in roundtable chat appeared first on Microsoft Security Blog.

For example, one of the most impactful cyberattack trends today is human-operated ransomware attacks, which succeed through a combination of components, including leveraging C2 infrastructure. To gain initial access, human-operated ransomware attacks are often delivered via spear-phishing with malicious attachments that, once launched by the target, typically reach out to a C2 server to download instructions and run payloads. These payloads persist on the device and periodically reach out to a (usually) separate set of C2s, awaiting instructions and takeover by a human operator as part of ransomware-as-a-service. After the hands-on-keyboard transition, remote C2s are commonly used to control post-exploitation frameworks to initiate reconnaissance, elevate privileges, and move laterally within the network to achieve data exfiltration and mass file encryption.

Ransomware has evolved from a pre-programmed commodity threat to a complex threat that’s human-driven, adaptive, and focused on a larger scale. These days, ransomware attacks go beyond encryption and usually involve significant data theft as well to maximize the potential harm to the target, therefore increasing their chances of receiving a higher payout. Attackers engage in double extortion, demanding victims either pay the ransom or stolen confidential information is leaked and encrypted data remains inaccessible. As such, successful ransomware attacks can have lasting, damaging impacts on targets.

As ransomware attacks continue to target various entities, including businesses, governments, critical infrastructure, educational institutions, and healthcare facilities, organizations much be prepared to defend networks against human-operated attacks and other sophisticated threats. Microsoft Defender for Endpoint’s updated network protection enables organizations to protect against these C2-based attacks by blocking any outbound traffic attempting to connect to malicious C2 servers, even if attackers manage to gain initial access to a device. Additionally, network protection is continuously informed by our integrated threat intelligence to identify active C2 infrastructure and uses machine learning models to quickly assess information on domains and IPs.

This blog details how the new C2 blocking capability in Microsoft Defender for Endpoint’s network protection works. We show examples of how network protection functions with other technologies in Microsoft Defender for Endpoint to deliver comprehensive protection against C2-based attacks. Lastly, we discuss how our threat research and use of advanced machine learning models inform network protection to intelligently block ransomware and C2-based attacks before widespread impact.

Network protection detecting C2 activity in various attacks

The following cases of human-operated ransomware attacks from our threat data and investigations show how the new C2 blocking capability in network protection stop attacks and, in some cases, could have prevented attacks much earlier.

Disrupting the ransomware attack chain

In early October 2022, we observed an attack leveraging the Raspberry Robin worm as the initial access vector. Upon launch by the user, the attack attempted to connect to the domain tddshht[.]com via HTTP using msiexec.exe to download a TrueBot payload. As part of these attacks, TrueBot is typically downloaded to a user’s local application data directory where Windows Management Instrumentation (WMI) is used to run the TrueBot DLL using rundll32. In this case, network protection was enabled in the environment and blocked the C2 communication from msiexec.exe to tddshht[.]com, which prevented TrueBot from being downloaded and launched, disrupting the attack.

In similar attacks on organizations originating from Raspberry Robin, we’ve seen TrueBot lead to Cobalt Strike for post-exploitation human-operated ransomware attacks. After launching TrueBot, we observed various follow-on actions, such as reconnaissance, persistence via scheduled tasks, and ransomware deployment.

Stopping ransomware activity before it could wreak havoc

In another ransomware-related case from March 2022, Microsoft researchers discovered a LockBit ransomware attack that was successfully detected and blocked. LockBit is an encryptor payload leveraged by many different operators who specialize in the post-exploitation phase of the attack as part ransomware as a service. In this case, there were multiple security products in different segments of the environment, and we didn’t have visibility of the initial access vector. As the attackers moved laterally within the network, we observed the operator using the Cobalt Strike framework for the post-exploitation stages of the attack, using Remote Desktop Protocol (RDP) with Rclone for data exfiltration, and LockBit at the final encryption stage. The encryption attempt followed the exfiltration stage by just two hours.

Throughout the attack, Microsoft Defender for Endpoint proactively displayed repeated alerts for the targeted customer that an active hands-on-keyboard attacker was active on their network, as well as repeated Cobalt Strike activity alerts and suspicious behaviors. Microsoft Defender Antivirus’s behavior detections repeatedly alerted and blocked Cobalt Strike in addition to fully blocking the attack’s LockBit encryptor payload, preventing impact on the subset of the network that had onboarded to Microsoft Defender for Endpoint.

Prior to this attack, network protection had already flagged the Cobalt Strike C2 domain sikescomposites[.]com as malicious. Had network protection C2 protection been enabled across the organization, then the Cobalt Strike C2 server would have been automatically blocked – further disrupting this attack earlier in the attack chain and potentially preventing or delaying the data exfiltration impact of the attack.

The network protection intelligence on the C2 was sourced two weeks before the attack in February 2022 through expert intelligence from Microsoft Threat Intelligence Center (MSTIC) and also incriminated via Cobalt Strike configuration extraction monitoring. Microsoft Defender for Endpoint could have disrupted this LockBit attack much earlier had network protection been enabled. Moreover, even if the attacker used a different or new payload, network protection would have blocked the attack if it used the same C2 infrastructure. The diagram below illustrates the timeline of events in this ransomware incident.

End-to-end protection against C2-based attacks

The range of protection capabilities in Microsoft Defender for Endpoint ensure our customers are provided with synchronous protection, integrated remediation, and actionable alerts against these C2-based attacks. The combination of technologies and features within Defender for Endpoint assures customers that their assets are adequately protected.

Network protection blocks any outbound traffic when an application attempts to connect to known malicious C2 and informs customers of the block.

Network protection then sends this intelligence to Microsoft Defender Antivirus, which remediates the process against known malware that attempted the C2 connection. Customers are then notified of these actions on the Defender for Endpoint portal, where they can see the attack chain, follow remediation steps, or do further investigation.

Network protection uses a dynamic reputation database that stores information on IPs, domains, and URLs gathered from a wide range of sources including threat research, detonation, adversary tracking, memory scanning, and active C2 web scanning. These activities lead to identifying C2 servers operated by human-operated ransomware actors and botnet actors and discovering compromised IPs and domains associated with known nation-state actors.

Network protection is aided by machine learning models that incriminate IP addresses used for C2 by inspecting network traffic telemetry. These models are trained on an extensive data set and use a diverse feature set, including DNS records, prevalence, location, and associations with compromised files or domains. Our threat experts’ knowledge further helps refine these models, which are re-trained and redeployed daily to adapt to the ever-changing threat landscape.

Preventing C2-based attacks

Attackers often rely heavily on leveraging C2 communications to start and progress attacks, including human-operated ransomware attacks. C2 infrastructure enables attackers to control infected devices, perform malicious activities, and quickly adapt to their target environment in the pursuit of organizations’ valuable data and assets.

Breaking this link to C2 infrastructure disrupts attacks—either by stopping it completely or delaying its progression, allowing more time for the SOC to investigate and mitigate the intrusion. Microsoft Defender for Endpoint’s network protection capability identifies and blocks connections to C2 infrastructure used in human-operated ransomware attacks, leveraging techniques like machine learning and intelligent indicators of compromise (IOC) identification.

Microsoft customers can use the new C2 blocking capability to prevent malicious C2 IP and domain access by enabling network protection. Network protection examines network metadata to match them to threat-related patterns and determines the true nature of C2 connections. Enhanced by continuously fine-tuned machine learning models and constant threat intelligence updates, Microsoft Defender for Endpoint can take appropriate actions to block malicious C2 connections and stop malware from launching or propagating. Customers can also refer to our Tech community blog post for guidance on validating functionality and more information on C2 detection and remediation.

In addition to enabling network protection C2 blocking, it’s recommended to follow the general best practices to defend your network against human-operated ransomware attacks.

The post Stopping C2 communications in human-operated ransomware through network protection appeared first on Microsoft Security Blog.

April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather.

• DEV-0206 is now tracked as Mustard Tempest
• DEV-0243 is now tracked as Manatee Tempest
• DEV-0950 is now tracked as Lace Tempest
• DEV-0651 is now tracked as Storm-0651
• DEV-0856 is now tracked as Storm-0856

To learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.

Microsoft has discovered recent activity indicating that the Raspberry Robin worm is part of a complex and interconnected malware ecosystem, with links to other malware families and alternate infection methods beyond its original USB drive spread. These infections lead to follow-on hands-on-keyboard attacks and human-operated ransomware activity. Our continuous tracking of Raspberry Robin-related activity also shows a very active operation: Microsoft Defender for Endpoint data indicates that nearly 3,000 devices in almost 1,000 organizations have seen at least one Raspberry Robin payload-related alert in the last 30 days.

Raspberry Robin has evolved from being a widely distributed worm with no observed post-infection actions when Red Canary first reported it in May 2022, to one of the largest malware distribution platforms currently active. In July 2022, Microsoft security researchers observed devices infected with Raspberry Robin being installed with the FakeUpdates malware, which led to DEV-0243 activity. DEV-0243, a ransomware-associated activity group that overlaps with actions tracked as EvilCorp by other vendors, was first observed deploying the LockBit ransomware as a service (RaaS) payload in November 2021. Since then, Raspberry Robin has also started deploying IcedID, Bumblebee, and Truebot based on our investigations.

In October 2022, Microsoft observed Raspberry Robin being used in post-compromise activity attributed to another actor, DEV-0950 (which overlaps with groups tracked publicly as FIN11/TA505). From a Raspberry Robin infection, the DEV-0950 activity led to Cobalt Strike hands-on-keyboard compromises, sometimes with a Truebot infection observed in between the Raspberry Robin and Cobalt Strike stage. The activity culminated in deployments of the Clop ransomware. DEV-0950 traditionally uses phishing to acquire the majority of their victims, so this notable shift to using Raspberry Robin enables them to deliver payloads to existing infections and move their campaigns more quickly to ransomware stages.

Given the interconnected nature of the cybercriminal economy, it’s possible that the actors behind these Raspberry Robin-related malware campaigns—usually distributed through other means like malicious ads or email—are paying the Raspberry Robin operators for malware installs.

Raspberry Robin attacks involve multi-stage intrusions, and its post-compromise activities require access to highly privileged credentials to cause widespread impact. Organizations can defend their networks from this threat by having security solutions like Microsoft Defender for Endpoint and Microsoft Defender Antivirus, which is built into Windows, to help detect Raspberry Robin and its follow-on activities, and by applying best practices related to credential hygiene, network segmentation, and attack surface reduction.

In this blog, we share our detailed analysis of these attacks and shed light on Raspberry Robin’s origins, since its earliest identified activity in September 2021, and motivations which have been debated since it was first reported in May 2022. We also provide mitigation guidance and other recommendations defenders can use to limit this malware’s spread and impact from follow-on hands-on-keyboard attacks.

A new worm hatches: Raspberry Robin’s initial propagation via USB drives

The Microsoft Detection and Response Team (DART) has been renamed to Microsoft Incident Response (Microsoft IR). For more information on IR services, go to Microsoft Incident Response

In early May 2022, Red Canary reported that a new worm named Raspberry Robin was spreading to Windows systems through infected USB drives. The USB drive contains a Windows shortcut (LNK) file disguised as a folder. In earlier infections, this file used a generic file name like recovery.lnk, but in more recent ones, it uses brands of USB drives. It should be noted that USB-worming malware isn’t new, and many organizations no longer track these as a top threat.  

For an attack relying on a USB drive to run malware upon insertion, the targeted system’s autorun.inf must be edited or configured to specify which code to start when the drive is plugged in. Autorun of removable media is disabled on Windows by default. However, many organizations have widely enabled it through legacy Group Policy changes.

There has been much public debate about whether the Raspberry Robin drives use autoruns to launch or if it relies purely on social engineering to encourage users to click the LNK file. Microsoft Threat Intelligence Center (MSTIC) and Microsoft Detection and Response Team (DART) research has confirmed that both instances exist in observed attacks. Some Raspberry Robin drives only have the LNK and executable files, while drives from earlier infections have a configured autorun.inf. This change could be linked to why the names of the shortcut files changed from more generic names to brand names of USB drives, possibly encouraging a user to execute the LNK file.

Upon insertion of the infected drive or launching of the LNK file, the UserAssist registry key in Windows—where Windows Explorer maintains a list of launched programs—is updated with a new value indicating a program was launched by Windows. 

The UserAssist key stores the names of launched programs in ROT13-ciphered format, which means that every letter in the name of the program is replaced with the 13^th letter in the alphabet after it. This routine makes the entries in this registry key not immediately readable. The UserAssist key is a useful forensic artifact to demonstrate which applications were launched on Windows, as outlined in Red Canary’s blog.

Windows shortcut files are mostly used to create an easy-to-find shortcut to launch a program, such as pinning a link to a user’s browser on the taskbar. However, the format allows the launching of any code, and attackers often use LNK files to launch malicious scripts or run stored code remotely. Raspberry Robin’s LNK file points to cmd.exe to launch the Windows Installer service msiexec.exe and install a malicious payload hosted on compromised QNAP network attached storage (NAS) devices.

Once the Raspberry Robin payload is running, it spawns additional processes by using system binaries such as rundll32.exe, odbcconf.exe, and control.exe to use as living-off-the-land binaries (LOLBins) to run malicious code. Raspberry Robin also launches code via fodhelper.exe, a system binary for managing optional features, as a user access control (UAC) bypass.

The malware injects into system processes including regsvr32.exe, rundll32.exe, and dllhost.exe and connects to various command-and-control (C2) servers hosted on Tor nodes.

In most instances, Raspberry Robin persists by adding itself to the RunOnce key of the registry hive associated with the user who executed the initial malware install. The registry key points to the Raspberry Robin binary, which has a random name and a random extension such as .mh or .vdm in the user’s AppData folder or to ProgramData. The key uses the intended purpose of regsvr32.exe to launch the portable executable (PE) file, allowing the randomized non-standard file extension to launch the executable content. 

Entries in the RunOnce key delete the registry entry prior to launching the executable content at sign-in. Raspberry Robin re-adds this key once it is successfully running to ensure persistence. After the initial infection, this leads to RunOnce.exe launching the malware payload in timelines. Raspberry Robin also temporarily renames the RunOnce key when writing to it to evade detections.

Raspberry Robin’s connection to a larger malware ecosystem

Since our initial analysis, Microsoft security researchers have discovered links between Raspberry Robin and other malware families. The Raspberry Robin implant has also started to distribute other malware families, which is not uncommon in the cybercriminal economy, where attackers purchase “loads” or installs from operators of successful and widespread malware to facilitate their goals.

Introducing Fauppod: Like FakeUpdates but without the fake updates

On July 26, 2022, Microsoft witnessed the first reported instance of a Raspberry Robin-infected host deploying a FakeUpdates (also known as SocGholish) JavaScript backdoor. Previously, FakeUpdates were delivered primarily through drive-by downloads or malicious ads masquerading as browser updates. Microsoft tracks the activity group behind FakeUpdates as DEV-0206 and the USB-based Raspberry Robin infection operators as DEV-0856.

After discovering Raspberry Robin-deployed FakeUpdates, Microsoft security researchers continued monitoring for other previously unidentified methodologies in FakeUpdates deployments. Research into the various malware families dropped by Raspberry Robin’s USB-delivered infections continued, and new signatures were created to track the various outer layers of packed malware under the family name Fauppod.

On July 27, 2022, Microsoft identified samples detected as Fauppod that have similar process trees with DLLs written by Raspberry Robin LNK infections in similar locations and using similar naming conventions. Their infection chains also dropped the FakeUpdates malware. However, the victim hosts where these samples were detected didn’t have the traditional infection vector of an LNK file launched from an infected USB drive, as detailed in Red Canary’s blog.

In this instance, Fauppod was delivered via codeload[.]github[.]com, a fraudulent and malicious repository created by a cybercriminal actor that Microsoft tracks as DEV-0651. The payload was delivered as a ZIP archive file containing another ZIP file, which then had a massive (700MB) Control Panel (CPL) file inside. Attackers use nested containers such as ZIP, RAR, and ISO files to avoid having their malicious payloads stamped with Mark of the Web (MOTW), which Windows uses to mark files from the internet and thus enable security solutions to block certain actions. Control Panel files are similar to other PEs like EXE and DLL files.

Microsoft has since seen DEV-0651 deliver Fauppod samples by taking advantage of various public-facing trusted and legitimate cloud services beyond GitHub, including Azure, Discord, and SpiderOak. Refer to the indicators of compromise (IOCs) below for more details. Microsoft has shared information about this threat activity and service abuse with these hosting providers.

Connecting the dot(net malware)

With the discovery of the DEV-0651 link, Microsoft had two pieces of evidence suggesting a relationship between Fauppod and Raspberry Robin:

• Both malware families were delivering FakeUpdates
• Signatures created to detect Raspberry Robin DLL samples on hosts infected by the publicly known LNK file spreading mechanism were detecting malware that wasn’t being delivered through any previously known Raspberry Robin connections

Following DEV-0651’s previous leveraging of cloud hosting services, the earliest iteration of a DEV-0651-related campaign that Microsoft was able to identify occurred in September 2021, which was around the same time Red Canary stated Raspberry Robin began to propagate.

Based on these facts, Microsoft reached low-confidence assessment that the Fauppod malware samples were related to the later delivery of what was publicly known as Raspberry Robin and started investigating these links to raise confidence and discover more information.

While authoring both file-based and behavior-based detections for Fauppod samples, Microsoft utilized existing detections based on the use of OBDCCONF as a LOLBin to launch regsvr32 (which was also detailed in Red Canary’s blog as a Raspberry Robin tactic, technique, and procedure (TTP)):

Microsoft noted a unique quality in the command execution that was persistent through all Raspberry Robin infections stemming from an infected USB drive: there was a trailing “.” character at the end of the DLL name within the command above.

While reviewing DEV-0651 Fauppod-delivered malware, Microsoft identified a Fauppod CPL sample served via GitHub when the following command is run:

Notable in the above Fauppod command are the following:

• The use of msiexec.exe to launch the Windows binary shell32.dll as a LOLBin, instead of launching the malware PE directly via rundll32.exe, using rundll32.exe to launch shell32.dll, and passing ShellExec_RunDLL to load the commands—a TTP consistent with Raspberry Robin.
• Fauppod CPL file’s use of a staging directory to copy a payload to disk using randomly generated directories in ProgramData that then contain malicious PE files with randomly generated names and extensions. This naming pattern overlaps with those leveraged by publicly known Raspberry Robin DLLs.
• The same trailing “.” in the DLL name as seen in the ODBCCONF proxying detailed in Red Canary’s blog. Avast also later noted this trailing in the DLL implant dropped by Raspberry Robin, which they refer to as Roshtyak.

These findings raised Microsoft’s confidence in assessing whether there is a connection between Fauppod’s CPL files and Raspberry Robin extending beyond a similarity in outer layers and packing of the malware.

Microsoft security researchers also identified a payload within a Fauppod sample communicating with a compromised QNAP storage server to send information about the infected device, overlapping with Raspberry Robin’s use of compromised QNAP appliances for C2.

While continuing to monitor the prevalence and infection sources of Fauppod, Microsoft identified a heavily obfuscated .NET malware (SHA-256: a9d5ec72fad42a197cbadcb1edc6811e3a8dd8c674df473fd8fa952ba0a23c15) arriving on hosts that had previously been infected with either Raspberry Robin LNK infected hosts or Fauppod CPL malware.

While inspecting these samples, Microsoft noted that many were responsible for creating LNK files on external USB drives.

Based on our investigation, Microsoft currently assesses with medium confidence that the above .NET DLLs delivered both by Raspberry Robin LNK infections and Fauppod CPL samples are responsible for spreading Raspberry Robin LNK files to USB drives. These LNK files, in turn, infect other hosts via the infection chain detailed in Red Canary’s blog.

Microsoft also assesses with medium confidence that the Fauppod-packed CPL samples are currently the earliest known point in the attack chain for propagating Raspberry Robin infections to targets. Microsoft findings suggest that the Fauppod CPL entities, the obfuscated .NET LNK spreader modules they drop, the Raspberry Robin LNK files Red Canary documented, and the Raspberry Robin DLL files (or, Roshtyak, as per Avast) could all be considered as various components to the “Raspberry Robin” malware infection chain.

The Fauppod-Dridex connection

In July 2022, Microsoft found Raspberry Robin infections that led to hands-on-keyboard activity by DEV-0243. One of the earliest malware campaigns to bring notoriety to DEV-0243 was the Dridex banking trojan.

Code similarity between malware families is often used to demonstrate a link between families to a tracked actor. In IBM’s blog post published after we observed the Raspberry Robin and DEV-0243 connection, they highlighted several code similarities between the loader for the Raspberry Robin DLLs and the Dridex malware.

Microsoft’s analysis of Fauppod samples also identified some Dridex filename testing features, which are used to avoid running in certain environments. Fauppod has similar functionality to avoid execution if it recognizes it’s running as testapp.exe or self.exe. This code similarity has historically caused some Fauppod samples to trip Dridex detection alerts.

Given the previously documented relationship between Raspberry Robin and DEV-0206/DEV-0243 (EvilCorp), this behavioral similarity in the initial vector for Raspberry Robin infections adds another piece of evidence to the connection between the development and propagation of Fauppod/Raspberry Robin and DEV-0206/DEV-0243.

Raspberry Robin’s future as part of the cybercriminal gig economy

Cybercriminal malware is an ever-present threat for most organizations today, taking advantage of common weaknesses in security strategies and using social engineering to trick users. Almost every organization risks encountering these threats, including Fauppod/Raspberry Robin and FakeUpdates. Developing a robust protection and detection strategy and investing in credential hygiene, least privileges, and network segmentation are keys to preventing the impact of these complex and highly connected cybercriminal threats.

Raspberry Robin’s infection chain is a confusing and complicated map of multiple infection points that can lead to many different outcomes, even in scenarios where two hosts are infected simultaneously. There are numerous components involved; differentiating them could be challenging as the attackers behind the threat have gone to extreme lengths to protect the malware at each stage with complex loading mechanisms. These attackers also hand off to other actors for some of the more impactful attack stages, such as ransomware deployment.

As of this writing, Microsoft is aware of at least four confirmed Raspberry Robin entry vectors. These entry points were linked to hands-on-keyboard actions by attackers, and they all led to intrusions where the end goal was likely deployment of ransomware.

Infections from Fauppod CPL files and the Raspberry Robin worm component have facilitated human-operated intrusions indicative of pre-ransomware activity. Based on the multiple infection stages and varied payloads, Microsoft assesses that DEV-0651’s initial access vector, the various spreading techniques of the malicious components, and high infection numbers have provided an attractive distribution option for follow-on payloads.

Beginning on September 19, 2022, Microsoft identified Raspberry Robin worm infections deploying IcedID and—later at other victims—Bumblebee and TrueBot payloads. In October 2022, Microsoft researchers observed Raspberry Robin infections followed by Cobalt Strike activity from DEV-0950. This activity, which in some cases included a Truebot infection, eventually deployed the Clop ransomware.

Defending against Raspberry Robin infections

Worms can be noisy and could lead to alert fatigue in security operations centers (SOCs). Such fatigue could lead to improper or untimely remediation, providing the worm operator ample opportunity to sell access to the affected network to other cybercriminals.

While Raspberry Robin seemed to have no purpose when it was first discovered, it has evolved and is heading towards providing a potentially devastating impact on environments where it’s still installed. Raspberry Robin will likely continue to develop and lead to more malware distribution and cybercriminal activity group relationships as its install footprint grows.

Microsoft Defender for Endpoint and Microsoft Defender Antivirus detect Raspberry Robin and follow-on activities described in this blog. Defenders can also apply the following mitigations to reduce the impact of this threat:

• Prevent drives from using autorun and execution code on insertion or mount. This can be done via registry settings or Group Policy.
• Follow the defending against ransomware guidance in Microsoft’s RaaS blog post
• Enable tamper protection to prevent attacks from stopping or interfering with Microsoft Defender Antivirus.
• Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.

Microsoft customers can turn on attack surface reduction rules to prevent several of the infection vectors of this threat. Attack surface reduction rules, which any security administrator can configure, offer significant hardening against the worm. In observed attacks, Microsoft customers who had the following rules enabled were able to mitigate the attack in the initial stages and prevent hands-on-keyboard activity:

• Block untrusted and unsigned processes that run from USB
• Block execution of potentially obfuscated scripts
• Block executable files from running unless they meet a prevalence, age, or trusted list criterion
• Block credential stealing from the Windows local security authority subsystem (lsass.exe)

Defenders can also refer to detection details and indicators or compromise in the following sections for more information about surfacing this threat.

Detection details

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects threat components as the following malware:

• Trojan:Win32/Fauppod

Configure Defender Antivirus scans to include removable drives. The following command lets admins scan removable drives, such as flash drives, during a full scan using the Set-MpPreference cmdlet:

Set-MpPreference -DisableRemovableDriveScanning

If you specify a value of $False or do not specify a value, Defender Antivirus scans removable drives during any type of scan. If you specify a value of $True, Defender Antivirus doesn’t scan removable drives during a full scan. Defender Antivirus can still scan removable drives during quick scans or custom scans.

Defender Antivirus also detects identified post-compromise payloads as the following malware:

• Behavior:Win32/Socgolsh.SB
• Trojan:JS/Socgolsh.A
• Trojan:JS/FakeUpdate.C
• Trojan:JS/FakeUpdate.B
• Trojan:Win32/IcedId
• Backdoor:Win32/Truebot
• TrojanDownloader:Win32/Truebot
• Trojan:Win32/Truebot
• Trojan:Win32/Bumblebee.E

Microsoft Defender for Endpoint

Alerts with the following titles in the security center can indicate threat activity on your network:

• Potential Raspberry Robin worm command
• Possible Raspberry Robin worm activity

Microsoft also clusters indicators related to the presence of the Raspberry Robin worm under DEV-0856. The following alert can indicate threat activity on your network:

• DEV-0856 activity group

The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and therefore are not monitored in the status cards provided with this report.

• Suspicious process launched using cmd.exe
• Suspicious behavior by msiexec.exe
• Observed BumbleBee malware activity
• Malware activity resembling Bumblebee loader detected
• BumbleBeeLoader malware was prevented
• Ransomware-linked emerging threat activity group detected
• Ongoing hands-on-keyboard attacker activity detected (Cobalt Strike)
• SocGholish command-and-control
• Suspicious ‘Socgolsh’ behavior was blocked
• DEV-0651 threat group activity associated with FakeUpdates JavaScript backdoor

Indicators of compromise (IOCs)

NOTE: These indicators should not be considered exhaustive for this observed activity.

Fauppod samples delivered by DEV-0651 via legitimate cloud services

Timeline of Raspberry Robin deployments of various payloads

The post Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity appeared first on Microsoft Security Blog.

April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. DEV-0237 is now tracked as Pistachio Tempest and DEV-504 is now tracked as Velvet Tempest.

To learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.

The BlackCat ransomware, also known as ALPHV, is a prevalent threat and a prime example of the growing ransomware as a service (RaaS) gig economy. It’s noteworthy due to its unconventional programming language (Rust), multiple target devices and possible entry points, and affiliation with prolific threat activity groups. While BlackCat’s arrival and execution vary based on the actors deploying it, the outcome is the same—target data is encrypted, exfiltrated, and used for “double extortion,” where attackers threaten to release the stolen data to the public if the ransom isn’t paid.

First observed in November 2021, BlackCat initially made headlines because it was one of the first ransomware families written in the Rust programming language. By using a modern language for its payload, this ransomware attempts to evade detection, especially by conventional security solutions that might still be catching up in their ability to analyze and parse binaries written in such language. BlackCat can also target multiple devices and operating systems. Microsoft has observed successful attacks against Windows and Linux devices and VMWare instances.

As we previously explained, the RaaS affiliate model consists of multiple players: access brokers, who compromise networks and maintain persistence; RaaS operators, who develop tools; and RaaS affiliates, who perform other activities like moving laterally across the network and exfiltrating data before ultimately launching the ransomware payload. Thus, as a RaaS payload, how BlackCat enters a target organization’s network varies, depending on the RaaS affiliate that deploys it. For example, while the common entry vectors for these threat actors include remote desktop applications and compromised credentials, we also saw a threat actor leverage Exchange server vulnerabilities to gain target network access. In addition, at least two known affiliates are now adopting BlackCat: DEV-0237 (known for previously deploying Ryuk, Conti, and Hive) and DEV-0504 (previously deployed Ryuk, REvil, BlackMatter, and Conti).

Such variations and adoptions markedly increase an organization’s risk of encountering BlackCat and pose challenges in detecting and defending against it because these actors and groups have different tactics, techniques, and procedures (TTPs). Thus, no two BlackCat “lives” or deployments might look the same. Indeed, based on Microsoft threat data, the impact of this ransomware has been noted in various countries and regions in Africa, the Americas, Asia, and Europe.

Human-operated ransomware attacks like those that deploy BlackCat continue to evolve and remain one of the attackers’ preferred methods to monetize their attacks. Organizations should consider complementing their security best practices and policies with a comprehensive solution like Microsoft 365 Defender, which offers protection capabilities that correlate various threat signals to detect and block such attacks and their follow-on activities.

In this blog, we provide details about the ransomware’s techniques and capabilities. We also take a deep dive into two incidents we’ve observed where BlackCat was deployed, as well as additional information about the threat activity groups that now deliver it. Finally, we offer best practices and recommendations to help defenders protect their organizations against this threat, including hunting queries and product-specific mitigations.

BlackCat’s anatomy: Payload capabilities

As mentioned earlier, BlackCat is one of the first ransomware written in the Rust programming language. Its use of a modern language exemplifies a recent trend where threat actors switch to languages like Rust or Go for their payloads in their attempt to not only avoid detection by conventional security solutions but also to challenge defenders who may be trying to reverse engineer the said payloads or compare them to similar threats.

BlackCat can target and encrypt Windows and Linux devices and VMWare instances. It has extensive capabilities, including self-propagation configurable by an affiliate for their usage and to environment encountered.

In the instances we’ve observed where the BlackCat payload did not have administrator privileges, the payload was launched via dllhost.exe, which then launched the following commands below (Table 1) via cmd.exe. These commands could vary, as the BlackCat payload allows affiliates to customize execution to the environment.

The flags used by the attackers and the options available were the following: -s -d -f -c; –access-token; –propagated; -no-prop-servers

User account control (UAC) bypass

BlackCat can bypass UAC, which means the payload will successfully run even if it runs from a non-administrator context. If the ransomware isn’t run with administrative privileges, it runs a secondary process under dllhost.exe with sufficient permissions needed to encrypt the maximum number of files on the system.

Domain and device enumeration

The ransomware can determine the computer name of the given system, local drives on a device, and the AD domain name and username on a device. The malware can also identify whether a user has domain admin privileges, thus increasing its capability of ransoming more devices.

Self-propagation

BlackCat discovers all servers that are connected to a network. The process first broadcasts NetBIOS Name Service (NBNC) messages to check for these additional devices. The ransomware then attempts to replicate itself on the answering servers using the credentials specified within the config via PsExec.

Hampering recovery efforts

BlackCat has numerous methods to make recovery efforts more difficult. The following are commands that might be launched by the payload, as well as their purposes:

• Modify boot loader
  • “C:\Windows\system32\cmd.exe” /c “bcdedit /set {default}”
  • “C:\Windows\system32\cmd.exe” /c “bcdedit /set {default} recoveryenabled No”
• Delete volume shadow copies
  • “C:\Windows\system32\cmd.exe” /c “vssadmin.exe Delete Shadows /all /quiet”
  • “C:\Windows\system32\cmd.exe” /c “wmic.exe Shadowcopy Delete”
• Clear Windows event logs
  • “C:\Windows\system32\cmd.exe” /c “cmd.exe /c  for /F \”tokens=*\” Incorrect function. in (‘ wevtutil.exe el ‘) DO wevtutil.exe cl \”Incorrect function. \””

Slinking its way in: Identifying attacks that can lead to BlackCat ransomware

Consistent with the RaaS model, threat actors utilize BlackCat as an additional payload to their ongoing campaigns. While their TTPs remain largely the same (for example, using tools like Mimikatz and PsExec to deploy the ransomware payload), BlackCat-related compromises have varying entry vectors, depending on the ransomware affiliate conducting the attack. Therefore, the pre-ransom steps of these attacks can also be markedly different.

For example, our research noted that one affiliate that deployed BlackCat leveraged unpatched Exchange servers or used stolen credentials to access target networks. The following sections detail the end-to-end attack chains of these two incidents we’ve observed.

Case study 1: Entry via unpatched Exchange

In one incident we’ve observed, attackers took advantage of an unpatched Exchange server to enter the target organization.

Discovery

Upon exploiting the Exchange vulnerability, the attackers launched the following discovery commands to gather information about the device they had compromised:

• cmd.exe and the commands ver and systeminfo – to collect operating system information
• net.exe – to determine domain computers, domain controllers, and domain admins in the environment

After executing these commands, the attackers navigated through directories and discovered a passwords folder that granted them access to account credentials they could use in the subsequent stages of the attack. They also used the del command to delete files related to their initial compromise activity.

The attackers then mounted a network share using net use and the stolen credentials and began looking for potential lateral movement targets using a combination of methods. First, they used WMIC.exe using the previously gathered device name as the node, launched the command whoami /all, and pinged google.com to check network connectivity. The output of the results were then written to a .log file on the mounted share. Second, the attackers used PowerShell.exe with the cmdlet Get-ADComputer and a filter to gather the last sign-in event.

Lateral movement

Two and a half days later, the attackers signed into one of the target devices they found during their initial discovery efforts using compromised credentials via interactive sign-in. They opted for a credential theft technique that didn’t require dropping a file like Mimikatz that antivirus products might detect. Instead, they opened Taskmgr.exe, created a dump file of the LSASS.exe process, and saved the file to a ZIP archive.

The attackers continued their previous discovery efforts using a PowerShell script version of ADRecon (ADRecon.ps1), which is a tool designed to gather extensive information about an Active Directory (AD) environment. The attacker followed up this action with a net scanning tool that opened connections to devices in the organization on server message block (SMB) and remote desktop protocol (RDP). For discovered devices, the attackers attempted to navigate to various network shares and used the Remote Desktop client (mstsc.exe) to sign into these devices, once again using the compromised account credentials.

These behaviors continued for days, with the attackers signing into numerous devices throughout the organization, dumping credentials, and determining what devices they could access.

Collection and exfiltration

On many of the devices the attackers signed into, efforts were made to collect and exfiltrate extensive amounts of data from the organization, including domain settings and information and intellectual property. To do this, the attackers used both MEGAsync and Rclone, which were renamed as legitimate Windows process names (for example, winlogon.exe, mstsc.exe).

Exfiltration of domain information to identify targets for lateral movement

Collecting domain information allowed the attackers to progress further in their attack because the said information could identify potential targets for lateral movement or those that would help the attackers distribute their ransomware payload. To do this, the attackers once again used ADRecon.ps1with numerous PowerShell cmdlets such as the following:

• Get-ADRGPO – gets group policy objects (GPO) in a domain
• Get-ADRDNSZone – gets all DNS zones and records in a domain
• Get-ADRGPLink – gets all group policy links applied to a scope of management in a domain

Additionally, the attackers dropped and used ADFind.exe commands to gather information on persons, computers, organizational units, and trust information, as well as pinged dozens of devices to check connectivity.

Exfiltration for double extortion

Intellectual property theft likely allowed the attackers to threaten the release of information if the subsequent ransom wasn’t paid—a practice known as “double extortion.” To steal intellectual property, the attackers targeted and collected data from SQL databases. They also navigated through directories and project folders, among others, of each device they could access, then exfiltrated the data they found in those. 

The exfiltration occurred for multiple days on multiple devices, which allowed the attackers to gather large volumes of information that they could then use for double extortion.

Encryption and ransom

It was a full two weeks from the initial compromise before the attackers progressed to ransomware deployment, thus highlighting the need for triaging and scoping out alert activity to understand accounts and the scope of access an attacker gained from their activity. Distribution of the ransomware payload using PsExec.exe proved to be the most common attack method.

Case study 2: Entry via compromised credentials

In another incident we observed, we found that a ransomware affiliate gained initial access to the environment via an internet-facing Remote Desktop server using compromised credentials to sign in.

Lateral movement

Once the attackers gained access to the target environment, they then used SMB to copy over and launch the Total Deployment Software administrative tool, allowing remote automated software deployment. Once this tool was installed, the attackers used it to install ScreenConnect (now known as ConnectWise), a remote desktop software application.

Credential theft

ScreenConnect was used to establish a remote session on the device, allowing attackers interactive control. With the device in their control, the attackers used cmd.exe to update the Registry to allow cleartext authentication via WDigest, and thus saved the attackers time by not having to crack password hashes. Shortly later, they used the Task Manager to dump the LSASS.exe process to steal the password, now in cleartext.

Eight hours later, the attackers reconnected to the device and stole credentials again. This time, however, they dropped and launched Mimikatz for the credential theft routine, likely because it can grab credentials beyond those stored in LSASS.exe. The attackers then signed out.

Persistence and encryption

A day later, the attackers returned to the environment using ScreenConnect. They used PowerShell to launch a command prompt process and then added a user account to the device using net.exe. The new user was then added to the local administrator group via net.exe.

Afterward, the attackers signed in using their newly created user account and began dropping and launching the ransomware payload. This account would also serve as a means of additional persistence beyond ScreenConnect and their other footholds in the environment to allow them to re-establish their presence, if needed. Ransomware adversaries are not above ransoming the same organization twice if access is not fully remediated.

Chrome.exe was used to navigate to a domain hosting the BlackCat payload. Notably, the folder structure included the organization name, indicating that this was a pre-staged payload specifically for the organization. Finally, the attackers launched the BlackCat payload on the device to encrypt its data.

Ransomware affiliates deploying BlackCat

Apart from the incidents discussed earlier, we’ve also observed two of the most prolific affiliate groups associated with ransomware deployments have switched to deploying BlackCat. Payload switching is typical for some RaaS affiliates to ensure business continuity or if there’s a possibility of better profit. Unfortunately for organizations, such adoption further adds to the challenge of detecting related threats.

Microsoft tracks one of these affiliate groups as DEV-0237. Also known as FIN12, DEV-0237 is notable for its distribution of Hive, Conti, and Ryuk ransomware. We’ve observed that this group added BlackCat to their list of distributed payloads beginning March 2022. Their switch to BlackCat from their last used payload (Hive) is suspected to be due to the public discourse around the latter’s decryption methodologies.

DEV-0504 is another active affiliate group that we’ve seen switching to BlackCat for their ransomware attacks. Like many RaaS affiliate groups, the following TTPs might be observed in a DEV-0504 attack:

• Entry vector that can involve the affiliate remotely signing into devices with compromised credentials, such as into devices running software solutions that allow for remote work
• The attackers’ use of their access to conduct discovery on the domain
• Lateral movement that potentially uses the initial compromised account
• Credential theft with tools like Mimikatz and Rubeus

DEV-0504 typically exfiltrates data on devices they compromise from the organization using a malicious tool such as StealBit—often named “send.exe” or “sender.exe”. PsExec is then used to distribute the ransomware payload. The group has been observed delivering the following ransom families before their adoption of BlackCat beginning December 2021:

• BlackMatter
• Conti
• LockBit 2.0
• Revil
• Ryuk

Defending against BlackCat ransomware

Today’s ransomware attacks have become more impactful because of their growing industrialization through the RaaS affiliate model and the increasing trend of double extortion. The incidents we’ve observed related to the BlackCat ransomware leverage these two factors, making this threat durable against conventional security and defense approaches that only focus on detecting the ransomware payloads. Detecting threats like BlackCat, while good, is no longer enough as human-operated ransomware continues to grow, evolve, and adapt to the networks they’re deployed or the attackers they work for.

Instead, organizations must shift their defensive strategies to prevent the end-to-end attack chain. As noted above, while attackers’ entry points may vary, their TTPs remain largely the same. In addition, these types of attacks continue to take advantage of an organization’s poor credential hygiene and legacy configurations or misconfigurations to succeed. Therefore, defenders should address these common paths and weaknesses by hardening their networks through various best practices such as access monitoring and proper patch management. We provide detailed steps on building these defensive strategies against ransomware in this blog.

In the BlackCat-related incidents we’ve observed, the common entry points for ransomware affiliates were via compromised credentials to access internet-facing remote access software and unpatched Exchange servers. Therefore, defenders should review their organization’s identity posture, carefully monitor external access, and locate vulnerable Exchange servers in their environment to update as soon as possible. The financial impact, reputation damage, and other repercussions that stem from attacks involving ransomware like BlackCat are not worth forgoing downtime, service interruption, and other pain points related to applying security updates and implementing best practices.

Leveraging Microsoft 365 Defender’s comprehensive threat defense capabilities

Microsoft 365 Defender helps protect organizations from attacks that deliver the BlackCat ransomware and other similar threats by providing cross-domain visibility and coordinated threat defense. It uses multiple layers of dynamic protection technologies and correlates threat data from email, endpoints, identities, and cloud apps. Microsoft Defender for Endpoint detects tools like Mimikatz, the actual BlackCat payload, and subsequent attacker behavior. Threat and vulnerability management capabilities also help discover vulnerable or misconfigured devices across different platforms; such capabilities could help detect and block possible exploitation attempts on vulnerable devices, such as those running Exchange. Finally, advanced hunting lets defenders create custom detections to proactively surface this ransomware and other related threats.

Additional mitigations and recommendations

Defenders can also follow the following steps to reduce the impact of this ransomware:

• Turn on Microsoft Defender Antivirus. Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a large amount of new and unknown variants.
• Enforce strong, randomized local administrator passwords. Use tools like Local Administrator Password Solution (LAPS).
• Require multifactor authentication (MFA) for local device access, RDP access, and remote connections through virtual private networks (VPNs) and Outlook Web Access. Solutions like Windows Hello or Fast ID Online (FIDO) v2.0 security keys let users sign in using biometrics and/or a physical key or device.
• Turn on Microsoft Defender Firewall.
• Implement controlled folder access to help prevent files from being altered or encrypted by ransomware. Set controlled folder access to Enabled or Audit mode.
• Investigate and remediate vulnerabilities in Exchange servers. Also, determine if implementing the Exchange Emergency Mitigation service is feasible for your environment. This service helps keep your Exchange servers secure by applying mitigations to address potential threats against your servers.

Microsoft 365 Defender customers can also apply the additional mitigations below:

• Use advanced protection against ransomware.
• Turn on tamper protection in Microsoft Defender for Endpoint to prevent malicious changes to security settings. Enable network protection in Microsoft Defender for Endpoint and Microsoft 365 Defender to prevent applications or users from accessing malicious domains and other malicious content on the internet.
• Ensure Exchange servers have applied the mitigations referenced in the related Threat Analytics report.
• Turn on the following attack surface reduction rules to block or audit activity associated with this threat:
  • Block credential stealing from the Windows local security authority subsystem (lsass.exe)
  • Block process creations originating from PSExec and WMI commands
  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion

For a full list of ransomware mitigations regardless of threat, refer to this article: Rapidly protect against ransomware and extortion.

Learn how you can stop attacks through automated, cross-domain security and built-in AI with Microsoft Defender 365.

Microsoft 365 Defender Threat Intelligence Team

Appendix

Microsoft 365 Defender detections

Microsoft Defender Antivirus

• Ransom:Win32/BlackCat!MSR
• Ransom:Win32/BlackCat.MK!MTB
• Ransom:Linux/BlackCat.A!MTB

Microsoft Defender for Endpoint EDR

Alerts with the following titles in the security center can indicate threat activity on your network:

• An active ‘BlackCat’ ransomware was detected
• ‘BlackCat’ ransomware was detected
• BlackCat ransomware

Hunting queries

Microsoft 365 Defender

To locate possible ransomware activity, run the following queries.

Suspicious process execution in PerfLogs path

Use this query to look for processes executing in PerfLogs—a common path used to place the ransomware payloads.

DeviceProcessEvents
| where InitiatingProcessFolderPath has "PerfLogs"
| where InitiatingProcessFileName matches regex "[a-z]{3}.exe"
| extend Length = strlen(InitiatingProcessFileName)
| where Length == 7

Suspicious registry modification of MaxMpxCt parameters

Use this query to look for suspicious running processes that modify registry settings to increase the number of outstanding requests allowed (for example, SMB requests when distributing ransomware via its PsExec methodology).

DeviceProcessEvents
| where ProcessCommandLine has_all("LanmanServer", "parameters", "MaxMpxCt", "65535")

Suspicious command line indicative of BlackCat ransom payload execution

Use these queries to look for instances of the BlackCat payload executing based on a required command argument for it to successfully encrypt ‘–access-token’.

DeviceProcessEvents
| where ProcessCommandLine has_all("--access-token", "-v") 
| extend CommandArguments = split(ProcessCommandLine, " ")
| mv-expand CommandArguments
| where CommandArguments matches regex "^[A-Fa-f0-9]{64}$"

DeviceProcessEvents
| where InitiatingProcessCommandLine has "--access-token"
| where ProcessCommandLine has "get uuid"

Suspected data exfiltration

Use this query to look for command lines that indicate data exfiltration and the indication that an attacker may attempt double extortion.

DeviceNetworkEvents
| where InitiatingProcessCommandLine has_all("copy", "--max-age", "--ignore-existing", "--multi-thread-streams", "--transfers") and InitiatingProcessCommandLine has_any("ftp", "ssh", "-q")

The post The many lives of BlackCat ransomware appeared first on Microsoft Security Blog.

April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. To learn more about this evolution, how the new taxonomy represents the origin, unique traits, and impact of threat actors, and a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.

September 2022 update – New information about recent Qakbot campaigns leading to ransomware deployment.

July 2022 update – New information about DEV-0206-associated activity wherein existing Raspberry Robin infections are used to deploy FakeUpdates, which then leads to follow-on actions resembling DEV-0243.

June 2022 update – More details in the Threat actors and campaigns section, including recently observed activities from DEV-0193 (Trickbot LLC), DEV-0504, DEV-0237, DEV-0401, and a new section on Qakbot campaigns that lead to ransomware deployments.

Microsoft processes 24 trillion signals every 24 hours, and we have blocked billions of attacks in the last year alone. Microsoft Security tracks more than 35 unique ransomware families and 250 unique threat actors across observed nation-state, ransomware, and criminal activities.

That depth of signal intelligence gathered from various domains—identity, email, data, and cloud—provides us with insight into the gig economy that attackers have created with tools designed to lower the barrier for entry for other attackers, who in turn continue to pay dividends and fund operations through the sale and associated “cut” from their tool’s success.

The cybercriminal economy is a continuously evolving connected ecosystem of many players with different techniques, goals, and skillsets. In the same way our traditional economy has shifted toward gig workers for efficiency, criminals are learning that there’s less work and less risk involved by renting or selling their tools for a portion of the profits than performing the attacks themselves. This industrialization of the cybercrime economy has made it easier for attackers to use ready-made penetration testing and other tools to perform their attacks.

Within this category of threats, Microsoft has been tracking the trend in the ransomware as a service (RaaS) gig economy, called human-operated ransomware, which remains one of the most impactful threats to organizations. We coined the industry term “human-operated ransomware” to clarify that these threats are driven by humans who make decisions at every stage of their attacks based on what they find in their target’s network.

Unlike the broad targeting and opportunistic approach of earlier ransomware infections, attackers behind these human-operated campaigns vary their attack patterns depending on their discoveries—for example, a security product that isn‘t configured to prevent tampering or a service that’s running as a highly privileged account like a domain admin. Attackers can use those weaknesses to elevate their privileges to steal even more valuable data, leading to a bigger payout for them—with no guarantee they’ll leave their target environment once they’ve been paid. Attackers are also often more determined to stay on a network once they gain access and sometimes repeatedly monetize that access with additional attacks using different malware or ransomware payloads if they aren’t successfully evicted.

Ransomware attacks have become even more impactful in recent years as more ransomware as a service ecosystems have adopted the double extortion monetization strategy. All ransomware is a form of extortion, but now, attackers are not only encrypting data on compromised devices but also exfiltrating it and then posting or threatening to post it publicly to pressure the targets into paying the ransom. Most ransomware attackers opportunistically deploy ransomware to whatever network they get access to, and some even purchase access to networks from other cybercriminals. Some attackers prioritize organizations with higher revenues, while others prefer specific industries for the shock value or type of data they can exfiltrate.

All human-operated ransomware campaigns—all human-operated attacks in general, for that matter—share common dependencies on security weaknesses that allow them to succeed. Attackers most commonly take advantage of an organization’s poor credential hygiene and legacy configurations or misconfigurations to find easy entry and privilege escalation points in an environment. 

In this blog, we detail several of the ransomware ecosystems  using the RaaS model, the importance of cross-domain visibility in finding and evicting these actors, and best practices organizations can use to protect themselves from this increasingly popular style of attack. We also offer security best practices on credential hygiene and cloud hardening, how to address security blind spots, harden internet-facing assets to understand your perimeter, and more. Here’s a quick table of contents:

1. How RaaS redefines our understanding of ransomware incidents
   • The RaaS affiliate model explained
   • Access for sale and mercurial targeting
2. “Human-operated” means human decisions
   • Exfiltration and double extortion
   • Persistent and sneaky access methods
3. Threat actors and campaigns deep dive: Threat intelligence-driven response to human-operated ransomware attacks
4. Defending against ransomware: Moving beyond protection by detection
   • Building credential hygiene
   • Auditing credential exposure
   • Prioritizing deployment of Active Directory updates
   • Cloud hardening
   • Addressing security blind spots
   • Reducing the attack surface
   • Hardening internet-facing assets and understanding your perimeter

How RaaS redefines our understanding of ransomware incidents

With ransomware being the preferred method for many cybercriminals to monetize attacks, human-operated ransomware remains one of the most impactful threats to organizations today, and it only continues to evolve. This evolution is driven by the “human-operated” aspect of these attacks—attackers make informed and calculated decisions, resulting in varied attack patterns tailored specifically to their targets and iterated upon until the attackers are successful or evicted.

In the past, we’ve observed a tight relationship between the initial entry vector, tools, and ransomware payload choices in each campaign of one strain of ransomware. The RaaS affiliate model, which has allowed more criminals, regardless of technical expertise, to deploy ransomware built or managed by someone else, is weakening this link. As ransomware deployment becomes a gig economy, it has become more difficult to link the tradecraft used in a specific attack to the ransomware payload developers.

Reporting a ransomware incident by assigning it with the payload name gives the impression that a monolithic entity is behind all attacks using the same ransomware payload and that all incidents that use the ransomware share common techniques and infrastructure. However, focusing solely on the ransomware stage obscures many stages of the attack that come before, including actions like data exfiltration and additional persistence mechanisms, as well as the numerous detection and protection opportunities for network defenders.

We know, for example, that the underlying techniques used in human-operated ransomware campaigns haven’t changed very much over the years—attacks still prey on the same security misconfigurations to succeed. Securing a large corporate network takes disciplined and sustained focus, but there’s a high ROI in implementing critical controls that prevent these attacks from having a wider impact, even if it’s only possible on the most critical assets and segments of the network. 

Without the ability to steal access to highly privileged accounts, attackers can’t move laterally, spread ransomware widely, access data to exfiltrate, or use tools like Group Policy to impact security settings. Disrupting common attack patterns by applying security controls also reduces alert fatigue in security SOCs by stopping the attackers before they get in. This can also prevent unexpected consequences of short-lived breaches, such as exfiltration of network topologies and configuration data that happens in the first few minutes of execution of some trojans.

In the following sections, we explain the RaaS affiliate model and disambiguate between the attacker tools and the various threat actors at play during a security incident. Gaining this clarity helps surface trends and common attack patterns that inform defensive strategies focused on preventing attacks rather than detecting ransomware payloads. Threat intelligence and insights from this research also enrich our solutions like Microsoft 365 Defender, whose comprehensive security capabilities help protect customers by detecting RaaS-related attack attempts.

The RaaS affiliate model explained

The cybercriminal economy—a connected ecosystem of many players with different techniques, goals, and skillsets—is evolving. The industrialization of attacks has progressed from attackers using off-the-shelf tools, such as Cobalt Strike, to attackers being able to purchase access to networks and the payloads they deploy to them. This means that the impact of a successful ransomware and extortion attack remains the same regardless of the attacker’s skills.

RaaS is an arrangement between an operator and an affiliate. The RaaS operator develops and maintains the tools to power the ransomware operations, including the builders that produce the ransomware payloads and payment portals for communicating with victims. The RaaS program may also include a leak site to share snippets of data exfiltrated from victims, allowing attackers to show that the exfiltration is real and try to extort payment. Many RaaS programs further incorporate a suite of extortion support offerings, including leak site hosting and integration into ransom notes, as well as decryption negotiation, payment pressure, and cryptocurrency transaction services

RaaS thus gives a unified appearance of the payload or campaign being a single ransomware family or set of attackers. However, what happens is that the RaaS operator sells access to the ransom payload and decryptor to an affiliate, who performs the intrusion and privilege escalation and who is responsible for the deployment of the actual ransomware payload. The parties then split the profit. In addition, RaaS developers and operators might also use the payload for profit, sell it, and run their campaigns with other ransomware payloads—further muddying the waters when it comes to tracking the criminals behind these actions.

Access for sale and mercurial targeting

A component of the cybercriminal economy is selling access to systems to other attackers for various purposes, including ransomware. Access brokers can, for instance, infect systems with malware or a botnet and then sell them as a “load”. A load is designed to install other malware or backdoors onto the infected systems for other criminals. Other access brokers scan the internet for vulnerable systems, like exposed Remote Desktop Protocol (RDP) systems with weak passwords or unpatched systems, and then compromise them en masse to “bank” for later profit. Some advertisements for the sale of initial access specifically cite that a system isn’t managed by an antivirus or endpoint detection and response (EDR) product and has a highly privileged credential such as Domain Administrator associated with it to fetch higher prices.

Most ransomware attackers opportunistically deploy ransomware to whatever network they get access to. Some attackers prioritize organizations with higher revenues, while some target specific industries for the shock value or type of data they can exfiltrate (for example, attackers targeting hospitals or exfiltrating data from technology companies). In many cases, the targeting doesn’t manifest itself as specifically attacking the target’s network, instead, the purchase of access from an access broker or the use of existing malware infection to pivot to ransomware activities.

In some ransomware attacks, the affiliates who bought a load or access may not even know or care how the system was compromised in the first place and are just using it as a “jump server” to perform other actions in a network. Access brokers often list the network details for the access they are selling, but affiliates aren’t usually interested in the network itself but rather the monetization potential. As a result, some attacks that seem targeted to a specific industry might simply be a case of affiliates purchasing access based on the number of systems they could deploy ransomware to and the perceived potential for profit.

“Human-operated” means human decisions

Microsoft coined the term “human-operated ransomware” to clearly define a class of attacks driven by expert human intelligence at every step of the attack chain and culminate in intentional business disruption and extortion. Human-operated ransomware attacks share commonalities in the security misconfigurations of which they take advantage and the manual techniques used for lateral movement and persistence. However, the human-operated nature of these actions means that variations in attacks—including objectives and pre-ransom activity—evolve depending on the environment and the unique opportunities identified by the attackers.

These attacks involve many reconnaissance activities that enable human operators to profile the organization and know what next steps to take based on specific knowledge of the target. Many of the initial access campaigns that provide access to RaaS affiliates perform automated reconnaissance and exfiltration of information collected in the first few minutes of an attack.

After the attack shifts to a hands-on-keyboard phase, the reconnaissance and activities based on this knowledge can vary, depending on the tools that come with the RaaS and the operator’s skill. Frequently attackers query for the currently running security tools, privileged users, and security settings such as those defined in Group Policy before continuing their attack. The data discovered via this reconnaissance phase informs the attacker’s next steps.

If there’s minimal security hardening to complicate the attack and a highly privileged account can be gained immediately, attackers move directly to deploying ransomware by editing a Group Policy. The attackers take note of security products in the environment and attempt to tamper with and disable these, sometimes using scripts or tools provided with RaaS purchase that try to disable multiple security products at once, other times using specific commands or techniques performed by the attacker.  

This human decision-making early in the reconnaissance and intrusion stages means that even if a target’s security solutions detect specific techniques of an attack, the attackers may not get fully evicted from the network and can use other collected knowledge to attempt to continue the attack in ways that bypass security controls. In many instances, attackers test their attacks “in production” from an undetected location in their target’s environment, deploying tools or payloads like commodity malware. If these tools or payloads are detected and blocked by an antivirus product, the attackers simply grab a different tool, modify their payload, or tamper with the security products they encounter. Such detections could give SOCs a false sense of security that their existing solutions are working. However, these could merely serve as a smokescreen to allow the attackers to further tailor an attack chain that has a higher probability of success. Thus, when the attack reaches the active attack stage of deleting backups or shadow copies, the attack would be minutes away from ransomware deployment. The adversary would likely have already performed harmful actions like the exfiltration of data. This knowledge is key for SOCs responding to ransomware: prioritizing investigation of alerts or detections of tools like Cobalt Strike and performing swift remediation actions and incident response (IR) procedures are critical for containing a human adversary before the ransomware deployment stage.

Exfiltration and double extortion

Ransomware attackers often profit simply by disabling access to critical systems and causing system downtime. Although that simple technique often motivates victims to pay, it is not the only way attackers can monetize their access to compromised networks. Exfiltration of data and “double extortion,” which refers to attackers threatening to leak data if a ransom hasn’t been paid, has also become a common tactic among many RaaS affiliate programs—many of them offering a unified leak site for their affiliates. Attackers take advantage of common weaknesses to exfiltrate data and demand ransom without deploying a payload.

This trend means that focusing on protecting against ransomware payloads via security products or encryption, or considering backups as the main defense against ransomware, instead of comprehensive hardening, leaves a network vulnerable to all the stages of a human-operated ransomware attack that occur before ransomware deployment. This exfiltration can take the form of using tools like Rclone to sync to an external site, setting up email transport rules, or uploading files to cloud services. With double extortion, attackers don’t need to deploy ransomware and cause downtime to extort money. Some attackers have moved beyond the need to deploy ransomware payloads and are shifting straight to extortion models or performing the destructive objectives of their attacks by directly deleting cloud resources. One such extortion attackers is DEV-0537 (also known as LAPSUS$), which is profiled below.  

Persistent and sneaky access methods

Paying the ransom may not reduce the risk to an affected network and potentially only serves to fund cybercriminals. Giving in to the attackers’ demands doesn’t guarantee that attackers ever “pack their bags” and leave a network. Attackers are more determined to stay on a network once they gain access and sometimes repeatedly monetize attacks using different malware or ransomware payloads if they aren’t successfully evicted.

The handoff between different attackers as transitions in the cybercriminal economy occur means that multiple attackers may retain persistence in a compromised environment using an entirely different set of tools from those used in a ransomware attack. For example, initial access gained by a banking trojan leads to a Cobalt Strike deployment, but the RaaS affiliate that purchased the access may choose to use a less detectable remote access tool such as TeamViewer to maintain persistence on the network to operate their broader series of campaigns. Using legitimate tools and settings to persist versus malware implants such as Cobalt Strike is a popular technique among ransomware attackers to avoid detection and remain resident in a network for longer.

Some of the common enterprise tools and techniques for persistence that Microsoft has observed being used include:

• AnyDesk
• Atera Remote Management
• ngrok.io
• Remote Manipulator System
• Splashtop
• TeamViewer

Another popular technique attackers perform once they attain privilege access is the creation of new backdoor user accounts, whether local or in Active Directory. These newly created accounts can then be added to remote access tools such as a virtual private network (VPN) or Remote Desktop, granting remote access through accounts that appear legitimate on the network. Ransomware attackers have also been observed editing the settings on systems to enable Remote Desktop, reduce the protocol’s security, and add new users to the Remote Desktop Users group.

The time between initial access to a hands-on keyboard deployment can vary wildly depending on the groups and their workloads or motivations. Some activity groups can access thousands of potential targets and work through these as their staffing allows, prioritizing based on potential ransom payment over several months. While some activity groups may have access to large and highly resourced companies, they prefer to attack smaller companies for less overall ransom because they can execute the attack within hours or days. In addition, the return on investment is higher from companies that can’t respond to a major incident. Ransoms of tens of millions of dollars receive much attention but take much longer to develop. Many groups prefer to ransom five to 10 smaller targets in a month because the success rate at receiving payment is higher in these targets. Smaller organizations that can’t afford an IR team are often more likely to pay tens of thousands of dollars in ransom than an organization worth millions of dollars because the latter has a developed IR capability and is likely to follow legal advice against paying. In some instances, a ransomware associate threat actor may have an implant on a network and never convert it to ransom activity. In other cases, initial access to full ransom (including handoff from an access broker to a RaaS affiliate) takes less than an hour.

The human-driven nature of these attacks and the scale of possible victims under control of ransomware-associated threat actors underscores the need to take targeted proactive security measures to harden networks and prevent these attacks in their early stages.

Threat actors and campaigns deep dive: Threat intelligence-driven response to human-operated ransomware attacks

For organizations to successfully respond to evict an active attacker, it’s important to understand the active stage of an ongoing attack. In the early attack stages, such as deploying a banking trojan, common remediation efforts like isolating a system and resetting exposed credentials may be sufficient. As the attack progresses and the attacker performs reconnaissance activities and exfiltration, it’s important to implement an incident response process that scopes the incident to address the impact specifically. Using a threat intelligence-driven methodology for understanding attacks can assist in determining incidents that need additional scoping.

In the next sections, we provide a deep dive into the following prominent ransomware threat actors and their campaigns to increase community understanding of these attacks and enable organizations to better protect themselves:

• DEV-0193 cluster (Trickbot LLC): The most prolific ransomware group today  
• ELBRUS: (Un)arrested development
• DEV-0504: Shifting payloads reflecting the rise and fall of RaaS programs
• DEV-0237: Prolific collaborator
• DEV-0450 and DEV-0464: Distributing Qakbot for ransomware deployment
• DEV-0206 and DEV-0243: An “evil” partnership
• DEV-0401: China-based lone wolf turned LockBit 2.0 affiliate
• DEV-0537: From extortion to destruction

Microsoft threat intelligence directly informs our products as part of our commitment to track adversaries and protect customers. Microsoft 365 Defender customers should prioritize alerts titled “Ransomware-linked emerging threat activity group detected”. We also add the note “Ongoing hands-on-keyboard attack” to alerts that indicate a human attacker is in the network. When these alerts are raised, it’s highly recommended to initiate an incident response process to scope the attack, isolate systems, and regain control of credentials attackers may be in control of.

A note on threat actor naming: as part of Microsoft’s ongoing commitment to track both nation-state and cybercriminal threat actors, we refer to the unidentified threat actors as a “development group”. We use a naming structure with a prefix of “DEV” to indicate an emerging threat group or unique activity during investigation. When a nation-state group moves out of the DEV stage, we use chemical elements (for example, PHOSPHORUS and NOBELIUM) to name them. On the other hand, we use volcano names (such as ELBRUS) for ransomware or cybercriminal activity groups that have moved out of the DEV state. In the cybercriminal economy, relationships between groups change very rapidly. Attackers are known to hire talent from other cybercriminal groups or use “contractors,” who provide gig economy-style work on a limited time basis and may not rejoin the group. This shifting nature means that many of the groups Microsoft tracks are labeled as DEV, even if we have a concrete understanding of the nature of the activity group.

DEV-0193 cluster (Trickbot LLC): The most prolific ransomware group today

A vast amount of the current cybercriminal economy connects to a nexus of activity that Microsoft tracks as DEV-0193, also referred to as Trickbot LLC. DEV-0193 is responsible for developing, distributing, and managing many different payloads, including Trickbot, Bazaloader, and AnchorDNS. In addition, DEV-0193 managed the Ryuk RaaS program before the latter’s shutdown in June 2021, and Ryuk’s successor, Conti as well as Diavol. Microsoft has been tracking the activities of DEV-0193 since October 2020 and has observed their expansion from developing and distributing the Trickbot malware to becoming the most prolific ransomware-associated cybercriminal activity group active today. 

DEV-0193’s actions and use of the cybercriminal gig economy means they often add new members and projects and utilize contractors to perform various parts of their intrusions. As other malware operations have shut down for various reasons, including legal actions, DEV-0193 has hired developers from these groups. Most notable are the acquisitions of developers from Emotet, Qakbot, and IcedID, bringing them to the DEV-0193 umbrella.

A subgroup of DEV-0193, which Microsoft tracks as DEV-0365, provides infrastructure as a service for cybercriminals. Most notably, DEV-0365 provides Cobalt Strike Beacon as a service. These DEV-0365 Beacons have replaced unique C2 infrastructure in many active malware campaigns. DEV-0193 infrastructure has also been implicated in attacks deploying novel techniques, including exploitation of CVE-2021-40444. 

The leaked chat files from a group publicly labeled as the “Conti Group” in February 2022 confirm the wide scale of DEV-0193 activity tracked by Microsoft. Based on our telemetry from 2021 and 2022, Conti has become one of the most deployed RaaS ecosystems, with multiple affiliates concurrently deploying their payload—even as other RaaS ecosystems (DarkSide/BlackMatter and REvil) ceased operations. However, payload-based attribution meant that much of the activity that led to Conti ransomware deployment was attributed to the “Conti Group,” even though many affiliates had wildly different tradecraft, skills, and reporting structures. Some Conti affiliates performed small-scale intrusions using the tools offered by the RaaS, while others performed weeks-long operations involving data exfiltration and extortion using their own techniques and tools. One of the most prolific and successful Conti affiliates—and the one responsible for developing the “Conti Manual” leaked in August 2021—is tracked as DEV-0230. This activity group also developed and deployed the FiveHands and HelloKitty ransomware payloads and often gained access to an organization via DEV-0193’s BazaLoader infrastructure.

Microsoft hasn’t observed a Conti deployment in our data since April 19, 2022, suggesting that the Conti program has shut down or gone on hiatus, potentially in response to the visibility of DEV-0230’s deployment of Conti in high-profile incidents or FBI’s announcement of a reward for information related to Conti. As can be expected when a RaaS program shuts down, the gig economy nature of the ransomware ecosystem means that affiliates can easily shift between payloads. Conti affiliates who had previously deployed Conti have moved on to other RaaS payloads. For example, DEV-0506 was deploying BlackBasta part-time before the Conti shutdown and is now deploying it regularly. Similarly, DEV-0230 shifted to deploying QuantumLocker around April 23, 2022.

ELBRUS: (Un)arrested development

ELBRUS, also known as FIN7, has been known to be in operation since 2012 and has run multiple campaigns targeting a broad set of industries for financial gain. ELBRUS has deployed point-of-sale (PoS) and ATM malware to collect payment card information from in-store checkout terminals. They have also targeted corporate personnel who have access to sensitive financial data, including individuals involved in SEC filings.

In 2018, this activity group made headlines when three of its members were arrested. In May 2020, another arrest was made for an individual with alleged involvement with ELBRUS. However, despite law enforcement actions against suspected individual members, Microsoft has observed sustained campaigns from the ELBRUS group itself during these periods.

ELBRUS is responsible for developing and distributing multiple custom malware families used for persistence, including JSSLoader and Griffon. ELBRUS has also created fake security companies called “Combi Security” and “Bastion Security” to facilitate the recruitment of employees to their operations under the pretense of working as penetration testers.

In 2020 ELBRUS transitioned from using PoS malware to deploying ransomware as part of a financially motivated extortion scheme, specifically deploying the MAZE and Revil RaaS families. ELBRUS developed their own RaaS ecosystem named DarkSide. They deployed DarkSide payloads as part of their operations and recruited and managed affiliates that deployed the DarkSide ransomware. The tendency to report on ransomware incidents based on payload and attribute it to a monolithic gang often obfuscates the true relationship between the attackers, which is very accurate of the DarkSide RaaS. Case in point, one of the most infamous DarkSide deployments wasn’t performed by ELBRUS but by a ransomware as a service affiliate Microsoft tracks as DEV-0289.

ELBRUS retired the DarkSide ransomware ecosystem in May 2021 and released its successor, BlackMatter, in July 2021. Replicating their patterns from DarkSide, ELBRUS deployed BlackMatter themselves and ran a RaaS program for affiliates. The activity group then retired the BlackMatter ransomware ecosystem in November 2021.

While they aren’t currently publicly observed to be running a RaaS program, ELBRUS is very active in compromising organizations via phishing campaigns that lead to their JSSLoader and Griffon malware. Since 2019, ELBRUS has partnered with DEV-0324 to distribute their malware implants. DEV-0324 acts as a distributor in the cybercriminal economy, providing a service to distribute the payloads of other attackers through phishing and exploit kit vectors. ELBRUS has also been abusing CVE-2021-31207 in Exchange to compromise organizations in April of 2022, an interesting pivot to using a less popular authenticated vulnerability in the ProxyShell cluster of vulnerabilities. This abuse has allowed them to target organizations that patched only the unauthenticated vulnerability in their Exchange Server and turn compromised low privileged user credentials into highly privileged access as SYSTEM on an Exchange Server.  

DEV-0504: Shifting payloads reflecting the rise and fall of RaaS programs

An excellent example of how clustering activity based on ransomware payload alone can lead to obfuscating the threat actors behind the attack is DEV-0504. DEV-0504 has deployed at least six RaaS payloads since 2020, with many of their attacks becoming high-profile incidents attributed to the “REvil gang” or “BlackCat ransomware group”. This attribution masks the actions of the set of the attackers in the DEV-0504 umbrella, including other REvil and BlackCat affiliates. This has resulted in a confusing story of the scale of the ransomware problem and overinflated the impact that a single RaaS program shutdown can have on the threat environment.  

DEV-0504 shifts payloads when a RaaS program shuts down, for example the deprecation of REvil and BlackMatter, or possibly when a program with a better profit margin appears. These market dynamics aren’t unique to DEV-0504 and are reflected in most RaaS affiliates. They can also manifest in even more extreme behavior where RaaS affiliates switch to older “fully owned” ransomware payloads like Phobos, which they can buy when a RaaS isn’t available, or they don’t want to pay the fees associated with RaaS programs.

DEV-0504 appears to rely on access brokers to enter a network, using Cobalt Strike Beacons they have possibly purchased access to. Once inside a network, they rely heavily on PsExec to move laterally and stage their payloads. Their techniques require them to have compromised elevated credentials, and they frequently disable antivirus products that aren’t protected with tamper protection.

DEV-0504 was responsible for deploying BlackCat ransomware in companies in the energy sector in January 2022. Around the same time, DEV-0504 also deployed BlackCat in attacks against companies in the fashion, tobacco, IT, and manufacturing industries, among others. BlackCat remains DEV-0504’s primary payload as of June 2022.

DEV-0237: Prolific collaborator

Like DEV-0504, DEV-0237 is a prolific RaaS affiliate that alternates between different payloads in their operations based on what is available. DEV-0237 heavily used Ryuk and Conti payloads from Trickbot LLC/DEV-0193, then Hive payloads more recently. Many publicly documented Ryuk and Conti incidents and tradecraft can be traced back to DEV-0237.

After the activity group switched to Hive as a payload, a large uptick in Hive incidents was observed. Their switch to the BlackCat RaaS in March 2022 is suspected to be due to public discourse around Hive decryption methodologies; that is, DEV-0237 may have switched to BlackCat because they didn’t want Hive’s decryptors to interrupt their business. Overlap in payloads has occurred as DEV-0237 experiments with new RaaS programs on lower-value targets. They have been observed to experiment with some payloads only to abandon them later.

Beyond RaaS payloads, DEV-0237 uses the cybercriminal gig economy to also gain initial access to networks. DEV-0237’s proliferation and success rate come in part from their willingness to leverage the network intrusion work and malware implants of other groups versus performing their own initial compromise and malware development.

Like all RaaS operators, DEV-0237 relies on compromised, highly privileged account credentials and security weaknesses once inside a network. DEV-0237 often leverages Cobalt Strike Beacon dropped by the malware they have purchased, as well as tools like SharpHound to conduct reconnaissance. The group often utilizes BITSadmin /transfer to stage their payloads. An often-documented trademark of Ryuk and Conti deployments is naming the ransomware payload xxx.exe, a tradition that DEV-0237 continues to use no matter what RaaS they are deploying, as most recently observed with BlackCat. In late March of 2022, DEV-0237 was observed to be using a new version of Hive again.

In May 2022, DEV-0237 started to routinely deploy Nokoyawa, a payload that we observed the group previously experimenting with when they weren’t using Hive. While the group used other payloads such as BlackCat in the same timeframe, Nokoyawa became a more regular part of their toolkits. By June 2022, DEV-0237 was still primarily deploying Hive and sometimes Nokoyawa but was seen experimenting with other ransomware payloads, including Agenda and Mindware.

DEV-0237 is also one of several actors observed introducing other tools into their attacks to replace Cobalt Strike. Cobalt Strike’s ubiquity and visible impact has led to improved detections and heightened awareness in security organizations, leading to observed decreased use by actors. DEV-0237 now uses the SystemBC RAT and the penetration testing framework Sliver in their attacks, replacing Cobalt Strike.

DEV-0450 and DEV-0464: Distributing Qakbot for ransomware deployment

The evolution of prevalent trojans from being commodity malware to serving as footholds for ransomware is well documented via the impact of Emotet, Trickbot, and BazaLoader. Another widely distributed malware, Qakbot, also leads to handoffs to RaaS affiliates. Qakbot is delivered via email, often downloaded by malicious macros in an Office document. Qakbot’s initial actions include profiling the system and the network, and exfiltrating emails (.eml files) for later use as templates in its malware distribution campaigns.

Qakbot is prevalent across a wide range of networks, building upon successful infections to continue spreading and expanding. Microsoft tracks DEV-0450 and DEV-0464 as  Qakbot distributors that result in observed ransomware attacks. DEV-0450 distributes the “presidents”-themed Qakbot, using American presidents’ names in their malware campaigns. Meanwhile, DEV-0464 distributes the “TR” Qakbot and other malware such as SquirrelWaffle. DEV-0464 also rapidly adopted the Microsoft Support Diagnostic Tool (MSDT) vulnerability (CVE-2022-30190) in their campaigns. The abuse of malicious macros and MSDT can be blocked by preventing Office from creating child processes, which we detail in the hardening guidance below.

Historically, Qakbot infections typically lead to hands-on-keyboard activity and ransomware deployments by DEV-0216, DEV-0506, and DEV-0826. DEV-0506 previously deployed Conti but switched to deploying Black Basta around April 8, 2022. This group uses DEV-0365’s Cobalt Strike Beacon infrastructure instead of maintaining their own. In late September 2022, Microsoft observed DEV-0506 adding Brute Ratel as a tool to facilitate their hands-on-keyboard access as well as Cobalt Strike Beacons.

Another RaaS affiliate that acquired access from Qakbot infections was DEV-0216, which maintains their own Cobalt Strike Beacon infrastructure and has operated as an affiliate for Egregor, Maze, Lockbit, REvil, and Conti in numerous high-impact incidents. Microsoft no longer sees DEV-0216 ransomware incidents initiating from DEV-0464 and DEV-0450 infections, indicating they may no longer be acquiring access via Qakbot.

DEV-0206 and DEV-0243: An “evil” partnership

Malvertising, which refers to taking out a search engine ad to lead to a malware payload, has been used in many campaigns, but the access broker that Microsoft tracks as DEV-0206 uses this as their primary technique to gain access to and profile networks. Targets are lured by an ad purporting to be a browser update, or a software package, to download a ZIP file and double-click it. The ZIP package contains a JavaScript file (.js), which in most environments runs when double-clicked. Organizations that have changed the settings such that script files open with a text editor by default instead of a script handler are largely immune from this threat, even if a user double clicks the script.

Once successfully executed, the JavaScript framework, also referred to SocGholish, acts as a loader for other malware campaigns that use access purchased from DEV-0206, most commonly Cobalt Strike payloads. These payloads have, in numerous instances, led to custom Cobalt Strike loaders attributed to DEV-0243. DEV-0243 falls under activities tracked by the cyber intelligence industry as “EvilCorp,”  The custom Cobalt Strike loaders are similar to those seen in publicly documented Blister malware’s inner payloads. In DEV-0243’s initial partnerships with DEV-0206, the group deployed a custom ransomware payload known as WastedLocker, and then expanded to additional DEV-0243 ransomware payloads developed in-house, such as PhoenixLocker and Macaw.

Around November 2021, DEV-0243 started to deploy the LockBit 2.0 RaaS payload in their intrusions. The use of a RaaS payload by the “EvilCorp” activity group is likely an attempt by DEV-0243 to avoid attribution to their group, which could discourage payment due to their sanctioned status.

On July 26, 2022, Microsoft researchers discovered the FakeUpdates malware being delivered via existing Raspberry Robin infections. Raspberry Robin is a USB-based worm first publicly discussed by Red Canary. The DEV-0206-associated FakeUpdates activity on affected systems has since led to follow-on actions resembling DEV-0243 pre-ransomware behavior.

DEV-0401: China-based lone wolf turned LockBit 2.0 affiliate

Differing from the other RaaS developers, affiliates, and access brokers profiled here, DEV-0401 appears to be an activity group involved in all stages of their attack lifecycle, from initial access to ransomware development. Despite this, they seem to take some inspiration from successful RaaS operations with the frequent rebranding of their ransomware payloads. Unique among human-operated ransomware threat actors tracked by Microsoft, DEV-0401 is confirmed to be a China-based activity group.

DEV-0401 differs from many of the attackers who rely on purchasing access to existing malware implants or exposed RDP to enter a network. Instead, the group heavily utilizes unpatched vulnerabilities to access networks, including vulnerabilities in Exchange, Manage Engine AdSelfService Plus, Confluence, and Log4j 2. Due to the nature of the vulnerabilities they preferred, DEV-0401 gains elevated credentials at the initial access stage of their attack.

Once inside a network, DEV-0401 relies on standard techniques such as using Cobalt Strike and WMI for lateral movement, but they have some unique preferences for implementing these behaviors. Their Cobalt Strike Beacons are frequently launched via DLL search order hijacking. While they use the common Impacket tool for WMI lateral movement, they use a customized version of the wmiexec.py module of the tool that creates renamed output files, most likely to evade static detections. Ransomware deployment is ultimately performed from a batch file in a share and Group Policy, usually written to the NETLOGON share on a Domain Controller, which requires the attackers to have obtained highly privileged credentials like Domain Administrator to perform this action.

Because DEV-0401 maintains and frequently rebrands their own ransomware payloads, they can appear as different groups in payload-driven reporting and evade detections and actions against them. Their payloads are sometimes rebuilt from existing for-purchase ransomware tools like Rook, which shares code similarity with the Babuk ransomware family. In February of 2022, DEV-0401 was observed deploying the Pandora ransomware family, primarily via unpatched VMware Horizon systems vulnerable to the Log4j 2 CVE-2021-44228 vulnerability.

Like many RaaS operators, DEV-0401 maintained a leak site to post exfiltrated data and motivate victims to pay, however their frequent rebranding caused these systems to sometimes be unready for their victims, with their leak site sometimes leading to default web server landing pages when victims attempt to pay.  In a notable shift—possibly related to victim payment issues—DEV-0401 started deploying LockBit 2.0 ransomware payloads in April 2022. Around June 6, 2022, it began replacing Cobalt Strike with the Sliver framework in their attacks.

DEV-0537: From extortion to destruction

An example of a threat actor who has moved to a pure extortion and destruction model without deploying ransomware payloads is an activity group that Microsoft tracks as DEV-0537, also known as LAPSUS$. Microsoft has detailed DEV-0537 actions taken in early 2022 in this blog. DEV-0537 started targeting organizations mainly in Latin America but expanded to global targeting, including government entities, technology, telecom, retailers, and healthcare. Unlike more opportunistic attackers, DEV-0537 targets specific companies with an intent. Their initial access techniques include exploiting unpatched vulnerabilities in internet-facing systems, searching public code repositories for credentials, and taking advantage of weak passwords. In addition, there is evidence that DEV-0537 leverages credentials stolen by the Redline password stealer, a piece of malware available for purchase in the cybercriminal economy. The group also buys credentials from underground forums which were gathered by other password-stealing malware.

Once initial access to a network is gained, DEV-0537 takes advantage of security misconfigurations to elevate privileges and move laterally to meet their objectives of data exfiltration and extortion. While DEV-0537 doesn’t possess any unique technical capabilities, the group is especially cloud-aware. They target cloud administrator accounts to set up forwarding rules for email exfiltration and tamper with administrative settings on cloud environments. As part of their goals to force payment of ransom, DEV-0537 attempts to delete all server infrastructure and data to cause business disruption. To further facilitate the achievement of their goals, they remove legitimate admins and delete cloud resources and server infrastructure, resulting in destructive attacks. 

DEV-0537 also takes advantage of cloud admin privileges to monitor email, chats, and VOIP communications to track incident response efforts to their intrusions. DEV-0537 has been observed on multiple occasions to join incident response calls, not just observing the response to inform their attack but unmuting to demand ransom and sharing their screens while they delete their victim’s data and resources.

Defending against ransomware: Moving beyond protection by detection

A durable security strategy against determined human adversaries must include the goal of mitigating classes of attacks and detecting them. Ransomware attacks generate multiple, disparate security product alerts, but they could easily get lost or not responded to in time. Alert fatigue is real, and SOCs can make their lives easier by looking at trends in their alerts or grouping alerts into incidents so they can see the bigger picture. SOCs can then mitigate alerts using hardening capabilities like attack surface reduction rules. Hardening against common threats can reduce alert volume and stop many attackers before they get access to networks. 

Attackers tweak their techniques and have tools to evade and disable security products. They are also well-versed in system administration and try to blend in as much as possible. However, while attacks have continued steadily and with increased impact, the attack techniques attackers use haven’t changed much over the years. Therefore, a renewed focus on prevention is needed to curb the tide.

Ransomware attackers are motivated by easy profits, so adding to their cost via security hardening is key in disrupting the cybercriminal economy.

Building credential hygiene

More than malware, attackers need credentials to succeed in their attacks. In almost all attacks where ransomware deployment was successful, the attackers had access to a domain admin-level account or local administrator passwords that were consistent throughout the environment. Deployment then can be done through Group Policy or tools like PsExec (or clones like PAExec, CSExec, and WinExeSvc). Without the credentials to provide administrative access in a network, spreading ransomware to multiple systems is a bigger challenge for attackers. Compromised credentials are so important to these attacks that when cybercriminals sell ill-gotten access to a network, in many instances, the price includes a guaranteed administrator account to start with.

Credential theft is a common attack pattern. Many administrators know tools like Mimikatz and LaZagne, and their capabilities to steal passwords from interactive logons in the LSASS process. Detections exist for these tools accessing the LSASS process in most security products. However, the risk of credential exposure isn’t just limited to a domain administrator logging in interactively to a workstation. Because attackers have accessed and explored many networks during their attacks, they have a deep knowledge of common network configurations and use it to their advantage. One common misconfiguration they exploit is running services and scheduled tasks as highly privileged service accounts.

Too often, a legacy configuration ensures that a mission-critical application works by giving the utmost permissions possible. Many organizations struggle to fix this issue even if they know about it, because they fear they might break applications. This configuration is especially dangerous as it leaves highly privileged credentials exposed in the LSA Secrets portion of the registry, which users with administrative access can access. In organizations where the local administrator rights haven’t been removed from end users, attackers can be one hop away from domain admin just from an initial attack like a banking trojan. Building credential hygiene is developing a logical segmentation of the network, based on privileges, that can be implemented alongside network segmentation to limit lateral movement.

Here are some steps organizations can take to build credential hygiene:

• Aim to run services as Local System when administrative privileges are needed, as this allows applications to have high privileges locally but can’t be used to move laterally. Run services as Network Service when accessing other resources.
• Use tools like LUA Buglight to determine the privileges that applications really need.
• Look for events with EventID 4624 where the logon type is 2, 4, 5, or 10 and the account is highly privileged like a domain admin. This helps admins understand which credentials are vulnerable to theft via LSASS or LSA Secrets. Ideally, any highly privileged account like a Domain Admin shouldn’t be exposed on member servers or workstations.
• Monitor for EventID 4625 (Logon Failed events) in Windows Event Forwarding when removing accounts from privileged groups. Adding them to the local administrator group on a limited set of machines to keep an application running still reduces the scope of an attack as against running them as Domain Admin.
• Randomize Local Administrator passwords with a tool like Local Administrator Password Solution (LAPS) to prevent lateral movement using local accounts with shared passwords.
• Use a cloud-based identity security solution that leverages on-premises Active Directory signals get visibility into identity configurations and to identify and detect threats or compromised identities

Auditing credential exposure

Auditing credential exposure is critical in preventing ransomware attacks and cybercrime in general. BloodHound is a tool that was originally designed to provide network defenders with insight into the number of administrators in their environment. It can also be a powerful tool in reducing privileges tied to administrative account and understanding your credential exposure. IT security teams and SOCs can work together with the authorized use of this tool to enable the reduction of exposed credentials. Any teams deploying BloodHound should monitor it carefully for malicious use. They can also use this detection guidance to watch for malicious use.

Microsoft has observed ransomware attackers also using BloodHound in attacks. When used maliciously, BloodHound allows attackers to see the path of least resistance from the systems they have access, to highly privileged accounts like domain admin accounts and global administrator accounts in Azure.

Prioritizing deployment of Active Directory updates

Security patches for Active Directory should be applied as soon as possible after they are released. Microsoft has witnessed ransomware attackers adopting authentication vulnerabilities within one hour of being made public and as soon as those vulnerabilities are included in tools like Mimikatz. Ransomware activity groups also rapidly adopt vulnerabilities related to authentication, such as ZeroLogon and PetitPotam, especially when they are included in toolkits like Mimikatz. When unpatched, these vulnerabilities could allow attackers to rapidly escalate from an entrance vector like email to Domain Admin level privileges.

Cloud hardening

As attackers move towards cloud resources, it’s important to secure cloud resources and identities as well as on-premises accounts. Here are ways organizations can harden cloud environments:

Cloud identity hardening

• Implement the Azure Security Benchmark and general best practices for securing identity infrastructure, including:
  • Prevent on-premises service accounts from having direct rights to the cloud resources to prevent lateral movement to the cloud.
  • Ensure that “break glass” account passwords are stored offline and configure honey-token activity for account usage.
  • Implement Conditional Access policies enforcing Microsoft’s Zero Trust principles.
• Enable risk-based user sign-in protection and automate threat response to block high-risk sign-ins from all locations and enable MFA for medium-risk ones.
• Ensure that VPN access is protected via modern authentication methods.

Multifactor authentication (MFA)

• Enforce MFA on all accounts, remove users excluded from MFA, and strictly require MFA from all devices, in all locations, at all times.
• Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. Refer to this article for the different authentication methods and features.
• Identify and secure workload identities to secure accounts where traditional MFA enforcement does not apply.
• Ensure that users are properly educated on not accepting unexpected two-factor authentication (2FA).
• For MFA that uses authenticator apps, ensure that the app requires a code to be typed in where possible, as many intrusions where MFA was enabled (including those by DEV-0537) still succeeded due to users clicking “Yes” on the prompt on their phones even when they were not at their computers. Refer to this article for an example.
• Disable legacy authentication.

Cloud admins

• Ensure cloud admins/tenant admins are treated with the same level of security and credential hygiene as Domain Admins.
• Address gaps in authentication coverage.

Addressing security blind spots

In almost every observed ransomware incident, at least one system involved in the attack had a misconfigured security product that allowed the attacker to disable protections or evade detection. In many instances, the initial access for access brokers is a legacy system that isn’t protected by  antivirus or EDR solutions. It’s important to understand that the lack security controls on these systems that have access to highly privileged credentials act as blind spots that allow attackers to perform the entire ransomware and exfiltration attack chain from a single system without being detected. In some instances, this is specifically advertised as a feature that access brokers sell.

Organizations should review and verify that security tools are running in their most secure configuration and perform regular network scans to ensure appropriate security products are monitoring and protecting all systems, including servers. If this isn’t possible, make sure that your legacy systems are either physically isolated through a firewall or logically isolated by ensuring they have no credential overlap with other systems.

For Microsoft 365 Defender customers, the following checklist eliminates security blind spots:

• Turn on cloud-delivered protection in Microsoft Defender Antivirus to cover rapidly evolving attacker tools and techniques, block new and unknown malware variants, and enhance attack surface reduction rules and tamper protection.
• Turn on tamper protection features to prevent attackers from stopping security services.
• Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when a non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode also blocks indicators identified proactively by Microsoft Threat Intelligence teams.
• Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
• Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches.
• Use device discovery to increase visibility into the network by finding unmanaged devices and onboarding them to Microsoft Defender for Endpoint.
• Protect user identities and credentials using Microsoft Defender for Identity, a cloud-based security solution that leverages on-premises Active Directory signals to monitor and analyze user behavior to identify suspicious user activities, configuration issues, and active attacks.

Reducing the attack surface

Microsoft 365 Defender customers can turn on attack surface reduction rules to prevent common attack techniques used in ransomware attacks. These rules, which can be configured by all Microsoft Defender Antivirus customers and not just those using the EDR solution, offer significant hardening against attacks. In observed attacks from several ransomware-associated activity groups, Microsoft customers who had the following rules enabled were able to mitigate the attack in the initial stages and prevented hands-on-keyboard activity:

• Common entry vectors:
  • Block all Office applications from creating child processes
  • Block Office communication application from creating child processes
  • Block Office applications from creating executable content
  • Block Office applications from injecting code into other processes
  • Block execution of potentially obfuscated scripts
  • Block JavaScript or VBScript from launching downloaded executable content
• Ransomware deployment and lateral movement stage (in order of impact based on the stage in attack they prevent):
  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion
  • Block credential stealing from the Windows local security authority subsystem (lsass.exe)
  • Block process creations originating from PsExec and WMI commands
  • Use advanced protection against ransomware

In addition, Microsoft has changed the default behavior of Office applications to block macros in files from the internet, further reduce the attack surface for many human-operated ransomware attacks and other threats.

Hardening internet-facing assets and understanding your perimeter

Organizations must identify and secure perimeter systems that attackers might use to access the network. Public scanning interfaces, such as RiskIQ, can be used to augment data. Some systems that should be considered of interest to attackers and therefore need to be hardened include:

• Secure Remote Desktop Protocol (RDP) or Windows Virtual Desktop endpoints with MFA to harden against password spray or brute force attacks.
• Block Remote IT management tools such as Teamviewer, Splashtop, Remote Manipulator System, Anydesk, Atera Remote Management, and ngrok.io via network blocking such as perimeter firewall rules if not in use in your environment. If these systems are used in your environment, enforce security settings where possible to implement MFA.

Ransomware attackers and access brokers also use unpatched vulnerabilities, whether already disclosed or zero-day, especially in the initial access stage. Even older vulnerabilities were implicated in ransomware incidents in 2022 because some systems remained unpatched, partially patched, or because access brokers had established persistence on a previously compromised systems despite it later being patched.

Some observed vulnerabilities used in campaigns between 2020 and 2022 that defenders can check for and mitigate include:

• Citrix ADC systems affected by CVE-2019-19781
• Pulse Secure VPN systems affected by CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900
• SonicWall SSLVPN affected by CVE-2021-20016
• Microsoft SharePoint servers affected by CVE-2019-0604
• Unpatched Microsoft Exchange servers
• Zoho ManageEngine systems affected by CVE-2020-10189
• FortiGate VPN servers affected by CVE-2018-13379
• Apache log4j CVE-2021-44228

Ransomware attackers also rapidly adopt new vulnerabilities. To further reduce organizational exposure, Microsoft Defender for Endpoint customers can use the threat and vulnerability management capability to discover, prioritize, and remediate vulnerabilities and misconfigurations.

Microsoft 365 Defender: Deep cross-domain visibility and unified investigation capabilities to defend against ransomware attacks

The multi-faceted threat of ransomware requires a comprehensive approach to security. The steps we outlined above defend against common attack patterns and will go a long way in preventing ransomware attacks. Microsoft 365 Defender is designed to make it easy for organizations to apply many of these security controls.

Microsoft 365 Defender’s industry-leading visibility and detection capabilities, demonstrated in the recent MITRE Engenuity ATT&CK® Evaluations, automatically stop most common threats and attacker techniques. To equip organizations with the tools to combat human-operated ransomware, which by nature takes a unique path for every organization, Microsoft 365 Defender provides rich investigation features that enable defenders to seamlessly inspect and remediate malicious behavior across domains.

Learn how you can stop attacks through automated, cross-domain security and built-in AI with Microsoft Defender 365.

In line with the recently announced expansion into a new service category called Microsoft Security Experts, we’re introducing the availability of Microsoft Defender Experts for Hunting for public preview. Defender Experts for Hunting is for customers who have a robust security operations center but want Microsoft to help them proactively hunt for threats across Microsoft Defender data, including endpoints, Office 365, cloud applications, and identity.

Join our research team at the Microsoft Security Summit digital event on May 12 to learn what developments Microsoft is seeing in the threat landscape, as well as how we can help your business mitigate these types of attacks. Ask your most pressing questions during the live chat Q&A. Register today.

The post Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself appeared first on Microsoft Security Blog.

So far the attacks have affected aid organizations, medical billing companies, manufacturing, transport, government institutions, and educational software providers, showing that these ransomware groups give little regard to the critical services they impact, global crisis notwithstanding. These attacks, however, are not limited to critical services, so organizations should be vigilant for signs of compromise.

The ransomware deployments in this two-week period appear to cause a slight uptick in the volume of ransomware attacks. However, Microsoft security intelligence as well as forensic data from relevant incident response engagements by Microsoft Detection and Response Team (DART) showed that many of the compromises that enabled these attacks occurred earlier. Using an attack pattern typical of human-operated ransomware campaigns, attackers have compromised target networks for several months beginning earlier this year and have been waiting to monetize their attacks by deploying ransomware when they would see the most financial gain.

Many of these attacks started with the exploitation of vulnerable internet-facing network devices; others used brute force to compromise RDP servers. The attacks delivered a wide range of payloads, but they all used the same techniques observed in human-operated ransomware campaigns: credential theft and lateral movement, culminating in the deployment of a ransomware payload of the attacker’s choice. Because the ransomware infections are at the tail end of protracted attacks, defenders should focus on hunting for signs of adversaries performing credential theft and lateral movement activities to prevent the deployment of ransomware.

In this blog, we share our in-depth analysis of these ransomware campaigns. Below, we will cover:

• Vulnerable and unmonitored internet-facing systems provide easy access to human-operated attacks
• A motley crew of ransomware payloads
• Immediate response actions for active attacks
• Building security hygiene to defend networks against human-operated ransomware
• Microsoft Threat Protection: Coordinated defense against complex and wide-reaching human-operated ransomware

We have included additional technical details including hunting guidance and recommended prioritization for security operations (SecOps).

Vulnerable and unmonitored internet-facing systems provide easy access to human-operated attacks

While the recent attacks deployed various ransomware strains, many of the campaigns shared infrastructure with previous ransomware campaigns and used the same techniques commonly observed in human-operated ransomware attacks.

In stark contrast to attacks that deliver ransomware via email—which tend to unfold much faster, with ransomware deployed within an hour of initial entry—the attacks we saw in April are similar to the Doppelpaymer ransomware campaigns from 2019, where attackers gained access to affected networks months in advance. They then remained relatively dormant within environments until they identified an opportune time to deploy ransomware.

To gain access to target networks, the recent ransomware campaigns exploited internet-facing systems with the following weaknesses:

• Remote Desktop Protocol (RDP) or Virtual Desktop endpoints without multi-factor authentication (MFA)
• Older platforms that have reached end of support and are no longer getting security updates, such as Windows Server 2003 and Windows Server 2008, exacerbated by the use of weak passwords
• Misconfigured web servers, including IIS, electronic health record (EHR) software, backup servers, or systems management servers
• Citrix Application Delivery Controller (ADC) systems affected by CVE-2019-19781
• Pulse Secure VPN systems affected by CVE-2019-11510

Applying security patches for internet-facing systems is critical in preventing these attacks. It’s also important to note that, although Microsoft security researchers have not observed the recent attacks exploiting the following vulnerabilities, historical signals indicate that these campaigns may eventually exploit them to gain access, so they are worth reviewing: CVE-2019-0604, CVE-2020-0688, CVE-2020-10189.

Like many breaches, attackers employed credential theft, lateral movement capabilities using common tools, including Mimikatz and Cobalt Strike, network reconnaissance, and data exfiltration. In these specific campaigns, the operators gained access to highly privileged administrator credentials and were ready to take potentially more destructive action if disturbed. On networks where attackers deployed ransomware, they deliberately maintained their presence on some endpoints, intending to reinitiate malicious activity after ransom is paid or systems are rebuilt. In addition, while only a few of these groups gained notoriety for selling data, almost all of them were observed viewing and exfiltrating data during these attacks, even if they have not advertised or sold yet.

As with all human-operated ransomware campaigns, these recent attacks spread throughout an environment affecting email identities, endpoints, inboxes, applications, and more. Because it can be challenging even for experts to ensure complete removal of attackers from a fully compromised network, it’s critical that vulnerable internet-facing systems are proactively patched and mitigations put in place to reduce the risk from these kinds of attacks.

A motley crew of ransomware payloads

While individual campaigns and ransomware families exhibited distinct attributes as described in the sections below, these human-operated ransomware campaigns tended to be variations on a common attack pattern. They unfolded in similar ways and employed generally the same attack techniques. Ultimately, the specific ransomware payload at the end of each attack chain was almost solely a stylistic choice made by the attackers.

RobbinHood ransomware

RobbinHood ransomware operators gained some attention for exploiting vulnerable drivers late in their attack chain to turn off security software. However, like many other human-operated ransomware campaigns, they typically start with an RDP brute-force attack against an exposed asset. They eventually obtain privileged credentials, mostly local administrator accounts with shared or common passwords, and service accounts with domain admin privileges. RobbinHood operators, like Ryuk and other well-publicized ransomware groups, leave behind new local and Active Directory user accounts, so they can regain access after their malware and tools have been removed.

Vatet loader

Attackers often shift infrastructure, techniques, and tools to avoid notoriety that might attract law enforcement or security researchers. They often retain them while waiting for security organizations to start considering associated artifacts inactive, so they face less scrutiny. Vatet, a custom loader for the Cobalt Strike framework that has been seen in ransomware campaigns as early as November 2018, is one of the tools that has resurfaced in the recent campaigns.

The group behind this tool appears to be particularly intent on targeting hospitals, as well as aid organizations, insulin providers, medical device manufacturers, and other critical verticals. They are one of the most prolific ransomware operators during this time and have caused dozens of cases.

Using Vatet and Cobalt Strike, the group has delivered various ransomware payloads. More recently, they have been deploying in-memory ransomware that utilizes Alternate Data Streams (ADS) and displays simplistic ransom notes copied from older ransomware families. To access target networks, they exploit CVE-2019-19781, brute force RDP endpoints, and send email containing .lnk files that launch malicious PowerShell commands. Once inside a network, they steal credentials, including those stored in the Credential Manager vault, and move laterally until they gain domain admin privileges. The group has been observed exfiltrating data prior to deploying ransomware.

NetWalker ransomware

NetWalker campaign operators gained notoriety for targeting hospitals and healthcare providers with emails claiming to provide information about COVID-19. These emails also delivered NetWalker ransomware directly as a .vbs attachment, a technique that has gained media attention. However, the campaign operators also compromised networks using misconfigured IIS-based applications to launch Mimikatz and steal credentials, which they then used to launch PsExec, and eventually deploying the same NetWalker ransomware.

PonyFinal ransomware

This Java-based ransomware had been considered a novelty, but the campaigns deploying PonyFinal weren’t unusual. Campaign operators compromised internet-facing web systems and obtained privileged credentials. To establish persistence, they used PowerShell commands to launch the system tool mshta.exe and set up a reverse shell based on a common PowerShell attack framework. They also used legitimate tools, such as Splashtop, to maintain remote desktop connections.

Maze ransomware

One of the first ransomware campaigns to make headlines for selling stolen data, Maze continues to target technology providers and public services. Maze has a history of going after managed service providers (MSPs) to gain access to the data and networks of MSP customers.

Maze has been delivered via email, but campaign operators have also deployed Maze to networks after gaining access using common vectors, such as RDP brute force. Once inside a network, they perform credential theft, move laterally to access resources and exfiltrate data, and then deploy ransomware.

In a recent campaign, Microsoft security researchers tracked Maze operators establishing access through an internet-facing system by performing RDP brute force against the local administrator account. Using the brute-forced password, campaign operators were able to move laterally because built-in administrator accounts on other endpoints used the same passwords.

After gaining control over a domain admin account through credential theft, campaign operators used Cobalt Strike, PsExec, and a plethora of other tools to deploy various payloads and access data. They established fileless persistence using scheduled tasks and services that launched PowerShell-based remote shells. They also turned on Windows Remote Management for persistent control using stolen domain admin privileges. To weaken security controls in preparation for ransomware deployment, they manipulated various settings through Group Policy.

REvil ransomware

Possibly the first ransomware group to take advantage of the network device vulnerabilities in Pulse VPN to steal credentials to access networks, REvil (also called Sodinokibi) gained notoriety for accessing MSPs and accessing the networks and documents of customers – and selling access to both. They kept up this activity during the COVID-19 crisis, targeting MSPs and other targets like local governments. REvil attacks are differentiated in their uptake of new vulnerabilities, but their techniques overlap with many other groups, relying on credential theft tools like Mimikatz once in the network and performing lateral movement and reconnaissance with tools like PsExec.

Other ransomware families

Other ransomware families used in human-operated campaigns during this period include:

• Paradise, which used to be distributed directly via email but is now used in human-operated ransomware attacks
• RagnarLocker, which is deployed by a group that heavily uses RDP and Cobalt Strike with stolen credentials
• MedusaLocker, which is possibly deployed via existing Trickbot infections
• LockBit, which is distributed by operators that use the publicly available penetration testing tool CrackMapExec to move laterally

Immediate response actions for active attacks

We highly recommend that organizations immediately check if they have any alerts related to these ransomware attacks and prioritize investigation and remediation. Malicious behaviors relevant to these attacks that defenders should pay attention to include:

• Malicious PowerShell, Cobalt Strike, and other penetration-testing tools that can allow attacks to blend in as benign red team activities
• Credential theft activities, such as suspicious access to Local Security Authority Subsystem Service (LSASS) or suspicious registry modifications, which can indicate new attacker payloads and tools for stealing credentials
• Any tampering with a security event log, forensic artifact such as the USNJournal, or a security agent, which attackers do to evade detections and to erase chances of recovering data

Customers using Microsoft Defender Advanced Threat Protection (ATP) can consult a companion threat analytics report for more details on relevant alerts, as well as advanced hunting queries. Customers subscribed to the Microsoft Threat Experts service can also refer to the targeted attack notification, which has detailed timelines of attacks, recommended mitigation steps for disrupting attacks, and remediation advice.

If your network is affected, perform the following scoping and investigation activities immediately to understand the impact of this breach. Using indicators of compromise (IOCs) alone to determine impact from these threats is not a durable solution, as most of these ransomware campaigns employ “one-time use” infrastructure for campaigns, and often change their tools and systems once they determine the detection capabilities of their targets. Detections and mitigations should concentrate on holistic behavioral based hunting where possible, and hardening infrastructure weaknesses favored by these attackers as soon as possible.

Investigate affected endpoints and credentials

Investigate endpoints affected by these attacks and identify all the credentials present on those endpoints. Assume that these credentials were available to attackers and that all associated accounts are compromised. Note that attackers can not only dump credentials for accounts that have logged on to interactive or RDP sessions, but can also dump cached credentials and passwords for service accounts and scheduled tasks that are stored in the LSA Secrets section of the registry.

• For endpoints onboarded to Microsoft Defender ATP, use advanced hunting to identify accounts that have logged on to affected endpoints. The threat analytics report contains a hunting query for this purpose.
• Otherwise, check the Windows Event Log for post-compromise logons—those that occur after or during the earliest suspected breach activity—with event ID 4624 and logon type 2 or 10. For any other timeframe, check for logon type 4 or 5.

Isolate compromised endpoints

Isolate endpoints that have command-and-control beacons or have been lateral movement targets. Locate these endpoints using advanced hunting queries or other methods of directly searching for related IOCs. Isolate machines using Microsoft Defender ATP, or use other data sources, such as NetFlow, and search through your SIEM or other centralized event management solutions. Look for lateral movement from known affected endpoints.

Address internet-facing weaknesses

Identify perimeter systems that attackers might have utilized to access your network. You can use a public scanning interface, such as shodan.io, to augment your own data. Systems that should be considered of interest to attackers include:

• RDP or Virtual Desktop endpoints without MFA
• Citrix ADC systems affected by CVE-2019-19781
• Pulse Secure VPN systems affected by CVE-2019-11510
• Microsoft SharePoint servers affected by CVE-2019-0604
• Microsoft Exchange servers affected by CVE-2020-0688
• Zoho ManageEngine systems affected by CVE-2020-10189

To further reduce organizational exposure, Microsoft Defender ATP customers can use the Threat and Vulnerability Management (TVM) capability to discover, prioritize, and remediate vulnerabilities and misconfigurations. TVM allows security administrators and IT administrators to collaborate seamlessly to remediate issues.

Inspect and rebuild devices with related malware infections

Many ransomware operators enter target networks through existing infections of malware like Emotet and Trickbot. These malware families, traditionally considered to be banking trojans, have been used to deliver all kinds of payloads, including persistent implants. Investigate and remediate any known infections and consider them possible vectors for sophisticated human adversaries. Ensure that you check for exposed credentials, additional payloads, and lateral movement prior to rebuilding affected endpoints or resetting passwords.

Building security hygiene to defend networks against human-operated ransomware

As ransomware operators continue to compromise new targets, defenders should proactively assess risk using all available tools. You should continue to enforce proven preventive solutions—credential hygiene, minimal privileges, and host firewalls—to stymie these attacks, which have been consistently observed taking advantage of security hygiene issues and over-privileged credentials.

Apply these measures to make your network more resilient against new breaches, reactivation of dormant implants, or lateral movement:

• Randomize local administrator passwords using a tool such as LAPS.
• Apply Account Lockout Policy.
• Ensure good perimeter security by patching exposed systems. Apply mitigating factors, such as MFA or vendor-supplied mitigation guidance, for vulnerabilities.
• Utilize host firewalls to limit lateral movement. Preventing endpoints from communicating on TCP port 445 for SMB will have limited negative impact on most networks, but can significantly disrupt adversary activities.
• Turn on cloud-delivered protection for Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
• Follow standard guidance in the security baselines for Office and Office 365 and the Windows security baselines. Use Microsoft Secure Score assesses to measures security posture and get recommended improvement actions, guidance, and control.
• Turn on tamper protection features to prevent attackers from stopping security services.
• Turn on attack surface reduction rules, including rules that can block ransomware activity:
  • Use advanced protection against ransomware
  • Block process creations originating from PsExec and WMI commands
  • Block credential stealing from the Windows local security authority subsystem (lsass.exe)

For additional guidance on improving defenses against human-operated ransomware and building better security posture against cyberattacks in general, read Human-operated ransomware attacks: A preventable disaster.

Microsoft Threat Protection: Coordinated defense against complex and wide-reaching human-operated ransomware

What we’ve learned from the increase in ransomware deployments in April is that attackers pay no attention to the real-world consequences of disruption in services—in this time of global crisis—that their attacks cause.

Human-operated ransomware attacks represent a different level of threat because adversaries are adept at systems administration and security misconfigurations and can therefore adapt to any path of least resistance they find in a compromised network. If they run into a wall, they try to break through. And if they can’t break through a wall, they’ve shown that they can skillfully find other ways to move forward with their attack. As a result, human-operated ransomware attacks are complex and wide-reaching. No two attacks are exactly the same.

Microsoft Threat Protections (MTP) provides coordinated defenses that uncover the complete attack chain and help block sophisticated attacks like human-operated ransomware. MTP combines the capabilities of multiple Microsoft 365 security services to orchestrate protection, prevention, detection, and response across endpoints, email, identities, and apps.

Through built-in intelligence, automation, and integration, MTP can block attacks, eliminate their persistence, and auto-heal affected assets. It correlates signals and consolidates alerts to help defenders prioritize incidents for investigation and response. MTP also provides a unique cross-domain hunting capability that can further help defenders identify attack sprawl and get org-specific insights for hardening defenses.

Microsoft Threat Protection is also part of a chip-to-cloud security approach that combines threat defense on the silicon, operating system, and cloud. Hardware-backed security features on Windows 10 like address space layout randomization (ASLR), Control Flow Guard (CFG), and others harden the platform against many advanced threats, including ones that take advantage of vulnerable kernel drivers. These platform security features seamlessly integrate with Microsoft Defender ATP, providing end-to-end security that starts from a strong hardware root of trust. On Secured-core PCs these mitigations are enabled by default.

We continue to work with our customers, partners, and the research community to track human-operated ransomware and other sophisticated attacks. For dire cases customers can use available services like the Microsoft Detection and Response (DART) team to help investigate and remediate.

Microsoft Threat Protection Intelligence Team

Appendix: MITRE ATT&CK techniques observed

Human-operated ransomware campaigns employ a broad range of techniques made possible by attacker control over privileged domain accounts. The techniques listed here are techniques commonly used during attacks against healthcare and critical services in April 2020.

Credential access

• T1003 Credential Dumping | Use of LaZagne, Mimikatz, LsaSecretsView, and other credential dumping tools and exploitation of CVE-2019-11510 on vulnerable endpoints

Persistence

• T1084 Windows Management Instrumentation Event Subscription | WMI event subscription
• T1136 Create Account | Creation of new accounts for RDP

Command and control

• T1043 Commonly Used Port | Use of port 443

Discovery

• T1033 System Owner/User Discovery | Various commands
• T1087 Account Discovery | LDAP and AD queries and other commands
• T1018 Remote System Discovery | Pings, qwinsta, and other tools and commands
• T1482 Domain Trust Discovery | Domain trust enumeration using Nltest

Execution

• T1035 Service Execution | Service registered to run CMD (as ComSpec) and PowerShell commands

Lateral movement

• T1076 Remote Desktop Protocol | Use of RDP to reach other machines in the network
• T1105 Remote File Copy | Lateral movement using WMI and PsExec

Defense evasion

• T1070 Indicator Removal on Host | Clearing of event logs using wevutil, removal of USNJournal using fsutil, and deletion of slack space on drive using cipher.exe
• T1089 Disabling Security Tools | Stopping or tampering with antivirus and other security using ProcessHacker and exploitation of vulnerable software drivers

Impact

• T1489 Service Stop | Stopping of services prior to encryption
• T1486 Data Encrypted for Impact | Ransomware encryption

The post Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk appeared first on Microsoft Security Blog.