Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

4/6/2021
01:00 PM
Andrew Jaquith
Andrew Jaquith
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Ryuk's Rampage Has Lessons for the Enterprise

The Ryuk ransomware epidemic is no accident. The cybercriminals responsible for its spread have systematically exploited weaknesses in enterprise defenses that must be addressed.

The Ryuk ransomware gang is hiring ... and that's bad news. In a conversation with Natalia Godyla of Microsoft in January, Jake Williams, the founder of Rendition Infosec, noted that his team spotted job advertisements in Dark Web forums from accounts associated with Ryuk's operators.

"They're looking for experienced ransomware operators, and they have a whole set of criteria, including that they want to see a history that you're getting an average $400,000 payout," Williams said. "They haven't asked for help in the past. They have more work than they can handle."

Related Content:

Cybercrime 'Help Wanted': Job Hunting on the Dark Web

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: A Day in the Life of a DevSecOps Manager

Good times for the Ryuk gang mean bad times for everyone else. The Ryuk ransomware, which appeared in 2018, has become one of the most potent threats to organizations — especially in healthcare, where research suggests it is responsible for three-quarters of ransomware attacks on healthcare organizations. It is also among the most costly ransomware families, with average ransom demands over $100,000, according to CheckPoint.

Targeting Enterprise Weak Points
The Ryuk malware is a variant of an existing ransomware strain known as Hermes 2.1 and is often distributed by commodity malware tools such as TrickBot. But Ryuk's operators invented new ways to deploy their malware, which targets weaknesses common to even the most sophisticated firms.

Ryuk's operators used highly tailored phishing emails to gain footholds within their targets. Its operators "live off the land," using standard tools such as net view and Ping to surveil and map networks. Next, standard Windows administrative applications such as PowerShell and Windows Management Instrumentation (WMI) are used to move laterally within victim environments. Purpose-built attack tools such as Cobalt Strike, PowerShell Empire, and Mimikatz harvest credentials and hashes from high-value Windows domain controllers. After that, Ryuk operators use offline techniques, such as Kerberoasting, to crack passwords and elevate permissions.

Ryuk was among the first high-touch "human-operated" ransomware campaigns that have become prevalent in recent years, affecting both public and private sector organizations with crippling attacks. The ability of malicious actors to compromise critical control infrastructure (CCI) such as Active Directory turns what might otherwise be minor disruptions into major disasters.

Ryuk is hardly the only ransomware family to use this approach. Human-directed ransomware campaigns are becoming the norm because they work so well. But, unlike other ransomware groups, the Ryuk operators don't have a public "dox" website where they publish stolen data. Ryuk infections that cause large disruptions may get noticed and become part of the public record. But many other Ryuk infections go unreported, which makes it difficult to gauge the malware's true impact or damages.

Ryuk's Lessons
Organizations can reduce the likelihood of a ransomware-related compromise through preventative measures. The usual advice applies: patch vulnerable systems; harden configurations; compartmentalize networks to limit potential spread; and claw back excessive Windows privileges.

These measures are necessary but not sufficient. Organizations can also make it harder for attackers to achieve their most important intermediate goal: elevating access. For an attacker, becoming a domain administrator is far more important than generic "lateral movement." Gaining elevated access by forging or stealing credentials allows operators to spread ransomware throughout the organization. Elevated access is what gives attackers their ultimate leverage and ensures maximum payouts.

By spotting attacks on authentication and related CCI earlier, organizations stand a much better chance of recovering gracefully and can minimize damage to corporate reputations or bottom lines. Here are a few recommendations for improving the integrity of authentication.

1. Retire NTLM
One of the most important steps organizations can take to shore up the security of Active Directory is to discontinue reliance on the NT LAN Manager (NTLM) protocol. NTLM is a legacy Windows protocol that is more than two decades old but still common within enterprises. That's because Windows NT 4 and Windows 98/ME and older still rely on NTLM for local authentication. NTLM is also embedded within many legacy applications.

These factors make it hard to retire NTLM. But we must. The gangs distributing Ryuk and ransomware like Maze, RobbinHood, and REvil use tools like Mimikatz (such as Rubeus) to extract NTLM credentials from memory. They also use well-known attack techniques such as Pass-the-Hash, Pass-the-Ticket, or Kerberoasting to gain access to network resources using stolen system credentials. One of the best ways to foil ransomware gangs is to retire NTLM by hunting down and terminating all old Windows machines, with extreme prejudice. Then, turn off NTLM for good.

2. Validate Kerberos
Getting rid of NTLM is necessary. But its replacement, the more cryptographically secure Kerberos protocol, is likewise being exploited in ransomware attacks. That's because Kerberos is stateless by design. It is a distributed protocol, and its transactions are not retained throughout authentication sessions. This means Kerberos can be abused using Pass-the-Ticket, Golden Ticket, Silver Ticket, and other techniques that allow attackers to reuse stolen credentials (or issue their own) to access domain controllers and elevate access. These kinds of attacks are a key reason the Ryuk gang can persist in compromised environments for days or weeks, expanding their reach and implanting crippling ransomware everywhere — even in cloud-based Windows servers.

To stop such activity, organizations need to detect attacks on authentication systems, both on-premises and in cloud-based Active Directory environments. By keeping a validated, stateful ledger of each Kerberos transaction, organizations can quickly detect credential forgeries and attempts to elevate access — and stop lateral movement.

Level Up Your Defenses
It is tempting to dismiss NTLM elimination and Kerberos validation as too much work. Certainly, tasks like patching, closing open ports, enforcing least privilege, and enforcing strong password policies would seem easier to accomplish. But one of the lessons of the ransomware epidemic is that cybercriminal gangs have moved well beyond crude, untargeted drive-by attacks to well-crafted, human-operated campaigns.

Organizations that hope to counter technically sophisticated, well-funded adversaries need to "level up" their defenses. Shoring up critical controls infrastructure like Active Directory is the place to start. As Edison once put it, "Opportunity is missed by most people because it is dressed in overalls and looks like work."

As the Chief Information Security Officer of QOMPLX, Mr. Jaquith is responsible for protecting company information assets, safeguarding customer data, managing enterprise risks, and ensuring compliance. As General Manager of the Cyber Business Unit, Mr. Jaquith directs the ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Data Breaches Affect the Enterprise
Data breaches continue to cause negative outcomes for companies worldwide. However, many organizations report that major impacts have declined significantly compared with a year ago, suggesting that many have gotten better at containing breach fallout. Download Dark Reading's Report "How Data Breaches Affect the Enterprise" to delve more into this timely topic.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3802
PUBLISHED: 2021-11-29
A vulnerability found in udisks2. This flaw allows an attacker to input a specially crafted image file/USB leading to kernel panic. The highest threat from this vulnerability is to system availability.
CVE-2021-39995
PUBLISHED: 2021-11-29
Some Huawei products use the OpenHpi software for hardware management. A function that parses data returned by OpenHpi contains an out-of-bounds read vulnerability that could lead to a denial of service. Affected product versions include: eCNS280_TD V100R005C10; eSE620X vESS V100R001C10SPC200, V100R...
CVE-2021-43691
PUBLISHED: 2021-11-29
An unspecified version of tripexpress is affected by a path manipulation vulnerability in file system/helpers/dompdf/load_font.php. The variable src is coming from $_SERVER["argv"] then there is a path manipulation vulnerability.
CVE-2021-43692
PUBLISHED: 2021-11-29
An unspecified version of youtube-php-mirroring is affected by a Cross Site Scripting (XSS) vulnerability in file ytproxy/index.php.
CVE-2021-43693
PUBLISHED: 2021-11-29
vesta 0.9.8-24 is affected by a file inclusion vulnerability in file web/add/user/index.php.