4/6/2021
01:00 PM
Andrew Jaquith
Commentary

Ryuk's Rampage Has Lessons for the Enterprise

The Ryuk ransomware epidemic is no accident. The cybercriminals responsible for its spread have systematically exploited weaknesses in enterprise defenses that must be addressed.

The Ryuk ransomware gang is hiring ... and that's bad news. In a conversation with Natalia Godyla of Microsoft in January, Jake Williams, the founder of Rendition Infosec, noted that his team spotted job advertisements in Dark Web forums from accounts associated with Ryuk's operators.

"They're looking for experienced ransomware operators, and they have a whole set of criteria, including that they want to see a history that you're getting an average $400,000 payout," Williams said. "They haven't asked for help in the past. They have more work than they can handle."


Good times for the Ryuk gang mean bad times for everyone else. The Ryuk ransomware, which appeared in 2018, has become one of the most potent threats to organizations, especially in healthcare, where research suggests it accounts for three-quarters of ransomware attacks. It is also among the most costly ransomware families, with average ransom demands of more than $100,000, according to Check Point.

Targeting Enterprise Weak Points
The Ryuk malware is a variant of an existing ransomware strain known as Hermes 2.1 and is often distributed by commodity malware tools such as TrickBot. But Ryuk's operators invented new ways to deploy their malware, which targets weaknesses common to even the most sophisticated firms.

Ryuk's operators use highly tailored phishing emails to gain footholds within their targets. They then "live off the land," using standard tools such as net view and ping to surveil and map networks. Next, standard Windows administrative applications such as PowerShell and Windows Management Instrumentation (WMI) are used to move laterally within victim environments. Purpose-built attack tools such as Cobalt Strike, PowerShell Empire, and Mimikatz harvest credentials and hashes from high-value Windows domain controllers. After that, the operators use offline techniques, such as Kerberoasting, to crack passwords and elevate permissions.

Ryuk was among the first high-touch "human-operated" ransomware campaigns that have become prevalent in recent years, affecting both public and private sector organizations with crippling attacks. The ability of malicious actors to compromise critical control infrastructure (CCI) such as Active Directory turns what might otherwise be minor disruptions into major disasters.

Ryuk is hardly the only ransomware family to use this approach. Human-directed ransomware campaigns are becoming the norm because they work so well. But, unlike other ransomware groups, the Ryuk operators don't have a public "dox" website where they publish stolen data. Ryuk infections that cause large disruptions may get noticed and become part of the public record. But many other Ryuk infections go unreported, which makes it difficult to gauge the malware's true impact or damages.

Ryuk's Lessons
Organizations can reduce the likelihood of a ransomware-related compromise through preventative measures. The usual advice applies: patch vulnerable systems; harden configurations; compartmentalize networks to limit potential spread; and claw back excessive Windows privileges.

These measures are necessary but not sufficient. Organizations can also make it harder for attackers to achieve their most important intermediate goal: elevating access. For an attacker, becoming a domain administrator is far more important than generic "lateral movement." Gaining elevated access by forging or stealing credentials allows operators to spread ransomware throughout the organization. Elevated access is what gives attackers their ultimate leverage and ensures maximum payouts.

By spotting attacks on authentication and related CCI earlier, organizations stand a much better chance of recovering gracefully and can minimize damage to corporate reputations or bottom lines. Here are a few recommendations for improving the integrity of authentication.

1. Retire NTLM
One of the most important steps organizations can take to shore up the security of Active Directory is to discontinue reliance on the NT LAN Manager (NTLM) protocol. NTLM is a legacy Windows protocol that is more than two decades old but still common within enterprises. That's because Windows NT 4, Windows 98/ME, and older systems still rely on NTLM for local authentication, and NTLM is also embedded within many legacy applications.

These factors make it hard to retire NTLM. But we must. The gangs distributing Ryuk and ransomware like Maze, RobbinHood, and REvil use tools such as Mimikatz and Rubeus to extract NTLM credentials from memory. They also use well-known attack techniques such as Pass-the-Hash, Pass-the-Ticket, or Kerberoasting to gain access to network resources using stolen system credentials. One of the best ways to foil ransomware gangs is to retire NTLM by hunting down and terminating all old Windows machines, with extreme prejudice. Then, turn off NTLM for good.
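Hunting down the machines that still authenticate with NTLM starts with the domain's own logon records. The Python below is an added illustration, not code from the original column or from QOMPLX: it groups constructed Security event 4624 records by source workstation and flags NTLMv1/LM sources, which no policy setting can fix short of retiring the host. The field names, sample hosts and accounts are assumptions.

```python
from collections import defaultdict

# Constructed sample records carrying the Security event 4624 fields that matter
# for NTLM hunting: "Authentication Package" and "Package Name (NTLM only)".
# A real collector would pull these from every DC and member server (e.g. Get-WinEvent).
SAMPLE_LOGONS = [
    {"user": "alice", "workstation": "WS-ACCT-03", "auth_pkg": "Kerberos", "lm_pkg": "-"},
    {"user": "svc-print", "workstation": "PRINTSRV-NT4", "auth_pkg": "NTLM", "lm_pkg": "NTLM V1"},
    {"user": "bob", "workstation": "LEGACY-APP01", "auth_pkg": "NTLM", "lm_pkg": "NTLM V2"},
    {"user": "bob", "workstation": "LEGACY-APP01", "auth_pkg": "NTLM", "lm_pkg": "NTLM V2"},
    # Negotiate that fell back to NTLM: only the package-name field reveals it.
    {"user": "carol", "workstation": "WS-ENG-11", "auth_pkg": "Negotiate", "lm_pkg": "NTLM V2"},
]

def ntlm_inventory(logons):
    """Group every NTLM-backed logon by source workstation.
    Returns {workstation: {"count": n, "users": set(), "ntlmv1": bool}}."""
    inv = defaultdict(lambda: {"count": 0, "users": set(), "ntlmv1": False})
    for ev in logons:
        lm_pkg = ev["lm_pkg"].upper()
        # "-" means no NTLM package was used; testing auth_pkg alone misses Negotiate fallbacks.
        if lm_pkg == "-":
            continue
        entry = inv[ev["workstation"]]
        entry["count"] += 1
        entry["users"].add(ev["user"])
        if lm_pkg in ("NTLM V1", "LM"):
            entry["ntlmv1"] = True   # cannot be fixed by policy short of retiring the host
    return dict(inv)

def retirement_order(inv):
    """NTLMv1/LM sources first, then the busiest NTLMv2 sources: the migration worklist."""
    return sorted(inv, key=lambda ws: (not inv[ws]["ntlmv1"], -inv[ws]["count"], ws))

if __name__ == "__main__":
    inventory = ntlm_inventory(SAMPLE_LOGONS)
    for ws in retirement_order(inventory):
        e = inventory[ws]
        print(f"{ws:14} logons={e['count']:3} ntlmv1={e['ntlmv1']} users={sorted(e['users'])}")
```

Once the worklist is empty, the "Network security: Restrict NTLM" policies can move from audit to deny without breaking anything still on the list.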

2. Validate Kerberos
Getting rid of NTLM is necessary. But its replacement, the more cryptographically secure Kerberos protocol, is likewise being exploited in ransomware attacks. That's because Kerberos is stateless by design. It is a distributed protocol, and its transactions are not retained throughout authentication sessions. This means Kerberos can be abused using Pass-the-Ticket, Golden Ticket, Silver Ticket, and other techniques that allow attackers to reuse stolen credentials (or issue their own) to access domain controllers and elevate access. These kinds of attacks are a key reason the Ryuk gang can persist in compromised environments for days or weeks, expanding their reach and implanting crippling ransomware everywhere — even in cloud-based Windows servers.

To stop such activity, organizations need to detect attacks on authentication systems, both on-premises and in cloud-based Active Directory environments. By keeping a validated, stateful ledger of each Kerberos transaction, organizations can quickly detect credential forgeries and attempts to elevate access — and stop lateral movement.
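The "stateful ledger" idea can be sketched in a few lines. The Python below is an added example, not QOMPLX's product or the author's code: it replays constructed 4768 (TGT issued) and 4769 (service ticket requested) records merged from every domain controller, remembers which TGTs the KDC actually issued, and flags service-ticket requests backed by a TGT it never issued or one past its lifetime, plus RC4 service tickets as a Kerberoasting indicator. The field names, the 10-hour lifetime default and the sample records are assumptions.

```python
from datetime import datetime, timedelta

# Active Directory's default "Maximum lifetime for user ticket" is 10 hours; TGT renewals
# (event 4770) are not modelled, so a renewed-but-not-reissued TGT would show as stale.
TGT_MAX_LIFETIME = timedelta(hours=10)
RC4_HMAC = "0x17"   # TicketEncryptionType for RC4; AES tickets are 0x11 / 0x12

# Constructed sample records with the 4768 / 4769 fields the ledger needs, merged
# from every DC in the domain (a TGT issued by DC1 is routinely used at DC2).
SAMPLE_EVENTS = [
    {"id": 4768, "time": "2021-04-06T08:00:00", "user": "alice", "ip": "10.0.0.5", "etype": "0x12", "status": "0x0"},
    {"id": 4769, "time": "2021-04-06T08:05:00", "user": "alice", "ip": "10.0.0.5", "service": "cifs/fs01", "etype": "0x12"},
    {"id": 4768, "time": "2021-04-06T08:10:00", "user": "bob", "ip": "10.0.0.9", "etype": "0x12", "status": "0x0"},
    {"id": 4769, "time": "2021-04-06T08:12:00", "user": "bob", "ip": "10.0.0.9", "service": "MSSQLSvc/sql01:1433", "etype": "0x17"},
    # Service ticket requested by a host that never obtained a TGT from any DC.
    {"id": 4769, "time": "2021-04-06T09:30:00", "user": "Administrator", "ip": "10.0.0.77", "service": "cifs/dc01", "etype": "0x12"},
    # alice again, 11 hours after her only TGT: beyond the maximum lifetime.
    {"id": 4769, "time": "2021-04-06T19:00:00", "user": "alice", "ip": "10.0.0.5", "service": "cifs/fs01", "etype": "0x12"},
]

def check_kerberos_ledger(events):
    """Replay the events through a stateful ledger of TGTs the KDC really issued.
    Returns [(event, reason)] for service-ticket requests the ledger cannot vouch for.
    Warm the ledger up for one TGT lifetime: TGTs issued before collection began are unknown."""
    ledger = {}     # (user, client ip) -> time of the last successful TGT issuance
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):   # ISO timestamps sort as text
        t = datetime.fromisoformat(ev["time"])
        key = (ev["user"].lower(), ev["ip"])
        if ev["id"] == 4768:
            if ev["status"] == "0x0":         # a failed pre-auth (e.g. 0x18) issues nothing
                ledger[key] = t
        elif ev["id"] == 4769:
            issued = ledger.get(key)
            if issued is None or t - issued > TGT_MAX_LIFETIME:
                findings.append((ev, "service ticket backed by a TGT the KDC never issued "
                                     "or one past its lifetime (forged/Golden Ticket indicator)"))
            if ev["etype"] == RC4_HMAC:
                findings.append((ev, "RC4 service ticket requested for an SPN "
                                     "(Kerberoasting indicator when the account supports AES)"))
    return findings

if __name__ == "__main__":
    for ev, reason in check_kerberos_ledger(SAMPLE_EVENTS):
        print(f"{ev['time']} {ev['user']}@{ev['ip']} -> {ev['service']}: {reason}")
```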

Level Up Your Defenses
It is tempting to dismiss NTLM elimination and Kerberos validation as too much work. Certainly, tasks like patching, closing open ports, enforcing least privilege, and enforcing strong password policies would seem easier to accomplish. But one of the lessons of the ransomware epidemic is that cybercriminal gangs have moved well beyond crude, untargeted drive-by attacks to well-crafted, human-operated campaigns.

Organizations that hope to counter technically sophisticated, well-funded adversaries need to "level up" their defenses. Shoring up critical control infrastructure (CCI) like Active Directory is the place to start. As Edison once put it, "Opportunity is missed by most people because it is dressed in overalls and looks like work."

As the Chief Information Security Officer of QOMPLX, Mr. Jaquith is responsible for protecting company information assets, safeguarding customer data, managing enterprise risks, and ensuring compliance. As General Manager of the Cyber Business Unit, Mr. Jaquith directs the ...