Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

01:00 PM
Andrew Jaquith
Andrew Jaquith
Connect Directly
E-Mail vvv

Ryuk's Rampage Has Lessons for the Enterprise

The Ryuk ransomware epidemic is no accident. The cybercriminals responsible for its spread have systematically exploited weaknesses in enterprise defenses that must be addressed.

The Ryuk ransomware gang is hiring ... and that's bad news. In a conversation with Natalia Godyla of Microsoft in January, Jake Williams, the founder of Rendition Infosec, noted that his team spotted job advertisements in Dark Web forums from accounts associated with Ryuk's operators.

"They're looking for experienced ransomware operators, and they have a whole set of criteria, including that they want to see a history that you're getting an average $400,000 payout," Williams said. "They haven't asked for help in the past. They have more work than they can handle."

Related Content:

Cybercrime 'Help Wanted': Job Hunting on the Dark Web

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: A Day in the Life of a DevSecOps Manager

Good times for the Ryuk gang mean bad times for everyone else. The Ryuk ransomware, which appeared in 2018, has become one of the most potent threats to organizations — especially in healthcare, where research suggests it is responsible for three-quarters of ransomware attacks on healthcare organizations. It is also among the most costly ransomware families, with average ransom demands over $100,000, according to CheckPoint.

Targeting Enterprise Weak Points
The Ryuk malware is a variant of an existing ransomware strain known as Hermes 2.1 and is often distributed by commodity malware tools such as TrickBot. But Ryuk's operators invented new ways to deploy their malware, which targets weaknesses common to even the most sophisticated firms.

Ryuk's operators used highly tailored phishing emails to gain footholds within their targets. Its operators "live off the land," using standard tools such as net view and Ping to surveil and map networks. Next, standard Windows administrative applications such as PowerShell and Windows Management Instrumentation (WMI) are used to move laterally within victim environments. Purpose-built attack tools such as Cobalt Strike, PowerShell Empire, and Mimikatz harvest credentials and hashes from high-value Windows domain controllers. After that, Ryuk operators use offline techniques, such as Kerberoasting, to crack passwords and elevate permissions.

Ryuk was among the first high-touch "human-operated" ransomware campaigns that have become prevalent in recent years, affecting both public and private sector organizations with crippling attacks. The ability of malicious actors to compromise critical control infrastructure (CCI) such as Active Directory turns what might otherwise be minor disruptions into major disasters.

Ryuk is hardly the only ransomware family to use this approach. Human-directed ransomware campaigns are becoming the norm because they work so well. But, unlike other ransomware groups, the Ryuk operators don't have a public "dox" website where they publish stolen data. Ryuk infections that cause large disruptions may get noticed and become part of the public record. But many other Ryuk infections go unreported, which makes it difficult to gauge the malware's true impact or damages.

Ryuk's Lessons
Organizations can reduce the likelihood of a ransomware-related compromise through preventative measures. The usual advice applies: patch vulnerable systems; harden configurations; compartmentalize networks to limit potential spread; and claw back excessive Windows privileges.

These measures are necessary but not sufficient. Organizations can also make it harder for attackers to achieve their most important intermediate goal: elevating access. For an attacker, becoming a domain administrator is far more important than generic "lateral movement." Gaining elevated access by forging or stealing credentials allows operators to spread ransomware throughout the organization. Elevated access is what gives attackers their ultimate leverage and ensures maximum payouts.

By spotting attacks on authentication and related CCI earlier, organizations stand a much better chance of recovering gracefully and can minimize damage to corporate reputations or bottom lines. Here are a few recommendations for improving the integrity of authentication.

1. Retire NTLM
One of the most important steps organizations can take to shore up the security of Active Directory is to discontinue reliance on the NT LAN Manager (NTLM) protocol. NTLM is a legacy Windows protocol that is more than two decades old but still common within enterprises. That's because Windows NT 4 and Windows 98/ME and older still rely on NTLM for local authentication. NTLM is also embedded within many legacy applications.

These factors make it hard to retire NTLM. But we must. The gangs distributing Ryuk and ransomware like Maze, RobbinHood, and REvil use tools like Mimikatz (such as Rubeus) to extract NTLM credentials from memory. They also use well-known attack techniques such as Pass-the-Hash, Pass-the-Ticket, or Kerberoasting to gain access to network resources using stolen system credentials. One of the best ways to foil ransomware gangs is to retire NTLM by hunting down and terminating all old Windows machines, with extreme prejudice. Then, turn off NTLM for good.

2. Validate Kerberos
Getting rid of NTLM is necessary. But its replacement, the more cryptographically secure Kerberos protocol, is likewise being exploited in ransomware attacks. That's because Kerberos is stateless by design. It is a distributed protocol, and its transactions are not retained throughout authentication sessions. This means Kerberos can be abused using Pass-the-Ticket, Golden Ticket, Silver Ticket, and other techniques that allow attackers to reuse stolen credentials (or issue their own) to access domain controllers and elevate access. These kinds of attacks are a key reason the Ryuk gang can persist in compromised environments for days or weeks, expanding their reach and implanting crippling ransomware everywhere — even in cloud-based Windows servers.

To stop such activity, organizations need to detect attacks on authentication systems, both on-premises and in cloud-based Active Directory environments. By keeping a validated, stateful ledger of each Kerberos transaction, organizations can quickly detect credential forgeries and attempts to elevate access — and stop lateral movement.

Level Up Your Defenses
It is tempting to dismiss NTLM elimination and Kerberos validation as too much work. Certainly, tasks like patching, closing open ports, enforcing least privilege, and enforcing strong password policies would seem easier to accomplish. But one of the lessons of the ransomware epidemic is that cybercriminal gangs have moved well beyond crude, untargeted drive-by attacks to well-crafted, human-operated campaigns.

Organizations that hope to counter technically sophisticated, well-funded adversaries need to "level up" their defenses. Shoring up critical controls infrastructure like Active Directory is the place to start. As Edison once put it, "Opportunity is missed by most people because it is dressed in overalls and looks like work."

As the Chief Information Security Officer of QOMPLX, Mr. Jaquith is responsible for protecting company information assets, safeguarding customer data, managing enterprise risks, and ensuring compliance. As General Manager of the Cyber Business Unit, Mr. Jaquith directs the ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
How Data Breaches Affect the Enterprise
Data breaches continue to cause negative outcomes for companies worldwide. However, many organizations report that major impacts have declined significantly compared with a year ago, suggesting that many have gotten better at containing breach fallout. Download Dark Reading's Report "How Data Breaches Affect the Enterprise" to delve more into this timely topic.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-11-29
Zoho ManageEngine ServiceDesk Plus before 11306 is vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration.
PUBLISHED: 2021-11-29
S3Scanner before 2.0.2 allows Directory Traversal via a crafted bucket, as demonstrated by a <Key>../ substring in a ListBucketResult element.
PUBLISHED: 2021-11-28
A Remote Command Execution vulnerability on the background in zrlog 2.2.2, at the upload avatar function, could bypass the original limit, upload the JSP file to get a WebShell
PUBLISHED: 2021-11-28
ZrLog 2.2.2 has a remote command execution vulnerability at plugin download function, it could execute any JAR file
PUBLISHED: 2021-11-27
janus-gateway is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')