The Ryuk ransomware gang is hiring ... and that's bad news. In a conversation with Natalia Godyla of Microsoft in January, Jake Williams, the founder of Rendition Infosec, noted that his team spotted job advertisements in Dark Web forums from accounts associated with Ryuk's operators.
"They're looking for experienced ransomware operators, and they have a whole set of criteria, including that they want to see a history that you're getting an average $400,000 payout," Williams said. "They haven't asked for help in the past. They have more work than they can handle."
Good times for the Ryuk gang mean bad times for everyone else. The Ryuk ransomware, which appeared in 2018, has become one of the most potent threats to organizations — especially in healthcare, where research suggests it is responsible for three-quarters of ransomware attacks on healthcare organizations. It is also among the most costly ransomware families, with average ransom demands over $100,000, according to CheckPoint.
Targeting Enterprise Weak Points
The Ryuk malware is a variant of an existing ransomware strain known as Hermes 2.1 and is often distributed by commodity malware tools such as TrickBot. But Ryuk's operators invented new ways to deploy their malware, which targets weaknesses common to even the most sophisticated firms.
Ryuk's operators used highly tailored phishing emails to gain footholds within their targets. Its operators "live off the land," using standard tools such as net view and Ping to surveil and map networks. Next, standard Windows administrative applications such as PowerShell and Windows Management Instrumentation (WMI) are used to move laterally within victim environments. Purpose-built attack tools such as Cobalt Strike, PowerShell Empire, and Mimikatz harvest credentials and hashes from high-value Windows domain controllers. After that, Ryuk operators use offline techniques, such as Kerberoasting, to crack passwords and elevate permissions.
Ryuk was among the first high-touch "human-operated" ransomware campaigns that have become prevalent in recent years, affecting both public and private sector organizations with crippling attacks. The ability of malicious actors to compromise critical control infrastructure (CCI) such as Active Directory turns what might otherwise be minor disruptions into major disasters.
Ryuk is hardly the only ransomware family to use this approach. Human-directed ransomware campaigns are becoming the norm because they work so well. But, unlike other ransomware groups, the Ryuk operators don't have a public "dox" website where they publish stolen data. Ryuk infections that cause large disruptions may get noticed and become part of the public record. But many other Ryuk infections go unreported, which makes it difficult to gauge the malware's true impact or damages.
Organizations can reduce the likelihood of a ransomware-related compromise through preventative measures. The usual advice applies: patch vulnerable systems; harden configurations; compartmentalize networks to limit potential spread; and claw back excessive Windows privileges.
These measures are necessary but not sufficient. Organizations can also make it harder for attackers to achieve their most important intermediate goal: elevating access. For an attacker, becoming a domain administrator is far more important than generic "lateral movement." Gaining elevated access by forging or stealing credentials allows operators to spread ransomware throughout the organization. Elevated access is what gives attackers their ultimate leverage and ensures maximum payouts.
By spotting attacks on authentication and related CCI earlier, organizations stand a much better chance of recovering gracefully and can minimize damage to corporate reputations or bottom lines. Here are a few recommendations for improving the integrity of authentication.
1. Retire NTLM
One of the most important steps organizations can take to shore up the security of Active Directory is to discontinue reliance on the NT LAN Manager (NTLM) protocol. NTLM is a legacy Windows protocol that is more than two decades old but still common within enterprises. That's because Windows NT 4 and Windows 98/ME and older still rely on NTLM for local authentication. NTLM is also embedded within many legacy applications.
These factors make it hard to retire NTLM. But we must. The gangs distributing Ryuk and ransomware like Maze, RobbinHood, and REvil use tools like Mimikatz (such as Rubeus) to extract NTLM credentials from memory. They also use well-known attack techniques such as Pass-the-Hash, Pass-the-Ticket, or Kerberoasting to gain access to network resources using stolen system credentials. One of the best ways to foil ransomware gangs is to retire NTLM by hunting down and terminating all old Windows machines, with extreme prejudice. Then, turn off NTLM for good.
2. Validate Kerberos
Getting rid of NTLM is necessary. But its replacement, the more cryptographically secure Kerberos protocol, is likewise being exploited in ransomware attacks. That's because Kerberos is stateless by design. It is a distributed protocol, and its transactions are not retained throughout authentication sessions. This means Kerberos can be abused using Pass-the-Ticket, Golden Ticket, Silver Ticket, and other techniques that allow attackers to reuse stolen credentials (or issue their own) to access domain controllers and elevate access. These kinds of attacks are a key reason the Ryuk gang can persist in compromised environments for days or weeks, expanding their reach and implanting crippling ransomware everywhere — even in cloud-based Windows servers.
To stop such activity, organizations need to detect attacks on authentication systems, both on-premises and in cloud-based Active Directory environments. By keeping a validated, stateful ledger of each Kerberos transaction, organizations can quickly detect credential forgeries and attempts to elevate access — and stop lateral movement.
Level Up Your Defenses
It is tempting to dismiss NTLM elimination and Kerberos validation as too much work. Certainly, tasks like patching, closing open ports, enforcing least privilege, and enforcing strong password policies would seem easier to accomplish. But one of the lessons of the ransomware epidemic is that cybercriminal gangs have moved well beyond crude, untargeted drive-by attacks to well-crafted, human-operated campaigns.
Organizations that hope to counter technically sophisticated, well-funded adversaries need to "level up" their defenses. Shoring up critical controls infrastructure like Active Directory is the place to start. As Edison once put it, "Opportunity is missed by most people because it is dressed in overalls and looks like work."