What is Ransomware?
Ransomware is a type of malware that holds an organization’s data “hostage,” typically by encrypting it until a ransom is paid.
Ransomware attacks typically target vulnerabilities on endpoints. Ransomware is a growing problem for organizations of every size, with both the number of attacks and the cost of cleaning up the damage on the rise.
Ransomware now regularly steals the headlines because it has a fear factor: everyone understands that regaining access to your data may cost millions.
How is Active Directory a threat?
Ransomware attacks typically target vulnerabilities on endpoints, preying on organizations that may not be entirely up to date in their “security hygiene,” specifically Active Directory and Azure AD groups and users. Whether in an on-premises or a hybrid identity environment, poor user and group attestation or lifecycle policies mean that over time these access points become out of date and vulnerable.
For example, an employee has left the company but the account remains, or a group within Active Directory has outlived its purpose. Attackers use these overlooked entry points to get in, assess the environment, elevate permissions, and then put your company in the headlines for all the wrong reasons.
Although security hygiene for Active Directory and Azure AD groups can be time-consuming and difficult to maintain manually, GroupID automates the process and saves IT hours of work. It simplifies user provisioning and deprovisioning. By simplifying and securing this critical focus area, enterprise organizations can prevent ransomware attacks.
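The stale accounts and purposeless groups described above can be found with a short audit against the domain. The script below is an added example, not GroupID’s code; it assumes the RSAT ActiveDirectory module, read access to the domain, and a 90-day inactivity threshold and report path that you would align with your own policy.

```powershell
# Added example, not GroupID's code: audit Active Directory for stale enabled
# users and security groups with no members. Assumes the RSAT ActiveDirectory
# module and read access to the domain; the 90-day threshold and the report
# path are assumptions to be aligned with local policy.
Import-Module ActiveDirectory

$InactiveDays = 90
$Cutoff       = (Get-Date).AddDays(-$InactiveDays)
$ReportPath   = Join-Path $env:TEMP 'ad-hygiene-report.csv'

# 1. Enabled users that have not logged on since the cutoff, or never at all.
#    LastLogonDate is derived from lastLogonTimestamp, which replicates with
#    up to ~14 days of lag; that is acceptable for a 90-day threshold.
$StaleUsers = Get-ADUser -Filter { Enabled -eq $true } `
        -Properties LastLogonDate, PasswordLastSet, whenCreated |
    Where-Object {
        ($_.LastLogonDate -and $_.LastLogonDate -lt $Cutoff) -or
        (-not $_.LastLogonDate -and $_.whenCreated -lt $Cutoff)
    } |
    Select-Object @{n='Type';e={'StaleUser'}}, SamAccountName,
                  DistinguishedName, LastLogonDate, PasswordLastSet

# 2. Security groups whose member attribute is empty. Caveat: membership held
#    only through primaryGroupID (e.g. Domain Users) is not in this attribute,
#    so review each hit before removing the group.
$EmptyGroups = Get-ADGroup -Filter "GroupCategory -eq 'Security'" -Properties member |
    Where-Object { -not $_.member } |
    Select-Object @{n='Type';e={'EmptyGroup'}}, SamAccountName, DistinguishedName,
                  @{n='LastLogonDate';e={$null}}, @{n='PasswordLastSet';e={$null}}

# 3. A stale account that still holds Domain Admins is the worst case, so
#    call those out separately in the summary.
$AdminDNs = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty DistinguishedName
$StaleAdmins = @($StaleUsers | Where-Object { $AdminDNs -contains $_.DistinguishedName })

# Both result sets share the same columns, so they can go into one CSV.
@($StaleUsers) + @($EmptyGroups) | Export-Csv -Path $ReportPath -NoTypeInformation

Write-Output ('{0} stale enabled users ({1} in Domain Admins), {2} empty security groups. Report: {3}' -f
    @($StaleUsers).Count, $StaleAdmins.Count, @($EmptyGroups).Count, $ReportPath)
```

The report is a review list, not a deletion list: disable and monitor stale accounts before removing them, and confirm a group is unused outside the member attribute before deleting it.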
Ransomware has been around for years, but its creators have stepped up their game: they now have more financial and technological resources to fuel their attacks. This lets bad actors infect systems and avoid detection for months, or longer.
The most common infection vectors used by ransomware creators are:
- Email
- Compromised websites
- Remote Desktop Protocol
We’ll dig down into each of these infection vectors and explain how they can act as a vulnerable endpoint.
Email
Unused email addresses, for example those of employees who have left the company, are a popular attack vector because they are an open door into an organization’s systems and resources within its on-premises or hybrid identity environment. It is not surprising that email continues to be the most common infection vector. For active email addresses, attachments disguised as innocuous files or links to a software download mean that one click leads to a ransomware infection.
Compromised Websites
Here the infection is caused by visiting a compromised website, usually with an outdated browser, software plug-in or unpatched third-party application. The compromised website runs an exploit kit that probes the visitor’s software for unpatched vulnerabilities.
Remote Desktop Protocol (RDP)
Internet-exposed RDP services are a common means of infecting computers. Legitimately, RDP is used to log in to Windows computers remotely and lets the user control the computer securely. Unfortunately, attackers have become skilled at brute-forcing the credentials of these exposed computers. To exploit exposed RDP, attackers combine brute-force attacks with credentials purchased on Dark Web marketplaces.
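Brute forcing against exposed RDP leaves a trail in the Windows Security log as failed logons (event 4625). The script below is an added example, not from the original post; it assumes it runs on the exposed host or a collector that receives its Security log, and the one-hour window and 20-failure threshold are assumptions to tune.

```powershell
# Added example (not from the original post): count failed logons (Security
# event 4625) per source address over the last hour and flag sources that
# look like RDP password guessing. The window and threshold are assumptions.
$WindowMinutes = 60
$Threshold     = 20          # failures from one source within the window
$Since         = (Get-Date).AddMinutes(-$WindowMinutes)

$Events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $Since
} -ErrorAction SilentlyContinue

# Pull the fields we need out of each event's XML. LogonType 10 is
# RemoteInteractive (RDP); type 3 appears when NLA authenticates first.
$Failures = foreach ($e in $Events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Source    = $d['IpAddress']
        Account   = $d['TargetUserName']
        LogonType = $d['LogonType']
        Status    = $d['SubStatus']   # 0xC000006A bad password, 0xC0000064 unknown user
    }
}

# Many failures for one account = brute force; many distinct accounts from
# one source = password spraying; many unknown users = username enumeration.
$Suspects = $Failures |
    Where-Object { $_.LogonType -in '3', '10' -and $_.Source -and $_.Source -ne '-' } |
    Group-Object Source |
    Where-Object { $_.Count -ge $Threshold } |
    ForEach-Object {
        [pscustomobject]@{
            Source        = $_.Name
            Failures      = $_.Count
            DistinctUsers = @($_.Group.Account | Sort-Object -Unique).Count
            UnknownUsers  = @($_.Group | Where-Object Status -eq '0xc0000064').Count
            FirstSeen     = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen      = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Sort-Object Failures -Descending

$Suspects | Format-Table -AutoSize
```

Any source that appears here is a candidate for blocking at the firewall, and the longer-term fix is to take RDP off the internet behind a VPN or gateway with multi-factor authentication.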
Common Targets of Ransomware Attacks
In 2018, enterprises accounted for 81% of ransomware attacks as the shift from consumer to business targets accelerated. The chief infiltration vector was email campaigns (Symantec ISTR19). There was also a pivot to targeted ransomware attacks and big game hunting, where attackers break in, survey a network, move laterally, and delete backups before encrypting.
In 2019, cybercriminals increasingly targeted ransomware at government agencies, municipalities, schools, hospitals and healthcare providers, either directly or through managed service providers (MSPs). Ransomware operators furthered their strong-arm schemes by compromising mission-critical systems, intimidating organizations, and demanding hefty ransom payments. Not paying the ransom often means replacing equipment and starting over, leaving leadership faced with difficult business decisions. Targeted organizations often believe that paying the ransom is the most cost-effective way to get their data back. This may be the reality, but it directly funds the development of the next generation of ransomware.
Ransomware as a Service (RaaS)
Ransomware is marketed openly as a service on the Dark Web. More than 230,000 new sites and over 350,000 new malware programs and potentially unwanted applications are produced every day, and this number is predicted to keep growing.
Advertising is also involved. RaaS developers run ads on the Dark Web and sell their ransomware technology as a kit, which eliminates many of the risks and much of the hard work of distribution while still letting them collect a cut of the proceeds.
Cryptocurrency as a Preferred Mode of Ransom Payments
Payment methods were limited in the early days of ransomware attacks. The occasional attacker might instruct the victim to send money via Western Union or to a bank account, but the transfer was traceable once the authorities became involved. Then came Bitcoin.
Bitcoin offers a secure and untraceable method of making and receiving payments. It is more flexible than traditional payment methods, which require specific financial or login details to use. Because it operates as a decentralized currency, in which people anywhere in the world pay each other without a middleman, oversight or regulation, it gives attackers an acceptable level of anonymity.
While Bitcoin is the best-known cryptocurrency, industry analysts are taking note of Monero, which is being heavily used on Dark Web marketplaces and is becoming a new payment method of choice for ransomware demands because of its privacy features.
Ransomware creators are getting more sophisticated in how they infect systems, avoid detection and foil decryption efforts. Ransomware trends include:
- Blended campaigns
- Big game hunting
- Intelligence gathering
Blended Campaigns
Nation-state threat actors are blending cryptocurrency mining and ransomware campaigns to generate revenue and/or to distract from other threat campaigns.
Big Game Hunting
Spray-and-pray methods are being replaced by big game hunting, where one big target, such as a hospital or large corporation, gets hit for a big payout. A recent example is the Colonial Pipeline hack, where ransomware was custom-built for a target to cause the most damage and demand a higher ransom.
Intelligence Gathering
Ransomware crime groups gather intelligence on intended victims. In addition to penetrating the network and performing reconnaissance, threat actors study SEC filings for an organization’s financial position and use the information to scale their ransom demands.
Strategies attackers use to get below the level of detection include:
- Slowing down the encryption process by spreading it out over a longer period of time
- Randomizing the order of encryption instead of encrypting files in a linear fashion
- Delaying the attack with dormant components (“Easter eggs”) that lie idle for a period of time before activating
- Using polymorphic code that changes its form to evade signature-based detection
- Deploying multi-threaded attacks that launch child processes
Attacks on Managed Service Providers (MSPs)
Managed service providers are a growing target for ransomware attackers. An attack on an MSP has the potential to devastate virtually any business. By exploiting the vulnerable security systems typically seen in resource-constrained service providers that manage multiple businesses and municipalities, attackers gain economies of scale and can exert pressure for payment on many victims at once.
Attacks on Cloud Services Providers
Ransomware writers are now targeting cloud service providers with network file encryption attacks as a way to hold the maximum possible number of customers hostage. The fallout from ransomware attacks against cloud service providers is devastating because the business systems of every cloud-hosted customer are encrypted.
Ransomware is also being used as a decoy to cover up more serious incidents such as data breaches. Although the attack looks like regular ransomware, typically delivered through phishing emails, the goal is to distract the organization from other security events happening on the network and to erase the traces of the underlying attack.
Ransomware attacks have taken an unwelcome turn as attackers have started to leak the victim’s files as a way to exert additional pressure on the victim to pay the ransom.
Impact of Ransomware Attacks on Businesses
Ransomware shows no signs of slowing down. Beyond the ransom itself, the greatest cost is the financial damage, which consists of:
- Lost data
- Tarnished reputations
- System rebuilds
- Recovery costs
- Regulatory fines
Ransoms of $50,000 to $400,000, and above, are no longer uncommon. Depending on the target, ransom demands have reached into the millions. Global ransomware damage is predicted to reach $11.5 billion by year-end 2019 and $20 billion USD by 2021 (Cybersecurity Ventures Ransomware Damage Report).
How to prevent ransomware attacks on Hybrid Cloud Identity Environments?
Installing automated systems that keep Active Directory and Azure AD groups and users up to date is a simple method that could save your organization millions. What’s not so simple is that many suppliers offer stitched-together solutions that are incomplete out of the box.
GroupID has kept hundreds of companies safe, and unlike competitors in the Identity and Access Management (IAM) space, GroupID is an out-of-the-box solution with minimal set-up. Moreover, Gartner named GroupID a top provider in its current Voice of the Customer study, based on anonymous customer feedback. GroupID technical support also received a 90% satisfaction rating among customers. Don’t fight this fight alone, contact GroupID today for a FREE TRIAL.
About GroupID by Imanami
GroupID, a Microsoft Gold Partner, is rated by Gartner as a top tool for managing hybrid cloud environments. GroupID puts an end to the chain of manual processes by automating the creation and management of Active Directory and Azure AD groups and users. GroupID is depended upon by customers including McAfee, Splunk, Riverbed Technology, Palo Alto Networks, Nvidia, Samsung, Toshiba, Disney and others, because GroupID solves real-world use cases while keeping their systems secure.