Microsoft: COVID-19 Fueling Human-Operated Ransomware Deployments
In the last two weeks, Microsoft has seen a surge in the volume of ransomware attacks against healthcare, but the human-operated intrusions likely began months before the malware was deployed.
In the last two weeks, ransomware hacking groups have deployed the ransomware payload after several months of gaining access to and maintaining persistence on victim networks, according to the latest Microsoft research on ransomware targeting healthcare and critical services during the COVID-19 pandemic.
This is the second alert from the Microsoft Threat Protection Intelligence Team this month. The first report shed light on the spike in human-operated ransomware hacking groups leveraging the Coronavirus crisis to target hospitals.
The latest research provides an update on those attacks over the course of April, including successful attacks on medical billing companies, manufacturing, government institutions, educational software providers, transport, and other organizations.
For example, the Parkview Medical Center is recovering from a ransomware attack that infected its IT network. The Colorado provider is maintaining EHR downtime procedures amid the pandemic.
“These ransomware groups give little regard to the critical services they impact, global crisis notwithstanding,” researchers wrote. “These attacks, however, are not limited to critical services, so organizations should be vigilant for signs of compromise.”
But while these recent attacks make it seem as if there has been an uptick in ransomware, that is not the case. Rather, many of these compromises began several months earlier, with hackers lying in wait on victim networks before deploying the ransomware in order to increase the likelihood of financial gain.
The report mirrors similar findings from Check Point, which shows a drastic increase in double extortion attempts. In these attacks, hackers quietly hide on victim networks, steal valuable data, and then deploy the ransomware payload. The stolen data is used as leverage to pressure victims into paying the ransom.
In the attacks detected by Microsoft, the threat actors are exploiting vulnerable internet-facing network devices, as well as conducting brute-force attacks on remote desktop protocol (RDP) servers.
The ransomware payloads range from the notorious Maze and REvil variants, to NetWalker and RobbinHood, “but they all used the same techniques observed in human-operated ransomware campaigns: credential theft and lateral movement, culminating in the deployment of a ransomware payload of the attacker’s choice.”
“Because the ransomware infections are at the tail end of protracted attacks, defenders should focus on hunting for signs of adversaries performing credential theft and lateral movement activities to prevent the deployment of ransomware,” researchers explained.
“In stark contrast to attacks that deliver ransomware via email — which tend to unfold much faster, with ransomware deployed within an hour of initial entry — the attacks we saw in April are similar to the Doppelpaymer ransomware campaigns from 2019, where attackers gained access to affected networks months in advance,” they added. “They then remained relatively dormant within environments until they identified an opportune time to deploy ransomware.”
In addition to RDP servers, hackers are breaching networks through legacy Windows platforms like Server 2003 and Server 2008 that are no longer serviced by Microsoft. The vulnerabilities are “exacerbated by the use of weak passwords.”
The threat actors are also exploiting misconfigured web servers, the widely known Citrix vulnerability, and unpatched Pulse Secure Virtual Private Network (VPN) systems. Organizations must apply the software updates to prevent exploits, or at the least, segment these vulnerable platforms from the main network.
These attacks also use other traditional hacking methods, such as credential theft, lateral movement via common tools, network reconnaissance, and data exfiltration. The latest campaign specifically targets highly privileged admin credentials, and the actors “were ready to take potentially more destructive action if disturbed.”
Notably, the hackers are maintaining their presence on the victims’ networks after deploying the ransomware to later restart their malicious activity after the organization pays the ransom or rebuilds their network.
“While only a few of these groups gained notoriety for selling data, almost all of them were observed viewing and exfiltrating data during these attacks, even if they have not advertised or sold yet,” Microsoft warned.
“As with all human-operated ransomware campaigns, these recent attacks spread throughout an environment affecting email identities, endpoints, inboxes, applications, and more,” they added.
Microsoft is urging organizations to immediately look for indicators of compromise for these ransomware attacks, including malicious “PowerShell, Cobalt Strike, and other penetration-testing tools that can allow attacks to blend in as benign red team activities,” credential theft activities, or any potential tampering with security event logs, security agents, or forensic artifacts.
These methods are used by attackers to evade detection and eliminate a victim’s chance of recovering data. Organizations should also investigate the endpoints used by these attackers, then isolate compromised endpoints. Internet-facing weaknesses must also be addressed, using a public scanning interface like shodan.io to find them.
Further, organizations must employ strong cyber hygiene, which includes measures such as randomizing local administrator passwords, applying account lockout policies, frequent patching, implementing multifactor authentication, and leveraging host firewalls to limit lateral movement, among other security measures.
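Two of the signals the report tells defenders to hunt for, the RDP brute forcing described earlier and tampering with security event logs, can be checked directly against Windows Security auditing events. The script below is an added example written for this article; it is not Microsoft's code or tooling. It runs over a handful of constructed event records (not from any real host) shaped like the common Security log fields, using the real Windows event IDs 4625 (failed logon), 4624 (successful logon, with logon type 10 meaning RDP) and 1102 (audit log cleared). The field names, the threshold of five failures in ten minutes, and the sample addresses and usernames are assumptions chosen for the illustration.

```python
"""Hunt for RDP brute force and Security-log clearing in Windows events.

Added example (not from the article or from Microsoft). Event IDs are real
Windows Security auditing IDs; all records below are constructed samples.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Field names are an assumption that mirrors the
# usual Security log attributes (TimeCreated, EventID, IpAddress, TargetUserName,
# LogonType, Computer).
SAMPLE_EVENTS = [
    # Burst of failed RDP logons from one external address, then a success.
    {"ts": "2020-04-10T02:00:01", "id": 4625, "src": "203.0.113.7", "user": "administrator", "logon_type": 10, "host": "RDP-GW1"},
    {"ts": "2020-04-10T02:00:03", "id": 4625, "src": "203.0.113.7", "user": "administrator", "logon_type": 10, "host": "RDP-GW1"},
    {"ts": "2020-04-10T02:00:05", "id": 4625, "src": "203.0.113.7", "user": "admin", "logon_type": 10, "host": "RDP-GW1"},
    {"ts": "2020-04-10T02:00:08", "id": 4625, "src": "203.0.113.7", "user": "backup", "logon_type": 10, "host": "RDP-GW1"},
    {"ts": "2020-04-10T02:00:11", "id": 4625, "src": "203.0.113.7", "user": "svc_sql", "logon_type": 10, "host": "RDP-GW1"},
    {"ts": "2020-04-10T02:00:14", "id": 4625, "src": "203.0.113.7", "user": "helpdesk", "logon_type": 10, "host": "RDP-GW1"},
    {"ts": "2020-04-10T02:01:30", "id": 4624, "src": "203.0.113.7", "user": "helpdesk", "logon_type": 10, "host": "RDP-GW1"},
    # One typo by a legitimate internal user: below threshold, must not fire.
    {"ts": "2020-04-10T08:15:00", "id": 4625, "src": "10.0.5.21", "user": "jsmith", "logon_type": 10, "host": "RDP-GW1"},
    {"ts": "2020-04-10T08:15:20", "id": 4624, "src": "10.0.5.21", "user": "jsmith", "logon_type": 10, "host": "RDP-GW1"},
    # Weeks later the Security log is cleared on a file server.
    {"ts": "2020-04-28T23:42:10", "id": 1102, "src": "-", "user": "helpdesk", "logon_type": None, "host": "FS01"},
]


def _ts(event):
    """Parse the ISO-8601 timestamp of an event into a datetime."""
    return datetime.fromisoformat(event["ts"])


def detect_rdp_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Flag sources with >= threshold failed RDP logons inside `window`.

    Only logon type 10 (RemoteInteractive) is considered. For each flagged
    source the finding also records whether a successful RDP logon from the
    same source followed the failure cluster within the window, which is the
    pattern of a guessed password rather than mere noise.
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e.get("logon_type") != 10:
            continue
        if e["id"] == 4625:
            failures[e["src"]].append(e)
        elif e["id"] == 4624:
            successes[e["src"]].append(e)

    findings = []
    for src, fails in failures.items():
        # Largest cluster of failures that fits in one window for this source.
        best = None
        for i, first in enumerate(fails):
            cluster = [f for f in fails[i:] if _ts(f) - _ts(first) <= window]
            if len(cluster) >= threshold and (best is None or len(cluster) > len(best)):
                best = cluster
        if best is None:
            continue
        last_fail = _ts(best[-1])
        hit = next((s for s in successes[src]
                    if last_fail <= _ts(s) <= last_fail + window), None)
        findings.append({
            "src": src,
            "host": best[-1]["host"],
            "failures": len(best),
            "usernames": sorted({f["user"] for f in best}),
            "success_user": hit["user"] if hit else None,
        })
    return findings


def detect_log_clearing(events):
    """Event 1102 is written when the Security log is cleared.

    Outside a documented maintenance window this is a strong indicator of
    the anti-forensic tampering the report warns about.
    """
    return [{"host": e["host"], "user": e["user"], "ts": e["ts"]}
            for e in events if e["id"] == 1102]


def hunt(events):
    """Run both checks and return the combined findings."""
    return {
        "rdp_brute_force": detect_rdp_brute_force(events),
        "log_cleared": detect_log_clearing(events),
    }


if __name__ == "__main__":
    for category, items in hunt(SAMPLE_EVENTS).items():
        print(category)
        for item in items:
            print("  ", item)
```

In practice the records would come from a SIEM export or `Get-WinEvent` output rather than an inline list; the brute-force check is deliberately per-source rather than per-account, because password spraying rotates usernames, and the success check is what distinguishes a compromised credential (worth isolating the endpoint and resetting the account) from background scanning.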
“Human-operated ransomware attacks represent a different level of threat because adversaries are adept at systems administration and security misconfigurations and can therefore adapt to any path of least resistance they find in a compromised network,” researchers wrote.
“If they run into a wall, they try to break through. And if they can’t break through a wall, they’ve shown that they can skillfully find other ways to move forward with their attack,” they concluded. “As a result, human-operated ransomware attacks are complex and wide-reaching. No two attacks are exactly the same.”