Attackers will take any opportunity that’s presented to them, and the current pandemic is proving to be no exception, as researchers have seen many threat actors ramping up phishing campaigns and other operations in the last few weeks. Recently, Microsoft researchers have observed ransomware operators taking advantage of network access they’ve had for some time to deploy ransomware in many organizations, including government agencies, aid organizations, and service providers.
Like most categories of malicious activity, ransomware attacks are not all of a piece. The ransomware campaigns that most people are familiar with involve large spam runs with malicious attachments containing the ransomware. Those are the most widespread and make up the bulk of the landscape, but there are also highly targeted spear-phishing campaigns that go after a specific organization. Those operations often hit targets such as hospitals, municipalities, critical infrastructure providers, or other organizations that cannot afford any significant downtime, increasing the likelihood that they will pay the ransom.
But there is a third category that does not get as much attention, because it is quieter and less flashy. Some threat actors compromise a target organization through a method such as exploiting a known vulnerability in an Internet-facing server or brute-forcing an exposed RDP instance, move laterally inside the network, and then wait patiently for weeks or months before deploying a ransomware strain. In the first half of April, Microsoft researchers saw several distinct ransomware operators use footholds they already held inside enterprises and other organizations to deploy a range of ransomware families. This pattern is typical of human-operated ransomware, as opposed to the automated, email-delivered variants that are more prevalent.
“Many of these attacks started with the exploitation of vulnerable internet-facing network devices; others used brute force to compromise RDP servers. The attacks delivered a wide range of payloads, but they all used the same techniques observed in human-operated ransomware campaigns: credential theft and lateral movement, culminating in the deployment of a ransomware payload of the attacker’s choice,” Microsoft’s Threat Protection Intelligence Team said.
“In stark contrast to attacks that deliver ransomware via email—which tend to unfold much faster, with ransomware deployed within an hour of initial entry—the attacks we saw in April are similar to the Doppelpaymer ransomware campaigns from 2019, where attackers gained access to affected networks months in advance. They then remained relatively dormant within environments until they identified an opportune time to deploy ransomware.”
In addition to going after exposed RDP servers, the attackers Microsoft observed targeted widely publicized vulnerabilities in the Pulse Secure VPN and the Citrix Application Delivery Controller (ADC), as well as misconfigured web servers. Once inside the target organization, they used a variety of tools to gather credentials and move laterally, including Cobalt Strike and Mimikatz. Having reached the systems they wanted, they sat and waited for what looked like the best time to deploy the ransomware.
“In these specific campaigns, the operators gained access to highly privileged administrator credentials and were ready to take potentially more destructive action if disturbed. On networks where attackers deployed ransomware, they deliberately maintained their presence on some endpoints, intending to reinitiate malicious activity after ransom is paid or systems are rebuilt. In addition, while only a few of these groups gained notoriety for selling data, almost all of them were observed viewing and exfiltrating data during these attacks, even if they have not advertised or sold yet,” Microsoft said.
The groups running these operations have employed several ransomware families, including RobbinHood, Ryuk, Maze, and REvil, among others. The Maze deployments might be the most worrisome, as that group is known to use its network access not just for ransom demands but also to steal sensitive data and sell it.
“In a recent campaign, Microsoft security researchers tracked Maze operators establishing access through an internet-facing system by performing RDP brute force against the local administrator account. Using the brute-forced password, campaign operators were able to move laterally because built-in administrator accounts on other endpoints used the same passwords,” Microsoft said.
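The two steps in the Maze quote above, a brute-force burst against a local administrator account over RDP followed by that same local account being accepted on other endpoints, are both visible in the Windows Security log. The detector below is an added example, not code from the article or from Microsoft: it replays constructed Security events (event IDs 4625 and 4624 with logon type 10 for RDP and type 3 for network logons are real Windows semantics; the host names, IP addresses, account names, timestamps and the alert thresholds are assumptions made up for the example) and flags (1) a failed-logon burst against a local account followed by a success from the same source, and (2) a single source IP then authenticating as a local account to several other hosts, which is what shared built-in administrator passwords look like once an attacker starts moving.

```python
"""Detect RDP brute force and local-admin password reuse in Windows Security events.

Added example; not Microsoft's or the article's code. Event IDs and logon types
follow the Windows Security log (4625 = failed logon, 4624 = successful logon,
logon type 10 = RemoteInteractive/RDP, logon type 3 = network). Everything else
(hosts, IPs, accounts, timestamps, thresholds) is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2020, 4, 6, 2, 14, 0)  # constructed start time


def _ev(ts, event_id, computer, user, domain, ip, logon_type):
    """A minimal record carrying the 4624/4625 fields the detectors need."""
    return {"ts": ts, "EventID": event_id, "Computer": computer,
            "TargetUserName": user, "TargetDomainName": domain,
            "IpAddress": ip, "LogonType": logon_type}


def build_sample_events():
    """Constructed events modelled on the campaign described above (hypothetical data)."""
    events = []
    # 1. 40 failed RDP logons against the built-in local Administrator on the
    #    Internet-facing host EDGE01, one every 3 seconds from a single external IP.
    for i in range(40):
        events.append(_ev(T0 + timedelta(seconds=3 * i), 4625, "EDGE01",
                          "Administrator", "EDGE01", "203.0.113.45", 10))
    # 2. A guess lands: successful RDP logon from the same IP.
    events.append(_ev(T0 + timedelta(seconds=125), 4624, "EDGE01",
                      "Administrator", "EDGE01", "203.0.113.45", 10))
    # 3. Lateral movement: the same local Administrator password is accepted over
    #    the network (logon type 3) on two more hosts, sourced from EDGE01 (10.0.0.5).
    events.append(_ev(T0 + timedelta(minutes=9), 4624, "FS01",
                      "Administrator", "FS01", "10.0.0.5", 3))
    events.append(_ev(T0 + timedelta(minutes=11), 4624, "WS07",
                      "Administrator", "WS07", "10.0.0.5", 3))
    # 4. Benign noise: a domain user mistypes a password twice, then logs in over RDP.
    for i in range(2):
        events.append(_ev(T0 + timedelta(minutes=30, seconds=10 * i), 4625, "EDGE01",
                          "jdoe", "CORP", "10.0.0.77", 10))
    events.append(_ev(T0 + timedelta(minutes=31), 4624, "EDGE01",
                      "jdoe", "CORP", "10.0.0.77", 10))
    # 5. Benign: a domain account (not a local one) opens a file share on FS01.
    events.append(_ev(T0 + timedelta(minutes=32), 4624, "FS01",
                      "jdoe", "CORP", "10.0.0.77", 3))
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_bruteforce(events, threshold=20, window=timedelta(minutes=5)):
    """Flag (host, source IP, account) triples with >= threshold failed RDP logons
    inside `window`, noting whether a successful RDP logon from the same source
    followed within another `window`. Thresholds are assumed tuning values."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["LogonType"] != 10:
            continue
        key = (e["Computer"], e["IpAddress"], e["TargetUserName"])
        if e["EventID"] == 4625:
            failures[key].append(e["ts"])
        elif e["EventID"] == 4624:
            successes[key].append(e["ts"])
    alerts = []
    for key, times in failures.items():
        times.sort()
        start, best, burst_end = 0, 0, None
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > best:
                best, burst_end = end - start + 1, times[end]
        if best >= threshold:
            succeeded = any(burst_end <= t <= burst_end + window
                            for t in successes.get(key, []))
            alerts.append({"host": key[0], "source_ip": key[1], "account": key[2],
                           "failures": best, "succeeded": succeeded})
    return alerts


def detect_local_admin_lateral(events, window=timedelta(hours=1), min_hosts=2):
    """Flag a source IP whose network logons succeed as a *local* account
    (TargetDomainName equals the target host name) on >= min_hosts distinct
    hosts within `window`: the signature of a shared local administrator password."""
    by_source = defaultdict(list)
    for e in events:
        if (e["EventID"] == 4624 and e["LogonType"] == 3
                and e["TargetDomainName"].upper() == e["Computer"].upper()):
            by_source[(e["IpAddress"], e["TargetUserName"])].append((e["ts"], e["Computer"]))
    alerts = []
    for (ip, user), hits in by_source.items():
        hits.sort()
        for ts, _ in hits:
            hosts = {h for t, h in hits if ts <= t <= ts + window}
            if len(hosts) >= min_hosts:
                alerts.append({"source_ip": ip, "account": user, "hosts": sorted(hosts)})
                break
    return alerts


if __name__ == "__main__":
    sample = build_sample_events()
    for alert in detect_rdp_bruteforce(sample) + detect_local_admin_lateral(sample):
        print(alert)
```

In a real deployment the events would come from a SIEM or from each host's Security log rather than from `build_sample_events()`, and the thresholds would be tuned to the environment. The detection is a backstop; the durable fixes are the ones the campaign exploited the absence of: no RDP reachable from the Internet, and a unique local administrator password on every endpoint (Microsoft's LAPS does this) so that one brute-forced password cannot be replayed across the fleet.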