Microsoft Threat Protection Intelligence Team Releases Guidance On Blocking Ransomware Attacks
Microsoft announced in a blog post that cyber-criminals are targeting healthcare and critical services, and shared tips on how to block new breaches by patching vulnerable internet-facing systems.
Multiple ransomware groups that have been accumulating access and maintaining persistence on target networks for several months activated dozens of ransomware deployments in the first two weeks of April 2020. So far the attacks have affected aid organizations, medical billing companies, manufacturing, transport, government institutions, and educational software providers, showing that these ransomware groups give little regard to the critical services they impact, global crisis notwithstanding. These attacks, however, are not limited to critical services, so organizations should be vigilant for signs of compromise.
In stark contrast to attacks that deliver ransomware via email—which tend to unfold much faster, with ransomware deployed within an hour of initial entry—the attacks Microsoft saw in April are similar to the DoppelPaymer ransomware campaigns from 2019, where attackers gained access to affected networks months in advance. They then remained relatively dormant within those environments until they identified an opportune time to deploy ransomware.
To gain access to target networks, the recent ransomware campaigns exploited internet-facing systems with the following weaknesses:
- Remote Desktop Protocol (RDP) or Virtual Desktop endpoints without multi-factor authentication (MFA)
- Older platforms that have reached end of support and are no longer getting security updates, such as Windows Server 2003 and Windows Server 2008, exacerbated by the use of weak passwords
- Misconfigured web servers, including IIS, electronic health record (EHR) software, backup servers, or systems management servers
- Citrix Application Delivery Controller (ADC) systems affected by CVE-2019-19781
- Pulse Secure VPN systems affected by CVE-2019-11510
Microsoft says that, “Applying security patches for internet-facing systems is critical in preventing these attacks. It’s also important to note that, although Microsoft security researchers have not observed the recent attacks exploiting the following vulnerabilities, historical signals indicate that these campaigns may eventually exploit them to gain access, so they are worth reviewing: CVE-2019-0604, CVE-2020-0688, CVE-2020-10189.”
While individual campaigns and ransomware families exhibited distinct attributes as described in the sections below, these human-operated ransomware campaigns tended to be variations on a common attack pattern. They unfolded in similar ways and employed generally the same attack techniques. Ultimately, the specific ransomware payload at the end of each attack chain was almost solely a stylistic choice made by the attackers.
As ransomware operators continue to compromise new targets, defenders should proactively assess risk using all available tools. You should continue to enforce proven preventive solutions—credential hygiene, minimal privileges, and host firewalls—to stymie these attacks, which have been consistently observed taking advantage of security hygiene issues and over-privileged credentials.
Apply these measures to make your network more resilient against new breaches, reactivation of dormant implants, or lateral movement:
- Randomize local administrator passwords using a tool such as LAPS.
- Apply Account Lockout Policy.
- Ensure good perimeter security by patching exposed systems. Apply mitigating factors, such as MFA or vendor-supplied mitigation guidance, for vulnerabilities.
- Utilize host firewalls to limit lateral movement. Preventing endpoints from communicating on TCP port 445 for SMB will have limited negative impact on most networks, but can significantly disrupt adversary activities.
- Turn on cloud-delivered protection for Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
- Follow standard guidance in the security baselines for Office and Office 365 and the Windows security baselines. Use Microsoft Secure Score to assess security posture and get recommended improvement actions, guidance, and control.
- Turn on tamper protection features to prevent attackers from stopping security services.
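The host-level items in the list above, as an added example script that is not part of the Microsoft post or this article. It assumes an elevated PowerShell session on a Windows 10 / Server 2016 or later host running Microsoft Defender Antivirus; the firewall rule name, lockout values and the legacy LAPS client path are assumptions.

```powershell
# Added example: apply and report on several of the host-level mitigations listed above.
# Assumes an elevated session on Windows 10 / Server 2016+ with Microsoft Defender Antivirus.
# Review before use: the SMB block rule applies to every firewall profile on this host.

$ErrorActionPreference = 'Stop'

# 1. Host firewall: block inbound SMB (TCP 445) on endpoints to limit lateral movement.
$ruleName = 'Block inbound SMB (TCP 445) - lateral movement mitigation'   # assumed name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block -Profile Any | Out-Null
}

# 2. Account lockout policy: 10 failed attempts lock the account for 15 minutes (assumed values).
net accounts /lockoutthreshold:10 /lockoutduration:15 /lockoutwindow:15 | Out-Null

# 3. Cloud-delivered protection for Microsoft Defender Antivirus.
Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples

# 4. Report on items that a script should only flag, not change blindly.
$status = Get-MpComputerStatus
$os     = (Get-CimInstance Win32_OperatingSystem).Caption
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdpNla = (Get-ItemProperty $rdpKey).UserAuthentication
$rdpOn  = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)

[PSCustomObject]@{
    OperatingSystem      = $os
    EndOfSupportPlatform = $os -match 'Server 2003|Server 2008|Windows 7'  # replace, do not just patch
    TamperProtection     = $status.IsTamperProtected    # enable via Intune / Security Center if $false
    CloudProtection      = (Get-MpPreference).MAPSReporting   # 2 = Advanced
    RdpListening         = $rdpOn
    RdpNetworkLevelAuth  = ($rdpNla -eq 1)               # NLA alone is not MFA; front RDP with a gateway/IdP
    SmbInboundBlocked    = [bool](Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)
    LapsClientInstalled  = Test-Path 'C:\Program Files\LAPS\CSE\AdmPwd.dll'  # legacy LAPS CSE path (assumed)
} | Format-List
```

Run the report section alone first on a test host; a `$true` for EndOfSupportPlatform or RdpListening without MFA in front of it maps directly to the entry vectors the post describes.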
During early March, Microsoft shared information on the various entrance vectors and post-exploitation techniques used by the operators behind DoppelPaymer, Dharma, and Ryuk, showing that there’s an overwhelming overlap in the security misconfigurations these threat actors abuse as part of their devastating ransom attacks.
Microsoft is also alerting hospitals regarding vulnerable public-facing VPN devices and gateways located on their networks, starting April 1.