Ransomware has grown up from its early days, when it simply encrypted a single computer. From spreading through lateral movement, to hijacking a victim's email account to spread the infection, to exfiltrating data to add leverage to the extortion, to infecting literally thousands of endpoints in a single attack, ransomware is no longer the minor inconvenience it once was.
But a newer tactic caught my attention: abusing Active Directory (AD) itself to push the ransomware to more machines. Last week, Clint Bodungen, founder and CEO of incident response vendor ThreatGen, spoke at the S4x20 conference in Miami. There he outlined an incident involving Ryuk ransomware and some of ThreatGen's oil and gas customers in which AD was leveraged as part of the attack.
According to Bodungen, the attackers:
- Sat dormant within the victim networks for months before launching the ransomware
- Used RDP to move laterally within the network (which implies they had already obtained valid credentials)
- Gained elevated access to AD
- Edited a logon script assigned to roaming users so that it also installed Ryuk, turning every subsequent user logon into the distribution mechanism
This is a textbook case of tactics traditionally associated with data theft (long dwell time, credential abuse, privilege escalation in AD) merging with a ransomware attack.
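The logon-script step is the one defenders can check for directly. The script below is an added example for this post, not code from Bodungen's talk or from ThreatGen: it lists every user with a legacy scriptPath set, flags SYSVOL script files (NETLOGON and each GPO's Scripts folder, including the scripts.ini that defines which scripts run) written recently, and greps them for content that has no business in a drive-mapping logon script. It assumes the RSAT ActiveDirectory module is installed and that the caller can read SYSVOL; the 30-day lookback and the regex heuristics are assumptions to tune for your environment.

```powershell
# Added example (not from the original post or ThreatGen): audit AD logon scripts
# for the kind of tampering described above. Assumes the ActiveDirectory module
# (RSAT) is installed and the caller can read SYSVOL. The lookback window and the
# suspicious-content patterns below are assumptions; adjust them for your domain.
#Requires -Modules ActiveDirectory

param(
    [string]$Domain       = (Get-ADDomain).DNSRoot,
    [int]   $LookbackDays = 30
)

$since = (Get-Date).AddDays(-$LookbackDays)

# 1. Every user whose scriptPath attribute (legacy logon script) is populated.
#    A value that appeared recently, or that points outside NETLOGON, deserves a look.
Write-Host "== Users with a logon script (scriptPath) set ==" -ForegroundColor Cyan
Get-ADUser -Filter 'scriptPath -like "*"' -Properties scriptPath, whenChanged |
    Sort-Object whenChanged -Descending |
    Select-Object SamAccountName, scriptPath, whenChanged |
    Format-Table -AutoSize

# 2. Script files in SYSVOL: the legacy NETLOGON share plus every GPO under
#    Policies\{GUID}\User\Scripts\Logon. scripts.ini / psscripts.ini are included
#    because adding a CmdLine entry there is enough to run a new script at logon.
$roots = @(
    "\\$Domain\NETLOGON",
    "\\$Domain\SYSVOL\$Domain\Policies"
)
$scriptTypes = '*.bat', '*.cmd', '*.ps1', '*.vbs', '*.js', '*.ini'

Write-Host "`n== SYSVOL script files modified since $($since.ToShortDateString()) ==" -ForegroundColor Cyan
$recent = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Include $scriptTypes -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since -or $_.CreationTime -ge $since }
}
$recent | Select-Object FullName, LastWriteTime, Length | Format-Table -AutoSize

# 3. Content check. These regexes are example heuristics, not a complete list:
#    encoded PowerShell, hidden-window launches, LOLBins, an .exe fetched from a
#    UNC path, or anything reaching out to the internet.
$suspicious = @(
    '-enc(odedcommand)?\s+[A-Za-z0-9+/=]{20,}',
    'powershell(\.exe)?\s+.*-(w(indowstyle)?\s+hidden|nop|noni)',
    '(certutil|bitsadmin|mshta|rundll32|regsvr32|wscript|cscript)(\.exe)?\s',
    '\\\\[^\\]+\\[^\\]+\\[^\s"]+\.exe',
    'https?://'
)
$pattern = ($suspicious -join '|')

Write-Host "`n== Script lines matching suspicious patterns ==" -ForegroundColor Cyan
foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Include $scriptTypes -ErrorAction SilentlyContinue |
        Select-String -Pattern $pattern -AllMatches |
        Select-Object Path, LineNumber, Line |
        Format-Table -AutoSize -Wrap
}
```

Run it from a domain-joined admin workstation and compare the output against a known-good baseline; the point is not that any single match proves compromise, but that a logon script which changed last night and now launches an executable from a share is exactly the artifact this attack leaves behind. Pairing the check with auditing of SYSVOL writes (and of changes to the scriptPath attribute) turns a one-off hunt into a standing detection.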
According to Bodungen, the initial attack vectors were spear phishing and watering hole attacks. Both require the interaction of a user. Users who undergo continual Security Awareness Training are taught to be wary of suspicious email or web content. Given that these Ryuk attacks succeeded, it stands to reason that protective security solutions alone didn't do the trick. By including users as part of the security strategy, organizations have a better chance of avoiding a successful attack.