Ransomware Preparedness: A Call to Action
Hardly a day passes without news of another company, hospital, school district, or municipal government temporarily brought to a halt by ransomware. Ransomware attacks are now so common that they barely make the news anymore.
Ransomware is no longer the most popular ransomware, but security professionals continue to obsess about it. Ransomware is still the most lucrative way for cybercriminals to monetize unauthorized access to business networks. The ransom demands can range from USD 1 million to USD 10 million. Ransomware can be a very costly attack on any organization. It can cause disruptions in operations or even data theft.
Ransomware readiness has become a critical requirement for all organizations. Even chief executives and boards are now acknowledging it as part of their responsibility to foster good governance. Ransomware is not a game. As defenses improve, ransomware agents continue to invent new ways to compromise and extort victims.
The CrowdStrike® Services team routinely assists organizations both in preparing for and responding to ransomware attacks. These are the most common practices that we recommend.
Increase the resilience of internet-facing applications
CrowdStrike has observed eCrime threat actors exploiting single-factor authentication and unpatched internet-facing applications. BOSS SPIDER was one of the first big game hunting (BGH) ransomware threat actors. It targeted systems with Remote Desktop Protocol (RDP) accessible via the internet. The less sophisticated operators of Dharma, Phobos, and GlobeImposter ransomware often gain access via brute-force RDP attacks.
CrowdStrike strongly discourages exposing RDP directly to the internet. Organizations that use CrowdStrike Falcon® can quickly and efficiently identify active RDP brute-forcing. This query can be found in the Falcon Event Activity Monitor.
ent of Maze ransomware, exploit CVEs (common vulnerabilities and exposures) associated with Pulse VPN to gain access into victim organizations. CrowdStrike recommends using a VPN that has multifactor authentication and ensuring that all CVEs related to the VPN platform and the underlying authentication software are patched first. This principle should be applied to all remote methods, including Citrix Gateway and Azure Active Directory (AD). CrowdStrike has observed that the latter is being used by threat actors like TRAVELING SPIDER, the criminal developer of Nemty ransomware. CrowdStrike has seen this technique used to gain access through Citrix Gateway to the victim organizations and to send extortion-related emails using the victim’s Microsoft Office 365 instance.
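The RDP brute-forcing described above also leaves a trail in Windows Security logs. The following is an added example, not CrowdStrike's Falcon query and not code from the original post; the event lines, thresholds and function name are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (not real telemetry): time, event ID, logon type, source IP, account.
# 4625 = failed logon, 4624 = successful logon. Type 10 is RemoteInteractive (RDP);
# with Network Level Authentication, failed RDP attempts are logged as type 3, which
# also covers other network logons, so scope the input to RDP-exposed hosts.
SAMPLE_EVENTS = """\
2024-03-01T02:10:00,4625,3,203.0.113.7,administrator
2024-03-01T02:10:04,4625,3,203.0.113.7,admin
2024-03-01T02:10:09,4625,3,203.0.113.7,backup
2024-03-01T02:10:15,4625,3,203.0.113.7,svc_sql
2024-03-01T02:10:21,4625,3,203.0.113.7,backup
2024-03-01T02:10:30,4624,10,203.0.113.7,backup
2024-03-01T08:59:40,4625,10,198.51.100.20,jsmith
2024-03-01T09:00:05,4625,10,198.51.100.20,jsmith
2024-03-01T09:00:30,4624,10,198.51.100.20,jsmith
2024-03-01T09:30:00,4625,3,198.51.100.99,administrator
2024-03-01T10:30:00,4625,3,198.51.100.99,administrator
""".splitlines()


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Return one finding per source IP with >= threshold failed logons inside window."""
    failures = defaultdict(deque)  # source IP -> timestamps of failures still in the window
    accounts = defaultdict(set)    # source IP -> account names it tried
    findings = {}                  # source IP -> finding, created when the threshold is hit
    for line in lines:
        stamp, event_id, logon_type, ip, account = line.strip().split(",")
        if logon_type not in ("3", "10"):
            continue
        when = datetime.fromisoformat(stamp)
        if event_id == "4625":
            queue = failures[ip]
            queue.append(when)
            while when - queue[0] > window:  # drop failures older than the window
                queue.popleft()
            accounts[ip].add(account.lower())
            if len(queue) >= threshold and ip not in findings:
                findings[ip] = {"source_ip": ip, "alerted_at": stamp, "logged_in_as": None}
        elif event_id == "4624" and ip in findings and findings[ip]["logged_in_as"] is None:
            # A success after the burst means a guess probably worked: highest priority.
            findings[ip]["logged_in_as"] = account.lower()
    for ip, finding in findings.items():
        finding["accounts_tried"] = sorted(accounts[ip])
    return list(findings.values())


if __name__ == "__main__":
    for finding in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(finding)
```

A finding whose `logged_in_as` is set should be handled as a likely account compromise rather than as background noise from internet scanning.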
Improve and Implement Email Security
Gaining an initial foothold into a victim organization through a phishing email is the most common tactic for BGH ransomware groups. These phishing emails typically contain a malicious URL or link that delivers a payload directly to the victim’s computer.
Users must have a process in place to report any email they don’t understand. If possible, businesses should restrict users’ access to their personal email accounts.
Organizations should have a strong security awareness program. This program should include reminders, user training, and “phish me” campaigns. Your employees will learn how to avoid being fooled by phishing emails by creating their own “phish me” campaign. CrowdStrike uses this best practice internally.
Threat actors often use a variety of endpoint exploit techniques throughout an attack cycle that eventually leads to a ransomware release. These techniques range from exploiting poor AD configurations to using publicly available exploits against unpatched applications and systems.
Endpoint hardening strategies will ensure that threat actors must defeat multiple defense layers before they can attack. Every layer of defense that a threat actor encounters offers an opportunity for the defense teams to detect and contain the activity before it leads to ransomware.
Below is a list of key system-hardening steps that defenders can implement. This is not an exhaustive list. System hardening should be an iterative process.
- Endpoint security products, e.g., the EDR platform, should cover all endpoints in your network. Endpoint security platforms should include strict anti-tampering safeguards and alerts for any sensor that goes offline or is removed.
- Create a patch management and vulnerability management program. This will ensure that all operating systems and endpoint applications are up-to-date. Ransomware attackers leverage endpoint vulnerabilities for many purposes, including privilege escalation and lateral movement. CrowdStrike Falcon Spotlight™ vulnerability management is available to existing Falcon customers. It allows them to see vulnerabilities in real time and to assess the impact on the environment.
- Use Active Directory security best practices. Based on the top AD mistakes CrowdStrike Services has observed in ransomware engagements, these are our recommendations:
  - Avoid easy-to-guess passwords with weak authentication methods.
  - Avoid creating regular domain users with local administrator privileges and local administrator accounts that have the same passwords throughout the entire enterprise, or large parts of it.
  - Limit workstation-to-workstation communication. This can be done using group policy objects (GPOs), but it can also be achieved by using a variety of micro-segmentation options.
  - Don’t share privileged credentials. Bad security practices include sharing administrative accounts and using an administrator account for personal or daily business activities that do not require administrator privileges.
  - The first two points can be achieved using AD without additional cost. Privileged access management (PAM), which can be scalable and more robust, is available at an additional cost. This topic will be discussed later in this blog.
With the recent acquisition of Preempt, CrowdStrike is continuously adding capabilities to its Zero Trust framework. This blog’s “Implement an Identity and Access Management” section explains how Falcon Zero Trust could help you to further secure your endpoints and improve the IAM program.
Ransomware-proof Data With Offline Backups
Ransomware has emerged as a popular method for monetizing attacks. Malicious code developers have been able to make it difficult for security researchers and victims to decrypt the data. It is important to remember that ransomware attackers have used online backups to inflict ransomware on the environment before.
Ransomware-proof backups are the only way to save data from ransomware attacks. In an emergency, it is easier to recover data from offline backups. When creating a ransomware-proof offline backup system, the following should be taken into consideration:
- Offline backups and indexes (describing which volumes contain what data) should be kept separate from the rest.
- These networks should be restricted by strict access control lists (ACLs), and all authentications should use multifactor authentication (MFA).
- Administrators who have access to both online and offline infrastructures should not reuse account passwords. Instead, they should use a jump box when accessing offline backup infrastructure.
- With strict ACLs, cloud storage services can also be used as an offline backup infrastructure.
- Offline infrastructure should be connected to the live network only in emergencies, such as a ransomware attack.
Restriction of Virtualization Management Infrastructure Access
As we mentioned, the threat actors involved in big game hunting ransomware campaigns continue to innovate to increase their effectiveness. The latest development is a direct attack on virtualized infrastructure. This approach targets the hypervisors that store and deploy virtual machines (VMDK). The endpoint security products installed on the virtualized machines therefore do not see malicious actions taken on the hypervisor.
We will be using VMware’s naming convention to help us understand the attack. It is the most commonly used virtualization product in today’s enterprise environments.
Many ESXi systems (VMware hypervisors) do not have Secure Shell (SSH) enabled and are managed through vCenter. If SSH is disabled, previously stolen administrative credentials can be used to enable SSH for all ESXi systems. Once this is done, a valid account can be used to access each ESXi target system. VMDKs on the ESXi are disabled to allow the ransomware to access encrypted files. Systems impacted by this deployment method go offline and become inaccessible to users.
Recently, CrowdStrike Intelligence has observed this method being used by CARBON SPIDER and SPRITE SPIDER, and CrowdStrike expects this trend to continue to be used and adopted by eCrime operators. The following items will help organizations to strengthen their virtualized environments as this tactic is more widely adopted.
- Limit access to ESXi hosts only to a few systems. Also, ensure that these systems are properly patched and have endpoint monitoring.
- ESXi systems can be managed using LDAP-bound Active Directory accounts. These accounts are often privileged accounts that were targeted earlier by the threat actor. This could reduce the possibility that an administrative account already compromised by ransomware is used to attack the ESXi system.
- SSH access should be disabled or secured with MFA.
- Passwords should be unique for each ESXi host and the web client. They should also be strong/complex and contain a mixture of special characters, numbers, and letters. Avoid using “1337” and dictionary words.
- To further restrict access, enable Normal Lockdown Mode. See reference here.
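One way to detect the sequence described in this section (SSH enabled across ESXi hosts by a single account, followed by SSH logins), as an added example that is not from the original post. The normalized event schema, account names and thresholds are hypothetical; map them from your own vCenter and ESXi logs.

```python
from datetime import datetime, timedelta

# Constructed events in a hypothetical normalized schema (not vCenter's native log format):
# time, action, ESXi host, account that performed the action.
SAMPLE_EVENTS = """\
2024-03-02T01:00:00,ssh_enabled,esx01,vadmin@corp.example
2024-03-02T01:00:40,ssh_enabled,esx02,vadmin@corp.example
2024-03-02T01:01:10,ssh_enabled,esx03,vadmin@corp.example
2024-03-02T01:02:00,ssh_enabled,esx04,vadmin@corp.example
2024-03-02T01:03:30,ssh_login,esx01,root
2024-03-02T01:04:10,ssh_login,esx02,root
2024-03-02T14:00:00,ssh_enabled,esx09,ops1@corp.example
2024-03-02T14:01:00,ssh_login,esx09,root
""".splitlines()


def detect_mass_ssh_enable(lines, min_hosts=3, window=timedelta(minutes=15)):
    """Flag accounts that enable SSH on >= min_hosts distinct ESXi hosts inside window."""
    enables, logins = {}, []
    for line in lines:
        stamp, action, host, account = line.strip().split(",")
        when = datetime.fromisoformat(stamp)
        if action == "ssh_enabled":
            enables.setdefault(account, []).append((when, host))
        elif action == "ssh_login":
            logins.append((when, host))
    findings = []
    for account, items in enables.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            burst = {}  # host -> first time SSH was enabled on it in this window
            for when, host in items[i:]:
                if when - start <= window:
                    burst.setdefault(host, when)
            if len(burst) >= min_hosts:
                # Hosts that saw an SSH login after the enable are the ones to triage first.
                used = sorted({h for t, h in logins if h in burst and t >= burst[h]})
                findings.append({"account": account, "hosts": sorted(burst),
                                 "ssh_login_after_enable": used})
                break  # one finding per account
    return findings


if __name__ == "__main__":
    for finding in detect_mass_ssh_enable(SAMPLE_EVENTS):
        print(finding)
```

A single maintenance change on one host stays below the default threshold, while the same account touching several hosts within minutes does not.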
Implement an Identity and Access Management (IAM) Program
An IAM program can help organizations improve their security. It tracks all activity for all privileged and service accounts. This allows for immediate identification of suspicious traffic or unusual resource requests.
CrowdStrike provides two Identity Protection modules to help organizations implement an IAM program: Falcon Zero Trust and Falcon Identity Threat Detection. These modules can be added to existing Falcon instances to provide real-time protection against identity-based attacks or anomalies that could target an organization. This platform’s adaptive capabilities allow enterprises to automatically respond to threats by determining the appropriate type of enforcement or notification. For example, service accounts attempting to connect via RDP, or RDP connecting to an unusual destination, could be challenged via multifactor authentication or blocked by Falcon Zero Trust in real time.
To steal credentials and increase their presence in the environment, almost all BGH ransomware organizations will use off-the-shelf credential-dumping tools like Mimikatz or SPRITE SPIDER’s PyXie or LaZagne modules. Attackers then use the output of these tools to move laterally within a network, using techniques like Pass-the-Hash and Pass-the-Ticket as well as Kerberoasting.
Falcon Identity Protection, an IAM platform, can detect this credential exploitation, as well as suspicious protocols and abnormal behavior in the AD environment. These detections will identify compromised devices and accounts and determine if they should be blocked or challenged via MFA/2FA to stop the attack from progressing. This will severely limit the ability of BGH ransomware organizations to achieve their goals.
Create and pressure-test an Incident Response plan
Sometimes organizations become aware that there is threat actor activity in their environment but lack the visibility or intelligence to identify the root cause. The ability to recognize the threat and respond quickly and effectively can make the difference between a serious incident and a near miss.
Incident response plans and playbooks help facilitate that speedy decision-making. They should cover all parts of the response effort across the organization. They should also provide support for decision-making to ensure that first-line responders don’t miss important details when triaging alerts. If a ransomware attack is imminent, they should outline the authority of the security team to take decisive action (e.g., shutting down business-essential services).
Plans should outline who is on the crisis management team and what their roles are. The plan should include important decisions such as when to activate an incident response retainer, how to notify insurance carriers, how to involve outside counsel and how to talk with executives about ransom demands.
Regular tabletop exercises can be used to validate the incident response plan. Simulated exercises, such as “purple-team” engagements, may be beneficial for some organizations. In these, red teamers imitate ransomware operators’ actions on objectives. CrowdStrike recommends that you exercise your incident response plan regularly, both planned and unplanned. CrowdStrike suggests using a red team to conduct mock attacks.
An attack should not be unexpected or unplanned for organizations.
Get started now
Ransomware attacks can strike any organization with ransom demands of up to seven digits. However, there are ways to prevent these threat actors from launching a massive ransomware campaign. By reducing common entry points, implementing multifactor authentication, and hardening both the endpoint and Active Directory infrastructure, organizations can improve their resilience to ransomware threat agents.
It’s impossible to stop all network intrusions. However, security-in-depth principles and the “1-10-60” benchmark (one minute to detect an issue, 10 minutes to investigate, and one hour to resolve) can help to ensure that threat actors are stopped before they reach their goals of ransomware and data theft.