Microsoft: Ransomware gangs that don't threaten to leak your data steal it anyway

And these human-operated ransomware gangs have stepped up attacks amid the pandemic to maximize profits.
Written by Liam Tung, Contributing Writer

Just because ransomware attackers haven't threatened to leak your company's data, it doesn't mean they haven't stolen it, Microsoft warns.  

And human-operated ransomware gangs – typically associated with multi-million dollar ransom demands – haven't halted activity during the global coronavirus pandemic.

In fact, they launched more of the file-encrypting malware on target networks in the first two weeks of April than in earlier periods, causing chaos at aid organizations, medical billing companies, manufacturing, transport, government institutions, and educational software providers, according to Microsoft. 


Microsoft says there was a "slight uptick" in the volume of ransomware attacks in the first two weeks of April, usually from ransomware groups that had already gained access to networks several months earlier. 

"Attackers have compromised target networks for several months beginning earlier this year and have been waiting to monetize their attacks by deploying ransomware when they would see the most financial gain," Microsoft's Threat Protection Intelligence Team said.

The attacks demonstrate that these groups really don't care that they're impacting critical services during a global crisis, according to Microsoft.  

That observation runs counter to reports that ransomware gangs vowed not to attack hospitals during the COVID-19 coronavirus pandemic. The early-April attacks also coincide with Microsoft issuing its first-ever warning directly to hospitals to patch vulnerable VPN appliances, after it saw a ransomware gang targeting them. 

"Many of these attacks started with the exploitation of vulnerable internet-facing network devices; others used brute force to compromise RDP servers," Microsoft said. 

"In these specific campaigns, the operators gained access to highly privileged administrator credentials and were ready to take potentially more destructive action if disturbed." 

Microsoft said the long lag between compromise and ransomware deployment means defenders should look for signature activity preceding the deployment, which includes credential theft and lateral movement activities, using tools like Mimikatz and Cobalt Strike. 

Key internet-facing systems that have been targeted in recent campaigns include RDP and Virtual Desktop endpoints without multi-factor authentication; unsupported platforms, such as Windows Server 2003 and 2008; misconfigured web servers, including IIS, electronic health record (EHR) software, backup servers, or systems management servers; vulnerable Citrix ADC (formerly NetScaler) systems; and vulnerable Pulse Secure VPNs.

Admins who haven't patched vulnerabilities in these systems are asking for trouble, given that attackers are continuously scanning the internet for these unpatched systems.


Microsoft also noted a concerning trend among the main ransomware groups. Over the past few months, multiple ransomware gangs have taken to stealing data before encrypting it and then threatening to leak it online if a ransom isn't paid.

ZDNet has published a list of the main gangs using this tactic, which include Maze, DoppelPaymer, and REvil (Sodinokibi).

Microsoft says these attackers often maintain control over some endpoints after deploying ransomware for the purpose of launching future attacks after a ransom has been paid. And while some groups have gained a reputation for selling victims' data, even gangs that didn't advertise they would go down this path still viewed and stole data anyway.

Microsoft's list of top ransomware payloads deployed in April includes RobbinHood, Maze, PonyFinal, Valet loader, and REvil. Others include Paradise, RagnarLocker, MedusaLocker, and LockBit.

Microsoft advised defenders to scour networks for malicious PowerShell, Cobalt Strike and other penetration-testing tools that may look like red team activities. They should also look for suspicious access to Local Security Authority Subsystem Service (LSASS) and suspicious registry modification, as well as evidence of tampering with security event logs. 
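The hunting advice above (brute-forced RDP, LSASS access, event log tampering) is a short list of things to look for rather than a procedure. The following PowerShell sweep is an added example written for this page, not code from Microsoft's post or from ZDNet; it assumes a Windows host where Security auditing is on and Sysmon is installed with ProcessAccess (event ID 10) logging for lsass.exe, and the allowlist of legitimate LSASS readers, the seven-day window and the failed-logon threshold are all starting assumptions to tune locally.

```powershell
# Added example: hunt for pre-ransomware activity on one Windows host.
# Assumptions (not from the article): Security log auditing enabled, Sysmon
# installed with ProcessAccess (ID 10) logging, run from an elevated shell.
param(
    [datetime]$Since = (Get-Date).AddDays(-7),   # look-back window (assumed)
    [int]$BruteForceThreshold = 50               # failed logons per source (assumed)
)

function Get-EventData {
    # Flatten an event's <EventData> fields into an object keyed by field name,
    # so later stages can filter on names rather than positional indexes.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return [pscustomobject]$h
}

# 1. RDP brute force: many 4625 (failed logon) events from one source address.
#    Logon type 10 is RemoteInteractive (RDP); type 3 covers RDP with NLA enabled.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } `
    -ErrorAction SilentlyContinue
$bySource = $failed | ForEach-Object { Get-EventData $_ } |
    Where-Object { $_.LogonType -in '3', '10' } |
    Group-Object IpAddress |
    Where-Object { $_.Count -ge $BruteForceThreshold } |
    Sort-Object Count -Descending
Write-Host "== Sources with >= $BruteForceThreshold failed RDP/network logons since $Since =="
$bySource | Select-Object Name, Count | Format-Table -AutoSize

# 2. Log tampering: Security 1102 (audit log cleared) and System 104 (event log cleared).
$cleared = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $Since } `
        -ErrorAction SilentlyContinue
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Eventlog'; Id = 104; StartTime = $Since } `
        -ErrorAction SilentlyContinue
)
Write-Host "== Event log clearing =="
$cleared | Select-Object TimeCreated, Id, LogName,
    @{ n = 'User'; e = { (Get-EventData $_).SubjectUserName } } | Format-Table -AutoSize

# 3. Credential theft: Sysmon ProcessAccess (ID 10) against lsass.exe from an image
#    that is not on the allowlist. The allowlist below is an assumed starting point;
#    extend it with your EDR/AV binaries after confirming their paths.
$known = @(
    'C:\Windows\System32\csrss.exe',
    'C:\Windows\System32\wininit.exe',
    'C:\Windows\System32\svchost.exe'
)
$lsass = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10; StartTime = $Since } `
    -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventData $_ } |
    Where-Object { $_.TargetImage -like '*\lsass.exe' -and $_.SourceImage -notin $known }
Write-Host "== Non-allowlisted access to LSASS =="
$lsass | Select-Object UtcTime, SourceImage, GrantedAccess | Format-Table -AutoSize
```

Run it on a handful of domain controllers, jump hosts and the RDP-exposed servers first, since those are where the brute-force and LSASS signals concentrate. A single hit in section 2 or 3 is worth treating as an incident rather than a statistic: log clearing and unallowlisted LSASS reads are precisely the "signature activity" Microsoft says precedes ransomware deployment, and they are cheap for an attacker to produce but rare in normal operation.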

Key systems and vulnerabilities defenders should check for include: 

  • RDP or Virtual Desktop endpoints without MFA
  • Citrix ADC systems affected by CVE-2019-19781
  • Pulse Secure VPN systems affected by CVE-2019-11510
  • Microsoft SharePoint servers affected by CVE-2019-0604
  • Microsoft Exchange servers affected by CVE-2020-0688
  • Zoho ManageEngine systems affected by CVE-2020-10189