Microsoft has detailed the tactics and techniques of some of the most costly ransomware in recent years, which aren't automated but rather are manually controlled by human hands at a keyboard.
It warned that some ransomware groups are now using the same skills as nation-state-backed hackers, and show an "extensive knowledge of systems administration and common network security misconfigurations", perform thorough reconnaissance, and then deliver "devastating" ransomware payloads.
"Based on our investigations, these campaigns appear unconcerned with stealth and have shown that they could operate unfettered in networks," Microsoft said.
The ransomware variants included in Microsoft's survey are REvil, Samas or SamSam, Doppelpaymer, Bitpaymer, and Ryuk. The average ransom demand for REvil is $260,000, making it a 'big game' ransomware because of the targets selected and the amounts demanded. US Fortune 500 engineering and industrial construction company EMCOR Group this week reported that Ryuk impacted its Q4 2019 revenues because of the IT downtime it caused.
Microsoft has been monitoring another malware group it calls Parinacota (Microsoft is using volcanoes to name digital crime actors) for 18 months. The group has historically hacked machines to install cryptocurrency miners and send spam, but recently started deploying Wadhrama ransomware on corporate networks in "smash and grab" attacks, with ransom demands made within an hour of infiltration. If given the opportunity, the group also conducts reconnaissance and moves laterally within the network.
Parinacota mostly uses RDP brute force attacks to get in, scanning the internet for vulnerable devices and then trying a list of popular passwords.
Microsoft has identified one unique tactic the group employs. After gaining access to a network, the attackers test the compromised machine for internet connectivity and processing capacity, according to the Microsoft Threat Protection Intelligence Team.
"They determine if the machine meets certain requirements before using it to conduct subsequent RDP brute force attacks against other targets. This tactic, which has not been observed being used by similar ransomware operators, gives them access to additional infrastructure that is less likely to be blocked. In fact, the group has been observed leaving their tools running on compromised machines for months on end," says the team in a blog post.
Using stolen credentials and admin privileges, the group kills security services that could detect its actions, then often downloads a ZIP archive stuffed with attacker tools such as Mimikatz and the Sysinternals utility ProcDump for the next stages of the attack, which focus on dumping credentials from LSASS process memory and then using an RDP session to exfiltrate them.
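Both behaviours described above (a burst of failed RDP logons from one address before a success, and a dump utility pointed at LSASS) leave traces in the Windows Security log. The following is an added example, not code from Microsoft's report or the article, showing how a defender might flag them over a handful of constructed event records. The field names (EventID, LogonType, IpAddress, CommandLine) follow the Windows Security log; the hostnames, addresses, timestamps and thresholds are made up for the illustration. ProcDump's -ma (full memory dump) and -accepteula switches are real, and matching on them catches a renamed binary that a plain filename check would miss.

```python
"""Two detection rules over constructed Windows Security event records.

Rule 1: RDP brute force -- at least `threshold` failed logons (Event ID 4625,
        Logon Type 10 = RemoteInteractive/RDP) from one source address inside
        `window`, plus whether a success (4624) from that address followed.
Rule 2: LSASS dump -- a process-creation event (Event ID 4688) whose command
        line names lsass together with ProcDump-style indicators.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (addresses, hosts and times are invented).
SAMPLE_EVENTS = [
    {"time": "2020-03-06T02:00:01", "EventID": 4625, "LogonType": 10, "IpAddress": "198.51.100.7", "TargetUserName": "administrator", "Computer": "SRV-FILE01"},
    {"time": "2020-03-06T02:00:20", "EventID": 4625, "LogonType": 10, "IpAddress": "198.51.100.7", "TargetUserName": "admin", "Computer": "SRV-FILE01"},
    {"time": "2020-03-06T02:00:45", "EventID": 4625, "LogonType": 10, "IpAddress": "198.51.100.7", "TargetUserName": "backup", "Computer": "SRV-FILE01"},
    {"time": "2020-03-06T02:01:10", "EventID": 4625, "LogonType": 10, "IpAddress": "198.51.100.7", "TargetUserName": "administrator", "Computer": "SRV-FILE01"},
    {"time": "2020-03-06T02:01:33", "EventID": 4625, "LogonType": 10, "IpAddress": "198.51.100.7", "TargetUserName": "administrator", "Computer": "SRV-FILE01"},
    {"time": "2020-03-06T02:02:02", "EventID": 4625, "LogonType": 10, "IpAddress": "198.51.100.7", "TargetUserName": "administrator", "Computer": "SRV-FILE01"},
    {"time": "2020-03-06T02:02:40", "EventID": 4624, "LogonType": 10, "IpAddress": "198.51.100.7", "TargetUserName": "administrator", "Computer": "SRV-FILE01"},
    # A user who mistyped a password twice: below threshold, must not be flagged.
    {"time": "2020-03-06T08:15:00", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.9", "TargetUserName": "jsmith", "Computer": "SRV-FILE01"},
    {"time": "2020-03-06T08:15:30", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.9", "TargetUserName": "jsmith", "Computer": "SRV-FILE01"},
    # Renamed dump tool: the filename gives nothing away, the switches do.
    {"time": "2020-03-06T02:09:12", "EventID": 4688, "Computer": "SRV-FILE01", "CommandLine": r"C:\Windows\Temp\pd.exe -accepteula -ma lsass.exe C:\Windows\Temp\out.dmp"},
    # Benign process creation for contrast.
    {"time": "2020-03-06T09:00:00", "EventID": 4688, "Computer": "SRV-FILE01", "CommandLine": r"C:\Windows\System32\notepad.exe C:\Users\jsmith\notes.txt"},
]

# Indicators for rule 2: known tool names plus ProcDump's own switches.
LSASS_DUMP_INDICATORS = ("procdump", "-ma", "-accepteula")


def _parse_time(ts):
    return datetime.fromisoformat(ts)


def _max_in_window(times, window):
    """Largest number of (sorted) timestamps inside any span of length `window`."""
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: finding} for addresses whose RDP failures burst past `threshold`."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e.get("LogonType") != 10:            # only RDP (RemoteInteractive) logons
            continue
        t = _parse_time(e["time"])
        if e["EventID"] == 4625:
            failures[e["IpAddress"]].append((t, e["TargetUserName"]))
        elif e["EventID"] == 4624:
            successes[e["IpAddress"]].append(t)

    findings = {}
    for ip, fails in failures.items():
        fails.sort()
        times = [t for t, _ in fails]
        if _max_in_window(times, window) < threshold:
            continue
        # A success from the same source after the burst began means the spray likely worked.
        succeeded = any(s >= times[0] for s in successes.get(ip, []))
        findings[ip] = {
            "failures": len(fails),
            "accounts": sorted({u for _, u in fails}),
            "success_after_burst": succeeded,
        }
    return findings


def detect_lsass_dump(events):
    """Return process-creation events whose command line targets lsass with dump-tool indicators."""
    hits = []
    for e in events:
        if e.get("EventID") != 4688:
            continue
        cmd = e.get("CommandLine", "").lower()
        # Legitimate troubleshooting can look the same, so this is a triage signal, not proof.
        if "lsass" in cmd and any(ind in cmd for ind in LSASS_DUMP_INDICATORS):
            hits.append({"host": e["Computer"], "time": e["time"], "command": e["CommandLine"]})
    return hits


if __name__ == "__main__":
    for ip, f in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"RDP brute force from {ip}: {f}")
    for h in detect_lsass_dump(SAMPLE_EVENTS):
        print(f"Possible LSASS dump on {h['host']}: {h['command']}")
```

Run on real data, the same two rules would sit over events pulled from the Security log (or forwarded to a SIEM); the threshold and window are tuning knobs, and the success-after-burst flag is what turns a noisy brute-force alert into a credential-compromise incident.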
Because of all this background work, organizations that manage to clean up a Wadhrama infection often can't fully remove the persistence mechanisms, leaving the target vulnerable to reinfection.
The group charges between 0.5 and 2 Bitcoins ($4,500 to $18,268) per compromised machine, adjusting the demand to how critical the machine is perceived to be.
Part of the point of Microsoft's post is to illustrate why security teams should enable the features available in Windows Defender ATP, such as tamper protection, as well as standard safeguards like security updates and Microsoft's cloud-delivered antivirus.
Ryuk is another example of human-operated ransomware; it often enters networks via the Trickbot banking trojan.
"In our investigations, we found that this activation occurs on Trickbot implants of varying ages, indicating that the human operators behind Ryuk likely have some sort of list of check-ins and targets for deployment of the ransomware," the team writes.
Microsoft notes that Trickbot is often seen as a low-priority threat and therefore isn't isolated immediately.
"This works in favor of attackers, allowing them to have long-running persistence on a wide variety of networks. Trickbot, and the Ryuk operators, also take advantage of users running as local administrators in environments and use these permissions to disable security tools that would otherwise impede their actions," they noted.
Some companies have made these attacks easier by weakening their own internal security. Microsoft said some successful human-operated ransomware campaigns have targeted servers on which antivirus software and other security controls were intentionally disabled, which admins may have done to improve performance. "The same servers also often lack firewall protection and MFA, have weak domain credentials, and use non-randomized local admin passwords," it said.