Cyber-crime continues to evolve – especially over the last year in terms of ransomware. Ransomware used to be largely a spray-and-pray proposition where attackers used automated tools to spread and encrypt as fast as possible, with immediate ransom demands. Those did enough damage.
However, cybersecurity researchers are reporting a new, more patient and human-driven extortion scheme where criminals infect many networks but only select larger organizations with deeper pockets. In these larger target networks, they may dwell for as long as a year while they stealthily reconnoiter and spread.
Once they identify and compromise the organization’s most critical systems, they pull the trigger, encrypt and demand ransom. The activity appears to be from Russian organized cybercrime and the attacks as a set are identified as TEMP.Mixmaster by some researchers, and is associated with a cyber-crime group identified as GRIM SPIDER by other researchers.
In these attacks, the initial compromise is via TrickBot, usually via the time-honored attached-document-bearing-macros routine. Then using a wide variety of techniques, attackers patiently spread through the network gaining credentials and access as they go – and more importantly – identifying important resources along the way. Tools and techniques used include:
- Obfuscated PowerShell
- PowerShell Empire
- Common commands and utilities like sc, adfind, psexec
- Scheduled Tasks
- Remote Desktop
Ultimately, attackers end up using Ryuk to encrypt and demand ransom. Ryuk is very different than your average spray-and-pray automated ransomware. Ryuk is custom designed for manual control of smaller volume operations, involving the most crucial assets of the organization identified by attackers over the course of months and up to a year in some cases.
If you would like to learn more, check out our on-demand webinar where we take apart TEMP.Mixmaster attacks, including the 2 main pieces of malware TrickBot and Ryuk.
In addition, we share many techniques for detection of this kind of attack – there are plenty of events in the Security Log, Sysmon and Powershell logs if you know what to look for. And we’ll review what you can do to prevent and slow down attackers. Using PowerShell Security features like Constrained Language Mode and much more.
Randy Franklin Smith is an internationally recognized expert on the security and control of Windows and Active Directory security who specializes in Windows and Active Directory security. He performs security reviews for clients ranging from small, privately held firms to Fortune 500 companies, national, and international organizations. His certifications include:
- Certified Information Systems Auditor (CISA)
- Microsoft Security Most Valuable Professional (MVP)
- Systems Security Certified Professional (SSCP)
Related Posts
- Active Directory Permissions – Hiding in the Shadows
- What Active Directory Groups Am I In?
- Back to “The Basics” Blog Series – Part 2: Active Directory
- What Is Kerberos?
- Ready for Microsoft’s LDAP Changes? What You Need to Know
- Microsoft LDAP Channel Binding and Signing Patch
- Cleaning Up Unused Service Accounts Series – Part 1: Overview of the Process
- What is Azure Active Directory?
- Fun with Active Directory’s AdminCount Attribute
- Five Challenges with Monitoring Active Directory Security Using Event Logs: Part 5
Leave a Reply