Microsoft Provides Detailed Guidelines for Countering Ransomware Operated by Humans

Microsoft published in-depth advice for IT professionals earlier this month describing the human-operated ransomware market, and worked its security products into the discussion along the way.

In a human-operated ransomware attack, the attacker sits at a keyboard with network access and makes decisions as the intrusion unfolds. These criminals take advantage of the “ransomware as a service” market, which works much like the “gig economy” for services that the software sector itself heavily promoted: affiliates who carry out the attack phases are handed the attack tools and split the profits.

The gig-economy structure of the criminal ransomware sector makes it hard to tell threat actors apart, since one actor may be working with several different affiliates at once. The attack software that ransomware criminals use also changes frequently.

Microsoft labels attackers it has not yet fully identified with “DEV” plus a number. Once such a cluster becomes well understood, it switches to a volcano name. Names of chemical elements are used for nation-state attackers.

The “most prolific ransomware gang” currently operating is what Microsoft calls “DEV-0193,” also known as Trickbot LLC. This organization typically recruits from the “cybercriminal gig economy.” Microsoft also identified six other threat actors as major players in the ransomware-as-a-service market.

Attacks Using Admin Tools

Ransomware attackers essentially require admin credentials to move through a network. According to Microsoft, they often get there by exploiting unpatched software vulnerabilities.
Once network access has been established, various attack tools come into play. Cobalt Strike is one of the more popular command-and-control tools introduced into a victim’s network, but “common enterprise tools” are used as well.

Microsoft gave IT professionals the following list of typical tools it observes being used in ransomware attacks:

  • AnyDesk
  • Atera Remote Management
  • Remote Manipulator System
  • Splashtop
  • TeamViewer

If these tools are not used in an environment, Microsoft recommends blocking them with “perimeter firewall rules.” Where they are in legitimate use, Microsoft advises requiring multifactor authentication (an additional identity verification method beyond a password) for them.
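Blocking at the perimeter only helps if you also notice when one of these tools shows up where it is not expected. The following is an added example, not code from Microsoft or from the page: it runs a simple detection over constructed process-creation records (modelled loosely on Sysmon Event ID 1 fields) and flags any of the listed remote-administration products, marking whether the host is on a hypothetical help-desk allowlist and whether the binary ran from a user-writable location. The executable names mapped to each product are assumptions for illustration; confirm them against your own software inventory before using them in production detections.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Executable names assumed for each product in Microsoft's list (assumption:
# verify against your own inventory; vendors rename binaries between releases).
REMOTE_ADMIN_TOOLS = {
    "anydesk.exe": "AnyDesk",
    "ateraagent.exe": "Atera Remote Management",
    "rutserv.exe": "Remote Manipulator System",
    "rfusclient.exe": "Remote Manipulator System",
    "srserver.exe": "Splashtop",
    "teamviewer.exe": "TeamViewer",
    "teamviewer_service.exe": "TeamViewer",
}

# Hypothetical allowlist: (host, product) pairs where the tool is sanctioned.
SANCTIONED = {("helpdesk01", "TeamViewer")}

# Locations a non-admin user can write to; a remote tool launched from here
# is more likely dropped by an attacker than installed by IT.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# Constructed sample telemetry in key=value form; not real logs.
SAMPLE_LOG = """\
UtcTime=2022-05-09 08:01:12 Computer=helpdesk01 User=CORP\\svc_helpdesk Image=C:\\Program Files\\TeamViewer\\TeamViewer.exe
UtcTime=2022-05-09 08:03:40 Computer=fin-ws07 User=CORP\\jdoe Image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\AnyDesk.exe
UtcTime=2022-05-09 08:05:02 Computer=fin-ws07 User=CORP\\jdoe Image=C:\\Windows\\System32\\notepad.exe
UtcTime=2022-05-09 08:07:55 Computer=srv-file02 User=NT AUTHORITY\\SYSTEM Image=C:\\ProgramData\\rutserv.exe
UtcTime=2022-05-09 08:09:13 Computer=helpdesk01 User=CORP\\svc_helpdesk Image=C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRServer.exe
"""

# key=value pairs whose values may contain spaces; a value ends where the
# next " key=" begins or at end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


@dataclass
class Finding:
    host: str
    user: str
    product: str
    image: str
    sanctioned: bool
    user_writable_path: bool


def parse_record(line):
    """Turn one key=value line into a dict."""
    return dict(FIELD_RE.findall(line.strip()))


def detect(log_text, sanctioned=SANCTIONED):
    """Return one Finding per process-creation record that launched a known tool."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        image = rec.get("Image", "")
        product = REMOTE_ADMIN_TOOLS.get(PureWindowsPath(image).name.lower())
        if product is None:
            continue
        host = rec.get("Computer", "").lower()
        findings.append(Finding(
            host=host,
            user=rec.get("User", ""),
            product=product,
            image=image,
            sanctioned=(host, product) in sanctioned,
            user_writable_path=any(m in image.lower() for m in USER_WRITABLE),
        ))
    return findings


def unsanctioned(findings):
    """The subset worth an analyst's attention."""
    return [f for f in findings if not f.sanctioned]


if __name__ == "__main__":
    for f in unsanctioned(detect(SAMPLE_LOG)):
        flag = " [user-writable path]" if f.user_writable_path else ""
        print(f"{f.host}: {f.product} run by {f.user} from {f.image}{flag}")
```

The sanctioned TeamViewer launch on the help-desk host is kept in the results but marked as such, so it can be counted without paging anyone; the AnyDesk binary run from a user's Temp directory and the RMS server under ProgramData are the two that should be triaged first.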

Microsoft singled out the Mimikatz tool, created by “ethical hacker” Benjamin Delpy to find holes in Microsoft authentication protocols, for how quickly it incorporates newly discovered Active Directory weaknesses that ransomware attackers then put to use.

Authentication vulnerabilities like ZeroLogon and PetitPotam are also quickly adopted by ransomware activity groups, especially once they are part of toolkits like Mimikatz. Left unpatched, these flaws can let attackers go from an entry point such as email to Domain Admin-level credentials in short order.
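Patching ZeroLogon (CVE-2020-1472) is only half the job: the August 2020 update puts domain controllers into an initial deployment phase that still allows vulnerable Netlogon secure channel connections and logs them, and enforcement has to be confirmed separately. The block below is an added example, not Microsoft's code or anything from the page. It reads a constructed CSV export of a DC's System log (the shape you would get from exporting Netlogon events) and summarises the event IDs Microsoft's KB4557222 guidance documents: 5827/5828 (vulnerable connection denied), 5829 (vulnerable connection allowed, meaning the DC is not yet enforcing) and 5830/5831 (allowed through a policy exception). The event messages are abbreviated and the account names are invented. It says nothing about PetitPotam, whose mitigations (Extended Protection for Authentication on AD CS web enrollment, restricting NTLM) are not visible in these events.

```python
import csv
import io
import re
from collections import Counter

# Netlogon event IDs introduced by the ZeroLogon update (KB4557222).
NETLOGON_EVENTS = {
    5827: "denied vulnerable secure channel (machine account)",
    5828: "denied vulnerable secure channel (trust account)",
    5829: "ALLOWED vulnerable secure channel (DC not yet enforcing)",
    5830: "allowed vulnerable secure channel via machine-account policy exception",
    5831: "allowed vulnerable secure channel via trust-account policy exception",
}

# Constructed export (TimeCreated,Id,ProviderName,Message); messages shortened.
SAMPLE_EXPORT = """\
TimeCreated,Id,ProviderName,Message
2022-05-09 02:11:03,5829,NETLOGON,"The Netlogon service allowed a vulnerable Netlogon secure channel connection. Machine SamAccountName: PRINTSRV03$ Domain: CORP Account Type: Machine"
2022-05-09 02:14:41,5829,NETLOGON,"The Netlogon service allowed a vulnerable Netlogon secure channel connection. Machine SamAccountName: PRINTSRV03$ Domain: CORP Account Type: Machine"
2022-05-09 02:20:09,5829,NETLOGON,"The Netlogon service allowed a vulnerable Netlogon secure channel connection. Machine SamAccountName: NAS-LEGACY$ Domain: CORP Account Type: Machine"
2022-05-09 03:02:55,5827,NETLOGON,"The Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account. Machine SamAccountName: WS-OLD11$ Domain: CORP Account Type: Machine"
2022-05-09 03:05:12,4624,Microsoft-Windows-Security-Auditing,"An account was successfully logged on."
"""

SAM_RE = re.compile(r"SamAccountName:\s*(\S+)")

ALLOWING_VULNERABLE = "ALLOWING_VULNERABLE"
EXCEPTIONS_IN_USE = "EXCEPTIONS_IN_USE"
NO_VULNERABLE_SEEN = "NO_VULNERABLE_CONNECTIONS_SEEN"


def parse_export(text):
    """Keep only Netlogon hardening events; pull out the account that connected."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        eid = int(row["Id"])
        if eid not in NETLOGON_EVENTS:
            continue
        m = SAM_RE.search(row["Message"])
        events.append({"time": row["TimeCreated"], "id": eid,
                       "account": m.group(1) if m else None})
    return events


def _accounts(events, ids):
    return sorted({e["account"] for e in events if e["id"] in ids and e["account"]})


def assess(events):
    """Summarise what the events say about Netlogon enforcement on this DC."""
    allowed = _accounts(events, {5829})
    excepted = _accounts(events, {5830, 5831})
    denied = _accounts(events, {5827, 5828})
    if allowed:
        status = ALLOWING_VULNERABLE      # still in deployment phase; these devices need fixing
    elif excepted:
        status = EXCEPTIONS_IN_USE        # enforcing, but group policy carves out accounts
    else:
        # No vulnerable connection was *seen*; this does not prove enforcement.
        # Confirm the FullSecureChannelProtection=1 registry value under
        # HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters as well.
        status = NO_VULNERABLE_SEEN
    return {
        "status": status,
        "counts": dict(Counter(e["id"] for e in events)),
        "allowed_accounts": allowed,
        "excepted_accounts": excepted,
        "denied_accounts": denied,
    }


if __name__ == "__main__":
    report = assess(parse_export(SAMPLE_EXPORT))
    print(report["status"])
    for eid, n in sorted(report["counts"].items()):
        print(f"  {eid} x{n}: {NETLOGON_EVENTS[eid]}")
    print("  fix before enforcing:", ", ".join(report["allowed_accounts"]))
```

In the sample, two devices are still negotiating the vulnerable channel, so flipping the DC to enforcement mode now would break them; the right order is to fix or retire those devices, then enforce, and keep watching for 5827/5828 afterwards because a denial from an unexpected machine account is itself worth investigating.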

Kevin Beaumont, a security researcher and former Microsoft employee, stated on Twitter on May 9 that Delpy shouldn’t be held responsible for Microsoft’s software bugs. The blog entirely ignores that for defenders, he continued, “you need to make a whole bunch of adjustments to out of the box AD as it arrives with unsafe defaults.”

To deal with potential credential exposures, Microsoft advised using the free and open source BloodHound tool, which shows how many administrators exist in an environment and how they can be reached. According to Microsoft, “It can also be a strong tool in evaluating your credential vulnerability and decreasing access related to administrative accounts.”

Andy Robbins, the product architect for BloodHound, acknowledged the mention in a May 9 tweet and pointed interested parties to his “BloodHound versus Ransomware” guide.
However, Microsoft notes that BloodHound is yet another tool that ransomware criminals can misuse:

Microsoft has observed BloodHound being used by ransomware attackers as well. Used maliciously, BloodHound lets attackers see the path of least resistance from the systems they already control to highly privileged accounts such as domain admin accounts and global administrator accounts in Azure.
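The “path of least resistance” Microsoft describes is a shortest-path search over a graph of Active Directory relationships, which is why the same tool serves both sides. The block below is an added example written for this article, not BloodHound's own code and not from Microsoft; it builds a small constructed graph using BloodHound's edge vocabulary (MemberOf, AdminTo, HasSession, GenericAll), finds the shortest path from an ordinary user to the Domain Admins group by breadth-first search, and then does the defender's half of the job: it reports which edges on that path, if removed, would leave no route at all. All principal and computer names are invented.

```python
from collections import defaultdict, deque

# Constructed relationship graph in BloodHound's edge vocabulary (invented names).
#   MemberOf   : principal is a member of group
#   AdminTo    : principal has local admin on computer
#   HasSession : computer holds a logon session (credentials) for user
#   GenericAll : principal has full control over the target object's ACL
EDGES = [
    ("JDOE@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "AdminTo", "WS-FIN07.CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "AdminTo", "SRV-FILE02.CORP.LOCAL"),
    ("WS-FIN07.CORP.LOCAL", "HasSession", "JDOE@CORP.LOCAL"),
    ("SRV-FILE02.CORP.LOCAL", "HasSession", "SVC_BACKUP@CORP.LOCAL"),
    ("SVC_BACKUP@CORP.LOCAL", "MemberOf", "SERVER ADMINS@CORP.LOCAL"),
    ("SERVER ADMINS@CORP.LOCAL", "AdminTo", "DC01.CORP.LOCAL"),
    ("DC01.CORP.LOCAL", "HasSession", "DA_ADMIN@CORP.LOCAL"),
    ("DA_ADMIN@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
    # A stray ACL grant: the backup account can rewrite Domain Admins' membership.
    ("SVC_BACKUP@CORP.LOCAL", "GenericAll", "DOMAIN ADMINS@CORP.LOCAL"),
]

TARGET = "DOMAIN ADMINS@CORP.LOCAL"


def build_graph(edges):
    """Adjacency list: node -> [(relationship, next_node), ...]."""
    graph = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
    return graph


def shortest_path(graph, start, target, skip=None):
    """BFS over directed edges; returns [(src, rel, dst), ...] or None.

    `skip` is one edge to pretend has been removed, used for what-if analysis.
    """
    if start == target:
        return []
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in graph.get(node, []):
            edge = (node, rel, nxt)
            if edge == skip or nxt in prev:
                continue
            prev[nxt] = (node, rel)
            if nxt == target:
                path, cur = [], nxt
                while prev[cur] is not None:
                    p, r = prev[cur]
                    path.append((p, r, cur))
                    cur = p
                return path[::-1]
            queue.append(nxt)
    return None


def cut_edges(graph, start, target):
    """Edges on the shortest path whose removal alone disconnects start from target."""
    path = shortest_path(graph, start, target)
    if not path:
        return []
    return [e for e in path if shortest_path(graph, start, target, skip=e) is None]


def describe(path):
    return " -> ".join(f"{src} -[{rel}]-> {dst}" for src, rel, dst in path)


if __name__ == "__main__":
    g = build_graph(EDGES)
    path = shortest_path(g, "JDOE@CORP.LOCAL", TARGET)
    print("shortest path:", describe(path))
    for e in cut_edges(g, "JDOE@CORP.LOCAL", TARGET):
        print("removing this edge breaks the path:", e)
```

Note what the cut-edge analysis says: the GenericAll grant is the scariest edge on the page, yet removing it alone does not help, because a longer route through SERVER ADMINS and DC01 still exists. The help desk's local-admin rights on the file server, or the backup account's lingering session there, are the single fixes that actually sever the path, which is the kind of answer the BloodHound-versus-ransomware approach is meant to produce.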

Microsoft 365 Defender

Microsoft’s Monday post contained far more anti-ransomware advice than can be condensed here. It is excellent information, delivered in a lengthy blog post.

Because Microsoft’s advice was so detailed and loaded with tasks for IT professionals to perform, it can be argued that using the Microsoft 365 Defender service to manage the complexity is the best course of action.

Here is Microsoft’s core sales message:

“Ransomware is a multifaceted threat, thus security must be approached holistically. The actions we discussed above will help to greatly reduce the likelihood of ransomware attacks by defending against frequent attack patterns. Many of these security policies can be easily implemented by enterprises thanks to Microsoft 365 Defender.”

During its May 12 online Microsoft Security Summit event, which will include CEO Satya Nadella and Vasu Jakkal, corporate vice president for security, compliance, identity, and management at Microsoft, Microsoft aims to discuss these kinds of solutions in more detail.

Microsoft recently unveiled new security service options for businesses, such as its Microsoft Security Experts offering, which aims to take over security management for businesses.

Many of Microsoft’s security services pitches effectively use ransomware as a sales channel. Microsoft says it coined the term “human-operated ransomware.” Such conversations and marketing are expected to continue, particularly given that ransomware has affected the majority of businesses.

Microsoft security specialists had previously offered advice on dealing with human-operated ransomware in a talk back in December. Along with recommendations for Microsoft security solutions, it gave businesses advice on handling ransomware threats.