Microsoft warns to stay alert for human-operated ransomware campaigns
Cybercriminals are still hunting for victims during the pandemic, Microsoft's Threat Protection Intelligence Team has warned. Ransomware operators continue to target healthcare and critical service providers, and Microsoft has issued detailed guidance on reducing the risk of falling victim to them.
Earlier ransomware attacks were usually automated. Microsoft says the attacks it is seeing now are different: they are run by criminal gangs that compromise internet-facing network devices to establish a presence on vulnerable systems, often months before they strike, and then steal and encrypt the victim's data.
The attackers have a range of vulnerabilities they can use to get into a victim's network. Once inside, they work their way towards capturing credentials and preparing for the final ransomware activation, Microsoft noted.
The most recent attacks observed by Microsoft's security teams targeted Remote Desktop Protocol (RDP) or Virtual Desktop systems that are not protected with multi-factor authentication.
Older, unsupported and unpatched operating systems such as Windows Server 2003 and 2008, weak passwords, misconfigured web servers including Internet Information Services (IIS), backup servers, electronic health record software and systems management servers are all being attacked currently. Vulnerable Citrix Application Delivery Controller and Pulse Secure VPN appliances are also in the ransomware operators' sights and should be patched as soon as possible.
Once the attackers have access to a victim's device, they try to steal administrator credentials and move laterally within the network using common tools such as Mimikatz and Cobalt Strike, Microsoft said.
After gaining access, the attackers typically create new accounts, modify Windows Group Policy Objects, add scheduled tasks, register operating system services, and deploy backdoors and remote access tools for persistence. They then wait for an opportune moment to activate the ransomware and blackmail the victim.
Several human-operated ransomware payloads are in active use at present. These include RobbinHood, REvil/Sodinokibi, the Java-based PonyFinal, and Maze, whose operators were among the first to sell data stolen from the technology providers and public services they attacked, Microsoft said.
One campaign in particular, NetWalker, targets hospitals and healthcare providers through bogus COVID-19-themed emails, with the ransomware delivered as a malicious Visual Basic script file.
Beyond patching promptly, Microsoft advises watching for malicious behaviours such as tampering with the security event logs and other techniques used to evade detection, suspicious access to the Local Security Authority Subsystem Service (LSASS) process, and Windows Registry modifications, all of which can indicate that credential theft is under way.
When investigating the Windows Event Log for the earliest stage of a suspected breach, look for event ID 4624 (successful logon) with logon type 2 (interactive, at the console) or 10 (remote interactive, i.e. RDP); these can indicate post-compromise access, Microsoft said.
Later in the intrusion, 4624 events with logon type 4 (batch, the type produced by scheduled tasks) or 5 (service) can also point to breach activity, as they are what the persistence mechanisms above leave behind.
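To make the event-ID guidance concrete, here is an added example (not Microsoft's or itnews's code) in Python that parses 4624 records in the XML form that Event Viewer or Get-WinEvent's ToXml() exports and buckets them by logon type into the two phases described above. The records it runs over are constructed sample data, and the machine-account filter and the phase labels are this example's own assumptions, not part of Microsoft's guidance:

```python
"""Triage Windows Security event 4624 (successful logon) records by logon type.

Added example, not code from Microsoft or itnews. It reads event XML in the
shape exported by Event Viewer or Get-WinEvent's ToXml(); the sample records
below are constructed for the demo and were not taken from a real host.
"""
import xml.etree.ElementTree as ET

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}

# Logon types the article calls out. 2/10 are hands-on-keyboard access
# (console or RDP); 4/5 are what scheduled tasks and services produce.
EARLY_ACCESS_TYPES = {2: "Interactive", 10: "RemoteInteractive (RDP)"}
PERSISTENCE_TYPES = {4: "Batch (scheduled task)", 5: "Service"}


def _event(event_id, when, **fields):
    """Build one event in exported XML form (constructed sample data)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{EVT_NS}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System>'
            f'<EventData>{data}</EventData></Event>')


SAMPLE_XML = "<Events>" + "".join([
    # RDP logon from an outside address: early-stage access.
    _event(4624, "2020-04-02T01:12:09Z", TargetUserName="jsmith",
           TargetDomainName="CORP", LogonType=10, IpAddress="203.0.113.7"),
    # Console logon as the local Administrator.
    _event(4624, "2020-04-02T01:20:41Z", TargetUserName="Administrator",
           TargetDomainName="WIN-SRV01", LogonType=2, IpAddress="-"),
    # Scheduled task firing under a domain account: persistence.
    _event(4624, "2020-04-09T03:00:00Z", TargetUserName="svc_backup",
           TargetDomainName="CORP", LogonType=4, IpAddress="-"),
    # A newly registered service starting: persistence.
    _event(4624, "2020-04-09T03:00:05Z", TargetUserName="helpdesk-svc",
           TargetDomainName="CORP", LogonType=5, IpAddress="-"),
    # Ordinary network logon (type 3, e.g. SMB): not in scope here.
    _event(4624, "2020-04-09T08:15:22Z", TargetUserName="jsmith",
           TargetDomainName="CORP", LogonType=3, IpAddress="10.0.0.15"),
    # Machine-account service logon: routine noise, filtered out below.
    _event(4624, "2020-04-09T08:16:00Z", TargetUserName="WIN-SRV01$",
           TargetDomainName="CORP", LogonType=5, IpAddress="-"),
    # A different event ID (4672, special privileges assigned): ignored.
    _event(4672, "2020-04-09T08:16:01Z", SubjectUserName="jsmith"),
]) + "</Events>"


def parse_logon_events(xml_text):
    """Return 4624 records as dicts, dropping machine accounts (names ending in '$')."""
    root = ET.fromstring(xml_text)
    records = []
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", NS)}
        user = data.get("TargetUserName", "")
        if user.endswith("$"):
            continue  # tuning choice for this demo: computer accounts are noise here
        records.append({
            "time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "user": f"{data.get('TargetDomainName', '')}\\{user}",
            "logon_type": int(data.get("LogonType", "0")),
            "source_ip": data.get("IpAddress", "-"),
        })
    return records


def triage(records):
    """Split records into the two phases the article describes."""
    hits = {"early_access": [], "persistence": []}
    for rec in records:
        lt = rec["logon_type"]
        if lt in EARLY_ACCESS_TYPES:
            hits["early_access"].append({**rec, "label": EARLY_ACCESS_TYPES[lt]})
        elif lt in PERSISTENCE_TYPES:
            hits["persistence"].append({**rec, "label": PERSISTENCE_TYPES[lt]})
    return hits


if __name__ == "__main__":
    result = triage(parse_logon_events(SAMPLE_XML))
    for phase, recs in result.items():
        print(f"== {phase} ==")
        for r in recs:
            print(f"{r['time']}  type {r['logon_type']:<2} {r['label']:<24} "
                  f"{r['user']:<22} from {r['source_ip']}")
```

On a real host the same XML can be obtained with Get-WinEvent (filtering the Security log on ID 4624) and each event's ToXml() method. Type 2 and 10 logons also occur legitimately, so the useful signal is a logon from an unexpected source address or account, or at an unusual hour; compare the output against known administrator workstations and RDP jump hosts rather than treating every hit as an incident.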
Ransomware criminals show no compunction about the impact their attacks have on healthcare providers, Microsoft warned.
They have also recently caused extensive damage to organizations such as foreign exchange giant Travelex, which had to shut down its systems over the New Year period, and global logistics company Toll Group.
If you're concerned that your personal details have been compromised, you can reach us at 1300 660 368 and one of our team members can help you stay safe from ransomware attacks.
Article courtesy: www.itnews.com.au