Microsoft has analyzed the tactics and techniques of several very costly ransomware campaigns seen in recent years, which are not automated but operated by hand.
The company warns that some ransomware groups are drawing on state-sponsored hackers with "extensive knowledge of systems management and security techniques" and then deploying "destructive" ransomware payloads.
"Based on our research, these campaigns have shown that they could work seamlessly on networks," Microsoft said.
The ransomware variants included in Microsoft's research are REvil, Samas (also known as SamSam), Doppelpaymer, Bitpaymer and Ryuk. The average ransom demand for REvil is $260,000, which makes this "big game" ransomware because of the selected targets and the large sums demanded. The American EMCOR Group announced this week that Ryuk ransomware hurt its Q4 2019 revenue because of the downtime it caused.
Microsoft has been tracking another group, which it calls Parinacota, for 18 months (Microsoft uses volcano names for cybercriminal groups). The group has hacked systems to install cryptocurrency miners and send spam, but has recently begun deploying Wadhrama ransomware on corporate networks in smash-and-grab attacks and demanding ransom.
Parinacota mostly uses RDP brute-force attacks to get in, scanning the internet for exposed devices and trying a list of popular passwords.
Microsoft has identified a unique tactic used by the group. After gaining access to a network, the attackers test the compromised machine for internet connectivity and processing capacity, according to the Microsoft Threat Protection Intelligence Team.
"They determine if the machine meets specific requirements before using it to perform brute force RDP attacks against other targets. This tactic, which has not been observed to be used by similar ransomware operators, gives them access to additional infrastructure less likely to be blocked. In fact, the group has been observed letting their tools run on compromised machines for months on end," Microsoft said in a post.
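As an added illustration of the defensive side of the RDP brute-force tactic described above (example code written for this page, not Microsoft's or the group's tooling): a small detector that groups Windows Security events by source address and flags a burst of failed RemoteInteractive (RDP) logons, noting whether a successful logon from the same source followed, which is the signature of a guessed password. The sample events, the five-minute window and the threshold of five failures are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Security-log records (not real telemetry), shaped as
# (timestamp, EventID, LogonType, source IP, account).
# 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive, i.e. an RDP session.
SAMPLE_EVENTS = [
    ("2020-03-05T01:00:00", 4625, 10, "203.0.113.7", "administrator"),
    ("2020-03-05T01:00:03", 4625, 10, "203.0.113.7", "admin"),
    ("2020-03-05T01:00:06", 4625, 10, "203.0.113.7", "backup"),
    ("2020-03-05T01:00:09", 4625, 10, "203.0.113.7", "scanner"),
    ("2020-03-05T01:00:12", 4625, 10, "203.0.113.7", "administrator"),
    ("2020-03-05T01:00:15", 4624, 10, "203.0.113.7", "administrator"),
    ("2020-03-05T09:15:00", 4625, 10, "198.51.100.2", "jsmith"),  # one typo
    ("2020-03-05T09:15:30", 4624, 10, "198.51.100.2", "jsmith"),
    ("2020-03-05T09:20:00", 4625, 2, "127.0.0.1", "svc"),  # console, ignored
]

WINDOW = timedelta(minutes=5)   # hypothetical tuning values
THRESHOLD = 5                   # failed RDP logons per source inside WINDOW

def detect_rdp_brute_force(events, window=WINDOW, threshold=THRESHOLD):
    """Map source IP -> finding for every source whose RDP logon failures
    reach `threshold` inside `window`; records whether a successful RDP
    logon from that source followed the burst (likely account compromise)."""
    by_source = defaultdict(list)
    for ts, event_id, logon_type, src, account in events:
        if logon_type != 10:  # only RemoteInteractive (RDP) logons matter here
            continue
        by_source[src].append((datetime.fromisoformat(ts), event_id, account))

    findings = {}
    for src, records in by_source.items():
        records.sort()
        failures = [(t, acct) for t, eid, acct in records if eid == 4625]
        for i in range(len(failures)):
            j = i  # extend the window forward from failure i
            while j < len(failures) and failures[j][0] - failures[i][0] <= window:
                j += 1
            if j - i >= threshold:
                burst_end = failures[j - 1][0]
                success = next((acct for t, eid, acct in records
                                if eid == 4624 and t >= burst_end), None)
                findings[src] = {"failures": j - i,
                                 "accounts": sorted({acct for _, acct in failures[i:j]}),
                                 "success_after": success}
                break  # one finding per source is enough for an alert
    return findings
```

A real deployment would read the events from the Security log (or a SIEM) and tune the window and threshold to the environment's normal failure rate.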
Using stolen credentials, the group also uses admin rights to disable security services that would record its actions, and then downloads a ZIP file full of attacker tools such as Mimikatz and the Sysinternals ProcDump tool for credential theft in the next stages of the attack.
Because of all this groundwork, organizations that manage to clean up a Wadhrama infection often cannot completely remove the persistence mechanisms, leaving them open to reinfection.
The group charges between 0.5 and 2 bitcoin ($4,500 to $18,268) per compromised machine, adjusting the demand to how critical the machine is.
Part of the point of Microsoft's post is to explain why security teams should enable the features available in Windows Defender ATP.
Ryuk is another example of human-operated ransomware; it frequently gains access to networks through the Trickbot trojan.
Microsoft notes that Trickbot is often seen as a low-priority threat and is therefore not immediately isolated.
Microsoft adds that Ryuk's operators "also benefit from users who act as local administrators in environments and use these rights to disable security tools that would interfere with their actions."
Some companies have made these attacks easier by weakening their internal security. Microsoft says some successful manually operated ransomware campaigns have encountered servers on which antivirus software and other security features were intentionally disabled, possibly by administrators trying to improve performance. "The servers themselves often do not have firewall protection and MFA, have weak domain credentials and use non-random local admin passwords," the company said.