Attivo Networks Blogs

A black cat on the prowl: new ransomware making its rounds globally

CYBERSECasia-logo

Attacking the Active Directory and human-operated, the double-extortion ransomware group has already been spotted in the Philippines.

A new sophisticated ransomware campaign is on the rise, claiming victims in the US, Europe and the Philippines.

The ALPHV BlackCat ransomware is human-operated and command-line driven, which makes it hard for traditional detection tools to accurately alert on these incursions. Its operators attack the Active Directory (AD), use a variety of encryption modes, move laterally, and gain administrative privileges to spread between computers. They encrypt other devices in the network, and wipe out information to prevent recovery.

This group is also known to steal data before encrypting devices and publishing it on data leak sites for triple-extortion.

An attack on AD begins with attackers discovering privileged accounts and then stealing credentials like passwords, hashes, and Kerberos tickets; or by performing brute force attacks like ‘password spray’. Once an attacker compromises higher privileges or finds a vulnerability in AD, techniques like Golden Ticket attack, Silver Ticket attack, and Domain Replication are used to take over the AD. Attackers can thereby easily compromise the systems it manages, install backdoors, change security policies, and rapidly deploy the ransomware.

According to Jeremy Ho, Vice President (APAC), Attivo Networks: “Active Directory is the most commonly used identity platform by businesses; if compromised, it grants attackers complete control to escalate privileges, disable security tools, move laterally in the organization, and steal valuable data. AD protection is a security gap that is not currently addressed by EDR solutions or identity access management solutions focused on providing access instead of denying it.”

Ho said organizations need to employ a multi-pronged approach, which includes hardening, detecting reconnaissance, and preventing domain compromise, to defend against AD attacks. “Newer Identity Detection and Response (IDR) tools have become must-have security stack staples for delivering visibility and detection for credential theft and misuse and attempts to enumerate Active Directory,” Ho said.

Read the original article on Cybersec Asia.

Share on:

Free Active Directory Assessment

Get Visibility Into Privilege And Service Account Exposure

For a limited time, Attivo Networks is providing free Active Directory Security Assessments to demonstrate how ADAssessor provides unprecedented and continuous visibility to AD vulnerabilities.

Try Our Endpoint Detection Net (EDN) for Free

FAST AND EASY

Free use offer of our Award-winning security solution to prevent attackers from lateral movement, credential theft, and privilege escalation, fast and easy.

Newsletter Signup

    Yes, please opt me in to receive your quarterly newsletter, event invitations, and product updates.

    I understand that I can opt out at any time, and can refer to Attivo Networks Privacy Policy for more information.
  • This field is for validation purposes and should be left unchanged.

ADSecure 90-Day Free Trial

GET PROTECTION AGAINST UNAUTHORIZED ACCESS TO ACTIVE DIRECTORY

  • Hide and deny access to AD objects
  • Get alerted on unauthorized queries
  • Attack details easily viewable in dashboard
  • Your data remains on-premise

RSS

Leave a Comment

Your email address will not be published.

6 + 2 =

Ready to find out what’s lurking in your network?

Scroll to Top