Microsoft Warns Almost All Ransomware Attackers Steal Data

Almost all ransomware attackers, even those that don’t threaten to leak data, steal data anyway, the Microsoft Threat Protection Intelligence Team warned.

In the blog post “Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk”, the Microsoft Threat Protection Intelligence Team said that “while only a few of these groups gained notoriety for selling data, almost all of them were observed viewing and exfiltrating data during these attacks, even if they have not advertised or sold yet.”

Ransomware and Data Exfiltration

Ransomware is a type of malicious software (malware) that encrypts a computer or the files on it, locking out legitimate users and demanding a ransom payment from victims in exchange for the decryption keys. Many ransomware victims who were forced to pay the ransom for the decryption keys assumed that their data had been left untouched by the attackers.

The group behind the ransomware called “Maze” brought to light the reality that ransomware attackers, in addition to encrypting data, also exfiltrate or steal it. Maze ransomware was the first of its kind to shame victims who refuse to pay the ransom by publishing their names online and further threatening that continued refusal to pay will result in the publication of their data – the data exfiltrated before it was encrypted.

This threat to publish stolen data was carried out, prompting one of the victims to file a case against the group behind Maze ransomware. Following Maze, other ransomware operators are also threatening victims who don’t pay the ransom that their stolen data will be exposed online.

The latest acknowledgment from the Microsoft Threat Protection Intelligence Team further cements the reality that in ransomware cases, in addition to encrypting data, attackers also steal it. According to the team, ransomware attackers use common tools, including Mimikatz and Cobalt Strike.

Mimikatz is a free tool known for extracting plaintext passwords, password hashes, PIN codes and Kerberos tickets from Windows memory. Cobalt Strike, meanwhile, is a commercial tool that markets itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. According to MITRE, Cobalt Strike’s post-exploitation capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system. MITRE’s ATT&CK is a knowledge base of adversary tactics and techniques based on cyberattacks observed in the wild.

In addition to data encryption and data exfiltration, Microsoft Threat Protection Intelligence Team said, “On networks where attackers deployed ransomware, they deliberately maintained their presence on some endpoints, intending to reinitiate malicious activity after ransom is paid or systems are rebuilt.”

Vulnerabilities Exploited by Ransomware Attackers

At a time when remote work is becoming universal, Microsoft Threat Protection Intelligence Team said that ransomware actors are continuing their normal malicious operations. The team reported that in the first two weeks of April 2020, multiple ransomware groups that have existing access to victims’ networks activated dozens of ransomware deployments.

The Microsoft Threat Protection Intelligence Team reported that ransomware attackers exploited the following security vulnerabilities in order to gain access to victims’ networks:

1. Remote Desktop Protocol (RDP) without Multi-Factor Authentication (MFA)

The absence of MFA, that is, reliance on a username and password combination alone, allows ransomware attackers to launch brute force attacks on RDP – a proprietary protocol developed by Microsoft that allows a computer user to connect to another computer over a network connection. In brute force attacks, malicious actors use trial and error to guess the correct username and password combination.
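As an added illustration (not from the Microsoft report or this article), the following Python script flags the brute-force pattern just described in Windows Security log events: a burst of failed RDP logons (Event ID 4625, Logon Type 10) from one source, followed by a successful logon (Event ID 4624). The event records are constructed sample data, and the failure threshold and time window are assumed tuning values.

```python
"""Flag RDP brute-force activity in Windows Security log events.

Windows records each failed logon as Event ID 4625 and each successful logon
as Event ID 4624; Logon Type 10 (RemoteInteractive) marks RDP sessions.
Without MFA, a burst of 4625s from one source followed by a 4624 is the
signature of a guessed password. All events below are constructed samples.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# (timestamp, event_id, logon_type, source_ip, target_user) - constructed
SAMPLE_EVENTS = [
    ("2020-04-10T02:00:01", 4625, 10, "203.0.113.7", "administrator"),
    ("2020-04-10T02:00:04", 4625, 10, "203.0.113.7", "admin"),
    ("2020-04-10T02:00:08", 4625, 10, "203.0.113.7", "backup"),
    ("2020-04-10T02:00:12", 4625, 10, "203.0.113.7", "backup"),
    ("2020-04-10T02:00:17", 4625, 10, "203.0.113.7", "backup"),
    ("2020-04-10T02:00:31", 4624, 10, "203.0.113.7", "backup"),   # got in
    ("2020-04-10T09:15:00", 4625, 10, "198.51.100.2", "jsmith"),  # one typo
    ("2020-04-10T09:15:20", 4624, 10, "198.51.100.2", "jsmith"),
    ("2020-04-10T11:00:00", 4625, 3, "192.0.2.50", "svc"),        # SMB, not RDP
]

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: summary} for every source with at least `threshold`
    failed RDP logons inside some `window`-long span (assumed tuning values)."""
    by_src = defaultdict(list)
    for ts, event_id, logon_type, src, user in events:
        if logon_type == 10:  # keep only RemoteInteractive (RDP) logons
            by_src[src].append((datetime.fromisoformat(ts), event_id, user))
    alerts = {}
    for src, recs in by_src.items():
        recs.sort()
        fails = [(t, u) for t, eid, u in recs if eid == 4625]
        peak = start = 0
        for end, (t, _) in enumerate(fails):  # sliding window over failures
            while t - fails[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            first_fail = fails[0][0]
            alerts[src] = {
                "failures": peak,
                "distinct_users": len({u for _, u in fails}),
                # a success after the failures means the guess worked
                "followed_by_success": any(
                    eid == 4624 and t > first_fail for t, eid, _ in recs),
            }
    return alerts
```

A source whose guessing run ends in a success is the one to treat as a likely compromise rather than a mere nuisance; enforcing MFA or removing RDP from the internet edge closes the gap the script is detecting.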

2. Outdated Operating Systems

According to the Microsoft Threat Protection Intelligence Team, ransomware attackers were able to gain access to victims’ networks because victims were running outdated operating systems, specifically Windows Server 2003 and Windows Server 2008 – server operating systems that no longer receive security updates from Microsoft.

3. Misconfiguration

Misconfiguration of web servers, including IIS, electronic health record (EHR) software, backup servers, or systems management servers, according to Microsoft Threat Protection Intelligence Team, is another gateway used by ransomware attackers to gain access to victims’ networks.

Such misconfiguration, that is, the failure to put a secure configuration in place – for instance, configuring a web server to allow open access to its web-accessible directory – enables attackers to deploy web shell malware on the web server.

Australia’s national security agency, the Australian Signals Directorate (ASD), in a statement said that throughout 2019 – prior to the COVID-19 crisis, attackers continued to target organizations in Australia and abroad using web shell malware. “Web shell malware can facilitate cyber attackers’ access to a network where they are able to execute arbitrary system commands, enumerate system information, steal data, install additional malicious software or use the infected server to pivot further into the network,” ASD said.
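As an added example, not part of the Microsoft report, the ASD statement or this article, here is a Python triage script that reads IIS W3C log lines and lists script files that behave like a web shell: scripts served from a directory meant for content only, or scripts whose first request ever was a POST rather than a browse. The log excerpt and the directory layout (`CONTENT_DIRS`) are constructed assumptions.

```python
"""Triage IIS W3C logs for script files that behave like web shells.

A web shell dropped into a writable, web-accessible directory is driven by
direct requests to a script that ordinary users never browse to. The log
excerpt and directory layout below are constructed for this example; the
field list mirrors a default IIS W3C extended log.
"""
from collections import defaultdict

SCRIPT_EXTS = (".aspx", ".asp", ".ashx", ".php", ".jsp")
# Directories assumed to hold uploaded or static content only, never scripts.
CONTENT_DIRS = ("/uploads/", "/images/", "/attachments/")

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2020-04-10 02:10:00 10.0.0.5 GET /login.aspx - 443 198.51.100.2 200
2020-04-10 02:10:05 10.0.0.5 POST /login.aspx - 443 198.51.100.2 302
2020-04-10 02:11:00 10.0.0.5 POST /uploads/portal/h.aspx - 443 203.0.113.7 200
2020-04-10 02:11:30 10.0.0.5 POST /uploads/portal/h.aspx - 443 203.0.113.7 200
2020-04-10 02:12:00 10.0.0.5 POST /app/diag.ashx - 443 203.0.113.7 200
2020-04-10 02:13:00 10.0.0.5 GET /images/logo.png - 443 198.51.100.2 200
"""

def parse_w3c(text):
    """Turn W3C extended log text into a list of {field: value} dicts."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # header names the columns
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows

def find_webshell_candidates(rows):
    """Return {path: [reasons]} for script files worth inspecting on disk."""
    reasons = defaultdict(set)
    first_method = {}
    for r in rows:
        path = r["cs-uri-stem"].lower()
        if not path.endswith(SCRIPT_EXTS):
            continue                          # static content is out of scope
        first_method.setdefault(path, r["cs-method"])
        if path.startswith(CONTENT_DIRS):
            reasons[path].add("script file under a content-only directory")
    for path, method in first_method.items():
        if method == "POST":                  # never browsed, only driven
            reasons[path].add("first request ever was a POST")
    return {p: sorted(r) for p, r in reasons.items()}
```

Each flagged path should be checked on disk (owner, creation time, contents) and the content-only directories should have script execution disabled in IIS so that a dropped file cannot run even if it lands there.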

4. Unpatched Systems

According to the Microsoft Threat Protection Intelligence Team, ransomware attackers were also able to gain access to victims’ networks via unpatched systems. The team said that attackers specifically targeted unpatched Citrix Application Delivery Controller (ADC) systems affected by CVE-2019-19781, and Pulse Secure VPN systems affected by CVE-2019-11510.

CVE-2019-19781 is a security vulnerability in Citrix Application Delivery Controller systems that allows an unauthenticated attacker to perform arbitrary code execution. CVE-2019-11510, meanwhile, is a security vulnerability in Pulse Secure VPN systems that allows an unauthenticated remote attacker to send a specially crafted URI and read arbitrary files. Citrix and Pulse Secure have both released patches for these vulnerabilities.

Preventing and mitigating ransomware attacks is what we do best. In fact, we have recently helped a large Canadian non-profit recover from a ransomware attack and implemented processes to mitigate future attacks in just 72 hours.

Businesses around the globe are struggling due to COVID-19, and cybercriminals use your vulnerabilities to extort money from your business.

Call us today and don’t fall victim. A team of experts is ready to assist you. Call now at (416) 920-3000 or email 
