Professional Documents
Culture Documents
threat of human-operated
ransomware attacks
PwC Cyber Security
Contents
Human-operated ransomware attacks are now one Given these attackers have now started stealing
of the top priority cyber threats faced by most and threatening to leak sensitive data, the majority
organisations. In this type of attack, cyber criminals of improvement efforts should be focused on
gain access to internal corporate networks and deploy preventing these attacks. Focusing solely on backup and
ransomware to encrypt data – often to devastating effect recovery strategies is no longer a viable option, as these
– before attempting to extort organisations into paying do not prevent the attacker from stealing data in the first
seven or eight figure ransoms to recover access and place, or help with the resulting regulatory implications.
restore systems. Attackers also steal and threaten to Even when backup and recovery strategies are in place,
leak sensitive data, to provide additional leverage when for large organisations an enterprise-wide recovery
extorting their victims. from backups can take weeks and in some cases be
practically unfeasible.
These attacks represent a more challenging threat
than previous well-known ransomware attacks, Organisations who have not already taken steps to
such as NotPetya and WannaCry. This results from understand and reduce their vulnerability to these
skilled and adaptable financially-motivated people attacks should act now. This is especially important
behind the attacks, who can identify and overcome as organisations across a wide-range of sectors have
defences, as well as evolve their tactics to maximise recently been affected, and the frequency of these attacks
their chances of getting organisations to successfully is highly likely to continue to rise over the coming months.
pay out. This is unlike previous high profile attacks which The improvements required to reduce the risk of these
relied on wormlike functionality to spread ransomware. attacks are not anything surprising to cyber security
teams, likely already forming part of organisations’ existing
improvement plans. However, the escalation in the threat
should cause organisations to re-prioritise ongoing
and planned activities, as well as consider what actions
they can take to immediately reduce their vulnerability to
these attacks.
Ransomware attackers often work with other criminal Typical path of a human-operated
groups who use automated and mass-scale techniques ransomware attack
to gain access to company networks, for example
by distributing banking trojans via phishing emails.
In many cases investigated by PwC’s incident response Gain initial access and
deploy using automated
practice, these relatively simple techniques are effective and opportunistic methods
at compromising organisations as they have yet to
solve challenging business problems like how to restrict
Microsoft Office macros.
Phish employees
Once initial access has been gained into a target and deploy malware
organisation, attackers compromise privileged accounts to workstations
and further systems, using a combination of legitimate
administration tools and security testing tools
(e.g. Cobalt Strike, PowerShell Empire, and BloodHound).
Exploit
We have seen these tools as sufficient to gain privileged vulnerabilities
access in internal corporate networks due to widespread in Internet-facing
IT and Active Directory hygiene issues, and detection services
capabilities that fail to detect the techniques used in
these attacks.
Compromise
When attackers have gained privileged and widespread privileged accounts
access to the target’s network, sensitive data is extracted by exploiting common
IT/AD hygiene issues
and ransomware deployed as widely as possible, in most
cases causing significant and long-term disruption to
business operations.
Move laterally and
establish footholds
using common
offensive security tools
‘Human-operated’
The rapid growth in human-operated ransomware attacks has been driven by several factors, including the:
Growing number of actors attracted by perceived Emergence of leak sites, placing additional pressure on
easy revenue. victims to pay ransom demands.
The number of ransomware actors has grown steadily The growing use of leak sites, where victim data is released
throughout 2020, encouraged by the profits derived from if a ransom is not paid, further increases the pressure on
high-profile attacks. For example, the NetWalker affiliate organisations to meet demands, and in turn the profitability
programme was launched in March 2020 and claimed to of these attacks. After the Maze Group hosted a leak site in
have amassed $4.5 million in its first six weeks. After four January 2020, a further 18 actors have followed suit. By the
months of operation, this revenue had reportedly increased end of September, over 750 organisations have had data
to $25 million. exposed, with 80% of leaks occurring since late April 2020.
Popularity of affiliate programmes, lowering the Arrival of new attackers, some of which are
barrier to entry for newcomers. highly aggressive.
Twelve well-known schemes are run as affiliate Despite their recent arrival on the ransomware scene,
programmes where ransomware developers lease operations like Suncrypt have released data more
access to their malware in exchange for a share of profits. frequently and in larger numbers than some of their more
This trend significantly lowers the barrier to entry, as established rivals. Conti, which we assess to be the
malware development is no longer a requirement; allowing replacement for the notorious Ryuk ransomware, launched
them to specialise in spreading through organisations’ IT its leak site in August and released data on over 100
environments and deploying ransomware at scale. victims in its first eight weeks of activity.
800
700
600
500
400
300
200
100
0
11/2019 12/2019 01/2020 02/2020 03/2020 04/2020 05/2020 06/2020 07/2020 08/2020 09/2020
Legacy IT creates security weaknesses attackers Ineffective detection and response capabilities give
can exploit. attackers freedom to operate.
Most organisations have legacy IT of some form; many still Attackers often remain in internal corporate networks for
rely on this heavily, however this has significant security days or weeks, escalating privileges and expanding their
implications. The risk of out-of-support operating systems footholds, before deploying destructive ransomware.
increases over time as vulnerabilities are identified and During this time, there are usually many detection and
remain unpatched. In addition, legacy operating systems are response opportunities that organisations fail to identify and
nearly always incompatible with modern security tooling and take advantage of. This is most often because, traditional
lack the security features required to defend against these signature-based security tooling is ineffective at detecting
types of attacks. In many instances legacy systems host the techniques used in these attacks, alerts are often lost in
some of an organisation’s most critical applications; those the noise as security operations teams are overwhelmed by
typically targeted in human-operated ransomware attacks. false positives, and containment processes are not effective.
Also, the use of commodity trojans such as Emotet, Dridex
Technology is not securely configured to prevent or Qakbot as an initial infection vector is often highly
common cyber attack techniques. effective, as detecting and remediating these ‘commodity
malware’ infections is not prioritised by security teams.
In most cases, initial access in human-operated
ransomware attacks stems from the compromise of
Organisations have retained on-premise infrastructure
workstations with phishing emails or servers by exploiting
and struggled to adopt the SaaS cloud.
unpatched vulnerabilities in internet-facing services.
Attackers exploit the poor configuration of these systems, Cloud “software-as-a-service” business applications
with security controls either absent or not effectively (such as email, file storage, and CRM) can significantly
configured. These issues often remain unfixed due to a reduce the impact of a human-operated ransomware
lack of awareness around security good practice, a lack attack, yet many organisations continue to rely on and
of prioritisation by IT teams when delivering security invest in on-premise infrastructure and applications.
fixes, and the unknown or perceived business impact This type of environment was rarely architected with
of delivering the fixes. security in mind (or indeed to prevent modern security
threats), meaning attackers can easily use now widely
Poor protection of privileged accounts allows attackers available offensive security tooling to exploit the
to compromise credentials. resulting weaknesses. There are no quick-fixes, as
effectively retrofitting modern cyber security controls on
We have seen skilled ransomware operators obtain Domain
IT infrastructure can be costly and complex, requiring IT
Administrator privileges within 72 hours, as organisations
to be modernised before it can become securable.
have not adequately protected privileged accounts.
The most common problems are large numbers of overly
privileged accounts, risky operating practices by domain
administrators, and the use of insecure passwords and
authentication mechanisms. The root cause of this is
often that Active Directory (and other identity and access
management systems) is seen as an IT tool, rather than a
security tool that is essential to preventing attackers from
gaining privileged access; and is therefore not configured
with security in mind.
Management teams should question their security teams to determine how susceptible they are to
ransomware attacks, including:
How are we using technical How quickly and comprehensively How confident are we that we can
security controls to limit the risk of are we detecting and remediating detect common attacker tools being
a workstation being compromised ‘commodity malware’ infections used within our network, for example
by phishing attacks? on workstations? Cobalt Strike or BloodHound?
How are we using secure administration How confident are we that we can How are we mitigating the risk of
practices and restricting the use of detect the compromise and abuse of legacy IT to ensure this does not
domain administrator accounts to limit privileged accounts by an attacker? provide a point of weakness that
the risk of credential-theft attacks? allows an attacker to compromise
How do we restrict the connectivity our entire environment?
How could we still access our email and Active Directory trust relationships
and messaging if a ransomware between different areas of the What have we done to validate that
attack impacted our on-premise business to slow down and limit the any network security controls are
IT infrastructure? spread of ransomware attacks? still effective with an increasingly
remote workforce?
Use security testing to Targeted improvements should Where the root cause of security
assess whether the techniques be delivered to prevent and vulnerabilities and weaknesses
used in human-operated detect the techniques used in has not been remediated in
ransomware attacks can be human-operated ransomware the previous steps, strategic
prevented and detected by attacks, and address the initiatives should be designed
defences in place, and to identified vulnerabilities and to deliver sustainable cyber
identify the vulnerabilities weaknesses. We have seen risk reduction. For example
and weaknesses that could customers successfully moving away from legacy IT
be exploited by ransomware achieve this by bringing or reworking how privileged
attackers. Security teams together IT and security teams access is managed within
should provide ongoing to collaborate on developing the organisation.
reporting to management actionable fixes appropriate
on risk, using the results for the environment. Security
of this threat-focused testing should then be used
testing approach. to validate that improvements
have been correctly
implemented to address
risks identified.
Using this approach we recommend six priority For each, we have listed several targeted improvements
areas of focus to reduce the risk of human-operated that, with the right delivery approaches and prioritisation,
ransomware attacks. can be delivered within three months. While many
of these improvements may seem obvious at first
1. P
revent workstations being compromised glance, their value (or the challenge in their delivery)
by phishing attacks should not be underestimated – it is the “hard basics”
of security that still represent the greatest challenge,
2. R
emediate internet-facing vulnerabilities
and corresponding benefit.
and reduce the attack surface
3. P
rotect privileged accounts from As the “devil is in the detail” when reducing the risk
being compromised posed by ransomware, we recommend that organisations
that have already implemented these improvements still
4. R
emediate common hygiene issues used
take steps to validate that they are effectively preventing
by attackers to escalate privileges
and detecting the techniques used in these attacks.
5. R
estrict the ability of an attacker to In cases investigated by PwC’s incident response practice,
compromise further systems we regularly see a disconnect between the believed
6. R
apidly detect and contain incidents and actual levels of risk reduction brought about by
before they escalate improvements that have been made (for example, the
deployment of tooling without having appropriately
configured it).
Ensure email filtering tooling is appropriately configured Perform vulnerability scanning and monitoring to
to block phishing emails. ensure vulnerabilities are rapidly remediated.
Email filtering tooling should be configured to scan Vulnerability scanning tooling should be configured to
attachments for malicious files and links, block file-types perform regular scans, and alert for any new internet-
commonly used by attackers (e.g. script files such as HTA facing vulnerabilities or exposed services. Security teams
and PS1), and detect techniques used by attackers to fake should also ensure all internet-facing IP address ranges
legitimacy (e.g. the spoofing of internal email addresses, are covered by scanning tools and review any existing
or sending from recently registered domains). This tooling exceptions to ensure they have not been granted for
should also be integrated with up-to-date threat intelligence vulnerabilities that could be exploited by attackers.
(including both atomic and behavioural indicators) to block
suspected likely phishing emails. Disable or restrict access to internet-facing services
to reduce the attack surface.
Deploy and configure web filtering tooling to prevent
users from downloading malicious files. Externally accessible systems should be regularly audited
and organisations should look to disable or restrict access
Web filtering tooling should be configured to block the to any internet-facing services (e.g. RDP, SSH, SMB) that
download of file-types commonly used to deliver malware, are not strictly required; this mitigates the risk of future
and scan all others for malicious content. Sites should be vulnerabilities by reducing the overall attack surface.
assigned a risk rating and blocked accordingly; high risk Where services are required then compensating controls
sites might include those categorised as malicious, should be implemented to mitigate risk (for example,
those using newly registered domains, or commonly IP address whitelisting and strong authentication).
abused top-level domains.
Enforce multi-factor authentication to reduce the
Restrict Microsoft Office macros to prevent attackers impact of compromised credentials.
using these to deliver malicious payloads.
Multi-factor risk-based authentication should be configured
Microsoft Office macros should be disabled where possible on all remote access systems and internet-facing services.
for employees, teams and departments without a suitable Authentication logs should also be collected from these
business case. Where this is not possible, their use should be services, and monitored for use cases that could represent
restricted by: blocking execution in documents downloaded compromised accounts, for example sign-in events indicating
from the internet, only allowing execution for documents in ‘impossible travel’ by the user, or logins from unexpected
trusted locations, or only allowing signed macros to be run. countries and devices.
For organisations with Microsoft 365 E5 licenses, Application
Guard for Office should be enabled where possible.
BloodHound (an offensive security tool) should be used to Remove credentials stored in network shares to prevent
identify, investigate and eliminate attack paths to privileged attackers using these to compromise accounts.
accounts. These are often present due to hidden and In many cases investigated by PwC’s incident response
unintended trust relationships within Active Directory practice, organisations unknowingly have plaintext
environments, for example misconfigured or complex privileged credentials stored in network file shares
inheritance-based permissions. This should also be (or other easily accessible locations) which are accessed
an opportunity for security teams to gain confidence and exploited by attackers. Offensive security tools, e.g.
BloodHound’s use is reliably detected. PowerShell scripts should be used to scan file shares for
credentials, so these can be removed and the exposed
Restrict accounts in local administrator groups to passwords reset. Access to network shares should also be
reduce the identity attack surface of endpoints. restricted as much as possible, as these provide a common
Users and groups in the local administrator group way for attackers to gain access to sensitive data.
on workstations and servers should be reviewed to
ensure accounts are only added where strictly necessary. Use security testing and Microsoft Secure Score to
This reduces the number of accounts that, if compromised, identify IT and Active Directory hygiene issues.
could allow an attacker to gain widespread administrative Security testing should be used to identify weaknesses
access to systems. Local administrator groups should also and vulnerabilities an attacker could exploit by simulating
be monitored to ensure any modifications are detected. cyber attack techniques. For organisations using Microsoft
365, Secure Score should also be used to identify fixes
Monitor Active Directory to detect the insecure use, to improve security posture and reduce attack surface,
compromise and abuse of privileged accounts. for example by enabling Credential Guard to improve
Security teams should deploy tooling, such as Microsoft workstation secure configuration.
Defender for Identity, to monitor and detect anomalies
involving privileged accounts, e.g. logging in from a
new location. Accounts suspected of compromise
should be blocked and investigated thoroughly before
reinstating access.
Contacts
Urs Küderli Yan Borboën
Johannes Dohren
Director, Cybersecurity
+41 58 792 22 20
johannes.dohren@pwc.ch
www.pwc.ch/cybersecurity
@2020 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see
www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with
professional advisors.
Mitie Design RITM3624127 (10/20).