Ransomware damages from cybercrime are expected to hit $6 trillion by the end of 2021, up from $20 billion in 2020 and $11.5 billion in 2019. The number of ransomware attacks will not only increase but we will see new forms of it with more sophistication and disruption than ever.
Hackers are constantly evolving their methods rather than just encrypt the data on infected devices, ransomware authors have started to target resources beyond the devices themselves. For example, files on servers might be encrypted if an infected PC, or the ransomware, has access. Ransomware can enumerate mapped drives and the availability of file shares on the network. Some hackers go even further by selling sensitive data. There have also been cases of hackers wiping data but still demanding a ransom.
Ransomware Spreads via Active Directory
The last couple of years have seen ransomware like LockerGoga and Samas omitting a spreader. Malware usually includes a means of propagating itself from an initial infected device to other devices on the same network. But instead of writing and testing the extra code, which may be prone to failure, hackers are leveraging a mechanism that is already present in most organisations: Active Directory.
Windows Server Active Directory (AD) is Microsoft’s on-prem identity management product. It allows organizations to centralise management of user login credentials, configure settings on servers and workstations, and manage other aspects of an organisation’s security like its Public Key Infrastructure (PKI) and Role-Based Access Control (RBAC).
If a hacker gains privileged access to AD, it is easy to own an organisation’s entire IT infrastructure. On-prem and cloud solutions are both vulnerable. AD contains information about all users, endpoints, applications, and servers. Standard administration tools can be used to query the directory without being detected by security software. Hackers can then use AD to propagate ransomware to every device in the organisation.
Even in businesses where IT has taken extra steps to secure domain controllers—the servers that run AD Directory Services—AD can still be easily compromised via end-user devices joined to AD if security best practices are not followed.
How to Prevent Ransomware Spreading via Active Directory
Ransomware attacks that use Active Directory to propagate or to perform reconnaissance require privileged access to the directory. Most organisations do not properly restrict or manage the use of privileged AD accounts, leaving IT systems exposed to ransomware and other kinds of attack. Here are six ways that you can protect access to privileged AD accounts and make it difficult for attackers to weaponise Active Directory:
Reduce privileged AD group membership Restrict the use of privileged AD accounts Establish a Break Glass Account Manage end-user devices using a local account Protect privileged AD accounts with multi-factor authentication Monitor Active Directory for unusual activity Implement a tiered administration model for Active Directory
1. Reduce Privileged AD Group Membership
Microsoft recommends reducing the use of privileged accounts in an Active Directory domain to a bare minimum. While it is important to limit membership of the Domain Admins and Enterprise Admins groups, they are not the only privileged groups in AD. Schema Admins is an example of another privileged group.
Tip: You can start by auditing the membership of privileged AD groups and by working to reduce their membership.
2. Restrict the Use of Privileged AD Accounts
There are technologies in Windows that can help reduce the exposure of privileged AD credentials, like the Protected Users group and Windows Defender Credential Guard. But you should follow Microsoft’s best practices and limit the use of privileged AD accounts to devices that are specially secured for the purposes of administering Active Directory.
Tip: Create a set of Privileged Access Workstations (PAW) used exclusively for performing administrative tasks that require privileged access to Active Directory.
3. Break Glass Account
Establishing an emergency or break glass account ensures that the Active Directory system provides access in unforeseen circumstances such as network failures, breach or other reasons for administrative access loss. Verify and update this account as necessary and only use the event of an emergency.
4 Manage End-User Devices Using a Local Account
Microsoft recently changed its advice on accessing client devices remotely using a local administrator account. Organisations generally grant remote access to clients using a domain user account. If you have a system in place to randomise and periodically change the local administrator password on each device, like Microsoft’s Local Administrator Password Solution (LAPS) tool, then you can avoid a domain account for remote support. Using a local account for supporting end user devices makes it harder for hackers to compromise Active Directory.
Tip: Audit local administrator account passwords. Make sure that each device has a unique local administrator account password. Then stop using domain accounts for remote support.
5. Protect Privileged AD Accounts with Multifactor Authentication
Passwords are insecure because they can be easily abused if obtained by a hacker. But many organisations rely on passwords alone to protect privileged AD accounts. According to Microsoft, multifactor authentication is proven to block 99.9% of automated attacks. MFA requires users to provide something in addition to their password, like a biometric gesture or one-time passcode generated by an authenticator app.
Tip: Add multifactor authentication to Windows Server Active Directory. Azure MFA and other products can be used to add MFA to AD.
6. Monitor Active Directory for Unusual Activity
Just as antimalware software scans Windows for unusual files and processes, it is important to monitor Active Directory for unusual activity. The Windows Event Log contains a lot of information that could reveal misuse of privileged accounts and other malicious behaviour. With the right data, organisations can proactively stop ransomware attacks spreading via AD. Security Information and Event Management (SIEM) products can be used to collect information forwarded from the Windows Server Event Log and other systems. Up-to-date threat intelligence can provide an automated way for organisations to identify threats in the data collected from security events. That said, neither Windows Logs nor SIEM products are enough on their own. You need to ensure you have a team in place managing and monitoring your systems 24/7.
Tip: Deploy SIEM with threat intelligence to proactively block ransomware and other types of malware before they infect your entire network.
7.Implement a Tiered Administration Model for Active Directory
We recommend organising resources in Active Directory to manage them using a more secure tiered model. The model defines three tiers that act as buffers to separate the administration of high-risk devices, like end-user PCs, from valuable servers, like domain controllers. Tier 0 includes resources like privileged AD accounts, domain controllers, and Privileged Access Workstations. Tier 1 is used for member services and applications. And Tier 2 is for end-user PCs and the objects in AD used to manage PCs, like helpdesk user accounts. Find out more