Darren Mar-Elia

The latest ransomware-as-a-service attack leaves the well-known retailer, Kmart, with service outages and a compromised Active Directory.  

In the wake of Maze ransomware “retiring” last month, many of its affiliates have moved to the new kid on the ransomware block, Egregor. Named after an occult term for the collective energy or force of a group of individuals (appropriate, given the ransomware’s affiliate model), Egregor follows in Maze’s footsteps, combining encryption, data theft, and extortion to pressure victims into paying the ransom.

According to the attack report at Bleeping Computer, the ransom note confirms that Kmart’s Active Directory domain was compromised as part of the attack. While no specific details have been provided, we can make some educated guesses based on prior similar attacks in which the Maze, Ryuk, and Save the Queen ransomware strains each compromised and leveraged Active Directory to propagate the ransomware payload to as many systems as possible. Each of these strains gained elevated access to Active Directory and made specific malicious changes, which means that somewhere along the way at least one account with administrative rights over some or all of Active Directory was compromised, and some portion of Active Directory ended up in a threat actor-controlled, insecure state.

This is troubling from a few perspectives: 

1. Active Directory Shouldn’t Have Been Vulnerable – We all know Active Directory still serves as the primary central identity store for a material portion of organizations today – even those running a hybrid identity strategy. The detail that the “domain” was compromised also implies that Active Directory remains a key element of Kmart’s network. Active Directory is often the linchpin that lets ransomware spread quickly around the network: once it is compromised, there is pretty much a clear path to every connected system in the environment, because every domain-joined machine will accept a Group Policy, scheduled task, or service pushed out with Domain Admin rights. Because Active Directory is so heavily targeted and, at the same time, is the backbone of the organization, it requires extra protection. At a minimum, that means monitoring changes and alerting on them. Ideally, there should also be a means by which changes to specific elevated accounts, groups, and other objects are protected, invoking workflow approvals and/or automated rollbacks.

2. Kmart Got Lucky – From all the reports, it appears that not all of Kmart’s operations were taken down. This probably means that Active Directory was compromised but not made unavailable, allowing domain-dependent services throughout the forest to continue to function. But there have been instances where organizations weren’t so lucky, such as the 2017 NotPetya attack on Maersk, which left literally every domain controller inoperable except for one offline server found in a remote office in Ghana. It’s negligent to assume that a cyberattack will never take down Active Directory; having the ability to easily – and, more importantly, quickly – recover it is critical.

3. Returning Active Directory to a Known-Secure State Probably Wasn’t Easy – In many organizations, malicious changes to Active Directory may not go entirely unnoticed, but they certainly persist long enough for the malicious impact to be felt. If you don’t know what was modified in Active Directory, how can you know what needs to be restored or rolled back to remediate the malicious changes? Were new bogus user accounts created? Was the membership of the Domain Admins group changed? Were Group Policies modified to grant the “Act as part of the operating system” right (SeTcbPrivilege) on domain controllers or on every workstation? The list goes on and on. In short, without protecting Active Directory, you can’t easily rectify the changes made, and you are left with a recovery effort that likely isn’t going to be as simple as “recover the domain to yesterday at noon.”
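
The questions in point 3 (new accounts, Domain Admins membership, Group Policy grants of SeTcbPrivilege) and the change monitoring called for in point 1 can both be answered with a short script. What follows is an added example written for this edit, not code from the original post or from any vendor product. It assumes the RSAT ActiveDirectory and GroupPolicy modules on a domain-joined host; the group names, SIDs, and the `dc01` host name used in the sample data and usage comments are constructed for illustration.

```powershell
# Added example (not from the original post): baseline-and-diff of privileged
# AD group membership, a sweep of the Security log for the events that record
# such changes, and a scan for GPOs that grant "Act as part of the operating
# system" (SeTcbPrivilege). Assumes the RSAT ActiveDirectory and GroupPolicy
# modules; the sample data at the bottom is constructed and runs without a domain.

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

# Security-log event IDs that record the kinds of change the post lists.
$SensitiveEventIds = @{
    4720 = 'User account created'
    4728 = 'Member added to security-enabled global group'
    4732 = 'Member added to security-enabled local group'
    4756 = 'Member added to security-enabled universal group'
    5136 = 'Directory service object modified'
}

function Get-PrivilegedMembership {
    # Snapshot: group name -> sorted array of member SIDs, nested groups expanded.
    $snapshot = @{}
    foreach ($g in $PrivilegedGroups) {
        $snapshot[$g] = @(Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
                          ForEach-Object { $_.SID.Value } | Sort-Object)
    }
    return $snapshot
}

function Compare-PrivilegedMembership {
    param([hashtable]$Baseline, [hashtable]$Current)
    # Emits one record per member added to or removed from any group in either snapshot.
    $groups = @($Baseline.Keys) + @($Current.Keys) | Sort-Object -Unique
    foreach ($g in $groups) {
        $base = @($Baseline[$g] | Where-Object { $_ })   # empty array if the group is absent
        $cur  = @($Current[$g]  | Where-Object { $_ })
        foreach ($m in $cur)  { if ($base -notcontains $m) { [pscustomobject]@{ Group = $g; Member = $m; Change = 'Added' } } }
        foreach ($m in $base) { if ($cur  -notcontains $m) { [pscustomobject]@{ Group = $g; Member = $m; Change = 'Removed' } } }
    }
}

function Get-SensitiveDirectoryEvents {
    param([string]$DomainController, [datetime]$Since)
    # Pulls the events above from one DC's Security log and flattens the EventData
    # fields (SubjectUserName, TargetUserName, MemberName, ObjectDN) for triage.
    Get-WinEvent -ComputerName $DomainController -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = [int[]]$SensitiveEventIds.Keys; StartTime = $Since
    } | ForEach-Object {
        $x = [xml]$_.ToXml(); $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $target = if ($data['TargetUserName']) { $data['TargetUserName'] } else { $data['ObjectDN'] }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            What   = $SensitiveEventIds[[int]$_.Id]
            Actor  = $data['SubjectUserName']   # who made the change
            Target = $target                    # account, group, or object changed
            Member = $data['MemberName']        # populated for 4728/4732/4756
        }
    }
}

function Find-GpoGrantingTcb {
    # Flags any GPO whose XML report assigns SeTcbPrivilege; a new hit in a GPO
    # linked to domain controllers or workstations deserves an immediate look.
    foreach ($gpo in Get-GPO -All) {
        if ((Get-GPOReport -Guid $gpo.Id -ReportType Xml) -match 'SeTcbPrivilege') {
            [pscustomobject]@{ Gpo = $gpo.DisplayName; Id = $gpo.Id; Modified = $gpo.ModificationTime }
        }
    }
}

# --- Constructed sample (no domain needed): an attacker-added Domain Admin and a
# --- removed Enterprise Admin should both surface. SIDs are made up.
$baseline = @{
    'Domain Admins'     = @('S-1-5-21-1-2-3-500', 'S-1-5-21-1-2-3-1104')
    'Enterprise Admins' = @('S-1-5-21-1-2-3-500')
}
$current = @{
    'Domain Admins'     = @('S-1-5-21-1-2-3-500', 'S-1-5-21-1-2-3-1104', 'S-1-5-21-1-2-3-2231')
    'Enterprise Admins' = @()
}
Compare-PrivilegedMembership -Baseline $baseline -Current $current | Format-Table -AutoSize

# Live use on a domain-joined host (dc01 is a placeholder):
#   Get-PrivilegedMembership | Export-Clixml .\ad-priv-baseline.xml        # take the baseline once
#   Compare-PrivilegedMembership -Baseline (Import-Clixml .\ad-priv-baseline.xml) -Current (Get-PrivilegedMembership)
#   Get-SensitiveDirectoryEvents -DomainController dc01 -Since (Get-Date).AddHours(-24)
#   Find-GpoGrantingTcb
```

Two caveats a practitioner should keep in mind. The group-management events (4728/4732/4756) only appear if the "Security Group Management" audit subcategory is enabled, and 5136 additionally needs "Directory Service Changes" auditing plus a SACL on the objects you care about, so check the audit policy before trusting an empty result. And because the threat model here is a compromised administrative account, the baseline file is only useful if it is stored where a Domain Admin cannot quietly rewrite it; a snapshot kept on a domain-joined file share is not a trustworthy reference after the domain has been taken over.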

Egregor is a relatively new player on the scene, and we expect to see the name in more headlines in the months to come. You already know that if Active Directory falls, so can the rest of your network. So, the latest Egregor ransomware attack on Kmart should be a reminder that Active Directory requires special attention within your cybersecurity strategy. First, protect it fiercely, keeping threat actors out. Second, assume that even with a defense-in-depth strategy in place just for Active Directory, there will still be an attack someday that gets past the defenses, requiring you to be able to recover Active Directory to its pre-attack state – whether a single modification, the entire forest, or something in between.