The Weaponization of Active Directory: An Inside Look at Ransomware Attacks Ryuk, Maze, and SaveTheQueen

By Thomas Leduc October 02, 2020 | Active Directory

Like never before, Active Directory (AD) is in the attackers’ crosshairs. In this blog, we’ll examine how ransomware attacks are abusing AD and how enterprises can evolve their defensive strategies to stay ahead of attackers.  

First, a quick note about the recent privilege escalation vulnerability dubbed Zerologon, which allows an unauthenticated attacker with network access to a domain controller to fully compromise Active Directory identity services. Rated 10 out of 10 for severity by the Common Vulnerability Scoring System (CVSS), Zerologon has raised serious concerns about AD security. To that, I say it’s about time. Zerologon is just the latest of many new threats targeting AD. It’s high time to re-examine the security of your AD. 

Ransomware Attacks Exploiting Active Directory

The ransomware business is booming.

In the past year, targeted ransomware attacks against government agencies, educational establishments, and healthcare providers have raised the stakes for those charged with protecting organizations. Ransomware attacks not only damage business, but also put health, safety, and lives at risk. And, victims that facilitate negotiations with ransomware extortionists could face steep fines from the U.S. federal government.

In the not-so-distant past, ransomware was primarily a consumer threat. But today, ransomware threat actors launch sophisticated campaigns reminiscent of APT-style attacks, where the goals of maintaining persistence, data theft, and extortion exist alongside efforts to encrypt files.

Rather than the indiscriminate, automated attacks historically associated with ransomware, modern attackers carry out human-operated ransomware campaigns that utilize tools like BloodHound, Mimikatz, and PowerSploit to gather useful information about the Active Directory environment, perform reconnaissance, steal credentials, and move deeper into the network.

Take, for example, the Ryuk ransomware, which the security community has linked to multiple attack campaigns in the past year. In many of these targeted attacks, Ryuk was the final payload, but the attack began with TrickBot or Emotet. Those pieces of malware would, in turn, download tools like Cobalt Strike and PowerShell Empire. The threat actors would then begin to conduct reconnaissance and steal credentials, using the BloodHound component called SharpHound to collect information about the Active Directory environment and map possible attack paths. Ryuk added a disturbing twist for AD: the ransomware would get pushed to unsuspecting users via AD Group Policy Objects (GPOs). In one incident, reported by the security publication Dark Reading, the attackers broke into AD servers using the Remote Desktop Protocol (RDP) and inserted Ryuk into the AD logon script, infecting everyone who logged into that AD server.

Unfortunately, this type of abuse of Active Directory is not unique to Ryuk. Malicious actors using the Maze ransomware follow a similar pattern, deploying the ransomware post-compromise and perpetrating data theft. Recently, the ransomware was linked to an attack on the Fairfax County public school system in Virginia. In an analysis of Maze from May 2020, researchers at FireEye noted that malicious emails and RDP were observed among the initial methods of compromise, and that the attackers sought to gain access to multiple domain and local system accounts. To escalate privileges and identify attack paths, the attackers frequently leveraged the previously mentioned open-source hacking tools to break into Active Directory. After data exfiltration, the ransomware was deployed in various ways, including an incident where the attacker used a domain administrator account to log in and infect multiple systems.

In another example of how Active Directory is being targeted, security researchers recently spotlighted a strain of ransomware dubbed SaveTheQueen that has been observed using the SYSVOL share on AD domain controllers to propagate throughout the environment. Accessing the SYSVOL share—which is used to deliver policy and logon scripts to domain members—typically requires elevated privileges and indicates a serious AD compromise.

Mitigating Risk to Active Directory

The elevated risk ransomware poses to Active Directory means that organizations need to elevate their focus on AD security and recovery. Post-compromise, Zerologon is exactly the type of vulnerability attackers could use to take over AD and leverage it to spread malware. The immediate step is to reduce the attack surface. Implementing effective network segmentation, admin tiering, and the principle of least privilege to constrain access raises the difficulty for intruders. By adopting best practices and remediating unpatched systems, enterprises can push otherwise low-hanging fruit out of the reach of attackers.

Examining the attacks above, there are some additional steps organizations can take. The change in tactics by ransomware operators is a reminder of the importance of defense in depth. Anti-malware capabilities on endpoints are still vital for stopping infections. Additionally, the unauthorized presence of otherwise legitimate pen-testing tools like BloodHound should trigger an alert that something is amiss, as should a substantial number of failed login attempts involving Remote Desktop.

Tightening defenses also means making it more difficult to abuse Active Directory, which requires monitoring AD for unauthorized changes. At Semperis, our solutions provide continuous monitoring and vulnerability assessment for AD, as well as the ability to roll back any unauthorized changes without administrator involvement. For example, if a user is suspiciously added to a privileged group, this change will be detected and automatically undone to prevent potential damage. This kind of continuous monitoring must extend to event logs, because many attackers will clear the Security event log to remove traces of their activity.
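As an added example (not code from the original post or from any Semperis product), the script below checks a domain controller for the three signals discussed in this section: a member added to a privileged group, the Security log being cleared, and recently changed logon scripts or GPO files in SYSVOL. It assumes an elevated session on a DC (or RSAT against one), that `$env:USERDNSDOMAIN` resolves to the domain, and the `$PrivilegedGroups` list is an assumed starting point you should extend for your forest.

```powershell
# Added defensive example: surface AD abuse patterns described in the article.
#   1. member added to a privileged group  (Security event IDs 4728/4732/4756)
#   2. Security log cleared                 (Security event ID 1102)
#   3. logon scripts / GPO payloads changed in SYSVOL
param(
    [int]$Hours = 24,
    # Assumed list; add any group that is privileged in your environment.
    [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
)
$since = (Get-Date).AddHours(-$Hours)

# 1. Privileged group membership changes (who added whom to which group)
$groupEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = $since } -ErrorAction SilentlyContinue
foreach ($e in $groupEvents) {
    $x = [xml]$e.ToXml()
    $d = @{}
    $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    if ($PrivilegedGroups -contains $d.TargetUserName) {
        Write-Warning ("{0}  {1}\{2} added {3} to {4}" -f $e.TimeCreated, $d.SubjectDomainName, $d.SubjectUserName, $d.MemberName, $d.TargetUserName)
    }
}

# 2. Security log cleared: attackers do this to erase the evidence of step 1
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $u = ([xml]$_.ToXml()).Event.UserData.LogFileCleared
        Write-Warning ("{0}  Security log cleared by {1}\{2}" -f $_.TimeCreated, $u.SubjectDomainName, $u.SubjectUserName)
    }

# 3. Recently modified scripts or executables in SYSVOL (logon scripts, GPO files)
# Assumes USERDNSDOMAIN is set; replace with your domain's DNS name otherwise.
$sysvol = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN"
Get-ChildItem -Path $sysvol -Recurse -File -Include *.bat, *.cmd, *.ps1, *.vbs, *.exe -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $since } |
    ForEach-Object { Write-Warning ("{0}  SYSVOL file changed: {1}" -f $_.LastWriteTime, $_.FullName) }
```

Any warning from sections 1 or 2 outside a known change window, or a SYSVOL script modified by anyone other than your GPO change process, is worth treating as an incident rather than noise.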

From the standpoint of Active Directory recovery, organizations need to adjust their response plans to include preparations for ransomware attacks. In that scenario, any network-connected system may be affected. To prepare, backups should be saved on a non-domain-joined server and offsite. Surprisingly, many organizations have not even tested their AD cyber disaster recovery plans. In fact, according to our 2020 survey of identity-centric security leaders, 21% of respondents said they had no plan at all. This discovery is alarming given the rise of fast-moving ransomware attacks and the widespread impact of an AD outage. Poor preparation will increase the downtime and costs associated with a ransomware attack.

It’s impossible to stop every attack, especially as remote workforces rapidly expand the attack surface. But you can control how resilient you are. Your business depends on it.
