Luis Rodriguez

A new ransomware threat...

BlackCat, the latest ransomware threat targeting Active Directory, is spreading globally, hitting companies in sectors such as banking, construction and engineering, retail, transportation, business services and telecommunications, among others, in regions including North America and Europe.

ALPHV, as this strain is also known, has proven highly effective since it emerged in November 2021: it is estimated to have demanded ransoms of more than $10 million and has compromised a considerable number of organizations worldwide, unfortunately including some in Mexico. It steals and encrypts data, which it threatens to publish on the dark web if the ransom is not paid, and it applies "triple extortion" by also threatening affected organizations with denial-of-service attacks. BlackCat is human-operated and command-line driven, so its operators can adapt each intrusion and traditional detection tools struggle to alert on its presence on a system. It supports several encryption modes, and once its operators hold administrative privileges it spreads to other hosts, encrypts other devices and wipes data that cannot be recovered, including backups and virtual machines.

In the end, the attacker takes complete control of the domain and pushes the final payload to the organization's computers through a Group Policy Object. It is worth remembering that AD is the identity platform most enterprises rely on; once it is compromised, attackers have what they need to escalate privileges, disable security tools and move laterally across the organization.

Cybersecurity professionals are adopting a more comprehensive model that includes detecting and preventing attacker reconnaissance, along with other signals that a domain is being compromised. One option gaining attention is the category Gartner has dubbed Identity Threat Detection and Response (ITDR, often marketed simply as IDR), which complements existing controls such as endpoint protection with visibility into credentials and the directory, and with the ability to detect and defend against critical events such as credential theft and misuse and attempts to tamper with Active Directory. Given how quickly these attacks spread once a domain is compromised, IDR tools are becoming critical components of enterprise security portfolios, and for good reason: they protect user credentials and AD objects while reducing the attack surface through visibility into on-premises and cloud exposures. They help security managers close exposures an attacker could exploit and identify attacks such as suspicious account changes, brute-force attempts, dangerous delegation settings and domain replication activity (a principal holding replication rights can pull password hashes directly from a domain controller).
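Two of the exposures listed above, dangerous delegation and replication rights on the domain, can be audited with the standard RSAT ActiveDirectory module before any IDR product is involved. The script below is an added example written for this page, not code from the original post or from any IDR vendor. It assumes a domain-joined host with the ActiveDirectory module installed, run as an account that can read the domain naming context's ACL; the list of principals expected to hold replication rights is an assumption to be reconciled with your own documented defaults. It only reads the directory and prints findings; nothing is changed.

```powershell
# Added example (not from the original post): read-only audit of delegation
# settings and domain-replication rights, two exposures IDR tooling flags.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$findings = [System.Collections.Generic.List[object]]::new()

# --- 1. Dangerous delegation ------------------------------------------------
# TRUSTED_FOR_DELEGATION (0x80000 = 524288): unconstrained delegation. Any user
# who authenticates to this host hands it a reusable TGT. Domain controllers
# (primaryGroupID 516) and RODCs (521) are excluded: they legitimately hold it.
$uacBit = 'userAccountControl:1.2.840.113556.1.4.803:'
Get-ADObject -LDAPFilter "(&($uacBit=524288)(!(primaryGroupID=516))(!(primaryGroupID=521)))" |
    ForEach-Object {
        $findings.Add([pscustomobject]@{ Finding = 'UnconstrainedDelegation'
                                         Object  = $_.DistinguishedName
                                         Detail  = '' })
    }

# TRUSTED_TO_AUTH_FOR_DELEGATION (0x1000000 = 16777216): constrained delegation
# with protocol transition. The account can mint tickets for any user to its
# target SPNs without that user ever authenticating to it.
Get-ADObject -LDAPFilter "($uacBit=16777216)" -Properties 'msDS-AllowedToDelegateTo' |
    ForEach-Object {
        $findings.Add([pscustomobject]@{ Finding = 'ConstrainedDelegationWithProtocolTransition'
                                         Object  = $_.DistinguishedName
                                         Detail  = ($_.'msDS-AllowedToDelegateTo' -join ';') })
    }

# Resource-based constrained delegation: an attacker who can write to a computer
# object can set this attribute to let an account they control impersonate
# users to that computer, so every populated instance deserves a review.
Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' |
    ForEach-Object {
        $findings.Add([pscustomobject]@{ Finding = 'ResourceBasedConstrainedDelegation'
                                         Object  = $_.DistinguishedName
                                         Detail  = '' })
    }

# --- 2. Replication rights on the domain naming context --------------------
# These extended rights let a principal ask a DC to replicate password hashes
# to it (the "DCSync" technique). Only DCs and tier-0 admins should hold them.
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
# Assumed baseline of expected holders (example only; reconcile with your own
# documented defaults before trusting the output).
$nb = $domain.NetBIOSName
$expectedHolders = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'BUILTIN\Administrators',
    "$nb\Domain Controllers", "$nb\Enterprise Read-only Domain Controllers",
    "$nb\Domain Admins", "$nb\Enterprise Admins"
)
$genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$acl = Get-Acl -Path "AD:\$domainDN"
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    Where-Object {
        # GenericAll on the whole domain object implies every extended right.
        $replRights.ContainsKey($_.ObjectType.ToString()) -or
        $_.ActiveDirectoryRights.HasFlag($genericAll)
    } |
    Where-Object { $expectedHolders -notcontains $_.IdentityReference.Value } |
    ForEach-Object {
        $key   = $_.ObjectType.ToString()
        $right = if ($replRights.ContainsKey($key)) { $replRights[$key] } else { 'GenericAll' }
        $findings.Add([pscustomobject]@{ Finding = 'UnexpectedReplicationRight'
                                         Object  = $_.IdentityReference.Value
                                         Detail  = $right })
    }

$findings | Format-Table -AutoSize
```

Run it periodically and diff the output: a new principal appearing under UnexpectedReplicationRight, or a freshly populated msDS-AllowedToActOnBehalfOfOtherIdentity on a server, is exactly the kind of directory change an attacker makes before the ransomware stage, and it is far cheaper to catch here than after the Group Policy deployment.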

With proper identity assurance it is possible to keep attackers from moving through the network undetected, whatever code or techniques they use. Asked which measures they plan to implement to harden their systems against future attacks, a large share of surveyed organizations mentioned educating employees to protect endpoints; more than 60% said changing passwords; and fewer than half said they would add AD to their monitoring program. Allocating more resources to fighting ransomware is good news, but AD deserves far more attention than that.

Against ransomware, the recommendation is to deploy security controls capable of detecting lateral movement and other attacker activity inside the network, so that the early signs of an intrusion are caught before the final payload is deployed.


