Ransomware attacks continue to rock organizations across the globe. Of particular concern is that many of them leverage Active Directory (AD), the identity and management backbone of most enterprise Windows networks.
Access to an organization's AD is invaluable to attackers for two main reasons. First, AD stores a plethora of identity-related information, including user permissions, credential material such as password hashes, and the devices on the network. Second, it provides central management for network entities of every kind, including servers, workstations, and applications, so whoever controls AD can push changes to all of them at once.
Take for example LockBit 2.0, an enhanced version of the LockBit ransomware first discovered in 2019. The LockBit gang distributes the malware under the Ransomware as a Service model: the developers package the malware with all the tooling needed to carry out an attack and sell it to affiliates, who carry out the intrusions. Security researchers have found that the new variant, active since June 2021, is marketed by its developers as the fastest ransomware on the market because it can automatically encrypt every domain-joined system in the network by taking advantage of AD Group Policy.
Group Policy is a feature of AD that allows administrators to centrally manage domain-joined users and computers. Administrators can prevent users from installing third-party software, configure scripts that run when a device starts or shuts down, block access to the command prompt, and more. Simply put, with Group Policy, administrators control the operation of every device on the network; without it, they would have to log in to each computer individually to make changes. The same property makes it dangerous in the wrong hands: Group Policy Objects (GPOs) live in AD and SYSVOL, and every domain-joined machine pulls and applies them on its regular policy refresh, so anyone who can create or edit a GPO on the domain controller can change every computer in the domain without touching them one by one.
In the case of LockBit 2.0, researchers found that once the ransomware reaches the domain controller (DC), it creates group policies that turn off Windows Defender and run the ransomware module on each machine. No per-host lateral movement is needed: the domain's own management channel delivers the payload.
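The abuse described above leaves a footprint an administrator can look for: a GPO that turns off Defender and a GPO that launches something on every host, typically created or modified shortly before encryption starts. The following PowerShell audit is an added example, not code from the original post or from ManageEngine, and it assumes the GroupPolicy RSAT module and a domain-joined session; the indicator strings, the 7-day window, and the output shape are assumptions for illustration rather than a published detection.

```powershell
# Added example (not code from the original post or from ManageEngine): audit every
# GPO in the domain for the two ingredients LockBit 2.0 is reported to combine, a
# policy that turns off Windows Defender and a startup script or scheduled task that
# launches a payload, and flag GPOs changed recently. Requires the GroupPolicy RSAT
# module and a domain-joined session. The indicator strings and the 7-day window
# are assumptions; adjust them to your environment.
Import-Module GroupPolicy

$recentDays   = 7
$recentCutoff = (Get-Date).AddDays(-$recentDays)

# Strings that appear in a GPO XML report when these settings are configured (assumed indicators).
$defenderIndicators = @(
    'Turn off Microsoft Defender Antivirus',   # ADMX policy name on newer builds
    'Turn off Windows Defender',               # older builds / Windows Defender Antivirus
    'Turn off real-time protection',
    'DisableAntiSpyware',                      # registry value written by the policy or a GPP item
    'DisableRealtimeMonitoring'
)
$executionIndicators = @(
    '<Script>',            # Startup/Shutdown/Logon/Logoff scripts
    'ScheduledTasks',      # Group Policy Preferences scheduled tasks
    'ImmediateTask'        # GPP "immediate" task: runs as soon as policy applies
)

$results = foreach ($gpo in Get-GPO -All) {
    # Get-GPOReport returns the whole report as one XML string; substring matches are
    # namespace-agnostic, which keeps the check simple.
    $xml = Get-GPOReport -Guid $gpo.Id -ReportType Xml

    $defenderHits  = @($defenderIndicators  | Where-Object { $xml -match [regex]::Escape($_) })
    $executionHits = @($executionIndicators | Where-Object { $xml -match [regex]::Escape($_) })
    $linked        = $xml -match '<LinksTo>'   # an unlinked GPO does nothing until someone links it

    [pscustomobject]@{
        Name             = $gpo.DisplayName
        Id               = $gpo.Id
        Modified         = $gpo.ModificationTime
        Recent           = $gpo.ModificationTime -gt $recentCutoff
        Linked           = $linked
        DisablesDefender = $defenderHits.Count -gt 0
        RunsSomething    = $executionHits.Count -gt 0
        Indicators       = ($defenderHits + $executionHits) -join ', '
    }
}

# Highest priority: a GPO that both disables Defender and executes something, especially
# when it is linked and was changed within the window. Review the rest of the list too.
$results |
    Where-Object { $_.DisablesDefender -or $_.RunsSomething } |
    Sort-Object Recent, Modified -Descending |
    Format-Table Name, Modified, Recent, Linked, DisablesDefender, RunsSomething, Indicators -AutoSize
```

Run it from a workstation with the Group Policy Management tools installed, as an account that can read all GPOs. Legitimate GPOs that deploy scripts or manage Defender will appear as well; the point is that the combination of a Defender-disabling setting, an execution mechanism, and a recent modification time is rare enough to be worth a manual look every time it shows up. Scheduling the script and diffing its output against the previous run turns it into a simple change detector for the domain's policy.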
Likewise, other strains of ransomware such as Conti also rely on taking control of the DC and spreading to devices on the network.
Weak AD configurations are what give attackers the foothold that leads to the DC: weak passwords on user accounts, including domain administrator accounts; inactive accounts whose passwords never expire; and privileges that were granted once and never reviewed. To avoid falling prey to ransomware attacks, organizations must step up efforts to strengthen AD security.
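The weaknesses listed above are all visible from the AD module. The following PowerShell hygiene audit is an added example, not code from the original post or from ManageEngine; it assumes the ActiveDirectory RSAT module and a domain-joined session, and the 90-day inactivity threshold, 365-day password-age threshold, and privileged-group list are assumptions to adjust to your own policy.

```powershell
# Added example (not code from the original post or from ManageEngine): a quick
# hygiene audit for the AD weaknesses named above: inactive accounts with
# non-expiring passwords, accounts exempt from the password policy, and stale or
# unexpected membership in privileged groups. Requires the ActiveDirectory RSAT
# module and a domain-joined session. The thresholds and the group list are
# assumptions; adjust them to your own policy.
Import-Module ActiveDirectory

$inactiveDays    = 90
$maxPasswordDays = 365
$inactiveCutoff  = (Get-Date).AddDays(-$inactiveDays)
$passwordCutoff  = (Get-Date).AddDays(-$maxPasswordDays)

# 1. Enabled accounts whose password never expires and that have not logged on recently
#    (or never). These are the forgotten accounts an attacker can keep using indefinitely.
$staleNonExpiring = @(
    Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' `
               -Properties LastLogonDate, PasswordLastSet |
        Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $inactiveCutoff } |
        Select-Object SamAccountName, LastLogonDate, PasswordLastSet
)

# 2. Enabled accounts the domain allows to have no password at all (PASSWD_NOTREQD flag).
#    They bypass the minimum-length and complexity policy entirely.
$noPasswordRequired = @(
    Get-ADUser -Filter 'Enabled -eq $true -and PasswordNotRequired -eq $true' |
        Select-Object SamAccountName, DistinguishedName
)

# 3. Who actually sits in the highly privileged groups, resolved through nested groups,
#    with password age and last logon so stale or unexpected members stand out.
$privilegedGroups  = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$privilegedMembers = foreach ($group in $privilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties PasswordLastSet, LastLogonDate, PasswordNeverExpires |
        ForEach-Object {
            [pscustomobject]@{
                Group                = $group
                SamAccountName       = $_.SamAccountName
                Enabled              = $_.Enabled
                PasswordNeverExpires = $_.PasswordNeverExpires
                PasswordOlderThanMax = (-not $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $passwordCutoff)
                LastLogonDate        = $_.LastLogonDate
            }
        }
}

"Inactive accounts with non-expiring passwords: $($staleNonExpiring.Count)"
$staleNonExpiring | Format-Table -AutoSize
"Enabled accounts with PasswordNotRequired set: $($noPasswordRequired.Count)"
$noPasswordRequired | Format-Table -AutoSize
"Privileged group membership (review every row):"
$privilegedMembers | Sort-Object Group, SamAccountName | Format-Table -AutoSize
```

Password strength itself cannot be judged from the directory attributes, so this script checks the settings that let weak or stale passwords survive (never expiring, not required, or very old on a privileged account) rather than the passwords. Every account in the third table should map to a named person or a documented service with a current business reason; anything else is a candidate for removal, and any privileged account whose password never expires or is older than the threshold is the kind of account that gets an attacker to the DC.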
Download our ransomware guide to learn more about:
Real examples of ransomware attacks that exploited AD.
Common stages of a ransomware attack involving the exploitation of AD.
Five defenses that can stop ransomware from taking hold of AD.
The post Ransomware: How attackers weaponize Active Directory and what defense measures can stop them [Free e-book] first appeared on ManageEngine Blog.
*** This is a Security Bloggers Network syndicated blog from ManageEngine Blog written by Aangeeras. Read the original post at: https://blogs.manageengine.com/active-directory/ad360/2021/10/28/ransomware-how-attackers-weaponize-active-directory-and-what-defense-measures-can-stop-them-free-e-book.html