It is important to remember that most ransomware threat actors are motivated by money. While some state-sponsored attacks are carried out for non-monetary reasons, ransomware for the most part is a business, albeit a highly disreputable one. It is also a game of analytics: ransomware organizations know from experience that they can expect a payout from a predictable percentage of their attacks. That means they must conduct their attacks as efficiently as possible and move on when it becomes evident that an attack isn't going to pan out. Successful ransomware organizations know how to target the systems that give them the most leverage. That's why good ransomware business means targeting Active Directory (AD).
Active Directory is an on-premises directory service developed by Microsoft for the Windows domain, and it has been around for more than 20 years.
Traditional on-prem AD shouldn't be confused with Azure AD (now Microsoft Entra ID), which resides in the cloud. Although they perform similar roles, their architectures are completely different. While many new business startups are choosing to be cloud-first organizations, the vast majority of established companies still run on-prem AD.
A Windows server that hosts AD is referred to as a domain controller (DC). Collectively, the domain controllers act as the central authority for authenticating domain objects such as users and computers. Domain admins use the tools hosted on these DCs to manage the domain.
Here are four reasons why AD is highly targeted in ransomware attacks.
Active Directory serves as a central repository for domain user and computer accounts. Want an inventory of every domain-joined computer in the network? AD has that list. It also contains the membership lists of all domain groups.
In addition, AD contains information outlining the organization's domain architecture (sites, subnets, organizational units, and trusts). DCs frequently host other information-rich services such as DNS and DHCP that provide additional insight into the enterprise. Why run a noisy network scan when all of this resides on a single server and, by default, is readable by any authenticated domain user?
Cybercriminals use leverage to maximize their attack efficiency. Supply chain attacks are a good example of this. Why attack 50 separate companies when you can attack a single vendor connected to those same 50 companies?
Threat actors use AD for leverage as well. Every DC hosts the SYSVOL share, which delivers group policy objects (GPOs), logon scripts, and executables to domain-joined computers. SYSVOL is replicated to every other DC in the domain, so a change made on one DC reaches all of them.
Because every domain-joined computer reads from SYSVOL, it is the perfect "super spreader" for malicious code. One ransomware strain that uses SYSVOL as its delivery method is SaveTheQueen, which gets its name from the .SaveTheQueen extension it appends to every file it encrypts.
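Because SYSVOL is both the delivery channel and a replicated share, the practical defensive check is to know what changed in it and in the GPOs that point into it. The following PowerShell is an added example (not code from the original article or from any of the ransomware families it names): it hashes the SYSVOL tree into a baseline, diffs the current tree against that baseline, and lists GPOs modified in the last 24 hours together with whether they carry scheduled-task, script, or software-installation settings, the three mechanisms that push a payload to every client. It assumes the ActiveDirectory and GroupPolicy RSAT modules on a domain-joined admin host and a baseline path of C:\Baselines\sysvol-baseline.csv, both assumptions.

```powershell
# Added example, not from the original article. Assumes RSAT ActiveDirectory and
# GroupPolicy modules; the baseline path is an assumption.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = (Get-ADDomain).DNSRoot
$sysvol   = "\\$domain\SYSVOL\$domain"            # Policies\ and scripts\ live here
$baseline = 'C:\Baselines\sysvol-baseline.csv'     # assumed location, keep it off the DCs

function New-SysvolBaseline {
    # Record a SHA-256 for every file in SYSVOL so later runs can diff against it
    Get-ChildItem -Path $sysvol -Recurse -File |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Path, Hash |
        Export-Csv -Path $baseline -NoTypeInformation
}

function Compare-SysvolBaseline {
    # Emit one object per added, modified or deleted file relative to the baseline
    $old = @{}
    Import-Csv -Path $baseline | ForEach-Object { $old[$_.Path] = $_.Hash }
    $current = @(Get-ChildItem -Path $sysvol -Recurse -File | Get-FileHash -Algorithm SHA256)

    foreach ($f in $current) {
        if (-not $old.ContainsKey($f.Path)) {
            [pscustomobject]@{ Change = 'Added';    Path = $f.Path }
        } elseif ($old[$f.Path] -ne $f.Hash) {
            [pscustomobject]@{ Change = 'Modified'; Path = $f.Path }
        }
    }
    $seen = $current | ForEach-Object Path
    foreach ($p in $old.Keys) {
        if ($seen -notcontains $p) { [pscustomobject]@{ Change = 'Deleted'; Path = $p } }
    }
}

function Get-RecentGpoChanges {
    # GPOs touched recently, flagged by the settings types that can run code on clients.
    # The flags are plain string matches on the XML report, which is all that is needed
    # to decide which GPOs deserve a closer look.
    param([int]$Hours = 24)
    Get-GPO -All |
        Where-Object { $_.ModificationTime -gt (Get-Date).AddHours(-$Hours) } |
        ForEach-Object {
            $report = Get-GPOReport -Guid $_.Id -ReportType Xml
            [pscustomobject]@{
                Name             = $_.DisplayName
                Modified         = $_.ModificationTime
                HasScheduledTask = $report -match 'ScheduledTasks'
                HasScript        = $report -match 'Scripts'
                HasSoftwareInst  = $report -match 'Software ?Installation'
            }
        }
}

# Usage: run New-SysvolBaseline once after a reviewed, known-good state, then schedule the checks.
# Any new executable or script in SYSVOL, or any GPO that gained a scheduled task,
# deserves an immediate look.
Compare-SysvolBaseline |
    Where-Object { $_.Change -ne 'Deleted' -and $_.Path -match '\.(exe|dll|ps1|bat|cmd|vbs|msi)$' } |
    Format-Table -AutoSize
Get-RecentGpoChanges -Hours 24 | Format-Table -AutoSize
```

Keep the baseline file somewhere the DC's own credentials cannot reach; a baseline stored in SYSVOL is just one more file the attacker can rewrite.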
You can't infect a domain with ransomware using an account that has only read rights to everything; ransomware requires higher-level access to get things done. AD contains the high-privilege user accounts and groups that threat actors need to carry out their attacks. Gaining access to an account that has membership in the Enterprise Admins or Domain Admins group is a high priority.
For instance, users with high-level admin rights can take ownership of any object across the domain and change its attributes and settings. Ransomware strains such as LockBit 2.0 use admin rights to create GPOs that deploy the ransomware to every domain-joined computer. The same privileges are used to alter Windows Defender configuration to avoid detection, stop designated services, and execute PowerShell scripts.
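Since membership in these groups is what the attacker is hunting for, the first thing to know is who actually holds it, including through nested groups, and which of those accounts are easy to take over. The PowerShell below is an added example, not code from the original article: it expands the privileged groups recursively and flags members whose password never expires, whose password is older than a threshold, that carry a service principal name (and are therefore exposed to Kerberoasting), or that have never logged on. It assumes the ActiveDirectory RSAT module; the 90-day password-age threshold is an assumed policy value.

```powershell
# Added example, not from the original article. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Groups that can take ownership of anything in the domain or forest
$privilegedGroups   = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$maxPasswordAgeDays = 90   # assumed policy threshold

function Get-PrivilegedAccountReport {
    # Expand each group recursively so nested groups do not hide members.
    # Enterprise/Schema Admins only exist in the forest root domain, hence SilentlyContinue.
    $members = foreach ($g in $privilegedGroups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' } |
            Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName
    }

    $members | Group-Object -Property SamAccountName | ForEach-Object {
        $u = Get-ADUser -Identity $_.Name -Properties PasswordLastSet, PasswordNeverExpires,
                ServicePrincipalName, LastLogonDate, Enabled
        $age = if ($u.PasswordLastSet) { (New-TimeSpan -Start $u.PasswordLastSet -End (Get-Date)).Days } else { $null }

        # Each flag is a reason this account is easier to steal or harder to notice being stolen
        $risk = @(
            if ($u.PasswordNeverExpires)                              { 'never-expires' }
            if ($null -eq $age -or $age -gt $maxPasswordAgeDays)      { 'stale-password' }
            if ($u.ServicePrincipalName)                              { 'kerberoastable' }
            if ($u.Enabled -and -not $u.LastLogonDate)                { 'never-logged-on' }
        )

        [pscustomobject]@{
            Account              = $u.SamAccountName
            Groups               = ($_.Group.Group | Sort-Object -Unique) -join ';'
            Enabled              = $u.Enabled
            PasswordAgeDays      = $age
            PasswordNeverExpires = $u.PasswordNeverExpires
            HasSPN               = [bool]$u.ServicePrincipalName
            LastLogon            = $u.LastLogonDate
            Risk                 = $risk -join ','
        }
    }
}

# Usage: review the list, then shrink it. Every entry is a target worth a ransom.
Get-PrivilegedAccountReport | Sort-Object Account | Format-Table -AutoSize
```

The number of rows is the number of credentials an attacker needs to steal one of; the goal of running this regularly is to make that number small and every remaining account unattractive (short-lived passwords, no SPN, no interactive logon from ordinary workstations).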
To increase the odds of getting paid, ransomware attackers must inflict the greatest possible damage on an organization's operations. They also need to stifle remediation in order to thwart recovery. Is there anything more destructive to a domain enterprise than losing access to its entire AD?
Organizations have learned about the value of a good backup in combating ransomware. As long as backups remain untouched during an attack, a company can fully recover from a ransomware attack once it is contained.
But while companies are proving more vigilant in their data backup efforts, too many organizations fail to back up their AD infrastructure. They rely on replication as a decentralized backup to create resiliency, so that if one DC goes down, another is still operational. The problem is that replication is not a backup: a malicious GPO or a tampered logon script placed in SYSVOL is replicated to every DC within minutes, and a payload that encrypts or wipes the DCs is deployed to all of them at once, leaving nothing to fail over to.
Backing up AD is more complex than backing up file data, because a DC requires a system state backup (the AD database, SYSVOL, and the registry). Too often, system state backups are not performed frequently enough, which means the latest AD modifications can't be restored. Worse, a system state backup older than the forest's tombstone lifetime cannot be restored at all, so a backup that was never refreshed is as good as no backup.
A great example of this was the NotPetya attack of 2017, which hit the logistics company Maersk. The malware rendered the company's roughly 150 DCs unusable. Unfortunately, the IT department had never planned for such a scenario and had no system state backup to fall back on. A stroke of luck saved them: a remote office had experienced a power outage just before the attack, which disconnected its local DC from the network and left it intact.
When AD is down, your company is down. You obviously can't count on a power outage to protect your AD from ransomware. Infiltrating your AD is like hitting the mother lode for ransomware attackers, so don't ignore the importance of a well-designed security strategy to protect your AD environment.
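The lesson of that incident is operational: take system state backups on the DCs, keep them off the domain, and verify that the most recent one is both fresh and still restorable. The PowerShell below is an added example, not code from the original article: it runs a system state backup with wbadmin and then reports, for every DC in the domain, the age of the last successful backup against two limits, a daily freshness threshold (assumed) and the forest tombstone lifetime read from the directory, beyond which a system state restore is no longer valid. It assumes the Windows Server Backup feature and the ActiveDirectory module are installed on the DCs, and that E: is a backup target volume not reachable with domain credentials (both assumptions).

```powershell
# Added example, not from the original article. Assumes Windows Server Backup
# and the ActiveDirectory module on each DC; E: is an assumed backup target.
Import-Module ActiveDirectory

function Start-DcSystemStateBackup {
    # wbadmin is the supported way to capture system state (AD database, SYSVOL, registry)
    param([string]$Target = 'E:')
    & wbadmin.exe start systemstatebackup -backupTarget:$Target -quiet
}

function Test-DcBackupAge {
    param([int]$MaxAgeDays = 1)   # assumed: DCs should be backed up at least daily

    # Tombstone lifetime lives on the Directory Service object in the configuration partition.
    # A null value means the pre-Windows Server 2003 SP1 default of 60 days.
    $config = (Get-ADRootDSE).configurationNamingContext
    $dsa    = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$config" -Properties tombstoneLifetime
    $tsl    = if ($dsa.tombstoneLifetime) { $dsa.tombstoneLifetime } else { 60 }

    # Windows Server Backup records its last successful run locally
    $last = (Get-WBSummary).LastSuccessfulBackupTime
    $age  = if ($last) { (New-TimeSpan -Start $last -End (Get-Date)).Days } else { $null }

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        LastSuccessfulBackup = $last
        AgeDays              = $age
        TombstoneLifetime    = $tsl
        Status               = if ($null -eq $age)             { 'NO BACKUP' }
                               elseif ($age -ge $tsl)          { 'UNRESTORABLE (older than tombstone lifetime)' }
                               elseif ($age -gt $MaxAgeDays)   { 'STALE' }
                               else                            { 'OK' }
    }
}

# Usage, from an admin workstation: check every DC in the domain in one pass.
# Run Start-DcSystemStateBackup on a DC (or as a scheduled task there) to create the backup itself.
$dcs = (Get-ADDomainController -Filter *).HostName
Invoke-Command -ComputerName $dcs -ScriptBlock ${function:Test-DcBackupAge} |
    Select-Object Computer, LastSuccessfulBackup, AgeDays, TombstoneLifetime, Status |
    Format-Table -AutoSize
```

The check is deliberately run against all DCs rather than one: a single DC with a current backup is what saved Maersk, and a report that shows "OK" on one controller and "NO BACKUP" on the rest is exactly the gap this section is about. Copy the backup target off the network or onto immutable storage afterwards; a backup volume the ransomware can reach with DC credentials will be encrypted along with the DC.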