Ransomware and Active Directory


Active Directory and Ransomware

For several years, at least since the days of the SamSam ransomware, Active Directory and its associated services have played an important role in ransomware attacks. Whether ransomware groups are taking advantage of Active Directory’s structure to steal passwords, exploiting services running on Active Directory servers, or using Active Directory servers to directly push ransomware to the network, Active Directory has become a critical part of ransomware actors’ attack strategy.
Knowing that Active Directory services are critical to ransomware operations, it would make sense for organizations to take strong measures to protect their Active Directory servers and services. Unfortunately, that’s not the case. Active Directory is surprisingly hard to configure in a secure manner and, while no one has exact numbers, it appears that there are a lot of Active Directory installations with misconfigurations. This page offers an overview of how to avoid such problems in your organization.

Network Segmentation and Domain Controllers (DCs)

One of the best ways to limit the damage from a ransomware attack is to implement network segmentation. 

Network segmentation isolates the different parts of the network by function or role, ensuring that systems without a reason to communicate cannot do so easily. Despite the well-known role network segmentation plays in limiting ransomware attacks, one study found that only one in five organizations have actually implemented any network segmentation. Even among healthcare providers—one of the sectors most heavily targeted by ransomware groups—almost 25% haven’t implemented network segmentation.
Network segmentation offers a number of security benefits when it comes to ransomware attacks:
Offers a smaller attack surface in each segment
Makes it easier to isolate a ransomware attack in progress
Fits into a zero trust protection model
Helps protect sensitive data from being encrypted during an attack
Limits access to disaster recovery (DR) networks and cloud infrastructure
Can make it easier to spot attempts at lateral movement by ransomware groups

There are generally four technologies used to segment networks:

1. Virtual LANs (VLANs)
2. Firewalls
3. Software-defined network (SDN) segmentation
4. Microsegmentation
An example of network segmentation using a combination of segmentation types

Most organizations that use network segmentation employ a combination of network segmentation types to address different security needs. The diagram above shows a network design that uses a combination of VLANs running over wireless networks for the different departments and an internal firewall to segment off the server network. Each server network group is tagged into the departmental VLAN and segmented from the other server network groups.
The diagram also shows how network segmentation can limit the damage from a ransomware attack. If someone in the engineering group opens a phishing email message that launches a ransomware attack, the damage should be contained to the engineering network and possibly the engineering servers. Furthermore, if the firewall is properly configured to block potentially malicious traffic, such as attempted connections over TCP port 135 (RPC, the port used by WMI and PsExec) or TCP port 3389 (RDP), the ransomware might not even be able to spread to the servers. Segmentation certainly doesn’t stop a ransomware attack, but anything that can minimize the impact of an attack and help speed up the recovery process provides a lot of value.
However, there is a major flaw with the network in this diagram. All endpoints in the network are able to communicate with the Active Directory Domain Controller (DC) and vice versa. If a ransomware actor can access the DC using the tools discussed in this chapter, they gain the ability to distribute the ransomware to all VLANs on the network. How can organizations segment their networks while still making use of Active Directory?

The Importance of Network Segmentation

In March 2018, the city of Atlanta suffered a devastating ransomware attack. Courts were shut down, police services were disrupted, constituents couldn’t pay bills online, and the city had to temporarily shut down Wi-Fi services at Hartsfield-Jackson Airport.
One of the reasons the attack was so devastating was the lack of segmentation between the networks that housed the different parts of the city’s government. There’s no good reason that the network for the court system should have the ability to reach the network that controls the airport Wi-Fi hubs.
Proper network segmentation can help limit the damage that a ransomware attack can cause.
In March 2021, the City of Azusa Police Department also suffered a ransomware attack. There were a lot of things that went wrong, including the exfiltration of sensitive data by the DoppelPaymer ransomware group. However, because the networks were properly segmented, not only from the rest of the city but even within the police department itself, the attack surface for the ransomware actor was greatly reduced.
This meant that services like 911, emergency systems, and public safety services remained operational and untouched by the ransomware actor.

Segmenting Networks with DCs

The best way to segment networks while using Active Directory is to create a different DC for each network, referred to by Microsoft as an Active Directory tree. An Active Directory tree is a series of domains belonging to a single root. In the diagram below, each of the departmental DCs is a separate tree that is a child of the root DC (not shown in the diagram). The chart underneath the diagram shows a typical Active Directory tree structure.
An example of network segmentation with Active Directory trees and a separate administrative segment
The Active Directory tree of the network in the diagram above 

In addition to unique DCs for each network segment, the diagram above adds an administrative network segment. This is a separate VLAN for administrators of the network. The administrators can access all the VLANs, but the other VLANs can’t access the administrative VLAN. By moving all the administrators into a single VLAN, security teams can put additional security controls in place.
For example, if console access to the DCs is restricted to the administrative VLAN, a ransomware attacker who can access network administrator credentials won’t be able to access the DC to spread the ransomware. Of course, there are other ways to spread the ransomware with administrator credentials, but this type of network segmentation does limit the attack surface.
Combining network segmentation with a more secure and structured Active Directory deployment can limit the ability of a ransomware actor to conduct reconnaissance on the entire network and significantly improves the security of the organization against a ransomware attack overall.

Not a Single Panacea!

Even with all these precautions, if a ransomware actor manages to gain administrative credentials and access to the administrative network segment, they can do just as much damage as before. What these restrictions do is make both types of access harder to obtain. As with the other security steps outlined on this site, this protection should be used as part of an overall defensive strategy, not as a single panacea.

Local Administrative Access

Along with restricting where administrators can gain console access to the server farm, it’s also important to remove local administrative access to endpoints. This is one of those recommendations that’s generally acknowledged as a good idea, but that some organizations are hesitant to implement.
An organization’s recalcitrance is understandable, because restricting local administrative access to endpoints is a pain for both employees and administrators. Removing local administrative rights means that employees need help from network administrators to install new software on their systems. Depending on the employee and their role, this restriction could slow down productivity, and it creates more work for administrators.

But ransomware groups look for local administrative accounts during the reconnaissance stage of the ransomware attack. Multiple reports of ransomware attacks include the following command, which shows a list of local accounts that have administrative access:
Net localgroup Administrators
Although removing local administrative access from endpoints might result in more work, the precaution can help stop ransomware attacks when done in conjunction with other steps outlined on this page.

Gaining Access to the DC

Recruitment advertisement for affiliates from LockBit ransomware

A recruitment advertisement for LockBit ransomware is shown in the screenshot above. The ad promises, with red underlining, that all the affiliate needs to do is gain access to the DC and the LockBit PE will do the rest.
Not every ransomware group requires specific access to the DC, but many ransomware groups and affiliates prefer to launch from the DC because the DC generally has unrestricted access to the entire network. Even ransomware groups that don’t necessarily launch from the DC still rely on administrative credentials and benefit from the Active Directory environment.


AdFind

AdFind is a command-line tool used by ransomware actors and other intruders to query Active Directory during the reconnaissance stage of an attack. Ransomware groups and affiliates who’ve been known to use AdFind include:
Conti
REvil
Ryuk
Nefilim
Netwalker
Egregor
Undoubtedly, other groups have used it as well. Unlike Mimikatz, which is primarily used to collect passwords, AdFind is used to map out the Active Directory network and find other computers and groups that may be of interest to the ransomware actor. For example, the image below shows a list of Distinguished Names (DNs) pulled from the network’s DC. With a default configuration in place, DCs share a surprisingly large amount of information about the Active Directory domain with anyone who makes the correct queries.
AdFind Query for Distinguished Names on the DC
Unlike a lot of tools discussed throughout this site, AdFind isn’t designed to hide itself or avoid detection. A relatively simple Sigma rule, such as the one in the image below, can detect most uses of AdFind. The rule looks for some of the common command options used by ransomware actors with AdFind. This rule can be added to an organization’s endpoint detection and response (EDR) platform or used in the SIEM to monitor Windows Event logs.
Sigma rule for detecting AdFind use in the network
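Detection logic for the reconnaissance commands described on this page (the `net localgroup Administrators` enumeration in the Local Administrative Access section and the AdFind usage above), as an added Python example: it is not the Sigma rule in the screenshot and not code from any tool or group discussed. The AdFind command options it matches are an assumption about typical usage, the Sigma-like rule layout is a simplification, and the process-creation events are constructed samples.

```python
# Rules in the shape of a Sigma "selection": "<field>|<modifier>" keys, a list of
# alternatives per key (OR), and every key in the selection must match (AND).
RULES = {
    "AdFind AD reconnaissance": {
        # Command line only: intruders frequently rename adfind.exe (options are
        # an assumption about typical AdFind usage, not taken from the page).
        "CommandLine|contains": ["objectcategory=person", "objectcategory=computer",
                                 "trustdmp", "domainlist", "dcmodes", "-subnets", " -dn"],
    },
    "Local admin group enumeration": {
        "Image|endswith": ["\\net.exe", "\\net1.exe"],
        "CommandLine|contains": ["localgroup administrators"],
    },
}

def _field_matches(value, modifier, alternatives):
    v = value.lower()
    for alt in (a.lower() for a in alternatives):
        if (modifier == "contains" and alt in v) or (modifier == "endswith" and v.endswith(alt)):
            return True
    return False

def evaluate(event):
    """Return the names of every rule whose selection matches this event."""
    hits = []
    for name, selection in RULES.items():
        for key, alternatives in selection.items():
            field, modifier = key.split("|")
            if not _field_matches(event.get(field, ""), modifier, alternatives):
                break
        else:  # no key failed, so the whole selection matched
            hits.append(name)
    return hits
# Constructed process-creation events; field names mirror Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\jdoe\\Downloads\\af.exe",  # renamed AdFind binary
     "CommandLine": "af.exe -f objectcategory=computer -dn"},
    {"Image": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "net localgroup Administrators"},
    {"Image": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "net use Z: \\\\fileserver\\share"},
]

def scan(events):
    """Return (command line, triggered rules) for each event that alerts."""
    return [(e["CommandLine"], hits) for e in events if (hits := evaluate(e))]
if __name__ == "__main__":
    for cmd, rules in scan(SAMPLE_EVENTS):
        print(f"ALERT {rules}: {cmd}")
```

The third sample (an ordinary `net use`) produces no alert, which is the false-positive check a rule like this needs before it goes into an EDR or SIEM.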

Deploying Ransomware from the DC

Active Directory is important to ransomware actors during more than the reconnaissance stage. As mentioned in a previous section, the DC is sometimes used to deliver ransomware.

LockBit ransomware, for example, has several scripts that run once the ransomware actor has gained access to the DC. These scripts set up Group Policies to carry out the following tasks on all endpoints connected to that DC:
Disable security software
Stop services that might prevent files from being decrypted
Clear event logs
Deploy the ransomware

LockBit isn't the only ransomware group that takes advantage of the access offered by a DC to deliver ransomware; it just has the most advanced tooling to carry out this task (for now). The group behind Ryuk ransomware has also used the DC to deliver ransomware, and there are even more.
Active Directory security, and specifically DC security, is an important layer in ransomware defense. Ransomware groups have figured out how to take advantage of misconfigurations and other security leaks in Active Directory environments. The more an organization can do to shore up its Active Directory defense, the more likely the organization is to detect and stop a ransomware attack.

This site is adapted from a book on Ransomware. 