
Active Directory Ransomware Attacks

Organizations worldwide use Active Directory (AD) as their primary identity service, which makes it a top target for ransomware attacks. This article explains how adversaries exploit Active Directory during ransomware attacks and provides strategies and tools for defending against this modern menace.

The two phases of a ransomware attack

A common misconception about ransomware attacks is that they are quick: Someone opens an infected email attachment or inserts an infected USB device, and within minutes data across the network is encrypted and a ransom demand is displayed on every screen.

The reality is quite different. Ransomware attacks today tend to be quite sophisticated and methodical. To encrypt as much sensitive information as possible and therefore maximize the chances of receiving a high payout, attackers proceed in two phases:

  1. Find an entry point — The first step is to gain a foothold in the victim organization’s network. One common strategy is to compromise a user’s Active Directory credentials using tactics like phishing or password guessing.
  2. Extend their reach — With just an ordinary business user account, an adversary has limited access to critical systems and data. Accordingly, they look for weaknesses in Active Directory that they can exploit to expand their rights. One tactic is to add the account they already control to a security group that has more extensive permissions; this requires write access to the group’s membership, which delegated AD permissions grant more often than intended. Empty groups are a common target because they are probably not being managed carefully, so the addition of a new member may go unnoticed. Another option is to compromise other user accounts that already have privileged access, for example by obtaining cached admin credentials on the endpoint they already control.

Once the adversaries have the access they want, they run the ransomware to encrypt all the data they can reach, which can include content stored in the cloud. In many cases, they copy it before encryption so they can threaten to release it as additional leverage to get paid. They often also try to encrypt or delete backup data so that victims are more likely to comply with the ransom demand.

Ransomware attack methods that exploit Active Directory

Here are some ways that cybercriminals have exploited Active Directory to carry out ransomware attacks:

Breaching a network using a dormant AD account

In the 2021 attack on Colonial Pipeline, the DarkSide gang gained access to the network through a legacy VPN account that was no longer in use but had never been disabled and was not protected by multifactor authentication. The password is believed to have come from a list of common passwords or a dump of breached passwords circulating on the dark web. Dormant accounts are low-hanging fruit for threat actors: an account that is actually disabled cannot authenticate, but one that is merely unused still works, and its sudden activity is less likely to be noticed than unusual behavior on an account someone uses every day.

Spreading ransomware using Active Directory Group Policy

Group Policy is a powerful feature of Active Directory that administrators use to maintain security and user productivity. Ransomware actors can misuse Group Policy to spread their payloads.

For example, Ryuk ransomware has been distributed through Group Policy objects (GPOs) that the adversaries modify or create once they hold rights to edit Group Policy. Specifically, they add the payload as a logon or startup script in the GPO, so every user or computer within the GPO’s scope runs it at the next logon or boot, whichever domain controller they authenticate to. The domain controller itself is not the target; Group Policy simply turns it into a distribution point.

Spreading ransomware via Active Directory’s SYSVOL share

Another way that ransomware gangs exploit Active Directory is through the SYSVOL share. SYSVOL is replicated to every domain controller and holds the files that Group Policy distributes: policy templates, scripts and preference settings. It is readable by all authenticated users, and the folder belonging to a GPO is writable by anyone who can edit that GPO. Once adversaries have those rights, they can place files under SYSVOL that schedule tasks on every computer in scope, for example a Group Policy Preferences scheduled task that launches the payload, and use the same mechanism to keep control of infected devices.
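The two preceding sections both come down to unexpected content in Group Policy and SYSVOL. The following script is an added example, not code from the original article or from Netwrix: it lists recently modified GPOs and, for each one, the logon/startup scripts and Group Policy Preferences scheduled tasks that would run on every machine in scope. It assumes the RSAT GroupPolicy and ActiveDirectory modules and read access to SYSVOL; the 7-day window and the function name are illustrative choices.

```powershell
# Added example (not from the original article): hunt for GPO-based payload delivery.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoDeploymentFindings {
    param([int]$Days = 7)   # illustrative window

    $domain   = (Get-ADDomain).DNSRoot
    $since    = (Get-Date).AddDays(-$Days)
    $policies = "\\$domain\SYSVOL\$domain\Policies"
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Every edit bumps a GPO's ModificationTime, so a recently changed GPO that
    #    no administrator owns up to is the first thing to examine.
    $recent = Get-GPO -All -Domain $domain | Where-Object { $_.ModificationTime -ge $since }

    foreach ($gpo in $recent) {
        # The GPO's SYSVOL folder is named by its GUID in braces.
        $root = Join-Path $policies ("{" + $gpo.Id + "}")

        foreach ($side in 'Machine', 'User') {
            # 2. Startup/shutdown (Machine) and logon/logoff (User) scripts are listed in
            #    scripts.ini (cmd/bat) and psscripts.ini (PowerShell) as "<n>CmdLine=<path>".
            foreach ($ini in 'scripts.ini', 'psscripts.ini') {
                $iniPath = Join-Path $root "$side\Scripts\$ini"
                if (-not (Test-Path $iniPath)) { continue }
                Get-Content $iniPath | ForEach-Object {
                    if ($_ -match '^\d+CmdLine=(.+)$') {
                        $findings.Add([pscustomobject]@{
                            GPO      = $gpo.DisplayName
                            Modified = $gpo.ModificationTime
                            Type     = "$side script"
                            Command  = $Matches[1]
                        })
                    }
                }
            }

            # 3. Scheduled tasks pushed through Group Policy Preferences live in
            #    ScheduledTasks.xml; "Immediate" tasks run as soon as policy applies.
            $xmlPath = Join-Path $root "$side\Preferences\ScheduledTasks\ScheduledTasks.xml"
            if (-not (Test-Path $xmlPath)) { continue }
            [xml]$tasks = Get-Content $xmlPath -Raw
            foreach ($task in $tasks.ScheduledTasks.ChildNodes) {
                $p = $task.Properties
                # V2 tasks keep their actions under Task/Actions/Exec; V1 tasks use appName/args.
                $command = if ($p.Task) {
                    "$($p.Task.Actions.Exec.Command) $($p.Task.Actions.Exec.Arguments)"
                } else {
                    "$($p.appName) $($p.args)"
                }
                $findings.Add([pscustomobject]@{
                    GPO      = $gpo.DisplayName
                    Modified = $gpo.ModificationTime
                    Type     = "$side $($task.LocalName) as $($p.runAs)"
                    Command  = $command.Trim()
                })
            }
        }
    }
    return $findings
}

# Anything launched from a writable share, a user profile or a temp directory, or
# added by a GPO that was not expected to change, deserves a closer look.
Get-GpoDeploymentFindings -Days 7 | Sort-Object Modified -Descending | Format-Table -AutoSize
```

Pair this with a review of who is allowed to edit each GPO (Get-GPPermission -All), since the right to edit a linked GPO is effectively the right to run code on every machine it applies to.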

Gaining access by exploiting a SharePoint vulnerability

Ransomware actors and other adversaries can also gain a foothold in an AD environment by exploiting unpatched vulnerabilities. For instance, in 2019, attackers exploited a vulnerability in Microsoft SharePoint at the United Nations; even though Microsoft had already released a patch for the vulnerability, the UN had failed to update the software in a timely manner. While this attack did not involve the release of ransomware, the personal data of almost 4,000 UN staff members was compromised.

How to defend against ransomware attacks on Active Directory

Planning to simply pay the ransom is not a viable ransomware strategy. There’s no guarantee you will actually get a working decryption key, and paying may make you more likely to be targeted again. However, there are effective strategies for reducing your risk of suffering a ransomware infection and minimizing the damage if one does occur. Here are the top best practices.

Clean up AD accounts and groups

Ensure that each user has only the permissions necessary to perform their job functions. Remove any AD accounts and security groups that are no longer needed, and ensure that each remaining group has a designated owner (or owners) who must regularly review the group’s permissions and membership.
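The dormant account behind the Colonial Pipeline breach and the empty, unowned groups described earlier are exactly what this cleanup is meant to catch. The following script is an added example, not code from the original article or from Netwrix: it reports enabled accounts with no recent logon, security groups with no members, and groups with no designated owner. It assumes the RSAT ActiveDirectory module; the 90-day threshold and the function name are illustrative.

```powershell
# Added example (not from the original article): AD account and group hygiene report.
Import-Module ActiveDirectory

function Get-AdHygieneReport {
    param([int]$InactiveDays = 90)   # illustrative threshold

    $cutoff = (Get-Date).AddDays(-$InactiveDays)

    # 1. Enabled user accounts with no logon inside the window. lastLogonTimestamp is
    #    replicated with up to 14 days of slack, so read the result as "at least this old".
    $dormant = Search-ADAccount -AccountInactive -TimeSpan ([timespan]::FromDays($InactiveDays)) -UsersOnly |
        Where-Object { $_.Enabled }

    # 2. Enabled accounts created before the cutoff that have never logged on at all
    #    (typically test or service accounts that were created and forgotten).
    $neverUsed = Get-ADUser -Filter 'Enabled -eq $true' -Properties lastLogonTimestamp, whenCreated |
        Where-Object { -not $_.lastLogonTimestamp -and $_.whenCreated -lt $cutoff }

    # 3. Security groups, skipping the built-in ones Windows protects itself.
    $groups = Get-ADGroup -Filter 'GroupCategory -eq "Security"' `
                          -Properties Members, ManagedBy, isCriticalSystemObject |
        Where-Object { -not $_.isCriticalSystemObject }

    [pscustomobject]@{
        DormantUsers    = $dormant
        NeverUsedUsers  = $neverUsed
        EmptyGroups     = $groups | Where-Object { $_.Members.Count -eq 0 }
        OwnerlessGroups = $groups | Where-Object { -not $_.ManagedBy }   # no managedBy set
    }
}

$report = Get-AdHygieneReport -InactiveDays 90

$report.DormantUsers    | Select-Object SamAccountName, LastLogonDate | Format-Table -AutoSize
$report.NeverUsedUsers  | Select-Object SamAccountName, whenCreated   | Format-Table -AutoSize
$report.EmptyGroups     | Select-Object Name, DistinguishedName       | Format-Table -AutoSize
$report.OwnerlessGroups | Select-Object Name, DistinguishedName       | Format-Table -AutoSize

# Contain before you delete: disabling is reversible, removal is not. Drop -WhatIf
# only after the list has been reviewed with the account and group owners.
$report.DormantUsers | Disable-ADAccount -WhatIf
```

Run the report on a schedule rather than once: the value lies in catching the account that goes quiet after someone leaves, before an attacker finds its password in a breach dump.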

Minimize privileged accounts

Malicious actors, including ransomware gangs, can do the most damage when they compromise a highly privileged account. Accordingly, it is essential to strictly limit membership in all privileged groups, especially highly powerful ones like Enterprise Admins, Domain Admins and Schema Admins.

Even better, adopt a modern privileged access management (PAM) solution that enables you to replace standing privileged accounts with just-in-time, just-enough access.

Update software promptly

Software companies frequently release patches to address vulnerabilities in their solutions, and regularly provide updated versions that improve security. Ensure that your Windows Server operating system and other software systems are kept patched, and never run software that has reached end of life and is no longer receiving security updates.

Implement Zero Trust and multifactor authentication (MFA)

A Zero Trust security model coupled with MFA helps thwart adversaries, both when they are trying to enter your network and when they attempt to move laterally and elevate their permissions. MFA sharply reduces the value of a stolen password (the Colonial Pipeline VPN account had none), and Zero Trust means that even after a user has authenticated, suspicious or risky activity will be met with additional authentication demands.

Invest in advanced threat detection and response

As explained above, ransomware actors typically spend time moving through the network in search of more powerful credentials and valuable assets. It’s essential to monitor the environment continuously for suspicious activity, in particular changes to privileged group membership and to Group Policy, which are the levers the attack methods above depend on. In addition, modern deception technology, such as honeypots and decoy accounts that no legitimate user should ever touch, leads attackers into revealing themselves.
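The group-membership changes that the “extend their reach” phase relies on are logged by Windows when Security Group Management auditing is enabled. The following script is an added example, not code from the original article or from Netwrix: it parses Security events for members being added to groups and reports only the additions to privileged groups. The privileged-group list is an assumption to adapt, and the two sample events are constructed for illustration; on a domain controller the same function consumes Get-WinEvent output.

```powershell
# Added example (not from the original article): detect additions to privileged AD groups.

# "A member was added to a security-enabled group": 4728 global, 4732 domain local,
# 4756 universal. Each is logged only on the DC that processed the change, so collect
# from every domain controller, not just one.
$MemberAddedEventIds = 4728, 4732, 4756

# Assumed watch list; extend it with any group your environment treats as privileged.
$PrivilegedGroups = @(
    'Enterprise Admins', 'Domain Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Server Operators', 'Group Policy Creator Owners'
)

function ConvertFrom-SecurityEventXml {
    # Flattens the XML of one Security event into an object with the fields we need.
    param([Parameter(Mandatory)][string]$EventXml)
    $x  = [xml]$EventXml
    $ns = New-Object System.Xml.XmlNamespaceManager($x.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')

    $data = @{}
    foreach ($d in $x.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    [pscustomobject]@{
        EventId = [int]$x.SelectSingleNode('/e:Event/e:System/e:EventID', $ns).InnerText
        Time    = [datetime]$x.SelectSingleNode('/e:Event/e:System/e:TimeCreated', $ns).GetAttribute('SystemTime')
        Group   = $data['TargetUserName']   # the group that was modified
        Member  = $data['MemberName']       # DN of the account that was added
        Actor   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
    }
}

function Find-PrivilegedGroupAdditions {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $e = ConvertFrom-SecurityEventXml $EventXml
        if ($MemberAddedEventIds -contains $e.EventId -and $PrivilegedGroups -contains $e.Group) {
            $e
        }
    }
}

# Constructed sample events; the layout matches what Get-WinEvent's ToXml() returns.
$Sample1 = @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4728</EventID><TimeCreated SystemTime="2024-03-01T10:15:22.000Z"/></System>
  <EventData>
    <Data Name="MemberName">CN=jdoe,OU=Staff,DC=corp,DC=example</Data>
    <Data Name="TargetUserName">Domain Admins</Data>
    <Data Name="SubjectUserName">helpdesk01</Data>
    <Data Name="SubjectDomainName">CORP</Data>
  </EventData>
</Event>
"@
$Sample2 = @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4732</EventID><TimeCreated SystemTime="2024-03-01T10:16:05.000Z"/></System>
  <EventData>
    <Data Name="MemberName">CN=svc-print,OU=Service,DC=corp,DC=example</Data>
    <Data Name="TargetUserName">Print Operators</Data>
    <Data Name="SubjectUserName">helpdesk01</Data>
    <Data Name="SubjectDomainName">CORP</Data>
  </EventData>
</Event>
"@

# Only the Domain Admins addition by helpdesk01 is reported; the Print Operators change is not.
$Sample1, $Sample2 | Find-PrivilegedGroupAdditions | Format-Table Time, Group, Member, Actor -AutoSize

# Live use on each domain controller (requires "Audit Security Group Management"):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $MemberAddedEventIds } |
#     ForEach-Object { $_.ToXml() } | Find-PrivilegedGroupAdditions
```

Forward these events to a central collector or SIEM rather than polling each DC, and alert on the Actor field as much as on the Group: a help-desk account adding itself to Domain Admins is the textbook sign of the privilege-expansion phase described earlier.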

Educate all users

One of the most effective approaches for protecting Active Directory is to educate all users in the organization about the tactics adversaries use to plant ransomware, such as phishing emails with malicious links or attachments. Conduct frequent training sessions and measure their effectiveness with simulated phishing campaigns.

Prepare for a ransomware event

Having playbooks for responding to ransomware attacks will help ensure a rapid and effective response. Some solutions can even automatically take specific actions when a known threat is detected. In addition, be sure to back up Active Directory, keep copies offline or otherwise beyond the reach of an attacker who holds domain admin rights, and practice the recovery process on a regular basis.

Securing Active Directory with Netwrix GroupID

Implementing best practices for Active Directory security is a complex and time-consuming task. Netwrix GroupID is a comprehensive identity and access management solution that simplifies and automates the work. For example, with Netwrix GroupID, you can:

  • Keep AD security group membership up to date automatically  
  • Ensure that each group has an owner, and even assign multiple owners
  • Enable users to securely reset their own passwords and unlock their accounts
  • Implement multifactor authentication
  • Implement password complexity requirements
  • Report on directory health

FAQ

Does ransomware encrypt Active Directory?

Yes. Ransomware running with administrative rights on a domain controller can encrypt the directory database and SYSVOL, which stops authentication for the entire domain. That is why offline, tested backups of Active Directory matter so much.

Why do hackers attack Active Directory?

Active Directory plays a central role in managing identities and their access to network resources. Whoever controls AD controls access to everything it secures, which makes it both a lucrative entry point and the fastest route to domain-wide impact.

What are Active Directory attacks?

Active Directory attacks include compromising user credentials, manipulating security group membership and permissions, and altering Group Policy objects.

Is Active Directory vulnerable?

Yes. Active Directory is a complex system that often has overprivileged accounts, misconfigured security policies and other vulnerabilities that adversaries can exploit.

Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put Netwrix GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.