According to the World Economic Forum, ransomware activity rose 50% year-on-year during the first half of 2023 and cybercriminals using artificial intelligence (AI) to automate attacks may lead to a spike in future incidents.
Two core trends are fueling the rise in ransomware. The first is economic: Cryptocurrencies reduce risk, allowing criminals to receive funds. The second is technological: Ransomware-as-a-Service (RaaS) and automation in general enable criminals to mass-execute attacks targeting ever larger sets of organizations. Given these trends, another issue must be addressed: business leaders not taking Active Directory (AD) forest recovery seriously, mistakenly believing their company is protected. AD serves as the fundamental means of access to and authorized use of an organization’s core systems. With AD outages, critical monetary and operational consequences are immediate. Businesses that focus on securing certain "branches" of their systems while overlooking the protection of their "roots" – the Active Directory – are vulnerable to a ransomware attack.
Fortunately, more executives now realize that their company must change how they manage AD. This change showed up in a survey we commissioned at the end of last year, with 72% of organizations reporting they now use third-party tools for AD recovery. This is an improvement from our 2021 survey, in which just 49% indicated they have these kinds of tools.
Why Do Cybercriminals Target Active Directory?
Since 90% of the Global 1000 use AD today, its ubiquity and standardization make it attractive to cybercriminals. Moreover, AD’s central position in the management of user identities, authentication, and access to network resources makes it an ideal target for ransomware attacks.
Another reason? Criminals can learn one set of skills and break into the AD of countless organizations. Once criminals access AD, they can use it to spread their attack laterally. In this way, AD enables cybercriminals to steal the keys to the kingdom and lock the company out.
How Cybercriminals Use Active Directory in Ransomware Attacks
Gain Entry: Cybercriminals gain initial access to the network by compromising user credentials through phishing, password guessing, and purchasing the credentials from the dark web or other sources. Armed with a user account, cybercriminals take steps by moving laterally and escalating privileges.
Move Laterally: Cybercriminals increase their network access by using AD to authenticate to additional systems and servers and take over other accounts. In this way, AD offers cybercriminals a convenient system to spread and deploy a ransomware attack.
Escalate Privileges: Cybercriminals take advantage of AD vulnerabilities to expand their access rights, such as by adding themselves to the domain admin group. They can disable various security controls to gain additional privileges and make it harder to track their activities.
The Effect of a Ransomware Attack: Encrypt, Lock out, and Hold for Ransom
Once cybercriminals possess administrative control over AD, they can encrypt data on connected hosts and domain-joined systems, plus any backup repositories that are accessible through AD, thereby negating any protection and restoration ability those backups once had.
Cybercriminals can also prevent employees from logging into PCs and productivity tools and suppliers from seeing inventory levels. And given that the three most used AD-enabled applications are for accounting, marketing, and development, locking companies out of these applications affects their business and customers. All of this maximizes the cybercriminal’s impact and pressures their victims to pay the ransom.
The recent Change Healthcare attack likely stemmed from an Active Directory compromise, which allowed the cybercriminals to lock out the company and download patient data. The total costs of the attack – including the reported $22 million ransom payment made to ALPHV/BlackCat – are expected to exceed $1 billion this year. This is just one high-profile example.
How to Configure Active Directory To Reduce the Likelihood of a Ransomware Attack
User governance enables organizations to set up roles, rules, and automation that help prevent attacks from occurring, while monitoring enables organizations to rapidly detect whether an attack has occurred or is occurring. Companies that understand this typically establish protective measures and implement a daily routine that includes:
- Removing standing privileges and enabling just-in-time task-based scoped administrative workflows.
- Establishing rules, roles, and automation for repeatable processes, heightened security, and minimized manual administrative tasks.
- Enacting rules that automatically detect and roll back dangerous changes – for example, automatically and immediately undoing any additions to an administrative group outside of an approved secure process.
- Implementing multifactor authentication for all accounts, particularly those with privileges.
- Developing and testing an incident response plan for AD ransomware attacks, including containment and recovery.
- Administering robust backup and recovery strategies for AD data that include offline backup systems isolated from the network.
- Conducting automated daily, proactive security assessments to identify and address AD and Entra ID vulnerabilities, as well as daily automated recovery testing.
- Continuously monitoring for vulnerabilities, indicators of risk, indicators of compromise, and indicators of attack, and pushing alerts if detected.
If this practice fails and a ransomware attack occurs, the first step is to bring back AD as quickly as possible. This is best accomplished by using an isolated standby copy, scanned and cleared for vulnerabilities. If vulnerabilities are detected, mitigate them or test earlier versions until a clean one is found. Bringing back AD in this manner allows an organization to avoid paying a ransom.
While the monetary and reputational aspects of a ransomware attack are often brutal, its effect on customers can be devastating. This is why organizations must harden Active Directory to reduce their risk of a ransomware attack. Fortunately, companies can apply these strategies and advanced technologies to secure their Active Directory. Don't be an easy target – make your company's AD difficult to access and quick to recover, ensuring that the keys to your kingdom remain safely within your hands.
Dmitry Sotnikov is Chief Product Officer at Cayosoft, which offers a unified solution enabling organizations to securely manage, continuously monitor for threats or suspect changes, and instantly recover their Microsoft platforms, including on-premises Active Directory, hybrid AD, Entra ID, Office 365, and more.
