Monday, June 15, 2020

How Attackers Could Unleash Ransomware on Thousands of Computers in an Organization using Active Directory


Hello. Today's post is on ransomware - specifically how a perpetrator could instantly unleash ransomware on thousands of organizational computers, in minutes using Active Directory, instantly encrypting vast amounts of an organization's data.

Ransomware (; needs no introduction.)

Today ransomware undoubtedly poses a clear and present cyber security danger to thousands of organizations worldwide.

Examples of ransomware include CryptoLocker, CryptoWall, WannaCry, Petya, NotPetya, Bad Rabbit, Sodinokibi etc. etc.

According to the New York Times, in 2019 alone, over 200,000 organizations had submitted files that had been hacked in a ransomware attack, and the average payment to release files was over $80,000. This amount doubled in December of 2019, and several organizations have faced ransom demands in the millions of dollars.

Of course, one the most famous and high-profile cases of ransomware involves the multi-billion $ Danish shipping giant Maersk, which fell victim to the Petya ransomware in 2018, and ended up incurring a staggering loss of US $ 250 Million.

Since then so many critical organizations including hospitals, police departments, city governments, law firms, automotive companies etc. etc. have been falling victim to ransomware and so many more are struggling to protect themselves.

For instance, just yesterday, the city of Knoxville became the latest American city to suffer a ransomware attack. Days ago, Honda announced that it had to halt operations due to a ransomware attack. Earlier this year, amongst numerous others, the Miami Beach Police Department suffered a ransomware attack, as did Parkview Medical Center in Colorado. Recently an FBI official said that "We certainly view it as one of the most serious cybercriminal problems we face right now."

In essence, today most do organizations understand the risk posed by ransomware and the need to protect themselves. However, what they may not know is that someone could unleash ransomware on thousands of computers in minutes.

How Much Damage Could Be Inflicted?

In a cyber attack involving an organization becoming a victim of ransomware, generally the extent of damage inflicted is a function of the amount of data that was encrypted (and possibly exfiltrated) and the value of that data to the organization.

That said, almost always, the extent of damage inflicted in a situation wherein ransomware is able to encrypt (/exfiltrate) data on (/from) thousands of computers would be exponentially more than that in a situation involving a few computers.

This begs a question - how easy is it for someone to unleash ransomware on thousands of organizational computers?

Well, lets take a look, shall we, and
the answer lies in what follows...

How Ransomware is Usually Unleashed

In most cases, the avenue for unleashing ransomware in an organization involves simple attack vectors such as phishing an employee, compromising an unpatched machine etc. and it usually begins with a SINGLE machine being victimized.

Subsequently, the mal payload attempts to compromise additional machines on the network, and the degree to which it is successful in spreading within an organization is usually a function of the number of vulnerable machines it can find/infect.

In short, barring the case wherein an Active Directory privileged user's account is compromised, traditional avenues used to unleash malware in an organization cannot usually easily infect THOUSANDS of an organization's computers.

Now, Consider THIS

Consider that an organization is situated in a single centrally air-conditioned building, and that the building's central air-conditioning unit is in a room at the top of the building. In such a scenario, air from the building's central air-conditioning unit has a clear, direct and uninterrupted channel into every room in the building.

Now, consider a situation wherein there is a dangerous virus that threatens humans and that can be spread if airborne.

In such a situation, if someone, such as a perpetrator, could get into the room that houses the central air-conditioning unit, he/she could easily unleash/spray the virus into the central air-conditioning unit, and within minutes of doing so, the virus would effortlessly have found its way into every room in the building, and instantly threaten every person in every room.

Instantly Unleashing Ransomware Using Active Directory

From the United States Government to the Fortune 100, at 85% of all business and government organizations worldwide, at the very foundation of these organizations' cyber security and IT lie their foundational Active Directory deployments.

There exists a direct secure channel between Active Directory and every computer in an organization that is joined to its Active Directory, and via a management feature called Group Policy, organizational IT personnel can easily and instantly control the security of every domain-joined machine, and that includes pushing out logon scripts onto these machines.

If someone, such as a perpetrator, could link a single malicious GPO (Group Policy Object) to an organizational unit (OU) or the domain root in an organization's foundational Active Directory, he/she could almost instantly and effortlessly deploy ransomware to thousands of organizational machines, thereby inflicting colossal damage in a matter of minutes.

In short, in the simple air-conditioned building scenario shared above, a room in the building represents a computer in the organization, and the central air-conditioning unit in the building represents the organization's foundational Active Directory.

All that someone needs to do is link the ransomware to a new/existing group policy and then link that group policy to an OU or domain, and he/she would basically have instantaneously and effortlessly unleashed ransomware onto thousands of organizational computers, because AD has a clear, direct and uninterrupted channel to every domain-joined computer.

In short, in just a few mouse clicks, anyone who had sufficient access in Active Directory to basically be able to link a GPO to an OU/domain, could effortlessly unleash ransomware across the entire organization, by (mis-)using Active Directory.

(This incidentally begs the question - "Do we know exactly who can link GPOs to OUs in our Active Directory today?!")

Sounds Theoretical ( ; Any Proof?)

Most IT and cyber security professionals would likely agree that in theory it sounds doable (because it isn't rocket science.)

At the same time, most of them, including most CISOs, will question whether there's any evidence at all of this simple yet highly potent attack vector in reality/practice. In other words, is this merely theory, or can someone show it in action today?

After all, there's no dearth of theoretical attack vectors in cyber security, so unless this is possible today, why worry :-) ?!

Time to Worry (; Here's Proof.)

I don't know whether or not there exists ransomware that has been shown to leverage Active Directory yet (IMO primarily because the bad guys aren't that smart/capable yet,) and I most definitely do not have the time to research it, BUT/AND... PROVE that this is ABSOLUTELY possible today, last week, I sat down to code, and within a few hours, I had personally written production-level RANSOMWARE that can be easily deployed using Active Directory (via GPOs).

In fact, I wrote TWO of them, and I'll share the FIRST one with the world TOMORROW morning, right here on this blog.

NOW, before you jump to conclusions, let me clearly state that the sole purpose of doing so was to show the world that if I can personally create them in just a few hours, imagine what a professional/state-sponsored adversary/APT could create.

Make no mistake about it - each one of them is simple yet professional-grade*. The first one is very simple and solely for illustrative purposes ; once deployed, it will encrypt one specific file. The second one, which too is deployment-ready, once deployed, will encrypt (and with the right password, decrypt) entire directories on thousands of domain-joined computers.

* I'm not a script kiddie. I don't do .NET, PowerShell, VBScript etc. I write professional-grade code in C & Assembly.

As always, you do not need to take my word for it. Tomorrow, I'll share the link right here on this blog, and everyone will be able to freely download and instantly deploy it in any test/production Active Directory, and see it in action for themselves.


Ransomware clearly poses a serious cyber risk to thousands of organizations worldwide ; thus far it has been spread using traditional attack vectors, but/and since thousands of organizations operate on Active Directory, it is only a matter of time before perpetrators realize that they can leverage AD to easily unleash it on thousands of computers within organizations.

As an example, consider Mimikatz and Mimikatz DCSync. For years, it has been no secret that theoretically speaking, one could extract credentials from memory, and of course, replicate secrets from Active Directory, and that if materialized, these could be highly potent attack vectors, and sure enough, one day Benjamin Delpy made this trivial for everyone.

Thus, I felt the need to make organizations aware of this highly potent yet unmitigated attack vector as well, well before perpetrators weaponize it, and to demonstrate its feasibility, I've written two harmless pieces of illustrative ransomware.

In short, if you can click a few mouse buttons, you can now see for yourself how someone could leverage Active Directory to unleash ransomware on thousands of computers. It is no longer merely theoretical ; it is completely possible, today.

I'm also not about to wait for perpetrators to start misusing Active Directory to unleash ransomware and wreak havoc at organizations worldwide. In days to come, I'm going to teach and empower organizations to prevent this from happening.

Prevention is always better than cure/recovery, and as we have seen, timely preventive action can be extremely valuable.

Alright then (; until tomorrow.)


PS2: Pardon the delay in getting to Day 3 of Active Directory Security for Cyber Security Experts ; it'll be out on June 18.

No comments:

Post a Comment

Paramount Defenses Logo

© 2006 - 2024 Paramount Defenses.
All Rights Reserved.

Your Privacy

We use cookies to give you the best online experience. Please let us know if you accept these cookies.