Ransomware is one insidious menace that continues to haunt businesses worldwide in the ever-evolving landscape of cyber threats, with 493.33 million attacks detected globally in 2022, according to Statista. Typically, these attacks have relied on compromising endpoints, such as desktop computers or servers, to infiltrate systems and hold valuable data hostage.
However, a recent alarming trend has emerged, revealing that ransomware can penetrate systems without touching an endpoint. This shift in tactics presents a significant challenge for organizations and calls for safeguarding their critical information and infrastructure as well as collaborating with expert IT services that are up-to-date with emerging attacks and solutions.
Many ransomware attacks are now bypassing the conventional route and leveraging compromised administrative accounts to infiltrate systems. This article explains in detail the new channels of ransomware attacks and how to protect yourself against them.
Ransomware is a malicious software program designed to block access to a computer system’s structure, information, or documents till a ransom is paid to the attacker. It is a form of cyber extortion that has grown to be increasingly popular and sophisticated.
When a device or network becomes infected with ransomware, the malware encrypts files or locks users out of their systems, rendering them inaccessible. The attacker then demands a ransom payment, often in cryptocurrency, to provide the decryption key or restore access to the compromised data or systems.
Ransomware can be delivered via phishing emails, malicious downloads, exploit kits, or compromised websites. Once the initial infection occurs, the ransomware spreads throughout the network, encrypting files and impacting the entire infrastructure.
The consequences of a successful ransomware attack may be excessive, leading to enormous financial losses, reputational harm, and operational disruption for people and organizations.
Traditionally, ransomware attacks have targeted endpoints, such as desktop computers or servers, as the primary entry point. However, a recent attack highlights a shift in tactics, where ransomware can infiltrate systems without going through an endpoint.
Here are the explicit details on how this can occur:
In the observed attack, the ransomware entered the system by compromising a Microsoft Global SaaS admin account.
These administrative accounts have elevated privileges and provide extensive control over various aspects of the system, including user management, data access, and application configuration. The attacker bypasses the need to compromise individual endpoints by gaining unauthorized access to such an account.
Once inside the system, the attacker exploits the compromised administrative account to escalate their privileges.
In the case of an observed attack, the attacker created a new user account with multiple elevated privileges, including Global Administrator, SharePoint Administrator, Exchange Administrator, and Teams Administrator. These elevated privileges gave the attacker significant control and access to critical systems and data.
Another critical aspect of this attack is the focus on cloud services. Sharepoint Online, a part of Microsoft 365, was targeted in the attack. By gaining administrative control over Sharepoint, the attacker could access and manipulate sensitive data stored within the platform.
This approach allows the attacker to operate in a centralized environment, potentially affecting multiple users and organizations.
Unlike traditional ransomware attacks that immediately encrypt files, this attack focused on data theft. The attacker exfiltrated hundreds of files from the compromised system. Instead of locking the victim out of their data, the attacker utilized the stolen information as leverage for ransom negotiations.
This strategy avoids the risks associated with failed decryption and puts additional pressure on the victim to pay the ransom to prevent the exposure of sensitive information.
Preventing ransomware attacks requires a multi-layered technique combining technical measures, user awareness, and proactive safety practices. Here are essential steps you can take to enhance your organization’s resilience against these evolving threats:
Enable MFA for all accounts, especially highly privileged ones. While it may not eliminate the risk, it significantly raises the bar for attackers attempting to exploit stolen credentials.
Consolidate and analyze SaaS audit and activity logs to identify patterns consistent with breaches, insider threats, or compromised third-party integrations. Proactive monitoring can help detect unauthorized access and suspicious activities.
Implementing alerts is a crucial preventive measure. Admins should set up and monitor alerts for changes in AD users, AD groups, Sharepoint Files, service accounts, and User-Agent. These alerts help track newcomers and verify their authenticity.
Review and adjust user privileges to ensure that users only have the permissions necessary for their roles. Regularly audit and revoke unnecessary or high-risk privileges to minimize the attack surface.
Utilize security features provided by your SaaS provider, consisting of data loss prevention (DLP) rules, encryption, and entry controls. Regularly update and patch software to protect against known vulnerabilities.
Raise awareness about phishing attacks, social engineering, and safe online practices. Regularly train employees to recognize suspicious emails, links, or attachments and emphasize the importance of promptly reporting potential security incidents.
Protecting your business is crucial in dealing with the emerging forms of ransomware attacks. The best way to do this is to partner with an IT service with cybersecurity expertise that can protect your organization’s interest.
Let Haxxess protect your network from attacks. Contact us at (705) 222 8324.