
Microsoft: Some Ransomware Attacks Take Less Than 45 Minutes (zdnet.com)

Catalin Cimpanu, writing for ZDNet: For many years, the Microsoft Security Intelligence Report has been the gold standard in terms of providing a yearly overview of all the major events and trends in the cyber-security and threat intelligence landscape. While Microsoft unceremoniously retired the old SIR reports back in 2018, the OS maker appears to have realized its mistake, and has brought it back today, rebranded as the new Microsoft Digital Defense Report. Just like the previous SIR reports, Microsoft has yet again delivered. Taking advantage of its vantage points over vast swaths of the desktop, server, enterprise, and cloud ecosystems, Microsoft has summarized the biggest threats companies deal with today in the face of cybercrime and nation-state attackers. The report is 88 pages long, includes data from July 2019 to June 2020, and some users might not have the time to go through it in its entirety. Below is a summary of the main talking points, Microsoft's main findings, and general threat landscape trends.

[...] But, by far, the most disruptive cybercrime threat of the past year has been ransomware gangs. Microsoft said that ransomware infections had been the most common reason behind the company's incident response (IR) engagements from October 2019 through July 2020. And of all ransomware gangs, it's the groups known as "big game hunters" and "human-operated ransomware" that have given Microsoft the most headaches. These are groups that specifically target select networks belonging to large corporations or government organizations, knowing they stand to receive larger ransom payments. Most of these groups operate either by using malware infrastructure provided by other cybercrime groups or by mass-scanning the internet for newly-disclosed vulnerabilities. In most cases, groups gain access to a system and maintain a foothold until they're ready to launch their attacks. However, Microsoft says that this year, these ransomware gangs have been particularly active and have reduced the time they need to launch attacks, and especially during the COVID-19 pandemic. "Attackers have exploited the COVID-19 crisis to reduce their dwell time within a victim's system - compromising, exfiltrating data and, in some cases, ransoming quickly - apparently believing that there would be an increased willingness to pay as a result of the outbreak," Microsoft said today. "In some instances, cybercriminals went from initial entry to ransoming the entire network in under 45 minutes."

  • by Mal-2 ( 675116 ) on Tuesday September 29, 2020 @04:01PM (#60554880)

    Hey they're doing you a favor if they activate 45 minutes after they get into the network. At least yesterday's backup won't be infected.

    • Except the guy whose job it is to pull those daily backups was one of the first people cut back (or cut out) because we've never needed those backups before and with Covid we have to cut every possible cost we can so the C suite can keep their bonuses.

    • by EvilSS ( 557649 )
      I'd be happier that it may show they didn't exfiltrate the data, they just encrypted it. Backups (assuming they have them, and they actually work) can bring back encrypted files, they can't bring back stolen files however.
    • If the main server writes its backup to a share, the ransomware will typically wipe that out. The bad guys have admin in the server, so they destroy anything admin can.

      If the backups are PULLED by the backup server, using a read-only account, and that backup machine is off-domain so the DA can't wreck it, you're pretty safe.

      Then you just need to protect against fire, earthquake, lightning, and other physical events by having off-site backup. Plus make sure your backups are encrypted with public key, where

      • Don't forget to take the Nightlies home in your trunk.

      • Or... don't trust your backups to windows environments. Boot windows from iSCSI targets running from machines with no shitty "I'm too retarded to be a real admin" GUIs or web interfaces. No ports open except iSCSI and maybe SSH. No IPMI/ILO/IDRAC bullshit. Server crashed and needs a reboot so you *NEED* IPMI? Didn't I already imply you shouldn't be running windows?
        • Your backup / storage server could be running GEMSOS or INTEGRITY-178B and it doesn't matter if you give the Windows machines the ability to write their backups, which means they can overwrite their backups.

          And yes - Windows is not the best choice for a secure server.

    • by antdude ( 79039 )

      Assuming their back up is not online during the attacks. ;)
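The pull-based design described earlier in this thread (backup host pulls with read-only access, source never writes to the backup store, older snapshots kept so "yesterday's backup" survives) can be sketched in a few dozen lines. This is an added example, not code from the thread or from Microsoft's report; the snapshot layout, the 50% change-ratio threshold, the retention depth and the sample documents are all constructed for the demo, and the "ransomware" step is just a rename-and-overwrite of the share. The extra piece a practitioner wants is the mass-change guard: if most files changed since the previous pull, the new snapshot is flagged and rotation is frozen, so the last known-good copy is never retired by the job that just pulled encrypted junk.

```python
"""Pull-based backup with per-pull snapshots and a mass-change guard.

Added example (not from the thread or from Microsoft's report). The backup
host is the only party that writes to the store; the protected share is only
ever read. Each pull lands in its own snapshot directory with a manifest, and
the new pull is compared with the previous manifest before anything is
retired. Paths, thresholds and sample files are constructed; no network I/O.
Filesystem-level immutability (ZFS snapshots, object lock) is not modelled.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

CHANGE_RATIO_ALERT = 0.5   # assumed: >50% of files changed in one pull is suspicious
KEEP_SNAPSHOTS = 3         # assumed retention depth (newest N snapshots)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> sha256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def changed_ratio(old: dict, new: dict) -> float:
    """Fraction of file names whose content changed, appeared or disappeared."""
    names = set(old) | set(new)
    if not names:
        return 0.0
    changed = sum(1 for n in names if old.get(n) != new.get(n))
    return changed / len(names)


def write_manifest(snap: Path, manifest: dict) -> None:
    lines = [f"{digest}  {name}" for name, digest in manifest.items()]
    (snap / "MANIFEST").write_text("\n".join(lines) + "\n")


def verify_snapshot(snap: Path) -> bool:
    """Recompute hashes under snap/data and compare with the stored MANIFEST."""
    recorded = {}
    for line in (snap / "MANIFEST").read_text().splitlines():
        digest, name = line.split("  ", 1)   # names containing two spaces would need escaping
        recorded[name] = digest
    return recorded == build_manifest(snap / "data")


def pull_snapshot(source: Path, store: Path, snap_id: str) -> dict:
    """Pull `source` into store/snap_id, compare with the previous snapshot,
    and rotate old snapshots only when the change ratio looks normal."""
    previous = sorted(p for p in store.iterdir() if p.is_dir())
    prev_manifest = build_manifest(previous[-1] / "data") if previous else {}

    snap = store / snap_id
    shutil.copytree(source, snap / "data")        # read from source, write only into the store
    manifest = build_manifest(snap / "data")
    write_manifest(snap, manifest)

    ratio = changed_ratio(prev_manifest, manifest)
    alert = bool(prev_manifest) and ratio > CHANGE_RATIO_ALERT
    retired = []
    if not alert:                                 # freeze rotation on a suspicious pull
        for old in sorted(previous + [snap])[:-KEEP_SNAPSHOTS]:
            shutil.rmtree(old)
            retired.append(old.name)
    return {"snapshot": snap.name, "ratio": ratio, "alert": alert, "retired": retired}


def demo() -> dict:
    """Three nightly pulls: baseline, one normal edit, then a simulated
    ransomware run that overwrites and renames every document."""
    with tempfile.TemporaryDirectory() as tmp:
        share, store = Path(tmp, "share"), Path(tmp, "backups")
        share.mkdir()
        store.mkdir()
        for i in range(10):                       # constructed sample documents
            (share / f"report{i}.docx").write_text(f"quarterly report {i}\n")
        pull_snapshot(share, store, "2020-09-27")

        (share / "report3.docx").write_text("quarterly report 3, revised\n")
        day2 = pull_snapshot(share, store, "2020-09-28")

        for doc in list(share.glob("report*.docx")):          # simulated ransomware
            doc.write_bytes(hashlib.sha256(doc.name.encode()).digest() * 4)
            doc.rename(doc.with_name(doc.name + ".locked"))
        day3 = pull_snapshot(share, store, "2020-09-29")

        return {
            "day2_ratio": day2["ratio"], "day2_alert": day2["alert"],
            "day3_ratio": day3["ratio"], "day3_alert": day3["alert"],
            "last_good_intact": verify_snapshot(store / "2020-09-28"),
            "snapshots_kept": sorted(p.name for p in store.iterdir()),
        }


if __name__ == "__main__":
    print(demo())
```

The change-ratio check is deliberately crude (a bulk rename of a project directory would also trip it); the point is that the job refuses to destroy the previous snapshot on its own authority, and a human decides whether the alert was a false positive.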

  • by AndyKron ( 937105 ) on Tuesday September 29, 2020 @04:04PM (#60554894)
    It takes forever with my air gapped DOS machine
  • Because better, effective ransomware should take longer than that.
  • When we talk about security threat, it is not always loose passwords or misconfigured IT system. Recently some Russian hacker traveled into the country to bribe a Tesla employee for access. At that level, you can imagine bribing employees, blackmailing them, threatening them, to get access. Or bribe janitors, cleaners and building workers to plug in a USB drive on a computer or plug a laptop into some open ethernet port left open.

    At that level of attack there is no way to really protect against it. The only viable solution is to have independent compartments so that one compromised system does not bring down the entire infrastructure, strong backups well tested, switching to a completely different network and computers and keep the operations going abandoning compromised systems completely.

    • "At that level, you can imagine bribing employees, blackmailing them, threatening them, to get access."

      Criminals have done that since before the Greek Republic.

    • In a way, that kind of attack is the baseline you should anticipate today, and solutions should be built around that reality. The challenge as I see it is in maintaining information security— avoiding exfiltration of data. Once you encrypt data for infosec it becomes much harder to have canaries that report on file status (without creating another location for the keys). I’m just afraid that the old samba file server has seen its day and we will need to go with systems that check in/out each f
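The canaries mentioned in the reply above are a concrete, cheap control: plant a few decoy documents where ransomware would enumerate them, record their hashes, and have a periodic job classify each one. This is an added example, not code from the thread; the decoy names, their low-entropy contents, the 7.0 bits-per-byte entropy threshold and the toy XOR "cipher" standing in for ransomware are all constructed for the demo. It distinguishes a canary that was merely edited from one whose content was replaced by high-entropy bytes, which is what an encrypted file looks like.

```python
"""Canary files that report tampering and encryption of their content.

Added example (not code from the thread). Decoys are planted with recorded
hashes; a check classifies each as ok, missing, modified, or modified with
high byte entropy. Names, contents, threshold and the toy keystream cipher
are constructed here.
"""
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_ALERT = 7.0   # assumed: bits per byte above which content looks encrypted
CANARY_NAMES = ["~$budget_2020.xlsx", "passwords_OLD.docx", "aa_canary.pdf", "zz_canary.pdf"]


def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def plant_canaries(root: Path, names) -> dict:
    """Write low-entropy decoy files and return name -> sha256 of each."""
    expected = {}
    for name in names:
        body = (f"DRAFT - {name} - do not distribute\n" * 200).encode()   # constructed content
        (root / name).write_bytes(body)
        expected[name] = hashlib.sha256(body).hexdigest()
    return expected


def check_canaries(root: Path, expected: dict) -> dict:
    """Classify each canary; anything other than 'ok' should raise an alert."""
    result = {}
    for name, digest in expected.items():
        path = root / name
        if not path.exists():
            result[name] = "missing"
            continue
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() == digest:
            result[name] = "ok"
        elif shannon_entropy(data) > ENTROPY_ALERT:
            result[name] = "modified_high_entropy"   # looks encrypted in place
        else:
            result[name] = "modified"                # plaintext edit, e.g. a curious user
    return result


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Deterministic stand-in for a ransomware cipher: XOR with a SHA-256
    counter-mode keystream. Output is close to uniformly random bytes."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


def demo() -> dict:
    """Plant four canaries, then leave one alone, encrypt one in place,
    delete one, and overwrite one with plaintext."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        expected = plant_canaries(root, CANARY_NAMES)
        untouched, encrypted, deleted, edited = CANARY_NAMES
        (root / encrypted).write_bytes(toy_encrypt((root / encrypted).read_bytes(), b"constructed-key"))
        (root / deleted).unlink()
        (root / edited).write_text("someone opened and saved this\n")
        return check_canaries(root, expected)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:22s} {name}")
```

In practice the check runs from a host the domain admin cannot reach (the same off-domain principle as the backup server), and a "modified_high_entropy" or "missing" result is the trigger to isolate the share before the nightly pull copies the damage.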
  • Some Ransomware Attacks on Microsoft products take Less Than 45 Minutes
  • by fuzzyfuzzyfungus ( 1223518 ) on Tuesday September 29, 2020 @06:37PM (#60555442)
    Between remotely competent automation (on the part of the attacker) and the tendency toward faster storage systems there really isn't any reason for the ransomware part of a ransomware attack to take all that long.

    What's depressing about the 'under 45 minutes' stat is mostly what it says about how readily useful credentials are acquired; either because valuable credentials are left scattered around, common credentials are reused often enough to be valuable, or privilege escalation exploits exist that can be exploited with something that's already off the shelf.

    When tricking someone into using the wrong account number on a wire transfer can be worth serious money you can't underestimate even attacks that never even make it to the level of user-level privilege escalation; but falling to ransomware in under 45 minutes means some very damning things about how your environment is designed; either in that something alarmingly high level that never should have been left open was, or in that there isn't sufficient segmentation to keep an unfortunate, but hard to 100% avoid, low-privilege endpoint breach from being privilege escalated into enough access to trash stuff that matters.
