The featured image for this article.

Worried about Human Operated Ransomware? Stop using NTLM, start validating Kerberos

Missing in Microsoft's (excellent) write up of human-operated ransomware: poor Active Directory and user account hygiene and the persistence of NTLM, which is a factor in many successful ransomware outbreaks.


Microsoft's recent write-up of human-led ransomware attacks provided a wealth of useful information about the "how" of these attacks. Less talked about was the "why" of successful attacks, the role that poor user account hygiene, and the persistence of legacy platforms and protocols plays in many successful ransomware attacks.

A Ransomware Defense Must-Read

But first: if you haven't yet, point your browser over to Microsoft's Security Blog, where the company's Threat Protection Intelligence Team has an excellent write up of its observations in what it terms "Human-operated ransomware attacks."

"Human-operated" is the term Microsoft has chosen to distinguish targeted and tailored ransomware infections from purely opportunistic and automated attacks such as WannaCry and NotPetya. By contrast with those attacks, which use(d) automated crawlers to find and infect hosts on vulnerable networks, human-operated ransomware attacks are "hands on the keyboard" affairs. The attackers behind them don't rely on blind scanning, but "exhibit extensive knowledge of systems administration and common network security misconfigurations, perform thorough reconnaissance, and adapt to what they discover in a compromised network." Among the samples associated with these dangerous, "human-operated ransomware" are REvil, Samas, Bitpaymer/Dopplepaymer, and Ryuk.

Some Key Observations from Microsoft

Among the take-aways in Microsoft's report:

+ Human-operated ransomware campaigns often start with “commodity malware” such as banking Trojans or other unsophisticated means. While these may get noticed, they are often triaged as unimportant, commodity attacks, and not a targeted operation. The result: the initial flags are not thoroughly investigated and remediated, allowing the attackers to expand their presence.

+ Credential theft and credential dumping are a critical element of all of these human-operated ransomware campaigns, the success of which almost always requires an attacker to gain domain administrator access within the target environment. Tools such as Mimikatz, LaZagne and ProcDump are used to harvest credentials and compromise accounts with high privileges. (Check out our new "ManyKatz" report on the links between tools like Mimikatz and credential theft attacks.)

+ Human-operated attacks are typically preventable and detectable but require a shift in mindset by security teams.

NTLM Inertia: The Secret Sauce of Successful Ransomware Attacks

That last point is an important one to digest. These damaging ransomware attacks are both detectable and preventable—providing organizations take the threat seriously and change their approach to defense. Microsoft advises defenders to "consistently and aggressively apply security best practices to their network."

One piece of advice we have for our clients is to move quickly to abandon legacy technology platforms, protocols, and applications that are insecure and often un-securable. Chief among them: NTLM. In fact, we don't think it's going too far to call Microsoft's aged but still active authentication protocol the "secret sauce" of many successful ransomware attacks at firms we have advised.

That shouldn't be a surprise. NTLM is more than 25 years old. It has long been known to be vulnerable to so-called "Pass the Hash" attacks in which attackers with a username and a hash of that user's password can authenticate to Windows networks. In fact, even without "Pass the Hash," advances in computing power and the relatively weak protections offered by NTLM's hashing algorithm now put the cleartext of seemingly secure NTLM passwords within reach of attackers. One recent benchmark: the hash for an 8-character NTLM password was cracked in just 2.5 hours.

NTLML: Down, but not Out

Microsoft long ago supplemented NTLM with its version of the more secure Kerberos authentication protocol making "Pass the Hash" attacks impossible. The company has been urging customers to reduce their use of, or abandon, NTLM for Kerberos ever since. Paradoxically, though, the company hasn't abandoned NTLM allowing its use to continue within Windows environments.

These days, attacks such as "pass the hash" are easier than ever: built into hacking tools MimiKatz and accessible to even novice hackers with the click of a button. This has made attacks on NTLM environments more or less "push-button" for attackers. The NotPetya ransomware, for example, embedded and automated a version of MimiKatz, which it used to vacuum up credentials and infect otherwise secure Windows systems in environments it compromised.

Our Advice: Turn NTLM Off

What Microsoft should have said—but didn't—is that the biggest single step organizations can take to limit the spread of ransomware within their environments is to turn off NTLM authentication. Full. Stop.

That's strong medicine. NTLM is still used for local authentication on Windows systems and storage of Windows passwords on Active Directory Domain Controllers. Beyond that, NTLM is built into countless applications used within organizations of all sizes, and replacing it with a more secure alternative is no easy task. Still, CISOs and other senior IT leaders need to be held accountable for preventable compromises—and attacks on NTLM are entirely preventable.

Organizations that are worried about the potential of ransomware attacks—human-operated or not—should start migrating toward more secure alternatives such as Kerberos and SAML. Beyond that, technologies such as Kerberos need to be fully instrumented and monitored to prevent a wide range of other popular attacks including Golden- and Silver Ticket attacks. It goes without saying: ransomware isn't going away as a problem.

Other Tips: mind your Active Directory

Use and abuse of NTLM is an important factor in the successful ransomware attacks we have seen. It isn't the only factor.

Poor Active Directory hygiene is another element that we see in organizations that fall victim to human-operated ransomware attacks. The fact that Active Directory is a "set it and forget it" technology doesn't mean you actually should "set it and forget it." Specifically: organizations need to do a much better job auditing user permissions and applying "least privilege" policies that limit the number of users with elevated or administrative privileges. Simply put: the more network accounts with elevated privileges, the easier time attackers will have moving laterally in your environment.  

Mind the Messy Relationships

Poorly conceived privilege groupings in Active Directory are a major source of exposure for companies. Active Directory users may simultaneously have privileges over objects but also be members of groups and owners of resources able to delegate permissions to others. Machines (devices) are Active Directory objects and can have active sessions to other machines or belong in groups as well.  

Stated simply: there are a lot of relationships in play.  And the "relationships" between those relationships may be implicit and transitive, but they're real and often counterintuitive from the perspective of security and privilege.  Needless to say: malicious actors have been far more adept at finding and exploiting these lapses, forging attack paths through an environment to gain access to data and services which were meant to be isolated.

Embrace Least Privilege

Finally, organizations need to sniff out and remove stale or abandoned user accounts for former employees, contractors, testing and more. Both of these are low-effort tasks that pay big dividends in slowing or halting lateral movement within your environment.

Paul Roberts

Published 14 days ago