Skip to content

Enterprise Mobility + Security


This post is authored by Arbel Zinger, Program Manager, Advanced Threat Analytics Product Team

Companies across the globe were affected by an increased amount of ransomware attacks that caused an estimated damage of $1 billion.

Ransomware attacks are becoming more powerful and crafty to force victims to pay their ransoms. Ransomware is now looking for new ways to cause the maximum damage possible to victims’ assets.

One of the shifts we are seeing is that instead of using the well-known method of encrypting the first machine breached using phishing attacks or random downloads, some attackers are using the initial computer for reconnaissance on the network, and then spreading to any accessible machine.

After the lateral movement phase, once the attacker hits multiple targets, they drop the ransomware that encrypts files. At this point, the attackers present a ransom note demanding an anonymous Bitcoin transfer.

In this post we will demonstrate the different ways Microsoft Advanced Threat Analytics (ATA) can help you detect this modus operando. We will break it down in three different phases: getting in the network, reconnaissance, and lateral movement.

Getting in the network

Our story begins with a compromised user. Even when the most sophisticated security products are installed, networks can be breached by using watering hole attacks and spear phishing campaigns.
In Microsoft’s Security Intelligence Report Volume 21, two different actor groups were discussed that use these strategies to breach their targets. Though these attacks are not directly related to ransomware, they can use the same techniques to get a foothold in the network.

Reconnaissance (looking around)

Once the attackers establish an initial foothold in the victim’s network, they will start reconnaissance of the network. At this phase, the malicious software spends time researching the environment and finding other resources the ransomware can spread to. We see the use of some legitimate IT tools built on Windows used in this phase.

Two main examples are DNS reconnaissance (using NsLookup) and SAMR (Security Account Manager Remote) protocol reconnaissance, to harvest network information.

Advanced Threat Analytics can detect both methods and alert the security team that, something or someone is looking around their network.

Here is an example of such an alert, detected by ATA:

Reconnaissance using directory services

Getting around (lateral movement)

After the malicious software recognizes accessible systems, it copies encryption public keys to the different machines, and runs the encryption process.

ATA is able to detect lateral movement by using machine learning, analyzing the behavior of users across all their devices, and making use of deterministic detections to catch threats within the corporate network. These unique capabilities can detect new and not-yet-known attack methods and techniques, playing a pivotal role to fight ransomware as malicious attackers are constantly developing different ways to move in the network.

Suspicion of identity theft based on abnormal behavior

Another way ATA might help, is by detecting attempts of remote execution (usually PsExec, a built-in Windows tool). Note that currently, ATA can only detect remote executions attempts against the domain controller.