Securing Active Directory to Reduce Ransomware Attacks: A Quick Primer
Shweta Khare
Ransomware attacks are increasing in size and complexity, putting organizations across all industries at risk for account lockouts, extortion attempts, and data loss. In fact, the latest research indicates ransomware attacks are up by 80% year-over-year.
In large part, this is because most ransomware families (the code and malicious commands that carry out ransomware attacks) now rely on powerful ransomware-as-a-service tooling, which makes attacks much easier to launch.
In an alarming development, cybercriminals are increasingly targeting Microsoft Active Directory, a serious threat because a compromise of Active Directory can grant an intruder ownership of the entire network.
Read on to learn more about the link between ransomware and Active Directory, as well as some actionable tips that you can use to harden your environment from Active Directory ransomware attacks.
Why cybercriminals target Active Directory for ransomware attacks
The main reason cybercriminals target Active Directory is that it serves as the gateway to the rest of the network: it is the service that manages, groups, authenticates, and secures users and computers across corporate domain networks.
Users and computers rely on Active Directory to access various network resources. As such, cybercriminals understand that ransomware attacks on Active Directory can wreak havoc on any organization, making it an excellent extortion mechanism.
Does ransomware encrypt Active Directory?
Ransomware doesn’t encrypt Active Directory itself. Rather, it uses Active Directory to reach and encrypt connected hosts and domain-joined systems. Two popular ransomware families that target AD are LockBit 2.0 and BlackMatter.
In a typical Active Directory ransomware attack, bad actors attempt to gain network access by phishing for user credentials, escalating privileges, and moving vertically into the server network. The end goal is to obtain administrative access rights and compromise a domain controller.
If an attacker is successful, they essentially own the network and gain access to all of its servers and data. Domain controllers host a copy of the Active Directory Domain Services (AD DS) database, which contains every object Active Directory stores and for which it provides authentication and authorization services.
Despite this clear and present threat, many companies still lack Active Directory security and recovery plans. This makes recovering from a ransomware attack very difficult.
To avoid that fate, companies should strongly consider taking active measures to harden their Active Directory deployments and protect them from sophisticated ransomware attacks.
How to protect Active Directory from ransomware attacks
As we point out in our Active Directory hardening whitepaper, there are multiple common Active Directory misconfigurations that hackers look to exploit. As such, security teams need to build a comprehensive Active Directory strategy that encompasses multiple areas.
With that in mind, let’s examine a few strategies you can use to protect your Active Directory from ransomware attacks.
1. Avoid adding Domain Users to the Local Administrator Group
Hackers often try to discover misconfigurations and networked systems where Domain Users are members of the local Administrators group. This misconfiguration lets bad actors move laterally within a network, elevating their privileges along the way.
For this reason, it’s a good idea to avoid adding Domain Users to the local Administrators group in the first place. Instead, use least-privilege access controls with just-in-time privilege elevation, so that admins receive limited elevated rights only when necessary. You should also scan continuously to detect and eliminate potential misconfigurations.
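One way to run the continuous scan just described, as an added PowerShell example that is not code from the original post or from Delinea: it queries the local Administrators group on a set of hosts and flags any broad domain group (such as Domain Users) that should never be there. It assumes PowerShell Remoting is enabled and that the host names in `$Computers` are placeholders you replace with your own.

```powershell
# Added example: audit the local Administrators group on a set of domain-joined
# hosts for broad domain groups. Host names are placeholders; the caller must
# have rights to read local group membership on each target.

$Computers = @('WS01', 'WS02', 'SRV01')   # placeholder host names
$Domain    = $env:USERDOMAIN              # NetBIOS name of the caller's domain

$Members = Invoke-Command -ComputerName $Computers -ErrorAction SilentlyContinue -ScriptBlock {
    # Get-LocalGroupMember ships with Windows 10 / Server 2016 and later.
    foreach ($m in (Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop)) {
        [PSCustomObject]@{
            Computer    = $env:COMPUTERNAME
            Member      = $m.Name             # e.g. CONTOSO\Domain Users
            ObjectClass = $m.ObjectClass      # User or Group
            Source      = $m.PrincipalSource  # Local or ActiveDirectory
        }
    }
}

# Broad groups that grant local admin rights to effectively every domain account.
$RiskyGroups = @(
    "$Domain\Domain Users",
    'NT AUTHORITY\Authenticated Users',
    'Everyone'
)

$Violations = $Members | Where-Object {
    $_.ObjectClass -eq 'Group' -and $RiskyGroups -contains $_.Member
}

if ($Violations) {
    Write-Warning 'Broad domain groups found in local Administrators:'
    $Violations | Format-Table Computer, Member, Source -AutoSize
    # Remediation on an affected host, once the finding is confirmed:
    #   Remove-LocalGroupMember -Group 'Administrators' -Member "$Domain\Domain Users"
} else {
    Write-Host 'No broad domain groups found in local Administrators on the checked hosts.'
}
```

Schedule the script from a central management host so that drift is caught shortly after it is introduced rather than during an incident.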
2. Fortify your Remote Desktop Protocol
It’s also common for attackers to try to brute-force weak credentials for endpoints using Remote Desktop Protocol (RDP). Brute-force entry can allow hackers to gain complete access to a remote system.
To protect against brute-force RDP attacks, you should always deploy strong multi-factor authentication and privileged access security. We also advise scanning continuously for brute-force attempts to detect and eliminate incoming threats and prevent them from cascading across the network.
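The continuous scan for brute-force attempts mentioned above, as an added PowerShell example that is not code from the original post or from Delinea: it reads failed logon events (Security event ID 4625) from the Windows Security log, keeps only RemoteInteractive (RDP) logons, and reports source addresses that exceed a failure threshold. It assumes it runs on the RDP host or a log collector with rights to read the Security log; the window and threshold are assumed values to tune for your environment.

```powershell
# Added example: flag likely RDP brute-force activity from Security event 4625.
# LogonType 10 = RemoteInteractive (RDP). Window and threshold are assumptions.

$WindowMinutes = 60
$Threshold     = 20

$Filter = @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddMinutes(-$WindowMinutes)
}

$Events = Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue

$Failures = foreach ($e in $Events) {
    # Pull the named EventData fields out of the event XML.
    $x = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['LogonType'] -eq '10') {
        [PSCustomObject]@{
            Time     = $e.TimeCreated
            SourceIp = $data['IpAddress']
            Account  = $data['TargetUserName']
            Status   = $data['Status']   # 0xC000006D = bad user name or password
        }
    }
}

$Suspects = $Failures |
    Group-Object SourceIp |
    Where-Object { $_.Count -ge $Threshold } |
    ForEach-Object {
        [PSCustomObject]@{
            SourceIp = $_.Name
            Failures = $_.Count
            Accounts = ($_.Group.Account | Sort-Object -Unique) -join ', '
        }
    }

if ($Suspects) {
    Write-Warning "Possible RDP brute-force activity in the last $WindowMinutes minutes:"
    $Suspects | Format-Table -AutoSize
} else {
    Write-Host "No source exceeded $Threshold failed RDP logons in the last $WindowMinutes minutes."
}
```

A long list of distinct accounts from one source address is the password-spraying pattern; a single account with many failures is classic brute force, and both warrant blocking the source and confirming MFA is enforced on the exposed endpoint.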
3. Use Active Directory Bridging
Active Directory Bridging is a feature that enables users to access non-Windows operating systems using Active Directory credentials. This feature allows Active Directory to work with Linux, Windows, and Unix IT systems and devices.
Bridging boosts Active Directory ransomware protection by eliminating local identity sprawl. Users then authenticate to all systems using a single Active Directory identity. This significantly reduces the attack surface by creating fewer entry points for attackers. It also simplifies access compliance reporting.
In addition, bridging helps establish a unified privileged access management (PAM) strategy with centralized cross-platform access policy administration, tight access, privilege control, and identity consolidation. When it comes down to it, unified PAM is critical for preventing Active Directory ransomware attacks.
Break the ransomware attack chain with Delinea
Many companies use Active Directory bridging solutions that provide surface-level visibility and control. In other words, basic Active Directory bridging solutions lack the intelligence needed to see and navigate all forests, trees, domains, and nested groups within an Active Directory environment.
Delinea offers advanced Active Directory bridging through the Server Suite, which is an on-prem PAM service for Linux, Unix, and Windows systems. Server Suite leverages the Active Directory Global Catalog to achieve real-time awareness across site topologies and domain controllers. Server Suite also simplifies identity access management and makes it easier to enforce the principle of least privilege and gain deeper visibility at the server level.
To learn more about how Server Suite can help you keep bad actors away from Active Directory, request a trial today.
More Ransomware Resources:
- Webinar: Get Incident Response Ready - Key Steps of a Ransomware Incident Response Plan
- Podcast: Ransomware Rundown with Dan Lohrmann
- Report: 2021 State of Ransomware Survey Report & Infographic
- Whitepaper: Advanced Active Directory Bridging
- Whitepaper: Ransomware on the Rise
- Blog: AD Bridging: If you're only using it for authentication, you're missing a ton of value