Ransomware Attacks on Active Directory: A Call to Action

In recent years, ransomware attacks have surged, posing a serious threat to businesses worldwide. Shockingly, by the end of 2023, over 72% of businesses have been hit by these attacks, marking the highest number yet. One worrying trend is the targeted attack on Active Directory (AD), a crucial part of business networks. 

Cybercriminal groups like AlphaV/BlackCat and state-backed ones like Volt Typhoon are exploiting AD vulnerabilities to wreak havoc. The consequences are severe: damaged reputation, disrupted operations, and hefty financial losses. In 2023, the average ransomware attack cost $5.23 million, up by 19.5% from the year before. As these attacks become more common and sophisticated, businesses must strengthen their defences and implement solid cybersecurity measures.

Below, we’ll explore ransomware attacks on businesses worldwide, dissecting tactics used by groups like AlphaV/BlackCat and Volt Typhoon. We’ll also reveal the flaws of traditional defences and introduce Certes DPRM as a proactive solution, safeguarding against Active Directory-targeted threats.

Understanding Ransomware Attack Tactics

AlphaV/BlackCat and Volt Typhoon exemplify the evolving tactics and relentless pursuit of cybercriminals. These groups employ cunning methods to infiltrate organisations, often relying on stolen credentials acquired through initial access brokers. Once inside the network, they set their sights on AD, with the clear objective of decrypting the AD database, creating their own admin or super user accounts, and roaming freely within the network—a technique aptly dubbed “living off the land.”

“Living off the land” is a tactic where attackers leverage existing tools, utilities, and legitimate processes native to the target environment to carry out malicious activities. Instead of relying on traditional malware or external tools, attackers use built-in functionalities of operating systems, applications, and network infrastructure to evade detection and blend into normal network traffic. This approach allows attackers to operate stealthily, making it challenging for traditional security measures to detect and mitigate their activities. 

Some recent examples of their tactics include the recent breach of Microsoft’s corporate network by the Midnight Blizzard Group, involving an ongoing assault on the theft of source code and unauthorised access attempts to internal systems. The attackers specifically targeted Microsoft’s internal computer systems, gaining access to source code repositories. 

The AlphaV/Black Cat group has reportedly targeted nearly 70 victims, with the healthcare sector being the most frequently victimised, as per the latest FBI report. Among these victims was Change Healthcare, which had 6 terabytes of data stolen, resulting in system disruptions lasting over a week back in December 2023. This incident was later confirmed by the company in February 2024.

Their ability to penetrate well-defended targets underscores the need for organisations to remain vigilant and strengthen their defences against advanced adversaries like Volt Typhoon and AlphaV/BlackCat.

The Inadequacy of Traditional Defences

Despite recommendations from esteemed organisations like the UK National Cyber Security Centre (NCSC) and tech giant Microsoft, traditional perimeter defences have proven insufficient in thwarting sophisticated cyber attacks. These groups employ targeted tactics, exploit vulnerabilities in software, and continuously evolve their techniques to bypass conventional defences. With a specific focus on targeting Active Directory, ransomware attackers can escalate privileges and encrypt critical data, causing widespread disruption. The emphasis on detection and response over prevention in these defences leaves organisations vulnerable to attacks. 

While suggestions regarding documentation, backups, and recovery strategies are undoubtedly valuable, they primarily address the aftermath of an attack, neglecting the crucial aspect of prevention. Even Microsoft, a titan in the tech industry, lacks a comprehensive solution to counter the specific threat posed by ransomware groups exploiting AD vulnerabilities. 

To effectively counter these threats, organisations must adopt proactive and innovative security solutions that address the dynamic nature of ransomware attacks and strengthen defences at entry points and throughout the network.

Introducing Certes DPRM: A Paradigm Shift in Security

Amidst this escalating threat landscape, Certes Data Protection and Risk Mitigation (DPRM) emerges as a beacon of hope. Unlike conventional approaches, Certes DPRM adopts a proactive stance against ransomware attacks on AD. Its innovative crypto-segmentation technology not only prevents the extraction of the AD database but also renders any stolen information useless to attackers.

The Certes DPRM Advantage

Certes DPRM’s policies disrupt the attack chain of ransomware groups like AlphaV/BlackCat and Volt Typhoon. By encrypting data flows with unique quantum-safe keys and placing keys and policies under the sole control of the customer’s security team, not a vendor or service provider, Certes DPRM ensures that even in the event of a breach, stolen data remains inaccessible to unauthorised users.This approach effectively neutralises the ability of attackers to create their own login accounts and roam freely within the network, preventing their malicious intentions.

Ransomware attacks targeting Active Directory represent a critical and imminent threat to organisations worldwide. With the rise of cybercriminal groups like AlphaV/BlackCat and state-sponsored entities like Volt Typhoon, the need for a proactive and data-centric security approach has never been greater. Certes DPRM stands as a proven deployed solution, offering unparalleled protection against ransomware attacks on AD and safeguarding critical data from malicious exploitation. In the ongoing battle against cyber threats, Certes DPRM empowers organisations to defend their data from attack, protect their assets, and ensure a secure digital future.

To gain deeper insights into how DPRM can fortify your data protection and safeguard your Active Directory, explore our whitepapers: “Going on the Offensive – Tackling Volt Typhoon attacks on Active Directory” and “Unveiling AlphaV/BlackCat”.