The human-operated, double-extortion ransomware group, which attacks Active Directory, has already been spotted in the Philippines.

A new sophisticated ransomware campaign is on the rise, claiming victims in the US, Europe and the Philippines.

The ALPHV BlackCat ransomware is human-operated and command-line driven, which makes it hard for traditional detection tools to alert accurately on these intrusions. Its operators attack Active Directory (AD), use a variety of encryption modes, move laterally, and gain administrative privileges to spread between computers. They encrypt other devices on the network and wipe out information to prevent recovery.

This group is also known to steal data before encrypting devices, then publish it on data leak sites for triple extortion.

An attack on AD begins with attackers discovering privileged accounts and then stealing credentials such as passwords, hashes, and Kerberos tickets, or by performing brute-force attacks such as ‘password spray’. Once an attacker has obtained higher privileges or found a vulnerability in AD, techniques such as the Golden Ticket attack, the Silver Ticket attack, and domain replication are used to take over AD. Attackers can thereby easily compromise the systems it manages, install backdoors, change security policies, and rapidly deploy the ransomware.
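As an added, defender-side illustration of the ‘password spray’ step described above (example code, not from the article or from Attivo Networks), the following script walks constructed Windows logon events and flags a source that fails against many distinct accounts within a short window, while leaving repeated failures against a single account (plain brute force) unflagged. The pipe-separated log format, the two-minute window and the four-account threshold are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logon records (not real telemetry): time|EventID|source IP|account|NTSTATUS
# 4625 = failed logon, 4624 = successful logon, 0xC000006A = wrong password, 0xC0000064 = no such user
SAMPLE_EVENTS = """\
2024-03-01T09:00:01Z|4625|192.0.2.10|alice|0xC000006A
2024-03-01T09:00:02Z|4625|192.0.2.10|bob|0xC000006A
2024-03-01T09:00:03Z|4625|192.0.2.10|carol|0xC000006A
2024-03-01T09:00:04Z|4625|192.0.2.10|dave|0xC000006A
2024-03-01T09:00:05Z|4625|192.0.2.10|svc_backup|0xC0000064
2024-03-01T09:00:07Z|4624|192.0.2.10|frank|0x0
2024-03-01T09:05:00Z|4625|198.51.100.7|alice|0xC000006A
2024-03-01T09:05:30Z|4625|198.51.100.7|alice|0xC000006A
2024-03-01T09:06:00Z|4625|198.51.100.7|alice|0xC000006A
"""

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, eid, src, user, status = line.split("|")
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "id": int(eid), "src": src, "user": user, "status": status})
    return sorted(events, key=lambda e: e["time"])

def detect_password_spray(events, window=timedelta(minutes=2), min_accounts=4):
    """Flag a source whose failed logons hit >= min_accounts distinct accounts in one sliding
    window; repeated failures against one account (brute force) are deliberately not flagged."""
    recent = defaultdict(deque)  # src -> (time, account) of failures still inside the window
    alerts = {}
    for e in events:
        src = e["src"]
        if e["id"] == 4624 and src in alerts:
            alerts[src]["followed_by_success"] = True  # a success after a spray: escalate
            continue
        if e["id"] != 4625:
            continue
        q = recent[src]
        q.append((e["time"], e["user"]))
        while e["time"] - q[0][0] > window:
            q.popleft()
        accounts = {u for _, u in q}
        if len(accounts) >= min_accounts:
            a = alerts.setdefault(src, {"accounts": set(), "first_seen": q[0][0],
                                        "followed_by_success": False,
                                        "probes_nonexistent_users": False})
            a["accounts"] |= accounts
            if e["status"] == "0xC0000064":
                a["probes_nonexistent_users"] = True  # guesses at names: enumeration hint
    return alerts
```

On the constructed sample, only 192.0.2.10 is flagged, with a subsequent successful logon and a probe of a nonexistent account both noted; the three failures from 198.51.100.7 against a single account are not.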

According to Jeremy Ho, Vice President (APAC), Attivo Networks: “Active Directory is the most commonly used identity platform by businesses; if compromised, it grants attackers complete control to escalate privileges, disable security tools, move laterally in the organization, and steal valuable data. AD protection is a security gap that is not currently addressed by EDR solutions or identity access management solutions focused on providing access instead of denying it.”

Ho said organizations need to employ a multi-pronged approach, which includes hardening, detecting reconnaissance, and preventing domain compromise, to defend against AD attacks. “Newer Identity Detection and Response (IDR) tools have become must-have security stack staples for delivering visibility and detection for credential theft and misuse and attempts to enumerate Active Directory,” Ho said.