Microsoft's Threat Protection Intelligence Team is warning that ransomware criminals continue to attack healtchare and critical service providers during the pandemic crisis, and has issued detailed guidance on how to reduce the risk of falling victim to them.
The ransomware attacks are not done in an automated fashion, Microsoft said.
Instead, they are conducted by criminal gangs that work by compromising internet-facing network devices in order to establish a presence on vulnerable systems months before they strike and steal and encrypt victims' data.
Attackers have a range of vectors with which they can enter victims' networks and move laterally within these to capture credentials and prepare for the final ransomware activation, Microsoft noted.
Recent ransomware campaigns that Microsoft security teams have observed featured Remote Desktop Protocol or Virtual Desktop systems that aren't secured with multi-factor authentication.
Older, unsupported and unpatched operating systems such as Microsoft Windows Server 2003 with weak passwords and 2008, misconfigured web servers including Internet Information Services, back up servers, electronic health record software and systems management servers are all being attacked currently.
Vulnerable Citrix Application Delivery Controller and Pulse Secure are also in ransomware criminals' sights and should be patched as soon as possible.
Once ransomware criminals have gained access to vulnerable, internet-facing devices and endpoints, they attempt to steal admin login credentials and move laterally within networks with common tools such as Mimikatz and Cobalt Strike, Microsoft said.
They can also hide on networks, for reconnaissance and data exfiltration.
With lateral movement achieved, attackers create new accounts, modify Group Policy Object s in Windows, add scheduled tasks and register operating system services, and deploy backdoors and remote access tools for persistence, and wait for an opportune moment to activate the ransomware to blackmail victims.
Several human-operated ransomware payloads are actively being used presently.
These include RobbinHood, REvil/Sodinokibi, the Java-based PonyFinal and Maze, the operators of which were one of the first to sell stolen data from technology providers and public services it has attacked, Microsoft said.
One particular campaign, NetWalker, targets hospitals and healthcare providers through bogus COVID-19 subject emails with the ransomware delivered as a malicious Visual Basic script file.
Apart from actively patching systems, Microsoft said to watch out for malicious behaviours such as tampering with security events logs and other techniques used to evade detection, suspicious access to Local Security Authority Subsystem Service (LSASS), and Windows Registry database modifications which could indicate that credentials theft is taking place.
Investigating the Windows Event Log during the earliest part of a suspected breach, looking for event ID 4624 and logon type 2 or 10 could indicate post-compromise access, Microsoft said.
Later on, searching WEL for type 4 or 5 logons could also indicate suspected breach activity.
Ransomware criminals show no compunction as to the impact their attacks have on health care providers, Microsoft warned.