April 29, 2020 (updated 30 Apr 2020 8:16am)

Named: The Top 5 Vulns Behind a Ransomware Surge

"The specific ransomware payload at the end of each attack chain was almost solely a stylistic choice"

By CBR Staff Writer

Morally bankrupt hackers have been hiding in compromised networks for months waiting for the right moment to initiate ransomware attacks, and given the activation of a host of ransomware deployments in the first two weeks of April, a pandemic is clearly that commercial opportunity.

An uptick in attacks at the beginning of April was recorded by the Microsoft Threat Protection Intelligence Team and reported this week, in a comprehensive blog that also names the top five vulnerabilities the team saw exploited by cyber criminals to gain an initial network foothold.

(Two “indigenous” Microsoft vulnerabilities are among them).

In the incidents Microsoft tracked, threat actors spent months obtaining access to systems and maintaining persistent access to networks.

Over the past month they have deployed ransomware to the detriment of aid organisations, government institutions, manufacturing and education software providers, the company reported. Microsoft’s security data shows that the initial compromise of these systems happened months ago, indicating that cyber criminals were biding their time, waiting for the right moment to monetise the compromise. Microsoft notes that this is “in stark contrast to attacks that deliver ransomware via email—which tend to unfold much faster, with ransomware deployed within an hour of initial entry”.

Microsoft security notes that: “Many of these attacks started with the exploitation of vulnerable internet-facing network devices; others used brute force to compromise RDP servers. The attacks delivered a wide range of payloads, but they all used the same techniques observed in human-operated ransomware campaigns: credential theft and lateral movement, culminating in the deployment of a ransomware payload of the attacker’s choice.”

“On networks where attackers deployed ransomware, they deliberately maintained their presence on some endpoints, intending to reinitiate malicious activity after ransom is paid or systems are rebuilt.”


Hidden Network Hackers

The breaches and attacks occurring are part of human-operated campaigns that require a certain degree of involvement from the hacker, who conducts spear phishing campaigns and targets vulnerable internet-facing systems.

The most common weaknesses exploited in internet-facing systems tend to be Remote Desktop Protocol (RDP) or Virtual Desktop endpoints that have not been secured with multi-factor authentication. In a similar vein, misconfigured web and management servers are prime causes of breaches.

There are an overwhelming number of CVEs for security teams to watch out for these days, but Microsoft security has highlighted five known vulnerabilities that are behind many initial exploitations:

The ransomware group REvil (also known as Sodinokibi) is thought to be the first to have exploited the network device vulnerabilities in Pulse VPN, allowing them to obtain credentials for network access escalation. This threat group has been targeting MSPs on a regular basis and, during the pandemic, has not taken its foot off the pedal.


Microsoft security notes that: “They kept up this activity during the COVID-19 crisis, targeting MSPs and other targets like local governments.

“REvil attacks are differentiated in their uptake of new vulnerabilities, but their techniques overlap with many other groups, relying on credential theft tools like Mimikatz once in the network and performing lateral movement and reconnaissance with tools like PsExec.”

While each of the detected campaigns and threat groups uses different ransomware payloads and breaching techniques, the overall attack pattern is a common one. First they gain initial access, then they steal higher-privileged credentials. Once an appropriate level of access is obtained, they hang out on the network until the time is right to strike.

[Image: Hidden Network Hackers. Credit: Microsoft]

Interestingly, Microsoft notes that: “The specific ransomware payload at the end of each attack chain was almost solely a stylistic choice made by the attackers.”

Unfortunately, once ransomware is deployed or data is stolen it is pretty much too late to avoid serious damage to systems or reputation. Your best bet is to root out attackers at the earliest stages of compromise by prioritising robust investigation schedules and continuous system checks for abnormalities.

Microsoft’s security team have highlighted a few malicious behaviours that IT teams should keep an eye out for, including:

> Malicious PowerShell, Cobalt Strike, and other penetration-testing tools that can allow attacks to blend in as benign red team activities.

> Credential theft activities, such as suspicious access to Local Security Authority Subsystem Service (LSASS) or suspicious registry modifications, which can indicate new attacker payloads and tools for stealing credentials.

> Any tampering with a security event log, forensic artifact such as the USNJournal, or a security agent, which attackers do to evade detections and to erase chances of recovering data.
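As an added illustration (not from the article or from Microsoft) of how the behaviours listed above, together with the RDP brute force mentioned earlier, can be turned into triage rules, the following script runs four simple detections over constructed Windows Security and Sysmon event records. The event IDs used (Sysmon 10 and 1, Security 1102 and 4625) are real Windows identifiers; the records, hosts, paths and threshold are constructed sample values.

```python
from collections import Counter

# Constructed sample events, shaped like a SIEM's normalised Windows records.
SAMPLE_EVENTS = [
    {"src": "sysmon", "id": 10, "host": "ws01", "image": "C:\\tools\\x.exe",
     "target": "C:\\Windows\\system32\\lsass.exe"},          # handle opened to LSASS
    {"src": "security", "id": 1102, "host": "ws01", "user": "svc_backup"},  # audit log cleared
    {"src": "sysmon", "id": 1, "host": "ws01",
     "cmd": "fsutil usn deletejournal /D C:"},                 # USN journal wiped
    *[{"src": "security", "id": 4625, "host": "rdp01", "ip": "198.51.100.7",
       "logon_type": 10} for _ in range(25)],                  # 25 failed RDP logons
    {"src": "sysmon", "id": 1, "host": "ws02", "cmd": "notepad.exe report.txt"},  # benign
]


def triage(events, brute_threshold=20):
    """Return a list of (rule, host, detail) findings for an event stream."""
    findings = []
    failed_rdp = Counter()
    for ev in events:
        # Sysmon Event ID 10 (ProcessAccess): a process opened a handle to lsass.exe,
        # the usual precursor to credential dumping.
        if ev["src"] == "sysmon" and ev["id"] == 10 \
                and ev.get("target", "").lower().endswith("\\lsass.exe"):
            findings.append(("lsass_access", ev["host"], ev["image"]))
        # Security Event ID 1102: the Security audit log was cleared (anti-forensics).
        elif ev["src"] == "security" and ev["id"] == 1102:
            findings.append(("security_log_cleared", ev["host"], ev.get("user", "?")))
        # Sysmon Event ID 1 (ProcessCreate): deleting the USN journal destroys the
        # file-change history investigators rely on.
        elif ev["src"] == "sysmon" and ev["id"] == 1 \
                and "usn deletejournal" in ev.get("cmd", "").lower():
            findings.append(("usn_journal_deleted", ev["host"], ev["cmd"]))
        # Security Event ID 4625 with logon type 10 (RemoteInteractive): a failed RDP
        # logon; many from one source IP suggest brute forcing.
        elif ev["src"] == "security" and ev["id"] == 4625 and ev.get("logon_type") == 10:
            failed_rdp[(ev["host"], ev["ip"])] += 1
    for (host, ip), n in failed_rdp.items():
        if n >= brute_threshold:
            findings.append(("rdp_brute_force", host, f"{ip}: {n} failed logons"))
    return findings


if __name__ == "__main__":
    for rule, host, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:22} {host:6} {detail}")
```

Real deployments would read these fields from the SIEM's schema rather than from dicts, and would tune the brute-force threshold per environment.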
