Managed service providers (MSPs) are the gatekeepers of digital infrastructure not only for themselves but for their clients, so the threat ransomware poses to them extends beyond mere technical challenges. It encompasses operational, financial, and reputational risks. MSPs must remain vigilant, well-informed, and armed with effective cybersecurity measures.
Today, we delve into this highly pertinent topic – the anatomy of a ransomware attack, specifically focusing on the Dharma ransomware from the Crysis family that eluded firewall and antivirus protection. In this article we’ll guide you step-by-step through the tactics of the Dharma ransomware, how it infiltrates HVTs (high-value targets), evades detection, and impacts the network.
From this real-life incident, learn how MSPs can safeguard against these attacks and how Managed XDR was able to detect and mitigate the attack and further harden security defenses to prevent future ones.
Dharma ransomware is a sophisticated cyber threat, typically delivered as a manual attack meticulously orchestrated to infiltrate high-value networks. Because the attack is manual, it is expensive for the attacker, which is why they pursue high-value networks. With a focus on stealth, Dharma's attackers exploit Remote Desktop Protocol (RDP) vulnerabilities using leaked or weak credentials.
Alternatively, they employ email spam with cleverly disguised payloads, leveraging double extensions to deceive victims. The attackers even imitate the names of prominent figures, like the President of the United States, to lull victims into a false sense of security.
Penetrating the Network
Once inside the network, the attackers swiftly uninstall existing antivirus software, a strategic move to ensure their activities remain hidden. The attackers understand the value of the targets they're pursuing, which makes the manual approach worthwhile despite being an intensive process.
After gaining a foothold, Dharma ransomware initiates its encryption spree, targeting files across various drives. The attackers collect vital information, including computer names and encrypted files, which they leverage to demand a ransom. These encrypted files are then dispatched to a command-and-control server, and a ransom note, often demanding a Bitcoin payment, is left on the desktop. The attackers adjust the ransom based on what they believe the victim organization can afford and how critical the server is.
So how did we catch this in real life? An MSP leveraging Netsurion Managed Open XDR thwarted an attack on a client in the service industry. Despite the victim's proactive security measures, which included firewalls and antivirus protection, the attackers exploited RDP vulnerabilities and leaked credentials.
Detection and Mitigation
The detection process began when the attacker connected to the victim's system and dropped a seemingly innocuous piece of software. When it ran, the resulting new-software-installation event reached the Netsurion Open XDR console and raised a weak signal. You can't get excited every time someone installs something, but it is something to watch out for.
While such signals might not raise alarms individually, Netsurion's advanced algorithms and SOC (human analysis) recognized the timing and context as suspicious. Coupled with the subsequent removal of antivirus software and the appearance of unfamiliar attack tools, the system flagged an ongoing attack. The alert was then escalated to the MSP with details, and the MSP promptly quarantined and reimaged the infected machine.
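The correlation described above, as an added example that is not Netsurion code and does not represent the product's actual logic: three individually weak host signals (an RDP logon from an address outside a known allow-list, a new software installation shortly afterwards, then removal of a security product) are chained inside a one-hour window and scored, so that only the full chain escalates to an analyst. The log lines, the allow-list address, the product names and the scoring weights are all constructed for the illustration; the Windows event IDs (Security 4624 with LogonType 10 for RDP, MsiInstaller 11707/1033 for installs and 1034/11724 for removals) are real.

```python
"""Correlate weak host signals into one ransomware-precursor alert.

Added illustration, not Netsurion code. The log format is a constructed,
simplified export (timestamp|channel|event_id|details); real Windows
events would come from EVTX/XML, but the correlation logic is the same.
"""
import re
from collections import namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts channel event_id details")

# Constructed sample timeline for a single host. Event IDs are the real
# Windows ones: Security 4624 (logon; LogonType 10 = RDP) and the
# MsiInstaller Application events 11707/1033 (install) and 1034/11724 (removal).
SAMPLE_LOG = """\
2023-08-14T01:02:10|Security|4624|LogonType=10;TargetUserName=svc_backup;IpAddress=203.0.113.45
2023-08-14T01:09:31|Application|11707|Product: Remote Utilities Host -- Installation completed successfully.
2023-08-14T01:15:02|Application|1034|Product: Contoso Endpoint Antivirus -- Removal completed successfully.
2023-08-14T09:30:00|Security|4624|LogonType=2;TargetUserName=jdoe;IpAddress=-
2023-08-14T10:05:00|Application|11707|Product: Microsoft Edge -- Installation completed successfully.
"""

# Constructed allow-list: addresses expected to reach RDP (e.g. the MSP's VPN egress).
KNOWN_RDP_SOURCES = {"198.51.100.7"}
# Removal of a centrally managed security product is a weak signal on its own.
AV_PRODUCT_PATTERNS = [re.compile(p, re.I) for p in ("antivirus", "endpoint protection", "defender")]
WINDOW = timedelta(hours=1)


def parse_log(text):
    """Parse the constructed pipe-delimited export into time-ordered Events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, channel, eid, details = line.split("|", 3)
        events.append(Event(datetime.fromisoformat(ts), channel, int(eid), details))
    return sorted(events, key=lambda e: e.ts)


def logon_fields(e):
    """Split the 'k=v;k=v' details of a 4624 event into a dict."""
    return dict(kv.split("=", 1) for kv in e.details.split(";") if "=" in kv)


def is_rdp_logon_from_unknown(e):
    if e.channel != "Security" or e.event_id != 4624:
        return False
    f = logon_fields(e)
    return f.get("LogonType") == "10" and f.get("IpAddress") not in KNOWN_RDP_SOURCES


def is_software_install(e):
    return e.channel == "Application" and e.event_id in (1033, 11707)


def is_av_removal(e):
    return (e.channel == "Application" and e.event_id in (1034, 11724)
            and any(p.search(e.details) for p in AV_PRODUCT_PATTERNS))


def correlate(events, window=WINDOW):
    """Anchor on each RDP logon from an unknown source and collect the
    install / AV-removal signals that land within `window` after it.
    Each signal is weak alone; the chain drives the score."""
    alerts = []
    for anchor in filter(is_rdp_logon_from_unknown, events):
        followers = [e for e in events if anchor.ts < e.ts <= anchor.ts + window]
        installs = [e.details for e in followers if is_software_install(e)]
        removals = [e.details for e in followers if is_av_removal(e)]
        score = 1 + (2 if installs else 0) + (3 if removals else 0)
        alerts.append({
            "anchor": anchor.ts.isoformat(),
            "user": logon_fields(anchor).get("TargetUserName"),
            "source_ip": logon_fields(anchor).get("IpAddress"),
            "installs": installs,
            "av_removals": removals,
            "score": score,
            "escalate": score >= 6,  # all three links present: hand to an analyst
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run against the constructed timeline, the 01:02 RDP logon from 203.0.113.45 anchors one alert that carries both the install and the antivirus removal and reaches the escalation threshold, while the interactive morning logon and the Edge install produce nothing. The point a SOC takes from this is that the install and uninstall events are only worth an analyst's time because of the logon that preceded them; the same events after an allow-listed logon score too low to page anyone.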
What MSPs can do
Notice that in this case the defenses already in place were not effective and could not have caught this. It took someone in the SOC paying attention to relatively innocuous software install and uninstall events to catch the attack.
This Dharma case study underscores the urgency of adopting a multi-pronged defense against ransomware threats. Here's what MSPs can do:
- Strengthen Passwords. Discourage attackers by promoting strong password practices and avoiding password reuse.
- Secure RDP. If RDP is essential, consider altering the default port, enforcing network-level authentication, and restricting connections to known IP addresses.
- Regular Patching. Keeping systems updated with the latest patches reduces vulnerabilities that attackers can exploit.
- Embrace Next-Gen Protection. Move beyond conventional antivirus solutions to EDR. Netsurion offers deep learning endpoint protection and behavioral analysis to identify and combat evolving threats.
- Robust Backup Strategy. Comprehensive, regularly tested backups are your insurance against data loss in the event of an attack.
- XDR (Extended Detection and Response). Netsurion’s prowess lies in its ability to correlate signals, uncovering complex attacks that evade traditional defenses.
Managed service providers are on the frontlines of cybersecurity battles, safeguarding clients from evolving threats like Dharma ransomware. By understanding the attack chain, bolstering defenses, and embracing Managed XDR, MSPs can proactively protect high-value networks from devastating attacks. MSPs must remain adaptable and vigilant, leveraging modern tools and strategies to stay one step ahead of adversaries.