True North Networks Blog
A new ransomware strain called 'Save the Queen' distributes itself from your own Domain Controllers
Sophisticated cybercriminals have continuously improved the effectiveness of ransomware attacks, according to Yaki Faitelson, co-founder and CEO of Varonis. In an article for Forbes, Faitelson explained that targeted ransomware attacks aim to encrypt the most valuable data at the worst possible time for the victim organization.
“Small-time criminals go for the quick buck,” Faitelson writes. “They don’t have the time or skill to pull off an enterprisewide cyberattack while covering their tracks. Big-game ransomware groups are not small-time criminals — they have time, skills and motivation. That means they’ll get in, figure out what matters and then burn things to the ground only when they’ve maximized their return.”
Faitelson describes recent attacks in which the attackers gained access to the victim’s Active Directory accounts. Active Directory has become a frequent target in these types of ransomware attacks.
“Our company recently analyzed a new strain of ransomware, called ‘Save the Queen,’ that distributes its ransomware from its victim’s Active Directory Servers (known as Domain Controllers),” Faitelson says. “Domain Controllers hold the keys to your digital kingdom. They are important systems that pretty much every other system connects to, making them ideal for distributing ransomware. Because of their importance, manipulating Active Directory Servers requires a very high level of access — and that’s exactly what these attackers had.”
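The passage above makes two points a practitioner will want to verify on their own domain: pushing anything from a Domain Controller requires membership in a small set of privileged groups, and whatever a DC hands out (Group Policy, and the SYSVOL share behind it) reaches every domain-joined host. The following PowerShell script is an added example, not code from Varonis, the Forbes article, or the "Save the Queen" analysis; the focus on SYSVOL and GPO modification is an assumption about how DC-based distribution generally works, not a description of this strain's mechanism. It assumes it is run on a Domain Controller, or on a host with the RSAT ActiveDirectory and GroupPolicy modules, by an account allowed to read the Security log; the seven-day window is an assumption, adjustable via the parameter.

```powershell
# Added example (not from the Forbes article or Varonis): audit the access and the
# distribution path an attacker needs to push ransomware from a Domain Controller.
# Assumes RSAT ActiveDirectory + GroupPolicy modules and rights to read the Security log.
# The SYSVOL/GPO emphasis is an assumption about the general technique.

param(
    [int]$LookbackDays = 7   # assumption: a one-week review window
)

Import-Module ActiveDirectory
Import-Module GroupPolicy

$since  = (Get-Date).AddDays(-$LookbackDays)
$domain = (Get-ADDomain).DNSRoot

# 1. Who currently holds DC-level access? -Recursive resolves nested groups so a user
#    placed in a group that is itself inside Domain Admins is still listed.
$privileged = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins')
foreach ($g in $privileged) {
    $members = @(Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty SamAccountName)
    "[$g] {0} user member(s): {1}" -f $members.Count, ($members -join ', ')
}

# 2. Was anyone added to a privileged group recently?
#    4728 = member added to a global group, 4732 = to a local group, 4756 = to a universal group.
#    These events are written to the Security log of the DC that processed the change,
#    so run this on every DC (or query your SIEM) rather than trusting a single DC's view.
$groupAdds = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4728, 4732, 4756
    StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($e in $groupAdds) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    "{0}  {1} added {2} to {3}" -f $e.TimeCreated, $d['SubjectUserName'], $d['MemberName'], $d['TargetUserName']
}

# 3. What changed in the policy that every domain member pulls at refresh?
#    A modified GPO, or a new script/binary/preferences XML under SYSVOL\...\Policies,
#    is exactly the kind of change that fans out to all hosts from the DC.
Get-GPO -All -Domain $domain |
    Where-Object { $_.ModificationTime -ge $since } |
    Select-Object DisplayName, ModificationTime, Owner |
    Sort-Object ModificationTime -Descending

$sysvol = "\\$domain\SYSVOL\$domain\Policies"
Get-ChildItem -Path $sysvol -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object {
        $_.LastWriteTime -ge $since -and
        $_.Extension -in '.exe', '.dll', '.ps1', '.bat', '.cmd', '.vbs', '.xml'
    } |
    Select-Object FullName, LastWriteTime, Length |
    Sort-Object LastWriteTime -Descending
```

Each of the three sections answers a different question: who could do this, whether that set grew recently, and whether the shared distribution path has been touched. Any unexpected hit in sections 2 or 3 is worth an incident-response look rather than a cleanup, because by the time a GPO or SYSVOL script is modified the attacker already holds the access the quoted passage describes.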
Faitelson points out that sophisticated cybercriminals can do more with this access than simply encrypt data, and that they may go even further than holding stolen data for ransom.
“If big-game hunters have all this access, why wouldn’t they also grab financial information or intellectual property?” Faitelson asks. “Trade on insider information? Grab copies of important files before they encrypt them so they can threaten to leak them later? It would be naïve to think they don’t. And that should be a board-level worry....[A]s these groups get more organized and efficient at monetizing your property, it’s more likely that they’re not going to leave any money on the table.”
Faitelson also notes the additional security challenges that come with a remote workforce, a concern that is particularly pressing now.
“Remote workers are now easy conduits to corporate resources, and most organizations are unprepared to spot unusual activity generated by these remote users,” Faitelson says. “Your goal should be to detect attackers who are looking to take advantage of remote workers as early as possible.”