Active Directory domain controllers spreading ransomware: After Brexit, it’s .SaveTheQueen!

News by Chandu Gopalakrishnan

Ransomware operators change operation and extortion tactics, including using Active Directory domain controllers to spread the ransomware and publicly naming victims

After a bevy of malware with ‘Brexit’ in its title and code, a new strain of ransomware is doing the rounds, encrypting files and appending them with the extension “.SaveTheQueen”. The ransomware tracks its progress using the SYSVOL share on Active Directory domain controllers, researchers at Varonis found.

“This ransomware came to light when one of Varonis’s customers, an EU company with over 10k users in the business services sector, was alerted to unusual behaviour by an end user. Their activity was not typical for that particular user, so it raised a red flag for further investigation,” Varonis researcher Dolev Taler told SC Media UK.

The attacker injected the malware into winlogon.exe, which is a normal process that runs on the victim machine as part of Windows. It is likely that the attacker has obtained and used domain admin privileges to write files to SYSVOL. The attacker ran PowerShell code on the infected hosts that created a scheduled task to open, decode and run the malware, explained a Varonis blog post.

By injecting the malware into a normal process, it becomes harder for security teams and software to detect, said the researcher. ConfuserEx was used to protect the ransomware from detection and analysis; even if the malware is detected, ConfuserEx makes it harder to work out what the ransomware was doing, he explained.
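The two behaviours described above, unexpected files written to the SYSVOL share and a scheduled task that launches decoding PowerShell, both leave traces an administrator can hunt for. The following PowerShell script is an added example written for this article, not code from Varonis or from the SaveTheQueen analysis. It assumes it runs on a domain-joined Windows host with local administrator rights, that `$env:USERDNSDOMAIN` holds the AD DNS name, and that the allow-list of "expected" SYSVOL file extensions is a placeholder to be tuned to the environment.

```powershell
# Added example: hunt for the two SYSVOL/scheduled-task behaviours described in the
# article. Not the malware's code and not Varonis's tooling; assumptions are marked.
param(
    [string]$DomainDns = $env:USERDNSDOMAIN,   # assumption: domain-joined host
    [int]$LookbackHours = 24                   # how far back to treat writes as "recent"
)

$since = (Get-Date).AddHours(-$LookbackHours)

# 1. SYSVOL should only ever contain Group Policy artefacts and deployment scripts.
#    Anything with an unexpected extension, or anything written recently, deserves a look:
#    the article notes the ransomware used SYSVOL to track its progress, which needs
#    domain-admin level write access to the share.
$sysvolRoot = "\\$DomainDns\SYSVOL\$DomainDns"
# Placeholder allow-list of file types a typical GPO deployment writes; tune per environment.
$expectedExt = @('.pol', '.ini', '.inf', '.adm', '.admx', '.adml', '.xml',
                 '.cmtx', '.aas', '.msi', '.bat', '.cmd', '.vbs', '.ps1')

$oddSysvolFiles = Get-ChildItem -Path $sysvolRoot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { ($_.Extension -notin $expectedExt) -or ($_.LastWriteTime -gt $since) } |
    Select-Object FullName, Length, LastWriteTime,
        @{ Name = 'Owner'; Expression = { (Get-Acl -Path $_.FullName).Owner } }

# 2. Scheduled tasks on this host whose action runs PowerShell with an encoded or
#    base64-decoding command line, or that reference a SYSVOL path. This matches the
#    "open, decode and run" task the article describes.
$suspiciousTasks = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmdLine = "$($action.Execute) $($action.Arguments)"
        $isPowerShell = $cmdLine -match '(?i)powershell|pwsh'
        $looksDecoding = $cmdLine -match '(?i)(^|\s)-e(nc|ncodedcommand)?\b|FromBase64String|\\\\[^\\]+\\SYSVOL'
        if ($isPowerShell -and $looksDecoding) {
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                RunsAs    = $task.Principal.UserId
                State     = $task.State
                Command   = $cmdLine
            }
        }
    }
}

# 3. Recent task-creation events in the Security log (Event ID 4698, requires
#    "Audit Other Object Access Events" to be enabled) give the creating account.
$taskCreations = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ Name = 'Subject';  Expression = { $_.Properties[1].Value } },   # account that created the task
        @{ Name = 'TaskName'; Expression = { $_.Properties[4].Value } }

Write-Host "== Unexpected or recently written SYSVOL files =="
$oddSysvolFiles | Format-Table -AutoSize
Write-Host "== Scheduled tasks running decoding PowerShell =="
$suspiciousTasks | Format-Table -AutoSize
Write-Host "== Scheduled task creations in the last $LookbackHours h (Event 4698) =="
$taskCreations | Format-Table -AutoSize
```

Run it on a domain controller or any domain-joined host; the SYSVOL check works from anywhere with read access to the share, while the task and event checks cover only the local machine and would be pushed out via remoting or an EDR job in practice. Injection into winlogon.exe is not visible to this script; that needs process-level telemetry, which is why the behavioural alert described in the article mattered.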

The disclosure comes at a time when ransomware gangs are resorting to naming and shaming their target companies by leaking confidential data as a threat tactic, to curb the growing tendency to not pay up.

SC Media UK reported in December 2019 that Maze ransomware operators are planning to publish data stolen from victims who refuse to pay up. A month later, the ransomware operators published data stolen from Medical Diagnostic Laboratories (MDLab) after the company refused to pay the 200 bitcoin ransom (close to £1.4 million). 

A minimum of five law firms were held hostage by the Maze group in late January and early February, reported Emsisoft. The total number of organisations held for ransom ranged between 45 and 180 in January, the report added.

“Ransomware tactics are becoming extremely perilous by leaving the victims with no solution other than having to pay the ransom. Previously, most of the ransomware campaigns were merely hindering victims' daily operations, as organisations with daily backups and other important cyber-security processes managed to recover pretty quickly and without many losses,” commented Immuniweb founder and CEO Ilia Kolochenko.

“Moreover, some organisations did not even report such incidents to avoid potential fines and lawsuits. Now such incidents have become an invitation to file a class action by the victims and prosecution of careless organisations by competent law enforcement agencies.”

Varonis did not disclose whether the target organisation received a ransom call.

“What’s interesting is that it uses the company’s own Active Directory domain controllers to spread the ransomware within the organisation. Had this slipped under the radar, thousands of machines could've been encrypted due to its fast-spreading nature,” he pointed out.

This particular strain of ransomware is not new, nor is the practice of naming strains after trending news topics such as coronavirus (COVID-19) and Oscar-nominated movies. The distribution method involving the domain controller, however, makes it interesting and alarming, as it puts the attackers in a position to do a lot of damage, said Taler.

An online search showed advisories from several antivirus vendors on steps to deactivate the ransomware.

“The attacker used advanced obfuscation techniques that made the malware very evasive and hard to detect by conventional methods (signatures, etc). Fortunately, this particular organisation could detect the threat based on the infected user’s deviation from normal behaviour,” Taler said. 

“A smaller, less prepared organisation could easily have been crippled by SaveTheQueen,” he added.

The new generation of malware will likely change the largely ignorant behaviour of many organisations that consider cyber-racketeers undeserving of their attention, observed Kolochenko.

“Taking legal action against the criminals is virtually futile, given that they are located in faraway jurisdictions and are judgement-proof. Moreover, attempts to eradicate stolen data from the internet may result in a Streisand effect and further exacerbate damages,” he warned.
