Understanding the tools ransomware attackers use and how they work can be very helpful in protecting yourself against cyber intruders. The more you know about how hackers work, the more you will understand how to avoid falling into their traps. Hackers are using a tool called Mimikatz to help their ransomware spread through networks. Defending against it can dramatically reduce the cost of ransomware response, so it’s worth taking some time to learn how it works and how to secure your network against it.
The Origin of Mimikatz
Mimikatz has existed for some time, but it’s recently seen increasing use as a component in complex ransomware attacks. It was originally developed by Benjamin Delpy, who worked for the French government at the time. Delpy found a critical flaw in the way Windows stores its passwords, and contacted Microsoft to warn them. Microsoft’s engineering team was not concerned, saying it would be too difficult to exploit, so Delpy developed Mimikatz to prove his point.
Delpy later presented his findings at a conference in Moscow, and a number of Russian government agents immediately took interest. Russian spies later made headlines when they used the tool to hack into the German parliament. The NSA’s spying program also later adopted Mimikatz.
Both the NotPetya and BadRabbit ransomware strains used Mimikatz to gain access to their victims' systems. Microsoft has shipped a number of Windows patches to counter Mimikatz, but attackers found ways around all of them fairly quickly, so Mimikatz looks set to remain a popular tool for the foreseeable future.
How Does Mimikatz Work?
Mimikatz extracts credential material from Windows machines, including password hashes, PINs, and Kerberos tickets. That material is then replayed against other machines on the network to gain administrative access.
To obtain this data, Mimikatz relies on an authentication provider called WDigest, which was part of the Single Sign-On (SSO) features in older versions of Windows and keeps credentials in memory in a recoverable form. Windows 8.1 allowed WDigest to be disabled, and Windows 10 ships with it disabled by default, but an attacker who has already gained access to a system can turn WDigest back on so that password data is collected once more.
How does Mimikatz Help Ransomware Spread?
When ransomware attackers successfully break into a system, the first thing they do is try to gain access to as much of the network as they possibly can. They also search for backups, because the more data they are able to encrypt and/or steal, the greater the economic cost to the victim. The higher the value of the data compromised, the more likely the victim will be to pay the ransom.
Mimikatz makes it much easier for an attacker to move laterally throughout a network once they gain access. This means that they can encrypt more of the network and access more sensitive data.
How Can You Prevent Lateral Ransomware Spread?
Defending against Mimikatz will not actually reduce the risk of an attacker gaining access to your network. It can, however, be an effective means of damage control. A few minor operational changes can safeguard your network against Mimikatz, and stop the spread of ransomware.
If you are able to upgrade to Windows 8.1 or higher, do so. On these newer versions of Windows, the Local Security Authority Subsystem Service (LSASS) can be protected in ways that prevent Mimikatz from working.
Dedicated security personnel who monitor network activity can be a good investment. The surest way to be confident your systems are resistant to Mimikatz, however, is to test them with Mimikatz yourself on a regular basis.
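The two behaviours described above, re-enabling WDigest and reading credential material out of LSASS, both leave traces in endpoint telemetry. The following added example (not code from the original article) shows detection logic run over constructed Sysmon-style events: it flags the WDigest UseLogonCredential registry value being set to anything other than zero, and any process outside a small allowlist opening lsass.exe with memory-read access. The allowlist and the sample events are assumptions for illustration.

```python
import json
import re

# Sysmon Event ID 13 = registry value set; Event ID 10 = process access.
# UseLogonCredential under the WDigest key is the value an attacker flips
# to make LSASS cache recoverable credentials again.
WDIGEST_VALUE = re.compile(r"\\SecurityProviders\\WDigest\\UseLogonCredential$", re.I)
PROCESS_VM_READ = 0x0010  # access-mask bit required to read another process's memory
# Constructed allowlist of processes that legitimately open lsass.exe; tune per estate.
LSASS_ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}

def parse_dword(details):
    """Sysmon renders DWORD data as 'DWORD (0x00000001)'; return the int or None."""
    m = re.search(r"DWORD \((0x[0-9a-f]+)\)", details or "", re.I)
    return int(m.group(1), 16) if m else None

def classify(event):
    """Return an alert string for a suspicious event, or None."""
    eid = event.get("EventID")
    if eid == 13 and WDIGEST_VALUE.search(event.get("TargetObject", "")):
        if parse_dword(event.get("Details")):  # any non-zero value re-enables caching
            return "wdigest_reenabled by " + event.get("Image", "?")
    if eid == 10 and event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        source = event.get("SourceImage", "").lower()
        access = int(event.get("GrantedAccess", "0x0"), 16)
        if access & PROCESS_VM_READ and source not in LSASS_ALLOWLIST:
            return "lsass_memory_read by %s (access %#x)" % (source, access)
    return None

def scan(lines):
    """Run classify() over JSON-per-line Sysmon events; return the alerts raised."""
    return [a for a in (classify(json.loads(line)) for line in lines) if a]

# Constructed sample events in the field layout Sysmon uses (not real telemetry).
SAMPLE_LINES = [json.dumps(e) for e in [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "Details": "DWORD (0x00000001)"},                                              # re-enabled: alert
    {"EventID": 13, "Image": r"C:\Windows\System32\gpupdate.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "Details": "DWORD (0x00000000)"},                                              # hardening: no alert
    {"EventID": 10, "SourceImage": r"C:\Users\bob\Downloads\updater.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},   # alert
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"}, # allowlisted
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe"},                    # ignored
]]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LINES):
        print(alert)
```

Feeding a real Sysmon export (one JSON object per line, as Winlogbeat or similar forwarders emit) into scan() applies the same checks; a production rule would also exclude AV and EDR agents from the LSASS access check.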
One of the best ways to protect yourself is to use a unique administrative password for each Windows machine on the network. Also, assign administrative privileges only to those users who absolutely need them.
Ransomware gangs have increasingly used Mimikatz in conjunction with brute-force attacks in recent months. Brute-force attacks can crack many weak passwords within a matter of days. If the attackers crack an administrative password, they can gain unrestricted access to the entire network. A strong administrative password can make the difference between a minor inconvenience and a catastrophic data breach.