
Microsoft Defender Effectively Blocks Extensive Akira Ransomware Attack


On Wednesday, Microsoft revealed that a user containment feature within Microsoft Defender for Endpoint was pivotal in blocking a significant remote encryption attempt launched by actors associated with the Akira ransomware. 

Microsoft’s threat intelligence unit is closely monitoring the entity referred to as Storm-1567.

Modus Operandi of Attack

The attackers operated from devices that had not been onboarded to Microsoft Defender for Endpoint, using those unmanaged devices to evade the defenses present on managed ones. 

From there they carried out reconnaissance and lateral movement, then used a compromised user account to attempt encryption of the targeted devices remotely over the network.

[Chart: remote encryption attempts blocked on devices onboarded to Microsoft Defender for Endpoint as the attack progressed]

However, the user containment capability that is part of Microsoft's automatic attack disruption blocked the compromised account from accessing onboarded endpoints and other network resources. 

This sharply limited the attackers' ability to move laterally, and it applied regardless of the account's Active Directory status or privilege level.

In practical terms, containment cuts off the compromised user's inbound and outbound communications on every onboarded device, so a human-operated intrusion cannot spread from one device to the rest of the network through that account.
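To make the two mechanisms above concrete, the following added example (not Microsoft's code; the log format, host and account names, thresholds and the ONBOARDED inventory are all constructed for illustration) models remote-encryption detection over a handful of file-write events and then applies a user-containment decision. The detection flags an account that, from a host not in the onboarded inventory, writes to many files across several onboarded hosts in a short window; the containment step blocks that account on every onboarded device irrespective of its privilege, and also shows the gap the article describes: accesses to devices that are not onboarded cannot be enforced.

```python
"""Toy model of remote-encryption detection and user containment.

Added example, not Microsoft Defender for Endpoint's own logic. Every host,
account, path, timestamp and threshold below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Devices onboarded to the endpoint platform (assumed inventory).
ONBOARDED = {"FS01", "FS02", "WKS-042", "BKP01"}


def _t(s):
    return datetime.fromisoformat(s)


# Constructed SMB file-write events: (time, source_host, account, target_host, path).
SAMPLE_EVENTS = [
    # Legitimate backup job from an onboarded host: many writes, one target.
    (_t("2023-08-01T03:00:00"), "BKP01", "CORP\\svc_backup", "FS01", "\\backups\\a.bak"),
    (_t("2023-08-01T03:00:05"), "BKP01", "CORP\\svc_backup", "FS01", "\\backups\\b.bak"),
    (_t("2023-08-01T03:00:10"), "BKP01", "CORP\\svc_backup", "FS01", "\\backups\\c.bak"),
    (_t("2023-08-01T03:00:15"), "BKP01", "CORP\\svc_backup", "FS01", "\\backups\\d.bak"),
    (_t("2023-08-01T03:00:20"), "BKP01", "CORP\\svc_backup", "FS01", "\\backups\\e.bak"),
    # Compromised account writing from a host that is NOT onboarded, fanning
    # out across two onboarded file servers within a minute.
    (_t("2023-08-01T03:12:00"), "UNMANAGED-7", "CORP\\jdoe", "FS01", "\\finance\\q1.xlsx"),
    (_t("2023-08-01T03:12:03"), "UNMANAGED-7", "CORP\\jdoe", "FS01", "\\finance\\q2.xlsx"),
    (_t("2023-08-01T03:12:07"), "UNMANAGED-7", "CORP\\jdoe", "FS02", "\\hr\\payroll.csv"),
    (_t("2023-08-01T03:12:11"), "UNMANAGED-7", "CORP\\jdoe", "FS02", "\\hr\\staff.docx"),
    (_t("2023-08-01T03:12:15"), "UNMANAGED-7", "CORP\\jdoe", "FS01", "\\finance\\q3.xlsx"),
    # Same account reaching a legacy NAS that is not onboarded at all.
    (_t("2023-08-01T03:12:20"), "UNMANAGED-7", "CORP\\jdoe", "LEGACY-NAS", "\\share\\old.zip"),
    # Same account, ordinary use from its own onboarded workstation.
    (_t("2023-08-01T03:40:00"), "WKS-042", "CORP\\jdoe", "FS01", "\\finance\\notes.txt"),
]


def find_remote_encryption(events, window=timedelta(minutes=2), min_files=5, min_hosts=2):
    """Return the set of (account, source_host) pairs that, from a source NOT in
    ONBOARDED, wrote >= min_files distinct files on >= min_hosts onboarded targets
    within `window`. Thresholds are illustrative, not Microsoft's."""
    by_actor = defaultdict(list)
    for t, src, acct, dst, path in events:
        if src not in ONBOARDED and dst in ONBOARDED:
            by_actor[(acct, src)].append((t, dst, path))
    flagged = set()
    for actor, evs in by_actor.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - start <= window]
            files = {e[2] for e in in_win}
            hosts = {e[1] for e in in_win}
            if len(files) >= min_files and len(hosts) >= min_hosts:
                flagged.add(actor)
                break
    return flagged


def contain_user(account, events):
    """Model of user containment: every access the contained account makes TO an
    onboarded device is blocked, whatever its AD group or privilege level.
    Accesses to devices that are not onboarded cannot be enforced and are
    reported separately so the gap is visible."""
    blocked, unenforced = [], []
    for t, src, acct, dst, path in events:
        if acct != account:
            continue
        (blocked if dst in ONBOARDED else unenforced).append((src, dst, path))
    return {"blocked": blocked, "unenforced": unenforced}


if __name__ == "__main__":
    for acct, src in find_remote_encryption(SAMPLE_EVENTS):
        print(f"remote encryption suspected: {acct} from {src}")
        result = contain_user(acct, SAMPLE_EVENTS)
        print(f"  blocked {len(result['blocked'])} accesses on onboarded devices")
        print(f"  could not enforce {len(result['unenforced'])} accesses to unmanaged devices")
```

The detector deliberately ignores writes whose source is onboarded (the backup job) because on a managed device the local agent would already see the encryption behaviour; the point of the article's case is that the encryption originated from a device the agent could not see, so the signal has to come from the targets. The `unenforced` list is the practical caveat: containment protects what is onboarded, and unmanaged hosts remain reachable by the compromised account.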

Microsoft’s Analysis

Additionally, Microsoft reported that its enterprise endpoint security platform successfully thwarted lateral movement efforts against a medical research laboratory in August 2023. 

In this particular incident, the adversary attempted to reset the password for a default domain administrator account as part of their follow-up actions.

Microsoft highlighted how valuable highly privileged user accounts are to attackers. 

It noted that compromised domain admin-level accounts in environments using traditional security solutions grant attackers access to Active Directory and can undermine conventional security measures.

Identifying and containing such compromised user accounts, therefore, serves as a proactive measure to halt the progression of attacks, even in cases where attackers have gained initial access.

Ransomware: A Persistent Threat

The surge in ransomware attacks has correspondingly resulted in a 12% upswing in cyber insurance claims during the first half of the year in the United States. 

Businesses with annual revenues exceeding $100 million have witnessed the most substantial surge in claims.

Ransomware operators keep adapting their tooling and continue to target enterprises across a wide range of industry sectors. 

Ransomware-as-a-Service (RaaS) operators and their affiliates are a particularly concerning trend.

Continuous learning is paramount for staying ahead of these evolving threats and adopting a proactive stance against them.

By Anas Hasan, October 13, 2023

Anas Hassan is a tech geek and cybersecurity enthusiast. He has a vast experience in the field of digital transformation industry. When Anas isn’t blogging, he watches the football games.
