Demystifying Ransomware Attacks Against Microsoft Defender Solution


Hi IT Pros,

As you have known it, is in aggravated assault mode at this time of year 2020, the joint cybersecurity advisory comes from the Cybersecurity Infrastructure and Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) have just given a serious warning about Threat as shown in the following announcement:


Debut in August of 2018, the Ransomware Ryuk gained shocking attention in 2019, Ryuk gangs demanded multi-million-dollar ransoms from victims, among them are companies, hospitals, and local governments. The actors be able to pocket over $61 million just in the US alone, according to FBI's report.

Check Point, a security software vendor also noted that the gang was attacking on an average of 20 companies every week in the third quarter of 2020.

Sean Gallagher from Sophos Lab, gave us the story about a typical Ryuk and Conti Ransomeware attack.

  • The attack began on the afternoon of Tuesday. September 22,2020 when multiple employees of the targeted company had received highly targeted phishing emails.
  • The email was tagged with external sender warnings by the company's mail software. The link, served up through the mail delivery service Sendgrid, redirected to a malicious document hosted on

Multiple instances of the malicious attachment were detected and blocked. But there was one employee who clicked on the link in the email that afternoon, allowing the document to execute print_document.exe—a malicious executable identified as Buer Loader.

  • The Buer Loader malware dropped qoipozincyusury.exe, a Cobalt Strike “beacon,” along with other malware files.
  • Cobalt Strike's beacon makes a covert connection to the command and control of hackers.

By Wednesday morning the actors had obtained administrative credentials and had connected to a , where they performed a data dump of details.

Data dump to an Admin User directory was most likely accomplished using SharpHound, a Microsoft C#-based data “injestor” tool for BloodHound (an open-source analysis tool used to identify attack paths in AD environments).

  • Ransomware attack is now ready to remotely deploy to other servers using WMI, Powershell and Remote Desktop RDP
  • Next, the SystemBC malicious proxy was deployed on the . SystemBC is a SOCKS5 proxy used to conceal malware traffic that shares code and forensic markers with other malware from the Trickbot family. 
  • The malware installed itself (as itvs.exe), and created a scheduled job for the malware, using the old Windows task scheduler format in a file named itvs.job—in order to maintain persistence.


  • The organizational backup server was among the first target. The attackers used the icacls command to modify access control, giving them full control of all the system folders on the server. GMER is frequently used by ransomware actors to find and shut down hidden processes, and to shut down antivirus software protecting the server.

Ryuk ransomware was redeployed and re-launched three more times in short order after each failed attempt, no files were .


Lesson Learn

  •  The actor could repeat the attack multiple times with different variants of Ryuk, the attack period could be prolonged for days or weeks with multiple backdoors been used.
  • Response time is critical to prevent damage from further steps down the path of attacking sequence, from reconnaissance, credential compromise to later movement, domain dominance and exfiltration, data encryption, data deletion.
  • Team effort should be fully utilized during the attacking period.
  • If more resources are needed, Security Team could consult with online security support experts ASAP to form an united front against hackers .
  • We need to stop the attack at the Cobalt Strike Beacon level (step 2 in the above Chart) when compromised system starts connecting to outside command and control center of actor.
  • The attack also shows that Remote Desktop Protocol can be dangerous even when it is inside the firewall.
  • Proactive prevention with ASR rules for Office documents' macros could be an important factor to avoid the ransomware attack right at step 0, by giving no attack opportunity . We should consider it as the best option. (see MD for Endpoint Mitigation Plan)

How good is Microsoft Defender for Endpoint and Identity against ransomware attack? 

You may be worried and wonder how good the MD for Endpoint and MD for Identity could protect your systems from ransomware.

Well, let us bring MD to the test. The most trusted industry test could be AV-Test from the Independent IT-Security Institute, who has been known as the owner of the largest malware database in the world.

  • For Windows Systems Antivirus Products.  AV-Test conduct monthly tests against widespread and prevalent malware discovered in the last 4 weeks, for example, the test-set of August 2020 included 21,851 (virus) samples. AV-TEST creates identical and reproducible conditions for all the antivirus products from all big AV vendors who join the test program.
  • MD for Endpoint continue getting AV-TEST top score monthly as shown in the following image, it scores 100% compared to the Industry average at 97.6% protection level against 339 different samples of ” 0 day” malware type, the unknown yet and newly in the field malware type, tested for the month of May and June, 2020:


The test result table for all products based on protection, performance, usability scores is shown here, value of 6 is the highest score:


Now, let us conduct our own test using the MD for Endpoint – Evaluation Lab feature:

  • we will create at least 3 test devices run windows 10 and windows server 2019 as shown here:            


  • We run the ” known ransomware infection” simulation by Safe breach for testmachine1
  • You may also want to run different attack simulations provided by Safebreach and AttackIQ for different devices


with ” known ransomware infection” attack simulation , the following ransomware names are detected and alerted on test machine1:


Click on WannaCrypt ransomware to show the details about malicious file named Llac.exe and how long it stayed before being quarantined (3 minutes and 15 seconds):


Click on Petya ransomware to show detail of malicious file named bdata.bin, it was existed within only 5 seconds and been quarantined:


The ransomware attack overview and its entities are shown in the incident named “Multi-stage incident involving Initial access & Discovery including Ransomware on multiple Endpoints” tree graph,

  • The Wanacry Ransomware file, llac.exe was blocked at source on testmachine1 with a total of 6 failed attempts.
  • The Wanacry Ransomware file, llac.exe was blocked at source on testserver3.


  • The Petya ransomware file, bdata.bin had been laterally spread out to testserver2 before it was stopped.


Ransomware Action


MD for Endpoint and MD for Identity Alert
Malicious services were created on remote servers using the same admin credentials, using WMI Event to drop command payload. MD for Endpoint Alert: WMI suspicious Event


PowerShell is used to download more malicious payloads. MD for Endpoint Alert


Credential theft activity MD for Identity Alert about overpass the hash attack:



Impersonate action on privilege account and privilege group membership by PowerShell script. Alert by MD for Identity and displayed in Cloud App Security Portal:


Keyboard hijack activity Alert by Defender for Endpoint:


Fileless attacks with memory payload. These activities could be detected by AMSI, Microsoft's Scanning Interface, when it inspects the in-memory process. MD for Endpoint raised the alert, details as follow:


Mimikatz was used as a credential theft tool, It was detected and blocked from installation.

Mimikatz files were quarantined.

Alert by MD for Endpoint


Backdoor activity detected Alerted by MD for Endpoint:


Ransomware Payload and encryption activities are prevented beforehand. There is no domain dominant – alert event.

There is no encryption – alert event.

 Ryuk Ransomware Prevention and Protection strategy provided by MD for Endpoint – Threat Analytics.

Microsoft Defender for Endpoint Analytics proposed an analyst report and mitigation (plan) against the Ryuk ransomware. Each of the attack step in Ryuk's killing chain is mapped to the protection measures which include Antivirus-EDR (MD for Endpoint), Azure ATP (MD for Identity), Multi Factors Authentication MFA, Attack Surface Reduction rules for Office Macro, Windows Host Firewall, and Tamper Protection Security Policy.

The detail of Ryuk attack based on MITRE ATT&CK process is shown in the following image, each Ransomware action step of the attack sequence was mapped to one or multiple counter attack measure:


Mitigations provided by MD for Endpoint – Threat Analytics

  1. Apply these mitigations to reduce the impact of this threat:
  • Utilize the Microsoft Defender Firewall and your network firewall to prevent RPC and communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.
  • Turn on tamper protection features to prevent attackers from stopping security services.
  • Enforce strong, randomized local administrator passwords. Use tools like LAPS.
  • Monitor for clearing of event logs. Windows generates a security event ID 1102 when this occurs.
  • Ensure internet-facing assets have the latest security updates. Audit these assets regularly for suspicious activity.
  • Determine where highly privileged accounts are logging on and exposing credentials. Monitor and investigate logon events (event ID 4624) for logon type attributes. Highly privileged accounts should not be present on workstations.
  • Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use and machine learning to quickly identify and stop new and unknown threats.
  • Turn on attack surface reduction rules, including rules that block credential theft, ransomware activity, and suspicious use of PsExec and WMI.
  1. Check the recommendations card for the deployment status of monitored mitigations in “Threat & Vulnerability Management” under “Remediation”.


If Security Administrators enable EDR and all features of Defender, setup alert notification and completely finish all of the Defender Endpoint and Defender Identity's remediation plans against each ransomware and malware, then, I guess, our colleagues may have a much better sleep at night, knowing that their systems are safe and well protected from ransomware and other malware threats.

To get to the 100% level of protection your defender strategy should always include Windows 10 Defender Guard (Application Guard, Credential Guard, Exploit Guard with Attack Surface Reduction rules, System Guard, …) together with MD for Endpoint deployed on workstations and servers and MD for Identity applied to all domain controllers.

I hope the info is useful,

Have a valuable time with your Defender!




This article was originally published by Microsoft's ITOps Talk Blog. You can find the original article here.