Human-operated ransomware families, including Dharma, get hold of user credentials through targeted phishing campaigns and use the extracted credentials to reach Domain Admin access. Ultimately, the threat actors encrypt files stored in SharePoint or OneDrive and demand a ransom.
How to defend against Dharma ransomware
Microsoft has outlined recovery and preventative measures against human-operated ransomware techniques, predominantly the ones used by Dharma. To show how human-operated ransomware infects computers, Microsoft tools map each attack end to end, which makes it easier to depict how the attacker reaches its end state of dropping the malicious payload.
Defending against Dharma human-operated ransomware attacks requires guidelines that Microsoft has divided into two parts: protection against the ransomware attack, and how to recover files. As part of his demonstrations, Microsoft cybersecurity engineer John Barbare attempted to gain Domain-level access.
“The sensitive files in the company are normal and everything is secure until I get ready to deploy an attack to get the SharePoint Admin’s credentials (which I am hoping is just a long and complex password) to deploy the Ransomware payload and encrypt and/or delete the files,” Barbare explained.
He went on to explain that a long and complex password alone is insufficient to keep human-operated ransomware operators at bay. Microsoft also considers passwords inconvenient and a drain on productivity.
“An option exists to restore the files without paying a ransom through Microsoft’s restore option. This is not a new feature, but lots of clients are not aware of it or have just migrated to O365 in the cloud,” Barbare added.
However, this method works only when the recovery and preventive measures are in place before files are encrypted, and an attacker could still delete or encrypt files to the point where restoring them is nearly impossible.
Attackers deleting or encrypting files do not affect the backups; Microsoft says users have 14 days to restore those files with the help of Microsoft support.
The SharePoint information rights management (IRM) feature allows administrators to protect lists or libraries.
“When a user checks out a document, the downloaded file is protected so that only authorized people can view and use the file according to the information protection policies that you specify,” Barbare said.
Additionally, Dharma ransomware can be countered with multi-factor authentication (MFA) and by assigning the SharePoint Admin role only to specific users. Customers are advised to enable MFA for any SharePoint Admin who manages sensitive files.
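The two controls above, a small SharePoint Admin group and MFA on every member of it, are easy to state and easy to let drift. The following script is an added example, not code from the article or from Microsoft: it audits a role's membership against an MFA registration report and reports admins with no MFA, admins relying only on phone or email factors, group-based role assignments that hide the real member list, and a membership count above an assumed local limit. The sample data is constructed, and the field names (userPrincipalName, isMfaRegistered, methodsRegistered, @odata.type) and method names are assumptions modelled on Microsoft Graph responses rather than verified against the live API.

```python
"""Audit SharePoint Administrator role membership for MFA coverage.

Added example; not from the article or Microsoft. The two datasets below
are CONSTRUCTED to resemble Microsoft Graph responses; the field names
(userPrincipalName, isMfaRegistered, methodsRegistered, @odata.type) and
the method names are assumptions, not verified against the live API.
"""

# Constructed: members of the SharePoint Administrator directory role, as
# a "GET /directoryRoles/{id}/members" call might return them (assumed shape).
ROLE_MEMBERS = [
    {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "alice@example.com"},
    {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "Bob@example.com"},
    {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "carol@example.com"},
    {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "dave@example.com"},
    {"@odata.type": "#microsoft.graph.group", "displayName": "SPO-Admins-Group"},
]

# Constructed: rows from an authentication-methods registration report.
REGISTRATION = [
    {"userPrincipalName": "alice@example.com", "isMfaRegistered": True,
     "methodsRegistered": ["microsoftAuthenticatorPush", "softwareOneTimePasscode"]},
    {"userPrincipalName": "bob@example.com", "isMfaRegistered": False,
     "methodsRegistered": []},
    {"userPrincipalName": "carol@example.com", "isMfaRegistered": True,
     "methodsRegistered": ["mobilePhone"]},
    # dave has no row at all: never enrolled in any method.
]

# Phone- and email-based factors are weaker than app or FIDO2 factors
# (assumed method names); an admin with only these gets flagged.
PHONE_OR_EMAIL_METHODS = {"mobilePhone", "alternateMobilePhone", "officePhone", "email"}

# Assumed local policy: how many direct admin user assignments are acceptable.
MAX_ADMINS = 3


def index_registration(report):
    """Map lower-cased UPN -> registration row (UPNs compare case-insensitively)."""
    return {row["userPrincipalName"].lower(): row for row in report}


def audit_admins(members, report, max_admins=MAX_ADMINS):
    """Return a list of (subject, issue) findings for the role membership.

    Checks: every direct user member has MFA registered and at least one
    non-phone/email method; group assignments are surfaced so their members
    get expanded separately; the number of direct user assignments stays
    within max_admins.
    """
    reg = index_registration(report)
    findings = []
    user_count = 0
    for member in members:
        if member.get("@odata.type") == "#microsoft.graph.group":
            findings.append((member.get("displayName", "?"),
                             "role assigned to a group; expand and audit its members"))
            continue
        user_count += 1
        upn = member["userPrincipalName"].lower()
        row = reg.get(upn)
        if row is None:
            findings.append((upn, "no registration record: no MFA method enrolled"))
        elif not row.get("isMfaRegistered"):
            findings.append((upn, "MFA not registered"))
        elif set(row.get("methodsRegistered", [])) <= PHONE_OR_EMAIL_METHODS:
            findings.append((upn, "only phone/email MFA methods registered"))
    if user_count > max_admins:
        findings.append(("*", f"{user_count} direct admin users exceeds limit of {max_admins}"))
    return findings


if __name__ == "__main__":
    for subject, issue in audit_admins(ROLE_MEMBERS, REGISTRATION):
        print(f"{subject}: {issue}")
```

Run against the constructed data, the audit reports Bob (no MFA), Carol (phone-only), Dave (never enrolled), the group assignment, and the over-limit member count; Alice passes. In a real tenant the two lists would come from the directory-role and registration-report endpoints, and the audit would be scheduled so that a newly added admin without MFA is noticed before, not after, a credential-phishing campaign finds them.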