Martin McGregor

Risk of local administrator privileges in ransomware and malware attacks

Many of the most infamous and devastating data breaches of recent years have shared something in common—poorly secured local administrator privileges.  

Local administrator privileges grant users the highest level of control over a system, allowing them to install software, access all files, modify system configurations and manage user permissions. While this can be convenient for legitimate users, it also provides open access and unbounded opportunities for malicious actors. 

Granting all team members local administrator rights is a “gift” to a hacker: a wide, open door. 

When an attacker compromises a user account with administrator access, they can: 

  • Modify or disable security settings: Many forms of malware aim to embed themselves deep within a system. To avoid detection and removal, some malware disable or modify other security measures. This could include disabling antivirus and antimalware software. 

  • Create new admins: Accounts with administrator privileges can create any number of new privileged accounts. This could allow a malicious actor to maintain access to the system even if the original compromised account is discovered and removed. They can also potentially use this access to lock out legitimate users.  

  • Delete system logs: With the ability to delete system logs, malicious actors can remove evidence of their presence and activities, making it more difficult for security teams to identify the breach. 

  • Hijack systems and run exploit code: With local administrator privileges, hackers can execute exploit code or tools, allowing for the installation of malicious apps such as spyware or malware aimed at stealing data or money, or disrupting activities. 

  • Access sensitive data: Administrator rights are an open door to an organisation's data and systems, giving an attacker access to sensitive data that they could hold to ransom. 

  • Pass-the-Hash attacks and lateral movement: If an attacker gains administrator access to a system, they can read the password hashes stored on it and reuse them to authenticate as those users without ever knowing the passwords. This means that if one privileged account is compromised, the attacker can potentially access any other account whose credentials are present on the system.  

Removing local administrator privileges isn't just about limiting access; it's about disrupting the very foundation upon which cyber threats thrive. It's a critical step toward fortifying defences, mitigating risks, and safeguarding against the most destructive cyber adversaries. 

Impact of local administrator privileges for cyber adversaries

Local administrator privileges play a significant role in the impact and severity of various cyber attacks and malicious activities, including malware. 

This is because certain types of malware need local administrator privileges to carry out nefarious activities. 

"Privileged accounts pose a high risk for every organisation. 80% of data breaches stemmed from misuse of privileged account access."

Forrester Research

Without administrator access on the targeted or compromised account, certain types of attacks are significantly less successful or could even fail altogether. These include: 

  • Privilege escalation attacks: If threat actors gain access to an administrator account, they can use the elevated privileges to gain deeper access to the organisation’s operating environment, attack the network, and access sensitive information. 

  • Malware infections: While not all malware requires administrator rights to function, many types rely on them to maximise their impact. Malware often requires administrator privileges to bypass security settings, execute malicious code and spread through a network.  

  • Lateral movement: Lateral movement relies on local administrator privileges to exploit vulnerabilities, impersonate other accounts and access other resources and data. 

"93% of our ransomware incident response engagements revealed insufficient controls on privilege access and lateral movement."

Microsoft Digital Defense Report 2022

The impact of administrator access in ransomware

The impact of ransomware attacks is often more severe when the compromised user has administrator privileges.  

"Ransomware remains the most destructive cybercrime threat in 2022–23 to Australian entities. ASD recorded 118 ransomware incidents – around 10% of all cyber security incidents."

ASD Cyber Threat Report 2022-2023

Take, for example, the BadRabbit ransomware. If a user with local administrator privileges is compromised, it can spread across networks and cause widespread disruption and damage by: 

  • Encrypting files and altering system settings: BadRabbit encrypts both the user’s files and the hard drive, restricting access to the infected machine. This means that all data on the system, including potentially sensitive or critical information, could be rendered inaccessible. 

  • Network propagation: BadRabbit uses the Mimikatz tool to harvest credentials and attempts brute-force logins over the SMB protocol to propagate. If the compromised user has administrator access, this could allow the ransomware to spread to other systems on the same network. 

Since September 2022, human-operated ransomware attacks have surged by more than 200%. Data extortion is also on the rise, with Microsoft observing a twofold increase in potential instances of data exfiltration since November 2022. 

"13% of human-operated ransomware attacks that moved into the ransom phase had some form of data exfiltration."

Microsoft Digital Defense Report 2023

For organisations that employ stringent security protocols, ransomware attacks are usually thwarted during the pre-ransom phase. Approximately 2% of these attacks led to a successful ransomware deployment. One notable cyber attack was on Sony Pictures Entertainment, in which malicious actors exploited compromised privileged accounts to exfiltrate a significant amount of data, including crucial intellectual property. The incident led to sensitive emails being disclosed and severe reputational damage. Furthermore, the attackers installed malware on workstations that wiped hard drives and led to a substantial loss of corporate information.

Ransomware families that require administrator access to infect systems and cause widespread damage include: 

  • BitPaymer 

  • Cerber 

  • Dharma 

  • DoppelPaymer 

  • GandCrab 

  • LockBit 

  • Locky 

  • Maze 

  • MedusaLocker 

  • Netwalker 

  • Petya 

  • SamSam 

"From April 1, 2022, to March 31, 2023, LockBit made up 18% of total reported Australian ransomware incidents."

Understanding Ransomware Threat Actors: LockBit - ASD

Security risks of users having local administrator rights

Just one breached privileged account can cause significant damage to an organisation. 

Bad actors take advantage of heightened permissions to move through the network to get to the systems and data they seek for their malicious purposes. It's free rein. 

Taking on the challenge of removing administrator privileges

By restricting local administrator privileges, organisations can effectively ‘lock the doors’ to critical system resources, reducing the severity of certain cyber attacks and malicious activity. This approach forms a crucial part of a defence-in-depth strategy, complementing antivirus software, firewalls, and other security measures. 

While the removal of administrator privileges proves instrumental in fortifying defences, this control remains a hotly debated topic. It’s an area where emotions run high, opinions vary and experiences influence perspectives. 

Resistance is not uncommon, especially from developers who prioritise productivity and may have faced challenges in the past when their administrator rights were revoked.  

Organisations can remove local administrator privileges without disrupting workflows or hindering productivity. They just need to rise to the challenge, adhere to the standards and have the proper support systems and framework in place to facilitate accessibility while maintaining stringent security protocols. 

Having well-configured and monitored policies, managed by your in-house team, MSP, MSSP or a product, ensures that only the people who need local administrator privileges have them. Tools like Windows LAPS, Microsoft Endpoint Privilege Management and others can help you keep a handle on local administrator privileges and elevate privileges as needed for team members who need them for specific tasks.
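As an added example (not code from the original article), the following PowerShell audit puts the point above into practice and also covers the "create new admins" behaviour described earlier: it compares the local Administrators group against an approved baseline and reports recent additions recorded as Windows security event 4732. It assumes an elevated session on a Windows host with PowerShell 5.1 or later and an audit policy that records local group membership changes; the entries in the approved list are placeholders.

```powershell
# Added example: audit local Administrators membership against an approved
# baseline and surface recent additions (event 4732, "A member was added to a
# security-enabled local group"). Assumes an elevated PowerShell 5.1+ session
# and that account management auditing is enabled for the Security log.
# The approved list is a constructed placeholder; replace it with the accounts
# your policy actually permits (e.g. the LAPS-managed built-in account).

$Approved = @(
    "$env:COMPUTERNAME\Administrator",   # built-in account, LAPS-managed
    'CORP\Workstation Admins'            # hypothetical AD group
)

# 1. Current membership: anything not on the baseline is drift to investigate.
$Members    = Get-LocalGroupMember -Group 'Administrators'
$Unexpected = $Members | Where-Object { $Approved -notcontains $_.Name }

foreach ($m in $Members) {
    $status = if ($Approved -contains $m.Name) { 'approved' } else { 'UNEXPECTED' }
    '{0,-10} {1,-8} {2,-40} {3}' -f $status, $m.ObjectClass, $m.Name, $m.SID
}

# 2. Recent additions: event 4732 fires whenever a member is added to a local
#    group; keep only those targeting Administrators (well-known SID S-1-5-32-544).
$Since  = (Get-Date).AddDays(-7)
$Events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732; StartTime = $Since } `
                       -ErrorAction SilentlyContinue
foreach ($e in $Events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['TargetSid'] -eq 'S-1-5-32-544') {
        $actor = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
        '{0}  {1} added {2} to Administrators' -f $e.TimeCreated, $actor, $d['MemberSid']
    }
}

# Non-zero exit lets a scheduled task or RMM job raise an alert on drift.
if ($Unexpected) { exit 1 }
```

Run it from a scheduled task or your endpoint management tool and alert on the non-zero exit; the 4732 section shows who made each change, which is the evidence a responder needs when a membership change was not approved.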