The rise of human-operated ransomware

Ransomware has evolved from a nuisance crime of opportunity into a global cybercriminal industry causing significant financial and reputational damage and, in some cases, even posing an existential threat to organizations.

A new threat has emerged that is even more concerning: human-operated ransomware.

Human-operated ransomware is a type of attack carried out by skilled cybercriminals who use advanced techniques to gain access to an organization’s network and encrypt their data.
Unlike traditional ransomware attacks characterized by generic and automated tools and bots, human-operated ransomware attacks are executed in a bespoke method by real people leveraging human ingenuity to adapt their tactics to bypass traditional security measures.

Evidence is emerging that while human-operated ransomware is more expensive for cybercriminals to mount as an attack operation, it can also be much more profitable overall.
According to the Microsoft Digital Defense Report for 2022, while the number of ransomware attacks in some regions has decreased by upwards of 50 per cent, the actual ransom amounts demanded have more than doubled.

Human-operated ransomware attacks can be categorized into two phases: the pre-ransomware phase and the ransomware deployment phase.

During the pre-ransomware phase, attackers prepare to infiltrate the network by learning about the organization’s topology and security infrastructure. Attackers can use a variety of tactics and techniques to bypass traditional security measures and gain access to an organization’s network.

These can include:

1. Extensive initial reconnaissance of targets online and via social media channels.
2. Crafting of customized and highly authentic-looking spear-phishing emails and social engineering techniques to trick users into divulging their credentials.
3. Purchasing previously stolen credentials on the Dark Web from specialized cybercriminals known as Initial Access Brokers.
4. Exploiting specific vulnerabilities in software and hardware found during exploration of the victim’s infrastructure.
5. Using password spraying attacks to gain access to accounts with weak or reused passwords.

This phase takes the most time and effort on behalf of the cybercriminal and can range from a few days to several weeks or months, although it has been shortening over the past two years as attackers gain more experience.

Attackers might also invest time understanding the financial processes, available cash and insurance details of the victim to determine an optimum amount of ransom to demand and in so doing maximize their profits while increasing their odds of getting paid.

During the ransomware deployment phase, the trap is sprung. This phase likely lasts only minutes as attackers seek to maximize the advantage of surprise and encrypt as much data as possible before defenders are able to respond.

Combating and preventing human-operated ransomware attacks requires a shift in an organization’s mindset. The focus should be on comprehensive protection to slow and stop attackers before they can move from the initial stages to the ransomware deployment phase.

Weak identity controls contribute to the success of these attacks, as they allow human operators to steal credentials, access systems, and remain persistent in the network. To counter this, organizations should implement strong identity controls, such as multi-factor authentication and privileged access management.

In addition to weak identity controls, many organizations also have significant gaps in their security operations, tooling and IT asset lifecycle management. This can make it easier for attackers to gain access to sensitive systems and data. Organizations must take steps to identify and address these gaps, such as implementing security monitoring and incident response capabilities, regularly patching systems and applications, and properly managing access controls.

Finally, effective data protection is key to defending against human-operated ransomware attacks. Organizations must implement an effective data protection strategy that aligns with their business needs. This may include data backup and recovery solutions, encryption of sensitive data and implementing data loss prevention controls.

By taking these steps, organizations can increase their resilience to human-operated ransomware attacks and in doing so, help to disrupt the cybercriminal economy.

Kevin Magee is the chief security and compliance officer at Microsoft Canada.