
The Playbook for Human-Operated Ransomware

Ransomware attacks are on the rise, but organizations also have access to advanced tools and technologies they can use to fight back.

Ken Malcolmson, Chief Security Advisor, Microsoft

October 13, 2022


Ransomware is a hot topic. No industry is immune, and the ransomware gangs behind these attacks are making a lot of money with minimal risk of being caught. However, every industry has increasing access to the advanced tools and technologies needed to fight back.

In the past few years, ransomware attacks have evolved into crippling, networkwide operations that use multiple extortion methods to target both your data and your reputation, all directed by a human operator rather than by self-propagating malware. This has driven ransomware operators' profits to unprecedented levels, with some forecasts putting the total cost of ransomware attacks at $265 billion by 2031.

We have seen a major shift from commodity ransomware attacks to human-operated ransomware. These “hands-on-keyboard” attacks target an entire organization rather than a single device or individual, leveraging human attackers’ knowledge of common system and security misconfigurations to get in, navigate the enterprise network, and adapt to the environment and its weaknesses as they go.

Attackers typically work in three stages. First, they gain initial access, most often through identity attacks: phishing email, malicious browser content, or password spraying. Once inside, they move laterally across the network, harvesting additional credentials to escalate privileges until they hold an administrative account that gives them access to the data they want. With that access they exfiltrate the data, encrypt it, and deploy a ransomware payload to the systems of their choosing. The result is catastrophic for business operations and very difficult to clean up.
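Password spraying, one of the initial-access techniques named above, has a recognizable shape in sign-in logs: one source tries a few passwords against many accounts, staying under per-account lockout thresholds. The following detector is an added example written for this article, not code from Microsoft or from the original page. It assumes a simple constructed line format (`timestamp src=IP user=NAME result=SUCCESS|FAILURE`); the sample events, IP addresses, usernames and thresholds are all made up for illustration.

```python
"""Password-spray detection over sign-in events (added example, constructed input)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed log format for this example; real SIEM schemas differ.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAILURE)$"
)

# Constructed sample: a spray from 203.0.113.7 (six accounts, one or two
# attempts each, then one success), a classic single-account brute force
# from 198.51.100.5, and ordinary successful sign-ins from 192.0.2.10.
SAMPLE_LOG = """
2022-10-13T08:00:01Z src=203.0.113.7 user=alice result=FAILURE
2022-10-13T08:00:07Z src=203.0.113.7 user=bob result=FAILURE
2022-10-13T08:00:13Z src=203.0.113.7 user=carol result=FAILURE
2022-10-13T08:00:20Z src=203.0.113.7 user=dave result=FAILURE
2022-10-13T08:00:26Z src=203.0.113.7 user=erin result=FAILURE
2022-10-13T08:00:33Z src=203.0.113.7 user=frank result=FAILURE
2022-10-13T08:01:10Z src=198.51.100.5 user=admin result=FAILURE
2022-10-13T08:01:12Z src=198.51.100.5 user=admin result=FAILURE
2022-10-13T08:01:14Z src=198.51.100.5 user=admin result=FAILURE
2022-10-13T08:01:16Z src=198.51.100.5 user=admin result=FAILURE
2022-10-13T08:01:18Z src=198.51.100.5 user=admin result=FAILURE
2022-10-13T08:01:20Z src=198.51.100.5 user=admin result=FAILURE
2022-10-13T08:01:22Z src=198.51.100.5 user=admin result=FAILURE
2022-10-13T08:01:24Z src=198.51.100.5 user=admin result=FAILURE
2022-10-13T08:05:00Z src=192.0.2.10 user=alice result=SUCCESS
2022-10-13T08:06:00Z src=192.0.2.10 user=bob result=SUCCESS
2022-10-13T08:15:02Z src=203.0.113.7 user=alice result=FAILURE
2022-10-13T08:15:09Z src=203.0.113.7 user=bob result=FAILURE
2022-10-13T08:30:40Z src=203.0.113.7 user=frank result=SUCCESS
""".strip().splitlines()


def parse_events(lines):
    """Parse log lines into (timestamp, source_ip, user, result) tuples, sorted by time."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return sorted(events)


def detect_password_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=3):
    """Flag sources that fail against many distinct users with few attempts per user.

    A brute force (many failures, one user) is deliberately NOT matched here:
    the spray signature is breadth across accounts, not depth on one account.
    Any user who later signs in successfully from the same source is reported
    as likely compromised, because that is the account the operator will use
    for the lateral-movement stage.
    """
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        by_src[src].append((ts, user, result))

    alerts = []
    for src, evs in sorted(by_src.items()):
        failures = [(ts, user) for ts, user, result in evs if result == "FAILURE"]
        for i, (start, _) in enumerate(failures):
            in_window = [u for ts, u in failures[i:] if ts - start <= window]
            per_user = Counter(in_window)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                compromised = sorted(
                    {u for ts, u, r in evs if r == "SUCCESS" and ts >= start and u in per_user}
                )
                alerts.append({
                    "source_ip": src,
                    "window_start": start,
                    "distinct_users": len(per_user),
                    "failed_attempts": sum(per_user.values()),
                    "likely_compromised": compromised,
                })
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(parse_events(SAMPLE_LOG)):
        print(alert)
```

The thresholds (five users in thirty minutes, at most three attempts each) are a starting point for tuning against your own sign-in volume; a single shared egress IP behind a proxy will produce many distinct users legitimately, so exclude known corporate egress addresses before alerting.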

Ways to Prepare

Given how common these ransomware attacks are and how easy they are to carry out, what can you and your organization do to prepare for future attacks?

First, we strongly recommend implementing a zero-trust approach. Based on the three principles of verify explicitly, use least-privileged access, and assume a breach, a comprehensive zero-trust architecture creates several safeguards within and across identity, endpoints, apps, infrastructure, network, and data. We not only recommend this approach with our customers and partners, but we also embrace it in our own approach to global security and software development here at Microsoft.

Next, integrated threat protection combines extended detection and response (XDR) with security information and event management (SIEM) tooling to detect attacks while they are happening and stop them. Cloud-native SIEM systems reduce the infrastructure setup and maintenance burden and scale with the organization's security needs, without the storage and query limits of self-hosted deployments. Likewise, cross-domain threat protection, cloud security posture management (CSPM), and cloud workload protection (CWP) solutions can be deployed to increase efficiency and effectiveness while securing your digital estate.

Lastly, we recommend having a backup and incident response (IR) plan prepared in the event that your organization is compromised. It is crucial to back up all critical systems automatically on a regular basis and to ensure all backups are protected against deliberate erasure or encryption, for example by keeping immutable or offline copies whose deletion requires separate credentials that the administrative accounts attackers target do not hold. Your backup service should offer a centralized management interface to monitor, govern, and optimize data protection at scale, and it should protect backup data both in transit and at rest.

For incident response, organizations need to ensure rapid detection and remediation of common attacks on endpoint, email, and identity (the three entry points ransomware operators favor) by prioritizing those entry points and monitoring for adversaries tampering with or disabling security controls and backups, which typically happens shortly before the ransomware payload is deployed. It is important to exercise these backup and incident response plans regularly, including actually restoring systems from backup, so that recovery is tested before it is needed.
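Monitoring for adversaries disabling security, as recommended above, comes down to watching process-creation telemetry for the commands operators run to blind defenses and destroy recovery options before encryption. The rules below are an added example written for this article, not Microsoft's or the original page's code. They use a constructed log format (`ts=... host=... user=... cmdline="..."`) and made-up host and user names; the commands matched (vssadmin, wmic, wbadmin, bcdedit, Set-MpPreference, sc/net stop) are real Windows tools commonly abused this way, and the ATT&CK technique labels are included for reference.

```python
"""Detect security-tampering and recovery-destruction commands in process logs
(added example, constructed input)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format for this example; map your EDR or Sysmon schema onto it.
LOG_LINE = re.compile(
    r'^ts=(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmdline="(?P<cmd>.*)"$'
)

# (rule name, ATT&CK technique, command-line pattern)
RULES = [
    ("shadow_copy_deletion", "T1490 Inhibit System Recovery",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b"
                r"|\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("backup_catalog_deletion", "T1490 Inhibit System Recovery",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("recovery_disabled", "T1490 Inhibit System Recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I)),
    ("defender_realtime_disabled", "T1562.001 Disable or Modify Tools",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$true", re.I)),
    ("security_service_stopped", "T1562.001 Disable or Modify Tools",
     re.compile(r"\b(sc|net)(\.exe)?\s+stop\s+(WinDefend|Sense)\b", re.I)),
]

# Constructed sample: srv-file01 shows the pre-encryption pattern (three
# techniques in three minutes); ws03 shows an isolated hit; the rest is benign.
SAMPLE_PROCESS_LOG = r'''
ts=2022-10-13T09:58:00Z host=ws01 user=alice cmdline="cmd.exe /c dir"
ts=2022-10-13T10:02:11Z host=srv-file01 user=svc_backup cmdline="vssadmin.exe delete shadows /all /quiet"
ts=2022-10-13T10:03:05Z host=srv-file01 user=svc_backup cmdline="powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"
ts=2022-10-13T10:04:40Z host=srv-file01 user=svc_backup cmdline="bcdedit.exe /set {default} recoveryenabled no"
ts=2022-10-13T10:10:00Z host=ws02 user=bob cmdline="powershell.exe Get-MpPreference"
ts=2022-10-13T11:30:00Z host=ws03 user=carol cmdline="wbadmin.exe delete catalog -quiet"
'''.strip().splitlines()


def scan_process_events(lines):
    """Return one hit per log line whose command line matches a rule."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed format
        for rule, technique, pattern in RULES:
            if pattern.search(m["cmd"]):
                hits.append({
                    "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                    "host": m["host"],
                    "user": m["user"],
                    "rule": rule,
                    "technique": technique,
                    "cmdline": m["cmd"],
                })
                break  # first matching rule is enough for one event
    return hits


def escalate_hosts(hits, window=timedelta(minutes=15), min_distinct=2):
    """Hosts where two or more distinct techniques fire within the window.

    A single shadow-copy deletion can be an administrator reclaiming disk
    space; several different tampering techniques in quick succession on one
    host is the hands-on-keyboard pattern that precedes payload deployment
    and should page the IR team rather than queue a ticket.
    """
    by_host = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h)
    escalated = []
    for host, hs in by_host.items():
        hs.sort(key=lambda h: h["ts"])
        for i, first in enumerate(hs):
            rules = {h["rule"] for h in hs[i:] if h["ts"] - first["ts"] <= window}
            if len(rules) >= min_distinct:
                escalated.append(host)
                break
    return sorted(escalated)


if __name__ == "__main__":
    found = scan_process_events(SAMPLE_PROCESS_LOG)
    for h in found:
        print(h["ts"], h["host"], h["rule"], h["cmdline"])
    print("escalate:", escalate_hosts(found))
```

Command-line regexes are easy to evade with quoting or alternate tooling, so treat these as a floor, not a ceiling: pair them with tamper-protection settings that block the change outright, and alert on the security product's own "protection disabled" events in addition to the command that caused them.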

Mitigating human-operated ransomware attacks is a top priority for organizations worldwide. By implementing the strategies and tools outlined above, organizations can substantially reduce both the likelihood of a successful intrusion and the damage an attacker can do once inside.

