Defending networks against human-operated ransomware

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

Human-operated ransomware campaigns use credential theft and lateral movement methods traditionally associated with targeted attacks, like those from nation-state actors, to deploy ransomware payloads of their choice. Human-operated ransomware attacks represent a different level of threat because adversaries are adept at systems administration and security misconfigurations and can therefore adapt to any path of least resistance they find in a compromised network.


Many of these attacks gain access to target organizations by brute forcing or exploiting vulnerabilities on internet-facing network devices. However, these attackers are always on the prowl for any path to gaining initial access to target organizations. In the midst of the current global crisis, as organizations moved to a remote workforce, we saw ransomware operators actively scanning the internet for vulnerable network devices like gateway and virtual private network (VPN) appliances.


In April, multiple ransomware groups activated dozens of ransomware deployments. Using an attack pattern typical of human-operated ransomware campaigns, attackers had been accumulating access and maintaining persistence on target networks for several months, waiting to monetize their attacks by deploying ransomware when they would see the most financial gain.


The specific ransomware payload at the end of each attack is almost solely a stylistic choice made by the attackers. The ransomware payloads that have been used in human-operated attacks include REvil (also called Sodinokibi), Samas, Bitpaymer, Ryuk, Wadhrama, Doppelpaymer, RobbinHood, Vatet loader, NetWalker, PonyFinal, and Maze.


Because ransomware deployments occur at the tail end of protracted attacks, defenders should focus on hunting for signs of adversaries performing credential theft and lateral movement activities. In human-operated ransomware campaigns, even if the ransom is paid, some attackers remain active on affected networks with persistence. To fully recover from human-powered ransomware attacks, comprehensive incident response procedures and subsequent network hardening need to be performed.


Removing the ability of attackers to move laterally from one machine to another in a network would lessen the impact of human-operated ransomware attacks and make the network more resilient against all kinds of cyberattacks. The top recommendations for mitigating ransomware and other human-operated campaigns are to practice credential hygiene and stop unnecessary communication between endpoints.


Apply these measures to make your network more resilient against new breaches, reactivation of dormant implants, or lateral movement:


  • Randomize local administrator passwords using a tool such as LAPS.
  • Apply Account Lockout Policy.
  • Ensure good perimeter security by patching exposed systems. Apply mitigating factors, such as MFA or vendor-supplied mitigation guidance, for vulnerabilities.
  • Utilize host firewalls to limit lateral movement. Preventing endpoints from communicating on TCP port 445 for SMB will have limited negative impact on most networks, but can significantly disrupt adversary activities.
  • Turn on cloud-delivered protection for Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
  • Follow standard guidance in the security baselines for Office and Office 365 and the Windows security baselines. Use Microsoft Secure Score assessments to measure security posture and get recommended improvement actions, guidance, and control.
  • Turn on tamper protection features to prevent attackers from stopping security services.
  • Turn on attack surface reduction rules, including rules that can block ransomware activity:
    • Use advanced protection against ransomware
    • Block process creations originating from PsExec and WMI commands
    • Block credential stealing from the Windows local security authority subsystem (lsass.exe)
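
As an added example (not part of the original post), the following read-only PowerShell audit checks an endpoint for several of the measures listed above: cloud-delivered protection, tamper protection, the three named attack surface reduction rules, and inbound SMB exposure. The function names and pass criteria are this example's own assumptions, and treating any inbound allow rule for TCP 445 as a finding assumes the endpoint does not need to serve SMB.

```powershell
# Added example (read-only): audits a few of the mitigations listed above.
# Assumes Microsoft Defender Antivirus is the active AV and the session is elevated.
$asrRules = [ordered]@{   # Microsoft's documented GUIDs for the three rules named above
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations from PsExec and WMI'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from lsass.exe'
}
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function New-Finding($Check, $State, [bool]$Pass) {   # hypothetical helper
    [pscustomobject]@{ Check = $Check; State = $State; Pass = $Pass }
}

function Get-RansomwareHardeningReport {   # hypothetical name
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # Cloud-delivered protection: MAPSReporting 0 = off, 1 = basic, 2 = advanced
    New-Finding 'Cloud-delivered protection' "MAPSReporting=$($pref.MAPSReporting)" ($pref.MAPSReporting -gt 0)
    New-Finding 'Tamper protection' "IsTamperProtected=$($status.IsTamperProtected)" ([bool]$status.IsTamperProtected)

    # ASR rule IDs and actions are parallel arrays; a rule absent from the list is not configured
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($id in $asrRules.Keys) {
        $action = 0
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ($ids[$i] -eq $id) { $action = [int]$actions[$i] }   # -eq ignores GUID case
        }
        # Only Block counts as a pass here: Audit only logs, Warn lets the user bypass
        New-Finding "ASR: $($asrRules[$id])" ($actionNames[$action]) ($action -eq 1)
    }

    # Enabled inbound allow rules for TCP 445 leave SMB reachable from peer endpoints
    $smbAllow = @(Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | Where-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        $filter.Protocol -eq 'TCP' -and $filter.LocalPort -contains '445'
    })
    New-Finding 'Inbound SMB (TCP 445)' "$($smbAllow.Count) enabled allow rule(s)" ($smbAllow.Count -eq 0)
}

Get-RansomwareHardeningReport | Format-Table -AutoSize
```

Rows with `Pass` set to `False` show where the endpoint diverges from the list above; the script changes no settings.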


For additional guidance on improving defenses against human-operated ransomware and building better security posture against cyberattacks in general, read Human-operated ransomware attacks: A preventable disaster.


