Microsoft is warning of human-operated ransomware, this kind of attack against businesses is becoming popular in the cybercrime ecosystem.

Human-operated ransomware is a technique usually employed in nation-state attacks that is becoming very popular in the cybercrime ecosystem.

In human-operated ransomware attack scenario, attackers use stolen credentials, exploit misconfiguration and vulnerabilities to access target networks, attempt to escalate privileges and move laterally, and deliver malware and exfiltrate data.

“Human-operated ransomware campaigns pose a significant and growing threat to businesses and represent one of the most impactful trends in cyberattacks today. In these hands-on-keyboard attacks, which are different from auto-spreading ransomware like WannaCry or NotPetya, adversaries employ credential theft and lateral movement methods traditionally associated with targeted attacks like those from nation-state actors.” reads the post published by Microsoft. “They exhibit extensive knowledge of systems administration and common network security misconfigurations, perform thorough reconnaissance, and adapt to what they discover in a compromised network.”

Most infamous human-operated ransomware campaigns include SodinokibiSamas, Bitpaymer, and Ryuk.

Microsoft experts found similarities in the modus operandi of three threat actors specialized in human-operated ransomware attacks.

The first group, tracked as PARINACOTA, has been monitored by Microsoft for 18 months. The threat actor is hitting three to four organizations each week, it appears well resourced and demonstrated to be able to quickly change the configuration of the compromised network depending on the specific target.

“The group’s goals and payloads have shifted over time, influenced by the type of compromised infrastructure, but in recent months, they have mostly deployed the Wadhrama ransomware.” continues the report.

“The group most often employs a smash-and-grab method, whereby they attempt to infiltrate a machine in a network and proceed with subsequent ransom in less than an hour. There are outlier campaigns in which they attempt reconnaissance and lateral movement, typically when they land on a machine and network that allows them to quickly and easily move throughout the environment.”

Experts noticed that the group used different payloads for each attack, the most frequent one was the Wadhrama ransomware.

The threat actors targets servers that have Remote Desktop Protocol (RDP) exposed to the internet, then use brute force attacks for lateral movements

Attackers leverage stolen credentials, attempt to dump credentials and disable security solutions, then download tools to gather intelligence and make lateral movements.

The second human-operated ransomware family is Doppelpaymer that in recent months targeted enterprise environments through social engineering.

Once encrypted files with the ransomware, threat actors were also infected by banking Trojans like Dridex trojan, a circumstance that suggests this malware was used as the initial attack vector. However, In other cases, Doppelpaymer operators penetrated target networks using RDP brute force attempts.

“The use of numerous attack methods reflects how attackers freely operate without disruption – even when available endpoint detection and response (EDR) and endpoint protection platform (EPP) sensors already detect their activities. In many cases, some machines run without standard safeguards, like security updates and cloud-delivered antivirus protection.” continues Microsoft. “There is also the lack of credential hygiene, over-privileged accounts, predictable local administrator and RDP passwords, and unattended EDR alerts for suspicious activities.”

The third family is the Ryuk human-operated ransomware one that leverages banking Trojan like Trickbot to hit its targets.

The Ryuk operators use Cobalt Strike tool and PowerShell Empire for lateral movement.

Microsoft experts pointed out that attackers maintain access to the compromised networks even if the victims have paid the ransom.

“Removing the ability of attackers to move laterally from one machine to another in a network would make the impact of human-operated ransomware attacks less devastating and make the network more resilient against all kinds of cyberattacks. The top recommendations for mitigating ransomware and other human-operated campaigns are to practice credential hygiene and stop unnecessary communication between endpoints.”

Pierluigi Paganini