Human-operated ransomware campaigns use credential theft and lateral movement methods traditionally associated with targeted attacks, like those from nation-state actors, to deploy ransomware payloads of their choice. Human-operated ransomware attacks represent a different level of threat because adversaries are adept at systems administration and security misconfigurations and can therefore adapt to any path of least resistance they find in a compromised network.
Many of these attacks gain access to target organizations by brute forcing or exploiting vulnerabilities on internet-facing network devices. However, these attackers are always on the prowl for any path to gaining initial access to target organizations. In the midst of the current global crisis, as organizations moved to a remote workforce, we saw ransomware operators actively scanning the internet for vulnerable network devices like gateway and virtual private network (VPN) appliances.
In April, multiple ransomware groups activated dozens of ransomware deployments. Using an attack pattern typical of human-operated ransomware campaigns, attackers had been accumulating access and maintaining persistence on target networks for several months, waiting to monetize their attacks by deploying ransomware when they would see the most financial gain.
The specific ransomware payload at the end of each attack is almost solely a stylistic choice made by the attackers. The ransomware payloads that have been used in human-operated attacks include REvil (also called Sodinokibi), Samas, Bitpaymer, Ryuk, Wadhrama, Doppelpaymer, RobbinHood, Vatet loader, NetWalker, PonyFinal, and Maze.
Because ransomware deployments occur at the tail end of protracted attacks, defenders should focus on hunting for signs of adversaries performing credential theft and lateral movement activities. In human-operated ransomware campaigns, even if the ransom is paid, some attackers remain active on affected networks with persistence. To fully recover from human-operated ransomware attacks, comprehensive incident response procedures and subsequent network hardening need to be performed.
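One concrete way to hunt for the lateral movement described above is to look for a single account, from a single source host, authenticating to many distinct destination hosts in a short window over network or RDP logon types. The following is an added example written for this page, not code from the original post or from Microsoft; the event records are constructed, and the field layout, window size and threshold are assumptions a hunting team would tune to its own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Each tuple mirrors the
# fields a Windows 4624 "successful logon" record carries:
# (timestamp, account, source workstation, destination host, logon type).
SAMPLE_EVENTS = [
    ("2020-04-20T02:00:05", "CORP\\svc_backup", "WS-17", "FS-01", 3),
    ("2020-04-20T02:01:10", "CORP\\svc_backup", "WS-17", "FS-02", 3),
    ("2020-04-20T02:02:40", "CORP\\svc_backup", "WS-17", "DC-01", 3),
    ("2020-04-20T02:03:15", "CORP\\svc_backup", "WS-17", "SQL-01", 3),
    ("2020-04-20T02:04:50", "CORP\\svc_backup", "WS-17", "HR-APP", 10),
    ("2020-04-20T02:05:02", "CORP\\svc_backup", "WS-17", "FS-01", 3),   # repeat host, counted once
    ("2020-04-20T09:15:00", "CORP\\jdoe", "WS-03", "FS-01", 3),         # normal user: few hosts
    ("2020-04-20T09:16:00", "CORP\\jdoe", "WS-03", "PRINT-01", 3),
    ("2020-04-20T11:00:00", "CORP\\jdoe", "WS-03", "FS-02", 3),
    ("2020-04-20T03:00:00", "CORP\\admin", "WS-17", "DC-01", 2),        # interactive logon, ignored
]

# Logon type 3 = network (SMB, WMI, remote service creation, ...),
# type 10 = RemoteInteractive (RDP). These are the types lateral movement uses.
LATERAL_LOGON_TYPES = {3, 10}


def parse_event(raw):
    """Turn one raw tuple into a dict with a real datetime."""
    ts, account, src, dst, logon_type = raw
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "src": src, "dst": dst, "logon_type": logon_type}


def find_fan_out(events, window=timedelta(minutes=10), threshold=4):
    """Return one finding per (account, source host) that reached at least
    `threshold` distinct destination hosts within `window`.

    Each finding is (account, source host, window start, sorted host list).
    """
    by_key = defaultdict(list)
    for e in (parse_event(r) for r in events):
        if e["logon_type"] in LATERAL_LOGON_TYPES:
            by_key[(e["account"], e["src"])].append(e)

    findings = []
    for (account, src), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        # Sliding window: advance `start` until the span fits inside `window`,
        # then count distinct destinations in evs[start:end + 1].
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {e["dst"] for e in evs[start:end + 1]}
            if len(hosts) >= threshold:
                findings.append((account, src, evs[start]["ts"], sorted(hosts)))
                break  # one alert per account/source pair is enough for triage
    return findings


if __name__ == "__main__":
    for account, src, first_seen, hosts in find_fan_out(SAMPLE_EVENTS):
        print(f"[lateral-movement candidate] {account} from {src} "
              f"reached {len(hosts)} hosts starting {first_seen}: {', '.join(hosts)}")
```

On the constructed data the service account fanning out from WS-17 is flagged while the ordinary user is not. In practice the threshold and window are set against a baseline of the environment's own logon patterns, and service accounts that legitimately touch many hosts are allow-listed by source host rather than by account name, so a stolen credential used from an unexpected workstation still trips the rule.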
Removing the ability of attackers to move laterally from one machine to another in a network would lessen the impact of human-operated ransomware attacks and make the network more resilient against all kinds of cyberattacks. The top recommendations for mitigating ransomware and other human-operated campaigns are to practice credential hygiene and stop unnecessary communication between endpoints.
Apply these measures to make your network more resilient against new breaches, reactivation of dormant implants, or lateral movement:
For additional guidance on improving defenses against human-operated ransomware and building better security posture against cyberattacks in general, read Human-operated ransomware attacks: A preventable disaster.