The distinction between human-operated ransomware and automated attacks lies in the hands-on involvement of skilled cybercriminals and unlike automated attacks that rely on pre-set instructions, human operators can adjust their tactics on the fly, explains Armand Kruger at NEC XON.
Everyone has heard of ransomware attacks. Now human-operated ransomware, has emerged as a particularly insidious and sophisticated menace. Unlike automated ransomware attacks, which often rely on indiscriminate mass delivery methods such as phishing emails, human-operated ransomware is marked by a methodical and strategic approach.
Human-operated ransomware attacks rose more than 200% between September 2022 and October 2023, according to researchers from Microsoft, who warned that it could represent a shift in the cybercrime underground.
If the statistics do not convince you of the human-operated ransomware threat’s severity, just speak to Medibank, which had 9.7 million Medibank customers’ data stolen by a human who infiltrated its systems. To offer insights for businesses to protect themselves against this growing threat, let us explore the distinctions, dangers, and defence strategies associated with human-operated ransomware.
Human-operated ransomware attacks begin long before the ransomware is unleashed, with operators infiltrating a company’s network and establishing a foothold. This can involve harvesting compromised credentials through phishing campaigns or exploiting third-party data breaches. Attackers often target Internet-facing authentication systems, such as VPNs, which frequently lack multi-factor authentication.
The distinction between human-operated ransomware and automated attacks lies in the hands-on involvement of skilled cybercriminals. Unlike automated attacks that rely on pre-set instructions, human operators can adjust their tactics on the fly, responding to defensive measures taken by the target.
They possess a deep understanding of IT environments and exploit this knowledge to maximise their impact. They plan ahead, exercise patience, explore corporate IT estates to gain as much control as possible and adapt to detection efforts in real-time, making them significantly more disruptive and challenging to neutralise.
Attackers typically spend weeks or even months within a network, conducting reconnaissance and positioning themselves for the final, devastating ransomware deployment. This extended presence allows them to identify and exploit critical vulnerabilities, making it difficult for businesses to detect and eliminate the threat before significant damage is done.
To defend against human-operated ransomware, businesses must adopt a proactive stance, continually monitoring for signs of intrusion. This means placing themselves in the mindset of a threat actor and rigorously examining their own systems for vulnerabilities.
Early indicators of a human-operated ransomware attack can include:
- Unusual login patterns
- Unauthorised access attempts
- Unexplained changes in system configurations
One of the most effective early warning signs is the detection of compromised credentials. If credentials are found to be compromised, immediate action should be taken to change passwords and limit further access. Minimising the number of Internet-facing systems can also reduce the avenues available to attackers, making it harder for them to exploit compromised credentials.
Specialised partners can help customers defend against human-operated ransomware using anticipation, prevention, detection, and brutal response:
- Cyberthreat anticipation capability: Regular reconnaissance to identify potential threats.
- Preventative measures: Implementing strong access controls and minimising exposed systems.
- Detection systems: Deploying advanced monitoring tools to identify unusual activities early.
- Adversarial tactics understanding: Training a team capable of recognising and neutralising sophisticated threats.
Businesses must respond swiftly and decisively, even brutally to any indication of human-operated ransomware activity. This includes isolating and neutralising suspicious or compromised accounts, often by disabling and changing credentials multiple times to disrupt the attacker’s access. By removing the attacker’s tools and access, businesses can effectively remove the oxygen needed for the ransomware to spread.
Employee awareness and training play crucial roles in mitigating the risks of human-operated ransomware. Attackers often begin with unauthorised access, followed by situational awareness and lateral movement within the network. By educating employees on recognising phishing attempts and suspicious activities, businesses can reduce the risk of initial compromise.
Human-operated ransomware attackers exploit various vulnerabilities, such as weak passwords, lack of multi factor authentication, and unpatched systems. Businesses can address these by implementing robust security practices, including regular software updates, strong password policies, and comprehensive access controls.
For businesses that have already fallen victim to human-operated ransomware, but have not had the ransomware activated yet, the recovery process involves regaining control of compromised systems and conducting a thorough investigation to identify and close security gaps.
This often requires a scorched earth approach, where systems may be deliberately broken to eliminate the attacker’s foothold. It is essential to act quickly, communicate effectively with stakeholders, and employ rigorous crisis management strategies.
Human-operated ransomware represents a formidable challenge for businesses, requiring a proactive and multi-layered defence strategy. By understanding the sophisticated tactics of these attackers and implementing robust security measures, businesses can better protect themselves from the devastating impact of human-operated ransomware.
The key lies in continuous vigilance, employee training, and a swift, decisive response to any signs of intrusion.
NEC XON is a African integrator of ICT solutions and part of NEC, a Japanese global company. NEC XON has operated in Africa since 1963 and delivers communications, energy, safety, security, and digital solutions.
NEC XON has experience in helping businesses to thwart human-operated ransomware attacks through swift responses. For instance, one African government entity, upon detecting an impending attack, called for support and NEC XON managed to regain control by methodically identifying and eliminating the threat actor’s access points. This involved a comprehensive sweep of their systems over several days, isolating and addressing every potential vulnerability.