Getty Images

Microsoft Shares Preventable Human-Operated Ransomware Insights

One of the most significant cyberattack trends today, human-operated ransomware attacks are entirely preventable, Microsoft says; hackers prey on vulnerabilities to deploy payloads.

The Microsoft Threat Protection Intelligence Team released insights around human-operated ransomware attacks, a preventable threat where hackers target known vulnerabilities and weaknesses to deploy their payload.

One of the most growing and significant threat actors today, researchers explained that the hands-on-keyboard attacks differ from the more traditional auto-spreading ransomware events like WannaCry and NotPetya.

Instead, hackers will employ credential theft and lateral movement tactics, which in the past have been more commonly leveraged by nation-state actors.

In healthcare, ransomware attacks and those seeking lateral movement have been increasingly expanding over the last year. Since 2016, ransomware attacks have cost the sector at least $160 million in recovery costs. Those numbers are likely drastically low, given an increasing number of providers that do not report ransomware incidents.

Further, researchers from Barracuda and the University of California Berkeley and UC San Diego found lateral attacks are rapidly increasing through email compromise, with 50 percent of cyberattacks seeking lateral movement.

“[The attacks] exhibit extensive knowledge of systems administration and common network security misconfigurations, perform thorough reconnaissance, and adapt to what they discover in a compromised network,” Microsoft researchers wrote.

“These attacks are known to take advantage of network configuration weaknesses and vulnerable services to deploy devastating ransomware payloads,” they added. “While ransomware is the very visible action taken in these attacks, human operators also deliver other malicious payloads, steal credentials, and access and exfiltrate data from compromised networks.”

Microsoft noted that the attacks do not appear concerned with stealth and can operate without issues in networks. Hackers will compromise accounts with higher privileges, increase privileges, or use credential dumping to breach the enterprise and proliferate across the network.

Banking trojans and other unsophisticated threat actors are commonly leveraged in human-operated attacks, as they are typically marked unimportant despite multiple detection alerts.

Researchers provided users with insights into a range of these threats, including smash-and-grab campaigns, Doppelpaymer ransomware, and Ryuk ransomware. Ryuk has pummeled the healthcare sector, predominantly targeting larger organizations or distributed networks.

The ransomware was behind the attacks on DCH Health in Alabama and IT vendor, Virtual Care Provider, which disrupted care for at least 110 nursing facilities in November.

To combat what Microsoft calls a preventable threat, organizations need to improve their defenses beginning with comprehensive incident response procedures and network strengthening.

More importantly, IT leaders will play an important role in bolstering defenses.

“Some of the most successful human-operated ransomware campaigns have been against servers that have antivirus software and other security intentionally disabled, which admins may do to improve performance,” researches explained.

“Many of the observed attacks leverage malware and tools that are already detected by antivirus,” they added. “The same servers also often lack firewall protection and MFA, have weak domain credentials, and use non-randomized local admin passwords. Oftentimes these protections are not deployed because there is a fear that security controls will disrupt operations or impact performance.”

Organizations should lean on IT leaders to determine the impact of those settings, while working with the security team to mitigate the threat. Settings and configurations of admin management and controls, and Microsoft recommended shifting IT professionals as part of the security teams, in response.

As many human-operated attacks lie dormant through a lengthy and complex attack chain before deploying the ransomware payload, researchers also recommended prioritizing alerts around commodity malware and credential theft to prevent the launch of a more serious attack.

The most effective form of mitigation revolves around patching any infrastructure weaknesses. Most healthcare organizations don’t have a complete inventory of all devices or endpoints on the network, which leaves providers vulnerable to these types of attacks.

As a result, organizations should focus more on investigation just how the attack was able to breach the network, so IT and security leaders can strengthen those defenses.

“Human-operated ransomware groups routinely hit the same targets multiple times,” researchers wrote. “This is typically due to failure to eliminate persistence mechanisms, which allow the operators to go back and deploy succeeding rounds of payloads, as targeted organizations focus on working to resolve the ransomware infections.”

“[It] requires understanding the entire attack chain, but more importantly, identifying and fixing the weaknesses in the infrastructure to keep attackers out,” they added. “Removing the ability of attackers to move laterally from one machine to another in a network would make the impact of human-operated ransomware attacks less devastating and make the network more resilient against all kinds of cyberattacks.”

In the end, prevention boils down to credential hygiene and blocking unnecessary communication between endpoints, Microsoft concluded. These mitigation methods include hardening internet-facing assets, securing the remote desktop gateway, monitoring for brute-force cyberattacks, and turning on tamper protection features, among other important security features.

Next Steps

Dig Deeper on Cybersecurity strategies