NEC AFRICA

News Room

6/8/2024

Human-Operated Ransomware: Your Business’ Next Cyber Threat?

Armand Kruger, Head of Cyber Security, NEC XON

Everyone’s heard of ransomware attacks. Now human-operated ransomware (HOR) has emerged as a particularly insidious and sophisticated menace. Unlike automated ransomware attacks, which often rely on indiscriminate mass delivery methods such as phishing emails, HOR is marked by a methodical and strategic approach.
Human-operated ransomware attacks rose more than 200% between September 2022 and October 2023, according to researchers from Microsoft, who warned that it could represent a shift in the cybercrime underground. If the stats don’t convince you of the HOR threat’s severity, just speak to Medibank, which had 9.7 million customers’ data stolen by a human who infiltrated its systems. To help businesses protect themselves against this growing threat, we explore the distinctions, dangers, and defence strategies associated with human-operated ransomware.

What Sets Human-Operated Ransomware Apart?
Human-operated ransomware attacks begin long before the ransomware is unleashed, with operators infiltrating a company's network and establishing a foothold. This can involve harvesting compromised credentials through phishing campaigns or exploiting third-party data breaches. Attackers often target internet-facing authentication systems, such as VPNs, which frequently lack multi-factor authentication (MFA).

The distinction between HOR and automated attacks lies in the hands-on involvement of skilled cybercriminals. Unlike automated attacks that rely on pre-set instructions, human operators can adjust their tactics on the fly, responding to defensive measures taken by the target. They possess a deep understanding of IT environments and exploit this knowledge to maximise their impact. They plan ahead, exercise patience, explore corporate IT estates to gain as much control as possible and adapt to detection efforts in real-time, making them significantly more disruptive and challenging to neutralise.

Attackers typically spend weeks or even months within a network, conducting reconnaissance and positioning themselves for the final, devastating ransomware deployment. This extended presence allows them to identify and exploit critical vulnerabilities, making it difficult for businesses to detect and eliminate the threat before significant damage is done.

Identifying Early Signs of Human-Operated Ransomware
To defend against HOR, businesses must adopt a proactive stance, continually monitoring for signs of intrusion. This means placing themselves in the mindset of a threat actor and rigorously examining their own systems for vulnerabilities. Early indicators of an HOR attack can include:
  • Unusual login patterns
  • Unauthorised access attempts
  • Unexplained changes in system configurations 
One of the most effective early warning signs is the detection of compromised credentials. If credentials are found to be compromised, immediate action should be taken to change passwords and limit further access. Minimising the number of internet-facing systems can also reduce the avenues available to attackers, making it harder for them to exploit compromised credentials.

Building Robust Defences Against Human-Operated Ransomware
NEC XON helps customers defend against HOR using anticipation, prevention, detection, and brutal response:
  • Cyberthreat Anticipation Capability: Regular reconnaissance to identify potential threats.
  • Preventative Measures: Implementing strong access controls and minimising exposed systems.
  • Detection Systems: Deploying advanced monitoring tools to identify unusual activities early.
  • Adversarial Tactics Understanding: Training a team capable of recognising and neutralising sophisticated threats.

Businesses must respond swiftly and decisively (even brutally) to any indication of HOR activity. This includes isolating and neutralising suspicious or compromised accounts, often by disabling and changing credentials multiple times to disrupt the attacker’s access. By removing the attacker’s tools and access, businesses can effectively "remove the oxygen" needed for the ransomware to spread.

Case Studies of Successful Defence
NEC XON has deep experience in helping businesses to thwart HOR attacks through swift responses. For instance, one African government entity, upon detecting an impending attack, called us for help, and NEC XON managed to regain control by methodically identifying and eliminating the threat actor's access points. This involved a comprehensive sweep of their systems over several days, isolating and addressing every potential vulnerability.
Employee awareness and training play crucial roles in mitigating the risks of HOR. Attackers often begin with unauthorised access, followed by situational awareness and lateral movement within the network. By educating employees on recognising phishing attempts and suspicious activities, businesses can reduce the risk of initial compromise.

Common Vulnerabilities and How to Address Them
HOR attackers exploit various vulnerabilities, such as weak passwords, lack of MFA, and unpatched systems. Businesses can address these by implementing robust security practices, including regular software updates, strong password policies, and comprehensive access controls.

Recovery and Future Prevention
For businesses that have already fallen victim to HOR but haven’t had the ransomware activated yet, the recovery process involves regaining control of compromised systems and conducting a thorough investigation to identify and close security gaps. This often requires a scorched-earth approach, where systems may be deliberately broken to eliminate the attacker’s foothold. It is essential to act quickly, communicate effectively with stakeholders, and employ rigorous crisis management strategies.

Human-operated ransomware represents a formidable challenge for businesses, requiring a proactive and multi-layered defence strategy. By understanding the sophisticated tactics of these attackers and implementing robust security measures, businesses can better protect themselves from the devastating impact of HOR. The key lies in continuous vigilance, employee training, and a swift, decisive response to any signs of intrusion.
