Human-operated ransomware is a technique usually employed in nation-state attacks that is becoming very popular in the cybercrime ecosystem.
In a human-operated ransomware attack scenario, attackers use stolen credentials and exploit misconfigurations and vulnerabilities to access target networks, attempt to escalate privileges and move laterally, and deliver malware and
“Human-operated ransomware campaigns pose a significant and growing threat to businesses and represent one of the most impactful trends in
Microsoft experts found similarities in the modus operandi of three threat actors specialized in human-operated ransomware attacks.
The first group, tracked as PARINACOTA, has been monitored by Microsoft for 18 months. The threat actor hits three to four organizations each week; it appears well resourced and has demonstrated that it can quickly reconfigure the compromised network depending on the specific target.
“The group’s goals and payloads have shifted over time, influenced by the type of compromised infrastructure, but in recent months, they have mostly deployed the Wadhrama ransomware,” continues the report.
“The group most often employs a smash-and-grab method, whereby they attempt to infiltrate a machine in a network and proceed with subsequent ransom in less than an hour. There are outlier campaigns in which they attempt reconnaissance and lateral movement, typically when they land on a machine and network that allows them to quickly and easily move throughout the environment.”
Experts noticed that the group used different payloads for each attack; the most frequent one was the Wadhrama ransomware.
The threat actor targets servers that have Remote Desktop Protocol (RDP) exposed to the internet, then uses brute-force attacks for lateral movement.
Attackers leverage stolen credentials, attempt to dump credentials and disable security solutions, then download tools to gather intelligence and move laterally.
The second human-operated ransomware family is Doppelpaymer, which in recent months has targeted enterprise environments through social engineering.
Systems whose files were encrypted by the ransomware had also been infected by banking Trojans such as Dridex, a circumstance that suggests this malware was used as the initial attack vector. In other cases, Doppelpaymer operators penetrated target networks using RDP brute force.
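The RDP brute-force entry described for both PARINACOTA and Doppelpaymer leaves a recognisable trace in Windows Security logs. The script below, an added example that is not part of this article or of Microsoft's report, reads logon events (event ID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive/RDP), flags a source that exceeds a failure threshold inside a time window, and reports whether a successful RDP logon from the same source followed, which is the signal that a guessed password landed. The sample events, the field names and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def make_sample_events():
    """Constructed Windows Security logon records (not real data)."""
    base = datetime(2020, 3, 5, 2, 0, 0)
    events = []
    # 25 failed RDP logons in 25 seconds from one source, cycling guessed names
    for i in range(25):
        events.append({"time": base + timedelta(seconds=i), "id": 4625, "logon_type": 10,
                       "src": "198.51.100.7", "user": ["administrator", "admin", "backup"][i % 3]})
    # a guess lands: successful RDP logon 40 seconds later from the same source
    events.append({"time": base + timedelta(seconds=40), "id": 4624, "logon_type": 10,
                   "src": "198.51.100.7", "user": "backup"})
    # a user mistyping a password three times stays below the threshold
    for i in range(3):
        events.append({"time": base + timedelta(minutes=5, seconds=i), "id": 4625,
                       "logon_type": 10, "src": "203.0.113.9", "user": "jsmith"})
    return events


def detect_rdp_brute_force(events, threshold=20, window=timedelta(minutes=10)):
    """Return [(source_ip, total_failures, user_of_following_success_or_None)].

    A source is flagged when any `threshold` consecutive failed RDP logons fall
    inside `window`; a successful RDP logon from that source within the window
    after the first of those failures is reported as a likely compromised account.
    """
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] == 10:          # only RDP (RemoteInteractive) logons
            by_src[ev["src"]].append(ev)
    findings = []
    for src, evs in by_src.items():
        fails = [e["time"] for e in evs if e["id"] == 4625]
        flagged_at = None
        for i in range(len(fails) - threshold + 1):
            if fails[i + threshold - 1] - fails[i] <= window:
                flagged_at = fails[i]
                break
        if flagged_at is None:
            continue
        success = next((e["user"] for e in evs if e["id"] == 4624
                        and flagged_at <= e["time"] <= flagged_at + window), None)
        findings.append((src, len(fails), success))
    return findings


if __name__ == "__main__":
    for src, count, user in detect_rdp_brute_force(make_sample_events()):
        print(f"{src}: {count} failed RDP logons; successful logon as {user!r}")
```

A real deployment would feed exported 4625/4624 events (for example from a SIEM) into `detect_rdp_brute_force` instead of the constructed sample.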
“The use of numerous attack methods reflects how attackers freely operate without disruption – even when available endpoint detection and response (EDR) and endpoint protection platform (EPP) sensors already detect their activities. In many cases, some machines run without standard safeguards, like security updates and cloud-delivered antivirus protection,” continues Microsoft. “There is also the lack of credential hygiene, over-privileged accounts, predictable local administrator and RDP passwords, and unattended EDR alerts for suspicious activities.”
The Ryuk operators use the Cobalt Strike tool and PowerShell Empire for lateral movement.
Microsoft experts pointed out that attackers maintain access to the compromised networks even if the victims have paid the ransom.
“Removing the ability of attackers to move laterally from one machine to another in a network would make the impact of human-operated ransomware attacks less devastating and make the network more resilient against all kinds of
(SecurityAffairs – hacking, Human-operated ransomware)