Woman on Computer

Human Operated Ransomware (HoR): Everything You Need to Know

Published 16 February 2022

Ransomware began as a relatively opportunistic method for extorting money from individuals and organisations. But since earlier this year, we’ve seen a shift to ransomware being used by threat actors such as organised crime groups.

In their article, Ransomware gangs are using these ‘ruthless’ tactics as they aim for bigger payouts the technology news website ZDNet reports, “Human-operated attacks represent a more challenging threat than previous well-known ransomware attacks, such as NotPetya and WannaCry. In these attacks, wormlike functionality was used to spread the ransomware automatically and rapidly across the Internet and through organisations’ networks. In contrast, human-operated ransomware is controlled by skilled and adaptable criminals who are motivated by financial gain, and can spend months identifying and overcoming defences to maximise the impact of their attacks.”

HoR operators will leverage multiple initial access vectors , and once in, will blend their tactics, tools, techniques and procedures to suit the environment and use varying kill chains during an attack. In fact modern ransomware operators will use whatever means necessary to achieve their objectives.


It’s also believed that some APTs are using the ransomware business model to generate money to fund initiatives and subsequently impact the economy of nations they’re targeting, while the National Cyber Security Centre reports state-sponsored espionage to be increasingly behind many of the ransomware attacks, with Russia and China said to be high players.

In addition, actors have transitioned to using more innovative approaches, such as that of double extortion and whereby they receive a ransom for the decryption of data, and additional payment by threatening to disclose sensitive data to the public, with the victim facing risk of reputational damage and potential fines.

Actors are also utilising the supply chain to subvert defences put in place by more mature organisations. This has included the software supply chain in recent high-profile attacks and which can be particularly difficult to detect and overcome.

The technology news website, ZDNet, reports in their article, Supply chain attacks are getting worse, and you are not ready for them, a quote from the European Union Agency for Cybersecurity (ENISA) on analysing 24 software supply chain attacks, and warning that it’s “crucial to understand that an organization could be vulnerable to a supply chain attack even when its own defences are quite good and therefore the attackers are trying to explore new potential highways to infiltrate them by moving to their suppliers and making a target out of them.”

In recent years ransomware as a service (RaaS) has grown into a thriving multimillion-pound industry and one very much run and operated in a comparable manner to that of modern-day tech companies. In fact, the level of customer service and aftercare provided at times is quite astonishing. Even in the criminal underworld it’s understood that customer centric approaches are important to success…

The Impact

The impact of ransomware is now having such an effect that politicians and policy makers have started to take note, with many believing that legislation offers the best way to address this growing problem. US President Joe Biden recently warned Russia to act against ransomware groups, or otherwise face repercussions from the USA.

Reuters, in their article Biden presses Putin to act on ransomware attacks, hints at retaliation, quotes President Biden as saying, “I made it very clear to him that the United States expects, when a ransomware operation is coming from his soil even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is.”

Director of GCHQ, Jeremy Fleming, says in introduction to the NCSC’s 2021 Annual Review, “This year we have seen countless examples of cyber security threats: from state sponsored activity to criminal ransomware attacks. It all serves to remind us that what happens online doesn’t stay online – there are real consequences of virtual activity.”

Some Facts and Figures

The impact of ransomware in 2021 has been clear to see.

Mandiant M-trends show the impact on global dwell time, where the overall median dwell time for investigations stood at 24 days, significantly down from 2019, and with the global dwell time for ransomware intrusions in 2020 reported as just five days. However, this drop in dwell time was being influenced by an increase in the number of ransomware intrusions seen globally, which was up 11% from the 2019 figures. In fact, there is still controversy over the figures, as not all ransomware attacks are linked back to the potential initial intrusion – often due to insufficient audit policies being in place, and/or inadequate log retention or detective capabilities.

In the 2021 Verizon the Data Breach Investigations Report (DBIR) a new pattern was uncovered within the System Intrusion section. This pattern indicated that a series of more complex attacks was taking place, of which the majority involved malware (70%).

This is believed to be related to the emergence of ransomware as a service and the lucrative nature of the ransomware as a service industry. The primary motivation behind these attacks was financial (93%) with ransomware now accounting for 5% of all global incidents, and appearing within 9% of all breaches – and linked in particular to the rise of the double extortion movement.

Earlier in 2021 there were reports that overall attacks had decreased in number as the criminals were becoming more targeted in their approach, as mentioned in Infosecurity Magazine’s article, Ransomware Attacks Decline as Gangs Focus on Lucrative Targets – and reporting Raj Samani, McAfee fellow and chief scientist as saying “Criminals will always evolve their techniques to combine whatever tools enable them to best maximize their monetary gains with the minimum of complication and risk. We first saw them use ransomware to extract small payments from millions of individual victims. Today, we see RaaS supporting many players in these illicit schemes holding organizations hostage and extorting massive sums for the criminals.”

Coveware, a specialised ransomware services provider, produced statistics on the median size of organisations targeted within Q2 of 2021. This research showed that the size of the companies being targeted had grown significantly since 2018. However, there had been a slight drop in size from Q4 2020.

Nevertheless, Coveware also indicated that ransomware remains a big problem for small and medium sized businesses as well.

Anatomy of an Attack

A HoR intrusion is made up of multiple stages and has a high level of complexity when compared to earlier commodity ransomware incidents.

Initial Access –HoR ransomware differs from previous ransomware methods of access, in that it can originate through a variety of vectors – from social engineering, compromised credentials, web facing exploitable vulnerabilities, for example, and also at times purchased through what have become known as an ‘initial access broker’ – someone who’s done the hard work for you.

InfoSecurity Magazine was reporting on The Rise of Initial Access Brokers back in the summer, advising, “An emerging trend in the underground economy is initial access brokerage, a flourishing market where opportunistic threat actors gain initial access to organizations (for example, via compromised VPN or RDP accounts) and sell or offer it as a service to other cyber-criminals in underground forums. Outsourcing the initial access to an external entity lets attackers focus on the execution phase of an attack without having to worry about how to find entry points into the victim’s network.”

  • Command and Control – once HoR actors have gained access, they execute their malware via techniques such as through scripting languages or manual execution.
  • Credential Theft – the ransomware operators move on to harvesting any credentials available.
  • Privilege Escalation, Persistence – here the HoR operators elevate their privileges using well known common vulnerabilities and exposures or through the newly discovered credentials, and install persistence mechanisms.
  • Collection and Exfiltration – the ransomware actors start to collect and stage data before exfiltrating the data.
  • Impact – the attack impairs defences and inflicts its damage. By this stage the victim organisation is often in crisis mode.
  • Inhibiting System Recovery – the next step in a HoR attack is usually to inhibit system recovery. This can include turning off or disabling services linked to system restore or backup.
  • Data Encryption For Impact &ndash the ransomware operators start to encrypt files and data.

For the victim organisation, it’s effectively breaking point and if the actors have been able to disrupt or remove the ability to recover, it often means the business cannot effectively operate, and forcing tough decisions to be made.

In their article, Responding to the growing threat of human-operated ransomware attacksPwC says, “Human-operated ransomware is not a malicious software problem—it’s a human criminal problem. The solutions used to address commodity problems aren’t enough to prevent a threat that more closely resembles a nation-state threat actor. It disables or uninstalls your antivirus software before encrypting files. They locate and corrupt or delete backups before sending a ransom demand.”  

This is what makes HoR particularly dangerous. Organisations are now dealing with nation states and organised criminal gangs that have a high degree of skill in writing malware, performing intrusions, and extorting money from businesses.

But the Good News

HoR poses a potentially huge threat to organisations of any size. But it’s not all doom and gloom, because how these actors operate is well understood and, in many cases, they make mistakes, in fact lots of mistakes.

The key is to implement the necessary prevention, detection, and response capabilities to either prevent the intrusion from occurring or to be able to capitalise on their mistakes, and in doing so evict them before they can cause any damage.


Whitepaper: Human Operated Ransomware

In his paper Human Operated Ransomware (HOR), Bridewell Cyber Defence Technical Lead, Gavin Knapp looks in detail at the ransomware threat as we head into 2022, covering:

  • The types of ransomware attack currently prevalent
  • The major ransomware players
  • An in-depth look at human operated ransomware and its complexity
  • How to protect against an attack
  • How to detect, respond to, and recover from an attack

Download Now


Gavin Knapp

Cyber Defence Technical Lead