and in a manner that aligns with the business.
And, usually, ransomware has relied on humans to make mistakes and allow malware to install persistence mechanisms and use automated techniques to attempt to steal credentials, or to spread via well-known, often unpatched vulnerabilities or vulnerable services.
There have been some disaster stories – such as those resulting from the WannaCry and NotPetya attacks.
But in general, these were not full hands-on keyboard attacks and organisations with reasonable levels of security hygiene could recover quickly. These attacks and commodity malware strains definitely posed a threat to the unprepared, but they were not life ending for a business.
Human operated ransomware (HoR) is different, however, and should be at the forefront of mind for anyone working in cyber defence. It is not a topic to take lightly. Attacks are complex and usually involve multiple methods of entry originating from skilled human actors, physically interacting with the keyboard, who are motivated to do whatever is necessary to achieve their goals.
In their article, Ransomware gangs are using these ‘ruthless’ tactics as they aim for bigger payouts, the technology news website ZDNet reports, “Human-operated attacks represent a more challenging threat than previous well-known ransomware attacks, such as NotPetya and WannaCry. In these attacks, wormlike functionality was used to spread the ransomware automatically and rapidly across the Internet and through organisations’ networks. In contrast, human-operated ransomware is controlled by skilled and adaptable criminals who are motivated by financial gain, and can spend months identifying and overcoming defences to maximise the impact of their attacks.”
HoR operators will leverage multiple initial access vectors and, once in, will blend their tactics, tools, techniques and procedures to suit the environment, using varying kill chains during an attack. In fact, modern ransomware operators will use whatever means necessary to achieve their objectives.
Anatomy of an Attack
A HoR intrusion is made up of multiple stages and has a high level of complexity when compared to earlier commodity ransomware incidents.
- Initial Access – HoR differs from earlier ransomware in its methods of access, in that it can originate through a variety of vectors – social engineering, compromised credentials or exploitable web-facing vulnerabilities, for example – and at times through access purchased from what has become known as an ‘initial access broker’ – someone who’s done the hard work for you.
InfoSecurity Magazine was reporting on The Rise of Initial Access Brokers back in the summer, advising, “An emerging trend in the underground economy is initial access brokerage, a flourishing market where opportunistic threat actors gain initial access to organizations (for example, via compromised VPN or RDP accounts) and sell or offer it as a service to other cyber-criminals in underground forums. Outsourcing the initial access to an external entity lets attackers focus on the execution phase of an attack without having to worry about how to find entry points into the victim’s network.”
- Command and Control – once HoR actors have gained access, they execute their malware using techniques such as scripting languages or manual execution.
- Credential Theft – the ransomware operators move on to harvesting any credentials available.
- Privilege Escalation, Persistence – here the HoR operators elevate their privileges using well-known common vulnerabilities and exposures, or the newly discovered credentials, and install persistence mechanisms.
- Collection and Exfiltration – the ransomware actors start to collect and stage data before exfiltrating the data.
- Impact – the attack impairs defences and inflicts its damage. By this stage the victim organisation is often in crisis mode.
- Inhibiting System Recovery – the next step in a HoR attack is usually to inhibit system recovery. This can include turning off or disabling services linked to system restore or backup.
- Data Encryption For Impact – the ransomware operators start to encrypt files and data.
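As an added, illustrative example that is not from the original article or from Bridewell, the Python below scans constructed Windows process-creation events for the well-known command-line patterns behind the Inhibiting System Recovery stage above (MITRE ATT&CK technique T1490): shadow copy deletion, backup catalog deletion, boot recovery being disabled and backup-related services being stopped. It then raises the severity when several distinct patterns fire on one host inside a short window, since a single shadow copy deletion can be routine administration but a burst of them rarely is. The pipe-separated log format, hostnames, user names and the "Backup Agent Service" name are assumptions, and the indicator list is illustrative rather than exhaustive.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample process-creation events (not real telemetry). Assumed field order:
# timestamp|host|user|parent_image|image|command_line
SAMPLE_EVENTS = r"""
2021-11-03T02:14:07Z|FS01|CORP\svc_backup|C:\Windows\System32\services.exe|C:\Program Files\Backup\agent.exe|"C:\Program Files\Backup\agent.exe" --schedule nightly
2021-11-03T02:41:55Z|FS01|CORP\jdoe|C:\Windows\System32\cmd.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2021-11-03T02:42:01Z|FS01|CORP\jdoe|C:\Windows\System32\cmd.exe|C:\Windows\System32\wbadmin.exe|wbadmin delete catalog -quiet
2021-11-03T02:42:09Z|FS01|CORP\jdoe|C:\Windows\System32\cmd.exe|C:\Windows\System32\bcdedit.exe|bcdedit /set {default} recoveryenabled no
2021-11-03T02:42:15Z|FS01|CORP\jdoe|C:\Windows\System32\cmd.exe|C:\Windows\System32\net.exe|net stop "Backup Agent Service" /y
2021-11-03T08:05:30Z|WS17|CORP\asmith|C:\Windows\explorer.exe|C:\Windows\System32\vssadmin.exe|vssadmin list shadows
"""

# Illustrative indicators of system-recovery inhibition (T1490); matched against a lowercased command line.
RECOVERY_INHIBITION_RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b")),
    ("shadow_storage_resize", re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b")),
    ("wmi_shadow_copy_deletion", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("backup_catalog_deletion", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b")),
    ("boot_recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b")),
    # Heuristic: service control commands aimed at anything named like a backup/VSS service.
    ("backup_service_stopped", re.compile(r"\b(net1?|sc)(\.exe)?\s+(stop|config|delete)\b.*\b(backup|vss|shadow)")),
]


@dataclass(frozen=True)
class ProcessEvent:
    timestamp: datetime
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Alert:
    rule: str
    event: ProcessEvent


def parse_events(text: str) -> list[ProcessEvent]:
    """Parse the assumed pipe-separated format; the command line may itself contain pipes, so split at most 5 times."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|", 5)
        if len(parts) != 6:
            raise ValueError(f"malformed event line: {line!r}")
        ts, host, user, parent, image, cmd = parts
        events.append(ProcessEvent(datetime.fromisoformat(ts.replace("Z", "+00:00")), host, user, parent, image, cmd))
    return events


def detect_recovery_inhibition(events: list[ProcessEvent]) -> list[Alert]:
    """Return one Alert per (event, rule) pair whose command line matches a recovery-inhibition indicator."""
    alerts = []
    for ev in events:
        cmd = ev.command_line.lower()
        for name, pattern in RECOVERY_INHIBITION_RULES:
            if pattern.search(cmd):
                alerts.append(Alert(name, ev))
    return alerts


def correlate_by_host(alerts: list[Alert], window_seconds: int = 600) -> dict[str, dict]:
    """Summarise alerts per host. Two or more distinct rules on one host, with every alert falling
    within window_seconds of the first, is rated 'high'; anything else stays 'medium' for triage."""
    by_host: dict[str, list[Alert]] = defaultdict(list)
    for alert in alerts:
        by_host[alert.event.host].append(alert)
    summary = {}
    for host, host_alerts in by_host.items():
        host_alerts.sort(key=lambda a: a.event.timestamp)
        span = (host_alerts[-1].event.timestamp - host_alerts[0].event.timestamp).total_seconds()
        distinct_rules = sorted({a.rule for a in host_alerts})
        severity = "high" if len(distinct_rules) >= 2 and span <= window_seconds else "medium"
        summary[host] = {"severity": severity, "rules": distinct_rules, "count": len(host_alerts)}
    return summary


if __name__ == "__main__":
    found = detect_recovery_inhibition(parse_events(SAMPLE_EVENTS))
    for alert in found:
        print(f"{alert.event.timestamp:%H:%M:%S} {alert.event.host} {alert.rule}: {alert.event.command_line}")
    print(correlate_by_host(found))
```

In the constructed sample only the FS01 events match, and they fire four different rules inside twenty seconds, so FS01 is rated high; the `vssadmin list shadows` on WS17 and the scheduled backup agent run do not match anything. In production the same logic would sit over EDR or Sysmon process-creation telemetry, and a high-severity hit at this stage is the moment to isolate the host and verify that offline or immutable backups are still intact.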
For the victim organisation, it’s effectively breaking point: if the actors have been able to disrupt or remove the ability to recover, the business often cannot operate effectively, forcing tough decisions to be made.
In their article, Responding to the growing threat of human-operated ransomware attacks, PwC says, “Human-operated ransomware is not a malicious software problem—it’s a human criminal problem. The solutions used to address commodity problems aren’t enough to prevent a threat that more closely resembles a nation-state threat actor. It disables or uninstalls your antivirus software before encrypting files. They locate and corrupt or delete backups before sending a ransom demand.”
This is what makes HoR particularly dangerous. Organisations are now dealing with nation states and organised criminal gangs that have a high degree of skill in writing malware, performing intrusions, and extorting money from businesses.
But the Good News
HoR poses a potentially huge threat to organisations of any size. But it’s not all doom and gloom, because how these actors operate is well understood and, in many cases, they make mistakes – in fact, lots of mistakes.
The key is to implement the necessary prevention, detection, and response capabilities to either prevent the intrusion from occurring or to be able to capitalise on their mistakes, and in doing so evict them before they can cause any damage.
Whitepaper: Human Operated Ransomware
In his paper Human Operated Ransomware (HOR), Bridewell Cyber Defence Technical Lead, Gavin Knapp looks in detail at the ransomware threat as we head into 2022, covering:
- The types of ransomware attack currently prevalent
- The major ransomware players
- An in-depth look at human operated ransomware and its complexity
- How to protect against an attack
- How to detect, respond to, and recover from an attack