Everyone’s heard of ransomware attacks. Now human-operated ransomware (HOR) has emerged as a particularly insidious and sophisticated menace.
By Armand Kruger, head of cybersecurity at NEC XON
Unlike automated ransomware attacks, which often rely on indiscriminate mass delivery methods such as phishing emails, HOR is marked by a methodical and strategic approach.
HOR attacks rose more than 200% between September 2022 and October 2023, according to researchers from Microsoft, who warned that it could represent a shift in the cybercrime underground.
If the stats don’t convince you of the HOR threat’s severity, just speak to Medibank, which had 9,7-million Medibank customers’ data stolen by a human who infiltrated its systems.
To offer insights for businesses to protect themselves against this growing threat, we explore the distinctions, dangers, and defence strategies associated with human-operated ransomware.
What Sets HOR Apart?
HOR attacks begin long before the ransomware is unleashed, with operators infiltrating a company’s network and establishing a foothold. This can involve harvesting compromised credentials through phishing campaigns or exploiting third-party data breaches.
Attackers often target internet-facing authentication systems, such as VPNs, which frequently lack multi-factor authentication (MFA).
The distinction between HOR and automated attacks lies in the hands-on involvement of skilled cybercriminals.
Unlike automated attacks that rely on pre-set instructions, human operators can adjust their tactics on the fly, responding to defensive measures taken by the target. They possess a deep understanding of IT environments and exploit this knowledge to maximise their impact. They plan ahead, exercise patience, explore corporate IT estates to gain as much control as possible and adapt to detection efforts in real-time, making them significantly more disruptive and challenging to neutralise.
Attackers typically spend weeks or even months within a network, conducting reconnaissance and positioning themselves for the final, devastating ransomware deployment. This extended presence allows them to identify and exploit critical vulnerabilities, making it difficult for businesses to detect and eliminate the threat before significant damage is done.
Identifying Early Signs of HOR
To defend against HOR, businesses must adopt a proactive stance, continually monitoring for signs of intrusion. This means placing themselves in the mindset of a threat actor and rigorously examining their own systems for vulnerabilities.
Early indicators of a HOR attack can include:
* Unusual login patterns;
* Unauthorised access attempts; and
* Unexplained changes in system configurations.
One of the most effective early warning signs is the detection of compromised credentials. If credentials are found to be compromised, immediate action should be taken to change passwords and limit further access.
Minimising the number of internet-facing systems can also reduce the avenues available to attackers, making it harder for them to exploit compromised credentials.
Robust Defences Against HOR
NEC XON helps customers defend against HOR using anticipation, prevention, detection, and brutal response:
* Cyberthreat Anticipation Capability: Regular reconnaissance to identify potential threats.
* Preventative Measures: Implementing strong access controls and minimising exposed systems.
* Detection Systems: Deploying advanced monitoring tools to identify unusual activities early.
* Adversarial Tactics Understanding: Training a team capable of recognizing and neutralising sophisticated threats.
Businesses must respond swiftly and decisively (even brutally) to any indication of HOR activity. This includes isolating and neutralising suspicious or compromised accounts, often by disabling and changing credentials multiple times to disrupt the attacker’s access.
By removing the attacker’s tools and access, businesses can effectively “remove the oxygen” needed for the ransomware to spread.
Common Vulnerabilities and How to Address Them
HOR attackers exploit various vulnerabilities, such as weak passwords, lack of MFA, and unpatched systems. Businesses can address these by implementing robust security practices, including regular software updates, strong password policies, and comprehensive access controls.
Recovery and Future Prevention
For businesses that have already fallen victim to HOR, but haven’t had the ransomware activated yet, the recovery process involves regaining control of compromised systems and conducting a thorough investigation to identify and close security gaps.
This often requires a scorched earth approach, where systems may be deliberately broken to eliminate the attacker’s foothold. It is essential to act quickly, communicate effectively with stakeholders, and employ rigorous crisis management strategies.
Human-operated ransomware represents a formidable challenge for businesses, requiring a proactive and multi-layered defence strategy. By understanding the sophisticated tactics of these attackers and implementing robust security measures, businesses can better protect themselves from the devastating impact of HOR. The key lies in continuous vigilance, employee training, and a swift, decisive response to any signs of intrusion.