Human-operated ransomware – Your business’ next cyber threat
By Armand Kruger, Head of Cyber Security, NEC XON
Ransomware attacks are a well-known threat, but human-operated ransomware (HOR) has emerged as an especially insidious danger.
Unlike automated ransomware, HOR is driven by a human operator who takes a methodical and strategic approach.
This form of ransomware is also on the rise: Microsoft researchers noted a 200% increase in HOR attacks between September 2022 and October 2023.
The severity of HOR is exemplified by the attack on Medibank, where 9.7 million customers’ data was stolen.
To help businesses protect themselves, we explore HOR’s distinctions, dangers, and defence strategies.
What sets human-operated ransomware apart?
HOR attacks start long before the ransomware is deployed.
Operators must first infiltrate a network and establish a foothold, whether by using compromised credentials harvested through phishing campaigns, exploiting vulnerable internet-facing systems, or sending malicious emails.
These operators target and attempt to exploit internet-facing authentication systems that lack multi-factor authentication (MFA).
The key difference between HOR and automated attacks is the hands-on involvement of skilled cybercriminals who adjust their tactics in real time, responding to defensive measures.
Attackers sometimes spend weeks or months within a network, conducting reconnaissance and positioning themselves for the final ransomware deployment.
They are indistinguishable from competent IT professionals, making detection and prevention challenging.
Identifying early signs of human-operated ransomware
To defend against HOR, businesses must adopt a proactive stance, continually monitoring for signs of intrusion.
Early indicators of a HOR attack include:
- Unusual login patterns
- Unauthorised access attempts
- Unexplained system configuration changes
- Unusual tools and files on servers
Detecting compromised credentials early is crucial.
Immediate action, such as changing passwords, limiting access, enforcing MFA on all internet-facing services, and reducing the number of internet-facing systems, can limit the attacker’s opportunities.
Building robust defences against human-operated ransomware
NEC XON helps customers defend against HOR using anticipation, prevention, detection, and brutal response. Key defences include:
- Cyberthreat anticipation – Regular external reconnaissance to identify potential adversarial intrusion points.
- Preventative measures – Implementing strong access controls and minimising internet-exposed systems.
- Detection systems – Deploying advanced monitoring tools to identify unusual activities early, backed by decisive incident response actions.
- Adversarial tactics understanding – Training security teams to recognise and neutralise sophisticated threats.
Businesses must respond swiftly to any indication of HOR activity, isolating and neutralising suspicious accounts by disabling and changing credentials to disrupt the attacker’s access.
NEC XON has extensive experience helping businesses thwart HOR attacks through swift responses.
For instance, an African government entity regained control after NEC XON methodically identified and eliminated the threat actor’s access points, isolating and addressing every vulnerability.
Employee awareness and training are also crucial in mitigating HOR risks.
Educating privileged employees, such as IT administrators, to recognise the early signs of HOR and suspicious activities reduces the success rate of adversaries by allowing the cyber team to respond rapidly.
Common vulnerabilities, recovery, and future prevention
HOR attackers typically abuse third-party data leaks, weak passwords, lack of MFA, and unpatched internet-facing systems.
Businesses can address these by conducting regular external reconnaissance of their perimeter, limiting internet-facing systems, and implementing a comprehensive privileged access strategy with MFA.
For businesses that have fallen victim to HOR, the recovery process involves regaining control of compromised systems and closing security gaps.
Quick action, effective stakeholder communication, and rigorous crisis management are essential.
HOR represents a formidable challenge, requiring a proactive and multi-layered defence strategy.
Continuous vigilance, employee training, and a swift, decisive response to any signs of intrusion are key to protecting businesses from HOR’s devastating impact.