Ransomware threats have been growing in the past couple of years, and while most target a broad attack surface and follow opportunistic patterns, Microsoft has now issued a warning about human-operated ransomware (we'll refer to this as "HOR" for brevity moving forward), which is becoming dominant in the ransomware-as-a-service (RaaS) gig economy.
HOR differs from traditional ransomware because it targets specific weaknesses in your system, discovered manually by humans. An example is exploiting a service that has elevated privileges in your environment. Microsoft states that HOR involves human input in every stage of the attack and system flaws or human errors could be used to elevate privileges, get access to more sensitive data, and ultimately result in a bigger payout. What makes HOR even more dangerous is that attackers typically do not leave the network even after payment. They keep trying to monetize their access by deploying new malware until they are completely purged.
Microsoft has highlighted that RaaS has recently started gravitating towards a double extortion model, where your data is not only encrypted but attackers also threaten to make it public unless you pay them. The firm has also noted that HOR campaigns typically take advantage of legacy configurations and misconfigurations, as well as poor credential hygiene, to elevate their privileges. As such, security teams in organizations need to transition to a Zero Trust model where they are not only on the lookout for single alerts but have a holistic view of their entire security posture and incidents.
Microsoft has also warned organizations about the RaaS affiliate model, described below:
In the past, we’ve observed a tight relationship between the initial entry vector, tools, and ransomware payload choices in each campaign of one strain of ransomware. The RaaS affiliate model, which has allowed more criminals, regardless of technical expertise, to deploy ransomware built/managed by someone else, is weakening this link. As ransomware deployment becomes a gig economy, it has become more difficult to link the tradecraft used in a specific attack to the ransomware payload developers.
[...] RaaS is an arrangement between an operator and an affiliate. The RaaS operator develops and maintains the tools to power the ransomware operations, including the builders that produce the ransomware payloads and payment portals for communicating with victims.
[...] RaaS thus gives a unified appearance of the payload or campaign being a single ransomware family or set of attackers. However, what happens is that the RaaS operator sells access to the ransom payload and decryptor to an affiliate, who performs the intrusion and privilege escalation and who is responsible for the deployment of the actual ransomware payload. The parties then split the profit. In addition, RaaS developers and operators might also use the payload for profit, sell it, and run their campaigns with other ransomware payloads—further muddying the waters when it comes to tracking the criminals behind these actions.
In order to combat these growing and sophisticated threats, Microsoft has recommended that organizations migrate to a Zero Trust model, build credential hygiene, audit credential exposure, perform cloud hardening, prioritize deployment of Active Directory updates, reduce the attack surface, mitigate security blind spots, and harden perimeters - especially internet-facing resources. Lastly, it has also encouraged customers to use Microsoft 365 Defender's unified investigation capabilities and cross-domain visibility to detect and proactively respond to threats. Microsoft plans to talk about this area in more detail at the Microsoft Security Summit digital event on May 12; you can register for it here.