Microsoft: Human-operated ransomware attacks tripled over past year

Human-operated ransomware attacks are up more than 200% since September 2022, according to researchers from Microsoft, who warned that it could represent a shift in the cybercrime underground.

Human-operated attacks typically involve the active abuse of remote monitoring and management tools that allow hackers to leave behind less evidence — as opposed to automated attacks that are delivered through malicious phishing documents. Microsoft warned that the growth in those kinds of incidents could signal an increase in individual ransomware hackers trying to maximize their returns by working for a range of gangs.

As part of the overall strategy, human-operated attacks often target so-called unmanaged devices — the kind people use under “bring your own device” policies — because they typically have fewer security controls and defenses, the researchers found.

The findings were part of a 131-page report on cybersecurity trends tracked by the company between July 1, 2022 and June 30, 2023. By the end of that month, human-operated attacks accounted for 40 percent of all ransomware incidents, the report said.

The increase in human-operated ransomware attacks was part of an overall increase in ransomware attacks compared to the previous year, Microsoft said. The company collects a vast amount of cybersecurity data through its software products.

The number of affiliates of ransomware-as-a-service groups grew by 12%, and Microsoft believes the number of human-operated attacks will grow in 2024. The hackers are also evolving their tactics to get around defensive measures Microsoft and other companies are beginning to take, the report said.

Microsoft’s incident responders found that since November 2022, the number of attacks involving data exfiltration doubled — meaning that the hackers actually stole data instead of just trying to encrypt it on a victim’s network.

“Thirteen percent of human-operated ransomware attacks that moved into the ransom phase had some form of data exfiltration,” they said.

One positive note was that Microsoft said most ransomware attacks did not succeed in encrypting anything, with most stopped at the pre-ransom phase. Just 2% of attacks progressed to a successful ransomware deployment, they found.

RDPs, VPNs and personal devices

Most attacks could be sourced back to three points of compromise: breaching external remote services, abusing valid accounts and compromising public-facing applications.

“We found that among external remote services, adversaries primarily leveraged unsecured remote desktop protocol (RDP) and virtual private networks (VPN). Threat actors attacking valid accounts, where the attacker somehow gained legitimate account credentials, were most often able to log in via Citrix,” Microsoft said.

“Among vulnerable external facing applications, cybercriminals exploited vulnerabilities ranging from zero-day vulnerabilities to those that were two to three years old, with Zoho Java ManageEngine, Exchange, MOVEit, and PaperCut print management software among the top applications exploited.”

Microsoft repeated longtime warnings that hackers love to target devices that are not managed directly by organizations and are brought in by employees. Microsoft said 80 to 90 percent of all compromises originate from unmanaged devices.

Ransomware gangs are also increasingly targeting less well-known software used by smaller organizations. Between July 2022 and September 2022, 70% of all attacks took place at organizations with less than 500 employees.

Nearly two-thirds of all attacks were traced back to four ransomware gangs: Magniber, LockBit, Hive and BlackCat. LockBit was the most observed among Microsoft Incident Response customer engagements.

Magniber, unlike the others, is automated and does not require a human operator. The ransomware was initially seen used against targets in Asian countries around 2017 but has expanded its footprint in recent years. Attackers typically disguise the ransomware as Windows updates.

As for groups that focus directly on data exfiltration over classic ransomware activities, Microsoft cited Karakurt, Lapsus$, Scattered Spider, Nwgen Team and others.

Details of incident response

Microsoft also provided a run-through of how many ransomware engagements work. Once the company identifies an attack and confirms a victim has had files encrypted, it coordinates with the National Cyber Forensics and Training Alliance (NCFTA) — a nonprofit organization that unites industry and government partners to combat cybercrime — to share information.

In cases where victims feel they have no choice but to pay a ransom, Microsoft said they can work with law enforcement to make it so that when organizations pay, the cryptocurrency can be tracked and in some cases returned.

The report focuses on four major topics – cybercriminal ecosystem changes, nation-state attacks, operational technology (OT) security and the ramifications of artificial intelligence for defenders as well as hackers.

“We have a unique view of the overall cybersecurity of the ecosystem and that results from the 65 trillion signals that come to Microsoft from our global ecosystem every day,” Microsoft corporate vice president Tom Burt told reporters earlier this week.

“It's a result of the 10,000 engineers and other professionals that we have that work to improve the security of our products and services and to help protect our customers through a wide range of different activities in which we're engaged.”