The Playbook for Human-Operated Ransomware

BrandPost by Ken Malcolmson, Chief Security Advisor, Microsoft
Dec 17, 2021 | 4 min read

2021 will be known as another year full of painful ransomware. In fact, according to our 2021 Digital Defense Report, ransomware attacks have evolved significantly to now include crippling network-wide attacks using multiple extortion methods to target both your organization’s data and reputation, all enabled by human intelligence. This has led to ransomware operators driving their profits to unprecedented levels, with predictions noting that the total cost of ransomware attacks will reach $265 billion by 2031, according to Cybersecurity Ventures. No industry is immune, and the ransomware gangs behind these attacks are making a lot of money with very minimal risk of being caught. However, every industry increasingly has access to advanced tools and technologies to fight back.

We are now seeing a major shift from commodity ransomware attacks to human-operated ransomware. These “hands-on-keyboard” attacks target an entire organization rather than a single device or individual, leveraging human attackers’ knowledge of common system and security misconfigurations to get in, navigate the enterprise network, and adapt to the environment and its weaknesses as they go.

Attackers use a three-step approach to carry out successful human-operated ransomware attacks. First, they gain initial access to the environment, primarily through identity attacks (via email, browser, password spray, etc.). Once the attackers have gained access to the organization, they move laterally within the network to steal more credentials, gain elevated privileges, and ultimately find an admin account that gives them access to data. Now that the attackers have access to the data, they can steal it, encrypt it, and deploy a ransomware payload to the resources of their choosing. This type of attack results in catastrophic outcomes for business operations that are very difficult to clean up.

Given how common these ransomware attacks are, and how easy they are to carry out, what can you and your organization do to prepare for future attacks?

First, we strongly recommend implementing a Zero Trust approach. Based on the three principles of verify explicitly, use least privileged access, and assume breach, a comprehensive Zero Trust architecture creates several safeguards within and across identity, endpoints, apps, infrastructure, network, and data. We not only recommend this approach with our customers and partners, but we also embrace it in our approach to global security and software development here at Microsoft.

Next, integrated threat protection helps secure organizations by using the combination of XDR and SIEM tools to detect attacks while they are happening and stop them. Our cloud-based SIEM platform, Microsoft Sentinel, gives users insights and visibility across their entire organization while our Microsoft 365 Defender and Microsoft Defender for Cloud platforms provide XDR capabilities for end-user environments as well as infrastructure and multi-cloud platforms, respectively.

Lastly, we recommend having a backup and incident response (IR) plan prepared in the event that your organization is compromised. It is crucial to back up all critical systems automatically on a regular basis and to ensure all backups are protected against deliberate erasure or encryption. A tool such as Azure Backup protects an organization’s backup environment both while data is in transit and while it is at rest. For incident response, organizations need to ensure rapid detection and remediation of common attacks on endpoint, email, and identity (ransomware operators love these three) by prioritizing common entry points and monitoring for adversaries disabling security. It is important to regularly practice these backup and incident response plans.
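The last point above, monitoring for adversaries disabling security, is the kind of check a defender can automate. The following is an added example written for this article, not Microsoft code or part of any Microsoft product: a small detector that scans event log lines for indicators that security tooling is being switched off and then correlates them per host. The one-line-per-event log layout and the sample lines are constructed for the example; the Windows event IDs it keys on are real (Security 1102 audit log cleared, Security 4719 audit policy changed, Microsoft-Windows-Windows Defender/Operational 5001 real-time protection disabled, System 7036 service stopped), while the rule table, severities and the two-indicators-in-ten-minutes threshold are this example's own choices, not a published baseline.

```python
"""Flag events that indicate security tooling is being disabled on a host.

Added illustration for this article; not Microsoft code. The log format is a
constructed, simplified "<timestamp> <host> <channel> <event id> <message>"
layout; real collectors would feed the same logic from XML or JSON events.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: one host shows a tampering sequence, the other is benign noise.
SAMPLE_LOG = """\
2021-12-17T02:14:03Z FILESRV01 Security 4624 An account was successfully logged on.
2021-12-17T02:15:11Z FILESRV01 Microsoft-Windows-Windows Defender/Operational 5001 Real-time protection is disabled.
2021-12-17T02:15:40Z FILESRV01 System 7036 The Microsoft Defender Antivirus Service service entered the stopped state.
2021-12-17T02:16:02Z FILESRV01 Security 1102 The audit log was cleared.
2021-12-17T02:20:45Z WKS-0042 Security 4624 An account was successfully logged on.
2021-12-17T02:21:00Z WKS-0042 System 7036 The Print Spooler service entered the stopped state.
"""

# Channel names may contain spaces, so the channel group is non-greedy and the
# event id must be the first purely numeric token after the host.
LINE_RE = re.compile(r"^(\S+) (\S+) (.+?) (\d+) (.*)$")

# Rule table: (channel, event id, optional message predicate, severity, description).
# Event IDs are real Windows ones; the severities are this example's assumption.
TAMPER_RULES = [
    ("Security", 1102, None, "high", "audit log cleared"),
    ("Security", 4719, None, "medium", "system audit policy changed"),
    ("Microsoft-Windows-Windows Defender/Operational", 5001, None, "high",
     "Defender real-time protection disabled"),
    ("System", 7036, lambda msg: "Defender" in msg and "stopped" in msg, "high",
     "Defender service stopped"),
]


@dataclass(frozen=True)
class Event:
    time: datetime
    host: str
    channel: str
    event_id: int
    message: str


@dataclass(frozen=True)
class Finding:
    time: datetime
    host: str
    severity: str
    description: str


def parse_events(text: str) -> list[Event]:
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if not match:
            continue
        ts, host, channel, event_id, message = match.groups()
        # fromisoformat on older Pythons does not accept a trailing "Z".
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(when, host, channel, int(event_id), message))
    return events


def detect_tampering(events: list[Event]) -> list[Finding]:
    """Return one finding per event that matches a defense-evasion rule."""
    findings = []
    for ev in events:
        for channel, event_id, predicate, severity, description in TAMPER_RULES:
            if ev.channel != channel or ev.event_id != event_id:
                continue
            if predicate is not None and not predicate(ev.message):
                continue
            findings.append(Finding(ev.time, ev.host, severity, description))
    return findings


def correlated_hosts(findings: list[Finding], window_minutes: int = 10,
                     min_findings: int = 2) -> set[str]:
    """Hosts with at least `min_findings` distinct indicators inside a sliding window.

    A single indicator may be routine maintenance; several different ones on the
    same host within minutes are the pattern worth paging on. Threshold values
    are an assumption for this example.
    """
    by_host: dict[str, list[Finding]] = defaultdict(list)
    for finding in findings:
        by_host[finding.host].append(finding)
    window = timedelta(minutes=window_minutes)
    flagged = set()
    for host, items in by_host.items():
        items.sort(key=lambda f: f.time)
        for i, first in enumerate(items):
            distinct = {f.description for f in items[i:] if f.time - first.time <= window}
            if len(distinct) >= min_findings:
                flagged.add(host)
                break
    return flagged


if __name__ == "__main__":
    found = detect_tampering(parse_events(SAMPLE_LOG))
    for f in found:
        print(f"{f.time.isoformat()} {f.host} [{f.severity}] {f.description}")
    print("hosts to isolate:", sorted(correlated_hosts(found)))
```

The benign Print Spooler stop on WKS-0042 shares event ID 7036 with the Defender service stop but is not flagged, because the rule for that ID carries a message predicate; keying on event IDs alone would produce noise, and keying on message text alone would miss events whose wording differs by locale, so production rules usually combine both with the provider's structured fields.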

Mitigating human-operated ransomware attacks is a top priority for organizations worldwide. By implementing these strategies and tools, organizations can be fearless, armed with the ability to secure everything without limits.

For more information, download Microsoft’s Human-Operated Ransomware Mitigation Project Plan, watch our webcast on the Microsoft Playbook for Human-Operated Ransomware and please visit