Human-operated ransomware attacks have tripled in the last year


Human-operated ransomware attacks have increased by more than 200% since September 2022, according to Microsoft researchers, who warned that this could represent a shift in the cybercrime underground.

Human-operated attacks typically involve the misuse of remote monitoring and management tools, which allow hackers to leave less evidence behind than automated attacks launched via malicious phishing documents. Microsoft has warned that the growth in these types of incidents could signal an increase in the number of ransomware hackers trying to maximize their income by working for several gangs at once.

As part of the overall strategy, human-operated attacks often target so-called unmanaged devices – those that people use under “bring your own device” policies – because they typically have fewer security controls and defenses, the researchers found.

The results were part of a 131-page report on cybersecurity trends tracked by the company between July 1, 2022 and June 30, 2023. By the end of that period, human-operated attacks accounted for 40% of all ransomware incidents, according to the report.

The increase in human-operated ransomware attacks is part of an overall rise in ransomware attacks compared to the previous year, Microsoft said. The company collects a large amount of cybersecurity telemetry through its software products.

The number of affiliates of ransomware-as-a-service groups has increased by 12%, and Microsoft expects the number of human-operated attacks to keep rising in 2024. Hackers are also evolving their tactics to circumvent the defensive measures that Microsoft and other companies are beginning to take, according to the report.

Microsoft researchers noted that since November 2022, the number of attacks involving data exfiltration has doubled, meaning hackers actually stole data instead of just trying to encrypt it on a victim's network.

“Thirteen percent of human-operated ransomware attacks that progressed to the ransom phase had some form of data exfiltration,” they said.

One positive note is that, according to Microsoft, most ransomware attacks failed to encrypt anything, with most being stopped before the ransom demand. Only 2% of attacks resulted in a successful ransomware deployment, the company said.

RDP, VPN and personal devices

Most attacks could be traced to three points of compromise: breach of external remote services, abuse of valid accounts, and compromise of public-facing applications.

“We found that among external remote services, adversaries primarily exploited insecure Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN). Malicious actors attacking valid accounts, where the attacker somehow obtained legitimate account credentials, have most often been able to log in through Citrix,” Microsoft said.

“Among vulnerable external applications, cybercriminals have exploited vulnerabilities ranging from zero-day vulnerabilities to those two to three years old, with Zoho ManageEngine, Exchange, MOVEit and the PaperCut print management software among the top applications exploited.”

Microsoft reiterated its long-standing warnings that hackers love to target devices that are not managed directly by organizations and are brought in by employees. Microsoft has said that 80 to 90 percent of all compromises come from unmanaged devices.

Ransomware gangs are also increasingly targeting lesser-known software used by smaller organizations. Between July 2022 and September 2022, 70% of all attacks took place in organizations with fewer than 500 employees.

Nearly two-thirds of all attacks were attributed to four ransomware gangs: Magniber, LockBit, Hive and BlackCat. LockBit was the most observed among Microsoft Incident Response customer engagements.

Magniber, unlike others, is automated and does not require a human operator. The ransomware was initially used against targets in Asian countries around 2017, but its footprint has expanded in recent years. Attackers usually disguise ransomware as Windows updates.

As for groups that focus directly on data exfiltration rather than traditional ransomware activities, Microsoft cited Karakurt, Lapsus$, Scattered Spider, Nwgen Team and others.

Incident response details

Microsoft also provided insight into how its ransomware engagements work. Once the company identifies an attack and confirms that a victim has encrypted files, it coordinates with the National Cyber Forensics and Training Alliance (NCFTA) – a nonprofit organization that brings together industry and government partners to fight cybercrime – to share information.

In cases where victims feel they have no choice but to pay a ransom, Microsoft said they can work with law enforcement to ensure that when organizations pay, the cryptocurrency can be tracked and, in certain cases, returned.

The report focuses on four major topics: changes in the cybercriminal ecosystem, nation-state attacks, operational technology (OT) security, and the ramifications of artificial intelligence for defenders as well as hackers.

“We have a unique view of the overall cybersecurity of the ecosystem and this is a result of the 65 trillion signals that come to Microsoft every day from our global ecosystem,” Microsoft Vice President Tom Burt told reporters earlier this week.

“This is the result of the 10,000 engineers and other professionals we have who work to improve the security of our products and services and to help protect our customers across a wide range of different activities in which we are engaged.”


Jonathan Greig

Jonathan Greig is a breaking news reporter at Recorded Future News. Jonathan has worked as a journalist around the world since 2014. Before returning to New York, he worked for media outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
