What is ransomware?

Ransomware is a type of cyber security attack that destroys or encrypts files and folders, preventing the owner of the effected device from accessing their data. The cybercriminal can then extort money from the business owner in exchange for a key to unlock the encrypted data. But, even when paid, cybercriminals may not provide the key to return access to the business owner.


Need to start right now? See Protect your organization against ransomware and extortion to quickly configure your IT infrastructure for the best ransomware protection.

Automated ransomware attacks

Commodity ransomware attacks are usually automated. These cyber attacks can spread like a virus, infect devices through methods like email phishing and malware delivery, and require malware remediation. That means one ransomware prevention technique is to safeguard your mail with a system like Microsoft Defender for Office 365, or Microsoft 365 Defender, to detect malware and phishing attempts early.

Human-operated ransomware attacks

Human-operated ransomware is the result of an active attack by cybercriminals that infiltrate an organization's on-premises or cloud IT infrastructure, elevate their privileges, and deploy ransomware to critical data.

These "hands-on-keyboard" attacks target an organization rather than a single device. Human-operated means there is a human attacker using their insights into common system and security misconfigurations to infiltrate the organization, navigate the network, and adapt to the environment and its weaknesses as they go.

Hallmarks of these human-operated ransomware attacks typically include credential theft and lateral movement with a elevation of the privileges in stolen accounts. Activities might take place during maintenance windows and involve security configuration gaps discovered by cybercriminals. The goal is the deployment of a ransomware payload to whatever high business impact resources the attackers choose.


These attacks can be catastrophic to business operations and are difficult to clean up, requiring complete adversary eviction to protect against future attacks. Unlike commodity ransomware that usually only requires malware remediation, human-operated ransomware will continue to threaten your business operations after the initial encounter.

The graphic below shows how this extortion-based attack is growing in impact and likelihood.

The impact and likelihood that human-operated ransomware attacks will continue

Ransomware protection for your organization

For a comprehensive view of ransomware and extortion and how to protect your organization, use the information in the Human-Operated Ransomware Mitigation Project Plan PowerPoint presentation. But here's a summary of the guidance:

The summary of the guidance in the Human-Operated Ransomware Mitigation Project Plan

  • The stakes of ransomware and extortion-based attacks are high.
  • However, the attacks have weaknesses that can reduce your likelihood of being attacked.
  • There are three phases to configuring your infrastructure to exploit attack weaknesses.

For the three phases to exploit attack weaknesses, see the Protect your organization against ransomware and extortion solution to quickly configure your IT infrastructure for the best protection:

  1. Prepare your organization to recover from an attack without having to pay the ransom.
  2. Limit the scope of damage of a ransomware attack by protecting privileged roles.
  3. Make it harder for an attacker to get into your environment by incrementally removing risks.

The three phases to protecting against ransomware and extortion

Download the Protect your organization from ransomware poster for an overview of the three phases as layers of protection against ransomware attackers.

The "Protect your organization from ransomware" poster

Additional ransomware resources

Key information from Microsoft:

Microsoft 365:

Microsoft 365 Defender:

Microsoft Defender for Cloud Apps:

Microsoft Azure:

Microsoft Security team blog posts: