What is ransomware?

Article
10/16/2024

In practice, a ransomware attack blocks access to your data until a ransom is paid.

In fact, ransomware is a type of malware or phishing cyber security attack that destroys or encrypts files and folders on a computer, server, or device.

Once devices or files are locked or encrypted, cybercriminals can extort money from the business or device owner in exchange for a key to unlock the encrypted data. But even when paid, cybercriminals might never give the key to the business or device owner and stop access permanently.

Microsoft Copilot for Security leverages AI to help mitigate ransomware attacks. For more Microsoft solutions to ransomware, visit our Ransomware solutions library.

How do ransomware attacks work?

Ransomware can be automated or involve human hands on a keyboard - a human-operated attack, such as seen in recent attacks using LockBit ransomware.

Human-operated ransomware attacks involve the following stages:

Initial compromise - The threat actor first gains access to a system or environment following a period of reconnaissance to identify weaknesses in defense.
Persistence and defense evasion - The threat actor establishes a foothold in the system or environment using a backdoor or other mechanism that operates in stealth to avoid detection by incident response teams.
Lateral movement - The threat actor uses the initial point of entry to migrate to other systems connected to the compromised device or network environment.
Credential access - The threat actor uses a fake sign-in page to harvest user or system credentials.
Data theft - The threat actor steals financial or other data from compromised users or systems.
Impact - The affected user or organization might suffer material or reputational damage.

Common malware used in ransomware campaigns

Qakbot – Uses phishing to spread malicious links, malicious attachments, and to drop malicious payloads like Cobalt Strike Beacon
Ryuk – Data encryptor typically targeting Windows
Trickbot – Has targeted Microsoft applications such as Excel and Word. Trickbot was typically delivered via email campaigns that used current events or financial lures to entice users to open malicious file attachments or click links to websites hosting the malicious files. Since 2022, Microsoft’s mitigation of campaigns using this malware appears to have disrupted its usefulness.

Prevalent threat actors associated with ransomware campaigns

LockBit – Financially motivated ransomware-as-a-service (RaaS) campaign and most prolific ransomware threat actor in the 2023-24 time period
Black Basta – Gains access through spear-phishing emails and uses PowerShell to launch an encryption payload

How Microsoft can help once an attack has begun

To help mitigate in-progress ransomware attacks, Microsoft Incident Response can leverage and deploy Microsoft Defender for Identity — a cloud-based security solution that helps detect and respond to identity-related threats. Bringing identity monitoring into incident response early supports the affected organization's security operations team to regain control. Microsoft Incident response uses Defender for Identity to help identify the incident scope and impacted accounts, protect critical infrastructure, and evict the threat actor. The response team then brings in Microsoft Defender for Endpoint to trace the threat actor’s movements and disrupt their attempts to use compromised accounts to reenter the environment. After containing the incident andregaining and full administrative control over the environment, Microsoft Incident Response collaborates with the customer to help prevent future cyberattacks.

Automated ransomware attacks

Commodity ransomware attacks are often automated. These cyber attacks can spread like a virus, infect devices through methods like email phishing and malware delivery, and require malware remediation.

Therefore, you can safeguard your email system using Microsoft Defender for Office 365 that protects against malware and phishing delivery. Microsoft Defender for Endpoint works alongside Defender for Office 365 to automatically detect and block suspicious activity on your devices, while Microsoft Defender XDR detects malware and phishing attempts early.

Human-operated ransomware attacks

Human-operated ransomware is the result of an active attack by cybercriminals that infiltrate an organization's on-premises or cloud IT infrastructure, elevate their privileges, and deploy ransomware to critical data.

These "hands-on-keyboard" attacks usually target organizations rather than a single device.

Human-operated also means there's a human threat actor using their insights into common system and security misconfigurations. They aim to infiltrate the organization, navigate the network, and adapt to the environment and its weaknesses.

Hallmarks of these human-operated ransomware attacks typically include credential theft and lateral movement with an elevation of the privileges in stolen accounts.

Activities might take place during maintenance windows and involve security configuration gaps discovered by cybercriminals. The goal is the deployment of a ransomware payload to whatever high business impact resources the threat actors choose.

Important

These attacks can be catastrophic to business operations and are difficult to clean up, requiring complete adversary eviction to protect against future attacks. Unlike commodity ransomware that usually only requires malware remediation, human-operated ransomware will continue to threaten your business operations after the initial encounter.

The impact and likelihood that human-operated ransomware attacks will continue

Ransomware protection for your organization

First, prevent phishing and malware delivery with Microsoft Defender for Office 365 to protect against malware and phishing delivery, Microsoft Defender for Endpoint to automatically detect and block suspicious activity on your devices, and Microsoft Defender XDR to detect to malware and phishing attempts early.

For a comprehensive view of ransomware and extortion and how to protect your organization, use the information in the Human-Operated Ransomware Mitigation Project Plan PowerPoint presentation.

Follow Microsoft Incident Response's approach to ransomware prevention and mitigation.

Assess the situation by analyzing the suspicious activity that alerted your team to the attack.
What time/date did you first learn of the incident? What logs are available and is there any indication that the actor is currently accessing systems?
Identify the affected line-of-business (LOB) applications, and get any impacted systems back online. Does the affected application require an identity that might have been compromised?
Are backups of the application, configuration, and data available and regularly verified using a restore exercise?
Determine the compromise recovery (CR) process to remove the threat actor from the environment.

Here's a summary of Microsoft's Human-Operated Ransomware Mitigation Project Plan guidance:

The summary of the guidance in the Human-Operated Ransomware Mitigation Project Plan

The stakes of ransomware and extortion-based attacks are high.
However, the attacks have weaknesses that can reduce your likelihood of being attacked.
There are three steps to configuring your infrastructure to exploit attack weaknesses.

For the three steps to exploit attack weaknesses, see the Protect your organization against ransomware and extortion solution to quickly configure your IT infrastructure for the best protection:

Prepare your organization to recover from an attack without having to pay the ransom.
Limit the scope of damage of a ransomware attack by protecting privileged roles.
Make it harder for a threat actor to access your environment by incrementally removing risks.