Manual Ransomware Attacks Increasing in Sophistication and Pose Growing Threat to Businesses

Automated ransomware attack techniques such as those utilized by the threat actors behind WannaCry and NotPetya certainly have potential to cause massive disruption, but human-operated ransomware attacks are increasing and now pose a major threat to businesses, according to Microsoft. These manual attacks provide attackers with unrestricted access to networks and allow them to cause maximum disruption, increasing the probability that the ransom will be paid but also making sure that the attacks are profitable if it isn’t.

These manual attacks are conducted by the threat actors behind the ransomware variants Ryuk, BitPaymer, Samas, REvil, and Wadhrama. These attacks can start with a phishing campaign to obtain credentials, although brute forcing RDP is most common.

The attackers need to compromise accounts with high-level privileges. Once those credentials are obtained, the attackers move laterally and compromise large parts of the network, using living-of-the-land techniques that are difficult for network defenders to identify. These threat groups have extensive knowledge of systems administration and are aware of common network security misconfigurations which are exploited. Each attack is adapted on the fly once the attackers have gained a foothold in a system.

The Parinacota threat group has been tracked by Microsoft for several months. The tactics often change based on the configuration of the compromised network and different malware and ransomware variants have been deployed. Potential victims are found by scanning the internet for systems that listen on Port 3389, then brute force tactics are used to obtain RDP credentials although the threat group is known to use the path of least resistance and multiple attack methods are used.

A typical attack chain involves brute forcing RDP, scanning for connectivity and performance, switching off security controls, conducting network recon, and then moving laterally to compromise as many devices as possible. The attackers then steal credentials, install backdoors to give them persistent access, before finally the ransomware is deployed. This is a smash and grab raid, which takes about an hour from compromise to deployment of the ransomware. In some attacks, such as when cryptocurrency mining or spamming malware has been deployed, it is left active for a few weeks before the attackers return to deploy the ransomware.

These threat actors are highly skilled and are able to operate without restriction even when their presence has been detected by endpoint detection and response (EDR) and endpoint protection platform (EPP) sensors. Similar tactics have been used by other threat groups including those behind MegaCortex, LockerGoga, RobbinHood, and GandCrab ransomware.

These human-operated ransomware campaigns often start with banking Trojans such as TrickBot or Dridex. Microsoft notes that when organizations discover these banking Trojans, they are often viewed as trivial infections and are not properly investigated. Consequently, the operators of the ransomware can continue to operate.

The operators of Ryuk ransomware are known to use TrickBot while the DoppelPaymer threat actors have been observed using Dridex. In many cases, investigations of ransomware attacks have shown that systems have been compromised several months before the ransomware payload has been deployed. If the initial banking Trojan infections were identified and properly investigated, the ransomware attacks could have been prevented. Alerts about commodity malware need to be thoroughly investigated as they could indicate a much more extensive attack is about to unfold.

The researchers also note that the attackers often still have access to networks even after the ransom is paid. Victims are often targeted on more than one occasion until the backdoors are identified and the attackers are kicked out of the system.

Some of the vulnerabilities that are exploited include the lack of firewall protection or multi-factor authentication and the use of weak passwords. Addressing these issues is essential, along with taking steps to make it harder for the attackers to move laterally.

“Human-operated attacks will continue to take advantage of security weaknesses to deploy destructive attacks until defenders consistently and aggressively apply security best practices to their networks,” explained Microsoft.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of