Ransomware has emerged as a dominant cyber threat and one of the most expensive types of cyberattacks that an organization can fall victim to. However, not all ransomware attacks are created equal. Human-operated ransomware has emerged as a more dangerous and expensive alter

Early ransomware attacks like WannaCry were largely undirected, taking advantage of targets of opportunity. For example, the WannaCry ransomware worm was self-spreading, exploiting vulnerabilities in the Windows Server Message Block (SMB) protocol. Unless the malware has built-in restrictions on targets, any computer could be infected by this type of ransomware.

A human-operated ransomware attack is far more directed. Instead of spreading automatically, human-operated ransomware is planted and executed on a system by a person. The attacker gains access to the target environment, determines the system where ransomware would have the greatest impact, and deploys the ransomware at that location.

Ransomware operators have largely switched to human-operated ransomware because of the greater control and profitability that it offers. By selecting which organizations to target and where to deploy malware on them, a ransomware group can better tailor its attacks and ransom demands to its targets.


Human-Operated Ransomware vs. Traditional Ransomware

The differences between human-operated and traditional ransomware attacks are significant, and include the following:

  • Infection Vectors: Human-driven ransomware attacks may employ different initial access vectors than traditional ransomware. For example, a human attacker may gain access via compromised credentials and then move laterally through the network to achieve their objective, while traditional ransomware may rely upon phishing emails for malware delivery and execution.
  • Encryption Impact: All ransomware attacks are designed to force an organization to pay a ransom by encrypting valuable files. However, human-operated ransomware attacks may have a greater impact than traditional ones. The human behind the attack can plant and execute ransomware where it will have the greatest impact on an organization’s operations, amplifying the disruption and the size of the ransom that the attacker can demand.
  • Data Theft: Ransomware attacks are increasingly using data theft to increase the attacker’s leverage over the target when demanding a ransom. With human-operated ransomware, the threat actor is able to seek out high-value data such as customer data, financial information, source code, etc.
  • Remediation Complexity: All ransomware attacks require in-depth and time-consuming remediation to clean up after an incident.  However, while traditional ransomware attacks may only require the removal of the malware, a human-driven attack may have additional remediation needs. A human actor may have compromised employee accounts or implanted persistence mechanisms, providing them with backdoor access to systems that must be removed.

The Risks Of Ransomware

Ransomware is one of the greatest threats to corporate cybersecurity and can have major impacts on a company, including:

  • Lost Data: A ransomware attack works by encrypting an organization’s data and demanding a ransom in exchange for decryption. However, even companies that pay a ransom do not always get all of their data back. Organizations that suffer from a ransomware attack can expect to lose at least some of their data permanently.
  • Data Breach: In recent years, ransomware operators have expanded their attacks to steal sensitive data before encrypting it. By threatening to leak this data, the attackers increase their leverage over their targets to pay the ransom. Even if an organization can restore encrypted data from backups, a successful ransomware attack is likely also a data breach.
  • Operational Impacts: Ransomware attacks inhibit an organization’s operations and require costly and time-consuming remediation.  Additionally, some ransomware groups will also perform distributed denial of service (DDoS) attacks to encourage ransom payments.  All of these have a significant impact on an organization’s ability to operate.
  • Reputational Damage: While anyone can fall victim to a ransomware attack, ransomware victims are commonly seen as having done something wrong to make the attack possible. After an attack, an organization’s reputation may be damaged among customers, and a company may undergo investigation for potential non-compliance with applicable regulations.

How To Prevent Ransomware

Protecting against ransomware attacks requires implementing anti-ransomware protections and best practices, such as:

  • Employee Education: Ransomware operators commonly target employees for initial access via phishing and other social engineering attacks. Training employees on how to detect and properly respond to phishing and how to create and use strong passwords helps to minimize the threat that employees pose to corporate cybersecurity.
  • Data Backups: Ransomware’s business model is based on denying an organization access to its own data so that it pays a ransom to regain access. By backing up data regularly, a company can restore its encrypted data without paying the ransom.
  • Vulnerability Management: Ransomware can infect a system in a variety of ways; however, exploiting vulnerabilities is a common choice. Promptly applying vulnerability patches when they become available enables an organization to close these security gaps before they can be exploited by an attacker.
  • Strong Authentication: Human-operated ransomware is commonly deployed by an attacker using compromised employee credentials. Enforcing the use of multi-factor authentication (MFA) for all corporate applications and systems makes it more difficult to use compromised credentials, limiting exposure to this attack vector.
  • Least Privilege: The cybercriminals behind human-operated ransomware commonly move laterally through an enterprise network to a high-value system where ransomware can do the most damage. Implementing least privilege and zero trust security principles can help to make this lateral movement more difficult to perform and easier to detect.

Ransomware Protection With Check Point

Ransomware is one of many major cyber trends.  Sign up for a free demo to learn how Check Point Harmony Endpoint and Check Point Harmony Email & Collaboration protect against human-operated ransomware and other modern cyber threats.