Human-operated ransomware

Human-operated ransomware is a large and growing attack trend that threatens organizations in every industry.

Human-operated ransomware is different from commodity ransomware. These “hands-on-keyboard” attacks target an organization rather than a single device. The human attackers leverage their knowledge of common system and security misconfigurations to infiltrate the organization, navigate the enterprise network, and adapt to the environment and its weaknesses as they go.

Hallmarks of these human-operated ransomware attacks typically include credential theft and lateral movement, and they can result in the deployment of a ransomware payload to high-business-impact resources of the attackers' choosing.

These attacks can be catastrophic to business operations and are difficult to clean up, requiring complete adversary eviction to protect against future attacks. Unlike commodity ransomware, which only requires malware remediation, human-operated ransomware continues to threaten your business operations after the initial encounter.

The following figure shows how this extortion-based attack, which exploits maintenance and security configuration gaps and privileged access, is growing in both impact and likelihood.

The impact and likelihood that human-operated ransomware attacks will continue

Protect your organization against ransomware and extortion

For a comprehensive view of ransomware and extortion and how to protect your organization, use the information in the Human-Operated Ransomware Mitigation Project Plan PowerPoint presentation.

Here's a summary of the guidance:

The summary of the guidance in the Human-Operated Ransomware Mitigation Project Plan

  • The stakes of ransomware and extortion are high.
  • However, the attacks have weaknesses that you can exploit to reduce your likelihood of being attacked.
  • There are three phases for configuring your infrastructure to exploit those attack weaknesses.

For the three phases that exploit these attack weaknesses, see the Protect your organization against ransomware and extortion solution, which shows how to quickly configure your IT infrastructure for the best protection:

  1. Prepare your organization so you can recover from an attack without having to pay the ransom.
  2. Limit the scope of damage of an attack by protecting privileged roles.
  3. Make it harder for a ransomware attacker to get into your environment by incrementally removing risks.

The three phases to protecting against ransomware and extortion

You can also see an overview of the phases as levels of protection against ransomware attackers with the Protect your organization from ransomware poster.

The "Protect your organization from ransomware" poster
