by Will Oram, Cyber Risk Advisory, Senior Manager | PwC UK
E-mail +44 (0)7730 599262

Human-operated ransomware attacks are one of the most significant cyber threats facing organisations today. In this increasingly common type of attack, skilled cyber criminals gain access to an organisation and deploy ransomware for maximum disruptive effect. The end goal is to extort a large ransom, in some cases as high as eight figures, in return for decrypting the victim's systems and data. These criminals are hugely successful; the FBI estimates that one group alone has made over $61 million USD.
Despite these attacks being relatively new, the defences that can stop them in their tracks are not. Human-operated ransomware attackers typically rely on well-established and well-known tools, techniques and procedures (TTPs) to achieve their objectives, and they do so because those TTPs work. They include:
Gaining initial access via phishing emails, vulnerabilities in internet-facing infrastructure, and insecure remote access services;
Using commodity malware and banking trojans (such as Qakbot, Emotet and TrickBot) to gain an initial foothold in the network; and
Moving laterally using common offensive security tools (e.g. Cobalt Strike and Empire) or legitimate administrative functionality (e.g. WMI, RDP and PowerShell).
Based on our understanding of the TTPs used by these attackers, and on our experience preventing, detecting and responding to these attacks, we have published a new whitepaper, Responding to the growing threat of human-operated ransomware attacks. In this article we summarise the six areas we recommend CISOs and security professionals focus on to improve their security posture. The full whitepaper contains pragmatic, actionable recommendations on how to reduce the risk from these attacks.
1. Prevent workstations being compromised by phishing attacks
Phishing is a hugely common vector for initial infection; in 2020 the US Cybersecurity and Infrastructure Security Agency (CISA) stated that phishing attacks account for 90% of all cyber security incidents. A combination of security awareness training, email and web filtering, and workstation hardening (for example, blocking macros from the internet and restricting what users can execute) is essential to maximise defence.
2. Remediate internet-facing vulnerabilities and reduce the attack surface
Many organisations struggle to manage their internet-facing presence and have no clear understanding of which systems and services are remotely accessible. Attackers take advantage of this, seeking either to exploit vulnerabilities in this infrastructure (for example, BlueKeep in exposed RDP services) or to brute-force their way in using legitimate credentials. Organisations should seek to understand, restrict and harden all internet-facing infrastructure in order to minimise this risk.
3. Protect privileged accounts from being compromised
Privileged accounts (i.e. local, domain or enterprise administrators) give attackers the keys to the kingdom and are therefore a high-value target. Access to a privileged account helps an attacker overcome defences, maximise spread across the environment and evade detection. Privileged access must be granted as sparingly as possible, and privileged credentials must be afforded the strongest protection (i.e. strong authentication methods, and never exposed through insecure practices such as logging on to workstations with a domain admin account). Privileged access management solutions combined with Microsoft's LAPS, which gives every machine a unique local administrator password, are often the best way to achieve this in a large enterprise.
4. Remediate common hygiene issues used by attackers to escalate privileges
Attackers commonly exploit IT hygiene issues to gain privileged access, for example by finding plaintext credentials on an open file share or by cracking a weak service account password. Scan network file shares to identify and remove stored credentials, and ensure service accounts are managed securely with strong (ideally 32+ character) passwords, since any account with a service principal name can have its password cracked offline by a low-privileged domain user. For organisations using Microsoft 365, Secure Score can be a quick way to identify hygiene issues and their fixes.
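The two hygiene checks above, as an added example that is not part of the PwC article or whitepaper. The first function hunts for plaintext credentials on file shares and reports file, line and owner without copying the secret itself; the second reports Kerberoastable service accounts (those with an SPN); the third puts those accounts under a 32-character fine-grained password policy. The share paths, group name, policy name and precedence are assumptions for the example, and the Active Directory parts need the ActiveDirectory RSAT module.

```powershell
# Added example (not from the PwC whitepaper): (1) hunt for plaintext credentials on file
# shares and (2) report Kerberoastable service accounts and put them under a long password
# policy. Requires the ActiveDirectory RSAT module; share paths, group and policy names are
# assumptions for this example.

$sharePaths = @('\\fileserver01\public', '\\fileserver01\it-scripts')   # assumption: shares to scan
$textTypes  = '.txt', '.ps1', '.bat', '.cmd', '.vbs', '.ini', '.xml', '.config', '.json', '.csv', '.rdp', '.yml', '.yaml'

# Patterns that commonly betray stored secrets. Expect some false positives (documentation,
# templates); the secret itself is deliberately not written to the report.
$secretPatterns = @(
    '(?i)\b(password|passwd|pwd)\s*[=:]\s*\S{4,}'                 # key=value / key: value in scripts and configs
    '(?i)(Password|Pwd)=[^;"\s]+'                                  # SQL / OLE DB connection strings
    '-----BEGIN (RSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY-----'
    '(?i)\bnet use\b.*/user:\S+\s+\S+'                             # logon scripts mapping drives with a password
    '(?i)\bpsexec(\.exe)?\b.*\s-p\s+\S+'                           # admin tooling with an inline password
    '(?i)\bcmdkey(\.exe)?\b.*/pass:\S+'
)

function Find-CredentialsOnShares {
    param([string[]]$Paths, [string[]]$Patterns, [string[]]$Extensions)
    foreach ($path in $Paths) {
        Get-ChildItem -Path $path -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $Extensions -contains $_.Extension.ToLower() -and $_.Length -lt 5MB } |
            ForEach-Object {
                $file = $_
                Select-String -Path $file.FullName -Pattern $Patterns -ErrorAction SilentlyContinue |
                    ForEach-Object {
                        [pscustomobject]@{
                            File          = $file.FullName
                            Line          = $_.LineNumber
                            Indicator     = $_.Pattern
                            LastWriteTime = $file.LastWriteTime
                            Owner         = (Get-Acl -Path $file.FullName -ErrorAction SilentlyContinue).Owner
                        }
                    }
            }
    }
}

function Get-KerberoastableAccounts {
    # Any authenticated domain user can request a service ticket for an account that has an
    # SPN and crack it offline, so these accounts need long passwords and regular rotation.
    Import-Module ActiveDirectory -ErrorAction Stop
    Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
               -Properties servicePrincipalName, PasswordLastSet, PasswordNeverExpires, AdminCount |
        Select-Object SamAccountName,
            @{ n = 'SPNs';            e = { $_.servicePrincipalName -join ';' } },
            @{ n = 'PasswordAgeDays'; e = { if ($_.PasswordLastSet) { (New-TimeSpan -Start $_.PasswordLastSet -End (Get-Date)).Days } } },
            PasswordNeverExpires,
            @{ n = 'IsPrivileged';    e = { $_.AdminCount -eq 1 } }   # AdminCount=1: member of a protected group
}

function Set-ServiceAccountPasswordPolicy {
    # Active Directory cannot tell you how long an existing password is, so enforce length
    # going forward with a fine-grained password policy on the service-account group.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$GroupName = 'Service Accounts', [string]$PolicyName = 'Service Accounts PSO', [int]$MinLength = 32)
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PolicyName'")) {
        New-ADFineGrainedPasswordPolicy -Name $PolicyName -Precedence 10 -MinPasswordLength $MinLength `
            -ComplexityEnabled $true -PasswordHistoryCount 24 -MaxPasswordAge (New-TimeSpan -Days 365)
    }
    Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $GroupName
}

Find-CredentialsOnShares -Paths $sharePaths -Patterns $secretPatterns -Extensions $textTypes |
    Export-Csv -Path .\share-credential-findings.csv -NoTypeInformation
Get-KerberoastableAccounts | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
Set-ServiceAccountPasswordPolicy -WhatIf   # drop -WhatIf once the group name and precedence are agreed
```

Run the share scan under a low-privileged account that only has read access, and treat the findings report itself as sensitive. The password policy only bites when passwords are next changed, so existing service account passwords must still be rotated; where the service supports it, a group managed service account (gMSA) removes the human-managed password entirely.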
5. Restrict the ability of an attacker to compromise further systems
Lateral movement is central to human-operated ransomware attacks, as the criminals behind them seek to maximise the number of systems they can disrupt, and so the impact and the likelihood of the ransom being paid. Restricting opportunities for lateral movement is therefore key to minimising the potential "blast radius". Organisations should architect networks from the outset to ensure appropriate segmentation, host-based firewalling (in particular, workstations should not accept SMB, RDP or WMI connections from other workstations), and protection for software deployment mechanisms that can be abused to push ransomware at scale.
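The host-based firewalling described above, as an added example that is not part of the PwC article or whitepaper. It configures Windows Defender Firewall on a workstation so that the services used for lateral movement (SMB, RDP, WinRM, and RPC/WMI) are only reachable from a management network; the addresses and rule names are assumptions. It also shows the ordering caveat that catches many first attempts: Windows evaluates Block rules before Allow rules, so the design is "default deny inbound, built-in allows off, narrow allows on".

```powershell
# Added example (not from the PwC whitepaper): Windows Defender Firewall configuration that
# stops a workstation accepting the inbound connections used for lateral movement (SMB,
# RDP, WinRM, RPC/WMI) from anything except a small management network. Addresses and
# names are assumptions. At scale, deliver the same rules by GPO or Intune with
# "Apply local firewall rules" set to No, so a local administrator cannot undo them.

$managementSources = @('10.10.5.0/24', '10.10.5.200')   # assumption: PAW VLAN plus one jump host
$group    = 'Lateral movement containment'
$profiles = 'Domain', 'Private'

# Windows Firewall evaluates Block rules before Allow rules, so "block everyone, then allow
# management" would also block management. The working shape is: default inbound action
# Block, built-in Allow rules for these services disabled, and Allow rules scoped to the
# management sources only.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

# Built-in groups that otherwise open these services to the whole network (enabling Remote
# Desktop in Settings, for instance, switches on the 'Remote Desktop' group).
$builtInGroups = 'File and Printer Sharing', 'Remote Desktop', 'Windows Remote Management',
                 'Windows Management Instrumentation (WMI)', 'Remote Service Management'
foreach ($displayGroup in $builtInGroups) {
    Get-NetFirewallRule -DisplayGroup $displayGroup -Direction Inbound -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule
}

# Fixed-port services: allow only from management.
$fixedPortServices = @(
    @{ Name = 'SMB';   Port = 445        }   # admin shares, PsExec-style service installs
    @{ Name = 'RDP';   Port = 3389       }
    @{ Name = 'WinRM'; Port = 5985, 5986 }   # PowerShell remoting
)
foreach ($svc in $fixedPortServices) {
    New-NetFirewallRule -DisplayName "Allow $($svc.Name) from management only" -Group $group `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort $svc.Port `
        -RemoteAddress $managementSources -Profile $profiles | Out-Null
}

# RPC: the endpoint mapper (135) and the WMI service's dynamic port. Windows resolves the
# keywords RPCEPMap and RPC to the right ports for the bound service itself.
New-NetFirewallRule -DisplayName 'Allow RPC endpoint mapper from management only' -Group $group `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort RPCEPMap `
    -Program '%SystemRoot%\system32\svchost.exe' -Service rpcss `
    -RemoteAddress $managementSources -Profile $profiles | Out-Null
New-NetFirewallRule -DisplayName 'Allow WMI (dynamic RPC) from management only' -Group $group `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort RPC `
    -Program '%SystemRoot%\system32\svchost.exe' -Service winmgmt `
    -RemoteAddress $managementSources -Profile $profiles | Out-Null

# Verify: any enabled inbound Allow rule on 445 or 3389 with an unrestricted remote address is a gap.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -match '^(445|3389)$' } |
    Select-Object DisplayName, Group, @{ n = 'RemoteAddress'; e = { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',' } }
```

Two practical notes. First, this only protects workstations; servers need the same treatment with their own, usually longer, allow lists. Second, if users legitimately RDP to their own workstation over VPN, add the VPN address pool to an RDP allow rule rather than re-enabling the built-in group, which allows the whole network.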
6. Rapidly detect and contain incidents before they escalate
Earlier well-known ransomware attacks such as WannaCry and NotPetya used worm-like functionality to spread rapidly, leaving minimal time for defenders to detect and respond. The attackers behind human-operated ransomware, by contrast, typically spend weeks or months expanding their access to the victim's network to ensure maximum impact when the ransomware is finally deployed. This gives defenders many opportunities to act, but only if the attacker's techniques are detected and the attacker is effectively contained. We see many organisations either failing to detect these common TTPs, or dismissing a commodity malware infection such as TrickBot or Emotet as low-risk when it is frequently the precursor to a hands-on-keyboard intrusion, both with significant consequences. Use technical threat intelligence to ensure that common TTPs can be effectively detected, and have the right processes in place to ensure that alerts are rapidly and effectively responded to.
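Two detections for the lateral movement TTPs the article lists (PsExec and Cobalt Strike-style remote service installs, and one account authenticating to many hosts over the network or RDP), as an added example that is not part of the PwC article or whitepaper. The sample events are constructed for the example: a helpdesk user making one RDP connection, a domain admin account authenticating from a workstation to six hosts in five minutes, and four service installs of which three use launch patterns associated with attack tooling and one is a legitimate deployment agent. The host names, accounts and addresses are invented; the Get-WinEvent section at the end shows how to feed real 4624 and 7045 events into the same functions.

```powershell
# Added example (not from the PwC whitepaper): two detections for well-known lateral movement
# TTPs, run first against constructed sample events and then against real logs.

$t0 = [datetime]'2021-03-10T02:00:00'

# Security 4624 logons, constructed. LogonType 3 = network (SMB, WMI, PsExec), 10 = RDP.
$sampleLogons = @(
    [pscustomobject]@{ Time = $t0.AddMinutes(1);  Account = 'CORP\jsmith';    LogonType = 10; Source = '10.20.1.15'; Target = 'WS-0007' }   # one RDP session: normal
    [pscustomobject]@{ Time = $t0.AddMinutes(12); Account = 'CORP\da-backup'; LogonType = 3;  Source = '10.20.1.55'; Target = 'WS-0142' }   # a domain admin account, from a
    [pscustomobject]@{ Time = $t0.AddMinutes(13); Account = 'CORP\da-backup'; LogonType = 3;  Source = '10.20.1.55'; Target = 'WS-0143' }   # workstation IP, fanning out
    [pscustomobject]@{ Time = $t0.AddMinutes(14); Account = 'CORP\da-backup'; LogonType = 3;  Source = '10.20.1.55'; Target = 'FS-01'   }
    [pscustomobject]@{ Time = $t0.AddMinutes(15); Account = 'CORP\da-backup'; LogonType = 3;  Source = '10.20.1.55'; Target = 'WS-0150' }
    [pscustomobject]@{ Time = $t0.AddMinutes(16); Account = 'CORP\da-backup'; LogonType = 3;  Source = '10.20.1.55'; Target = 'WS-0211' }
    [pscustomobject]@{ Time = $t0.AddMinutes(17); Account = 'CORP\da-backup'; LogonType = 3;  Source = '10.20.1.55'; Target = 'WS-0212' }
)

# System 7045 "service installed" events, constructed. The base64 blob is a placeholder.
$sampleServiceInstalls = @(
    [pscustomobject]@{ Time = $t0.AddMinutes(13); Host = 'WS-0142'; ServiceName = 'PSEXESVC'; ImagePath = '%SystemRoot%\PSEXESVC.exe' }
    [pscustomobject]@{ Time = $t0.AddMinutes(14); Host = 'WS-0143'; ServiceName = 'e4f9a1c';  ImagePath = '\\127.0.0.1\ADMIN$\e4f9a1c.exe' }
    [pscustomobject]@{ Time = $t0.AddMinutes(15); Host = 'FS-01';   ServiceName = 'Updater';  ImagePath = '%COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAC4ALgAuAA==' }
    [pscustomobject]@{ Time = $t0.AddMinutes(40); Host = 'WS-0007'; ServiceName = 'ccmsetup'; ImagePath = '"C:\Windows\ccmsetup\ccmsetup.exe"' }   # benign deployment agent
)

function Find-LogonFanOut {
    # One account reaching many distinct hosts in a short window. psexec, WMI and RDP
    # lateral movement all leave type 3 or type 10 logons behind, whatever tool was used.
    param([object[]]$Logons, [int]$HostThreshold = 5, [int]$WindowMinutes = 30)
    foreach ($acct in ($Logons | Where-Object { $_.LogonType -in @(3, 10) } | Group-Object Account)) {
        $events = @($acct.Group | Sort-Object Time)
        for ($i = 0; $i -lt $events.Count; $i++) {
            $windowStart = $events[$i].Time
            $windowEnd   = $windowStart.AddMinutes($WindowMinutes)
            $targets = @($events | Where-Object { $_.Time -ge $windowStart -and $_.Time -le $windowEnd } |
                         Select-Object -ExpandProperty Target -Unique)
            if ($targets.Count -ge $HostThreshold) {
                [pscustomobject]@{ Rule = 'LogonFanOut'; Account = $acct.Name; Source = $events[$i].Source
                                   Start = $windowStart; Hosts = $targets.Count; Targets = ($targets -join ',') }
                break   # one alert per account is enough to start triage
            }
        }
    }
}

function Find-SuspiciousServiceInstalls {
    # Remote service creation is how PsExec and Cobalt Strike's psexec variants execute on a
    # target. Legitimate deployment tools also install services, so match on how the binary
    # is launched rather than on the event alone.
    param([object[]]$ServiceInstalls)
    $indicators = @(
        @{ Rule = 'PsExec service';                    Pattern = '(?i)PSEXESVC' }
        @{ Rule = 'Service binary on ADMIN$ share';    Pattern = '(?i)^\\\\[^\\]+\\ADMIN\$\\' }
        @{ Rule = 'Hidden or encoded PowerShell';      Pattern = '(?i)powershell.*?(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,})' }
        @{ Rule = 'Named pipe in service command';     Pattern = '(?i)\\\\\.\\pipe\\' }
    )
    foreach ($ev in $ServiceInstalls) {
        foreach ($ind in $indicators) {
            if ($ev.ImagePath -match $ind.Pattern) {
                [pscustomobject]@{ Rule = $ind.Rule; Host = $ev.Host; Time = $ev.Time; Service = $ev.ServiceName; ImagePath = $ev.ImagePath }
            }
        }
    }
}

@(Find-LogonFanOut -Logons $sampleLogons) + @(Find-SuspiciousServiceInstalls -ServiceInstalls $sampleServiceInstalls) |
    Format-Table -AutoSize

# Against real logs: parse EventData from 4624 / 7045 into the same shape. Fan-out is only
# visible where logons from many hosts are collected together (Windows Event Forwarding or
# a SIEM); on a single host, Target is always that host.
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $data
}
$liveLogons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue |
    ForEach-Object { $d = ConvertFrom-EventData $_
        [pscustomobject]@{ Time = $_.TimeCreated; Account = "$($d.TargetDomainName)\$($d.TargetUserName)"; LogonType = [int]$d.LogonType; Source = $d.IpAddress; Target = $_.MachineName } }
$liveServices = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue |
    ForEach-Object { $d = ConvertFrom-EventData $_
        [pscustomobject]@{ Time = $_.TimeCreated; Host = $_.MachineName; ServiceName = $d.ServiceName; ImagePath = $d.ImagePath } }
```

The two rules are deliberately tool-agnostic: the fan-out rule fires on the behaviour (one identity touching many hosts quickly) rather than on any one tool's artefacts, and the service rule keys on launch patterns rather than service names, since names are trivially changed. Tune the threshold and window against a baseline of your own administrators' activity, and route both alerts to a process that isolates the source host rather than just closing a ticket.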
For more information, download our whitepaper "Responding to the growing threat of human-operated ransomware attacks" or get in touch with us.
