• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

CitrixBleed 2: The nightmare that echoes the 'CitrixBleed' flaw in Citrix NetScaler devices

 | 

Hackers deploy fake SonicWall VPN App to steal corporate credentials

 | 

Mainline Health Systems data breach impacted over 100,000 individuals

 | 

Disrupting the operations of cryptocurrency mining botnets

 | 

Prometei botnet activity has surged since March 2025

 | 

The U.S. House banned WhatsApp on government devices due to security concerns

 | 

Russia-linked APT28 use Signal chats to target Ukraine official with malware

 | 

China-linked APT Salt Typhoon targets Canadian Telecom companies

 | 

U.S. warns of incoming cyber threats following Iran airstrikes

 | 

McLaren Health Care data breach impacted over 743,000 people

 | 

American steel giant Nucor confirms data breach in May attack

 | 

The financial impact of Marks & Spencer and Co-op cyberattacks could reach £440M

 | 

Iran-Linked Threat Actors Cyber Fattah Leak Visitors and Athletes' Data from Saudi Games

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 50

 | 

Security Affairs newsletter Round 529 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Iran confirmed it shut down internet to protect the country against cyberattacks

 | 

Godfather Android trojan uses virtualization to hijack banking and crypto apps

 | 

Cloudflare blocked record-breaking 7.3 Tbps DDoS attack against a hosting provider

 | 

Linux flaws chain allows Root access across major distributions

 | 

A ransomware attack pushed the German napkin firm Fasana into insolvency

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Cyber Crime
  • Hacking
  • Malware
  • Microsoft warns of Human-Operated Ransomware as a growing threat to businesses

Microsoft warns of Human-Operated Ransomware as a growing threat to businesses

Pierluigi Paganini March 10, 2020

Microsoft is warning of human-operated ransomware, this kind of attack against businesses is becoming popular in the cybercrime ecosystem.

Human-operated ransomware is a technique usually employed in nation-state attacks that is becoming very popular in the cybercrime ecosystem.

In human-operated ransomware attack scenario, attackers use stolen credentials, exploit misconfiguration and vulnerabilities to access target networks, attempt to escalate privileges and move laterally, and deliver malware and exfiltrate data.

“Human-operated ransomware campaigns pose a significant and growing threat to businesses and represent one of the most impactful trends in cyberattacks today. In these hands-on-keyboard attacks, which are different from auto-spreading ransomware like WannaCry or NotPetya, adversaries employ credential theft and lateral movement methods traditionally associated with targeted attacks like those from nation-state actors.” reads the post published by Microsoft. “They exhibit extensive knowledge of systems administration and common network security misconfigurations, perform thorough reconnaissance, and adapt to what they discover in a compromised network.”

Most infamous human-operated ransomware campaigns include Sodinokibi, Samas, Bitpaymer, and Ryuk.

Microsoft experts found similarities in the modus operandi of three threat actors specialized in human-operated ransomware attacks.

The first group, tracked as PARINACOTA, has been monitored by Microsoft for 18 months. The threat actor is hitting three to four organizations each week, it appears well resourced and demonstrated to be able to quickly change the configuration of the compromised network depending on the specific target.

“The group’s goals and payloads have shifted over time, influenced by the type of compromised infrastructure, but in recent months, they have mostly deployed the Wadhrama ransomware.” continues the report.

“The group most often employs a smash-and-grab method, whereby they attempt to infiltrate a machine in a network and proceed with subsequent ransom in less than an hour. There are outlier campaigns in which they attempt reconnaissance and lateral movement, typically when they land on a machine and network that allows them to quickly and easily move throughout the environment.”

Experts noticed that the group used different payloads for each attack, the most frequent one was the Wadhrama ransomware.

The threat actors targets servers that have Remote Desktop Protocol (RDP) exposed to the internet, then use brute force attacks for lateral movements

Attackers leverage stolen credentials, attempt to dump credentials and disable security solutions, then download tools to gather intelligence and make lateral movements.

Human-operated ransomware

The second human-operated ransomware family is Doppelpaymer that in recent months targeted enterprise environments through social engineering.

Once encrypted files with the ransomware, threat actors were also infected by banking Trojans like Dridex trojan, a circumstance that suggests this malware was used as the initial attack vector. However, In other cases, Doppelpaymer operators penetrated target networks using RDP brute force attempts.

“The use of numerous attack methods reflects how attackers freely operate without disruption – even when available endpoint detection and response (EDR) and endpoint protection platform (EPP) sensors already detect their activities. In many cases, some machines run without standard safeguards, like security updates and cloud-delivered antivirus protection.” continues Microsoft. “There is also the lack of credential hygiene, over-privileged accounts, predictable local administrator and RDP passwords, and unattended EDR alerts for suspicious activities.”

The third family is the Ryuk human-operated ransomware one that leverages banking Trojan like Trickbot to hit its targets.

The Ryuk operators use Cobalt Strike tool and PowerShell Empire for lateral movement.

Microsoft experts pointed out that attackers maintain access to the compromised networks even if the victims have paid the ransom.

“Removing the ability of attackers to move laterally from one machine to another in a network would make the impact of human-operated ransomware attacks less devastating and make the network more resilient against all kinds of cyberattacks. The top recommendations for mitigating ransomware and other human-operated campaigns are to practice credential hygiene and stop unnecessary communication between endpoints.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Human-operated ransomare)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

Cybercrime Hacking hacking news human operated ransomware malware Pierluigi Paganini Security Affairs Security News

you might also like

Pierluigi Paganini June 26, 2025
CitrixBleed 2: The nightmare that echoes the 'CitrixBleed' flaw in Citrix NetScaler devices
Read more
Pierluigi Paganini June 25, 2025
Hackers deploy fake SonicWall VPN App to steal corporate credentials
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    CitrixBleed 2: The nightmare that echoes the 'CitrixBleed' flaw in Citrix NetScaler devices

    Hacking / June 26, 2025

    Hackers deploy fake SonicWall VPN App to steal corporate credentials

    Hacking / June 25, 2025

    Mainline Health Systems data breach impacted over 100,000 individuals

    Data Breach / June 25, 2025

    Disrupting the operations of cryptocurrency mining botnets

    Malware / June 25, 2025

    Prometei botnet activity has surged since March 2025

    Cyber Crime / June 25, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT