Human-operated ransomware poses a much greater threat to African businesses – Intelligent CIO Africa

As Armand Kruger of NEC XON explains, the difference between human-led ransomware attacks and automated attacks is the direct involvement of skilled cybercriminals. Unlike automated attacks, which rely on pre-set instructions, humans can adjust their tactics on the fly.

Everyone has heard of ransomware attacks. Now, human-operated ransomware has become a particularly insidious and sophisticated threat. Unlike automated ransomware attacks, which often rely on unstructured mass-delivery methods like phishing emails, human-operated ransomware is characterized by a methodical and strategic approach.

The number of human-launched ransomware attacks increased by more than 200% between September 2022 and October 2023, according to Microsoft researchers, and it could signal a shift in the cybercrime underground.

If the statistics don’t convince you of the seriousness of the human-operated ransomware threat, just talk to Medibank, where 9.7 million customer records were stolen by a human attacker who infiltrated its systems. To give businesses insight into how to protect themselves against this growing threat, let’s look at the differences, dangers, and defensive strategies associated with human-operated ransomware.

Human-led ransomware attacks begin long before the ransomware is released, as operators infiltrate a company’s network and gain a foothold. This can involve harvesting compromised credentials through phishing campaigns or exploiting third-party data breaches. Attackers often target internet-facing authentication systems, such as VPNs, which often do not support multi-factor authentication.

The difference between human-operated ransomware and automated attacks is the direct involvement of skilled cybercriminals. Unlike automated attacks, which rely on pre-set instructions, human operators can adjust their tactics on the fly, responding to defensive measures taken by the target.

They have a deep understanding of IT environments and use that knowledge to maximize their impact. They plan ahead, exercise patience, mine corporate IT resources to gain as much control as possible, and adapt to real-time detections, making them much more disruptive and difficult to neutralize.

Attackers typically spend weeks or even months in a network, conducting reconnaissance and preparing for the final, devastating ransomware deployment. This expanded presence allows them to identify and exploit critical vulnerabilities, making it harder for companies to detect and eliminate the threat before significant damage is done.

To defend against human-operated ransomware, companies must take a proactive approach by constantly monitoring for signs of compromise. This means taking on the role of the threat actor and rigorously examining their own systems for vulnerabilities.

Early signs of a human-initiated ransomware attack may include:

  • Unusual login patterns
  • Unauthorized access attempts
  • Unexplained changes in system configurations

One of the most effective early warning signs is the detection of compromised credentials. If it turns out that credentials have been compromised, immediate action should be taken to change passwords and restrict further access. Minimizing the number of systems facing the Internet can also limit the options for attackers, making it more difficult for them to exploit compromised credentials.
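As an added illustration (not code from the article or from NEC XON), the following script applies the early warning signs listed above to constructed VPN authentication log lines: it flags a successful login that follows a burst of failures, a login from a source address the account has never used before, and a login outside business hours. The log format, the business-hours window and the failure threshold are assumptions for the example.

```python
# Added example: detect the article's early warning signs (unusual login
# patterns, unauthorized access attempts) in constructed VPN auth log lines.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in an assumed "timestamp user result source_ip" format.
VPN_LOG = """\
2024-03-04T09:12:01 alice success 203.0.113.10
2024-03-04T09:30:44 bob success 198.51.100.7
2024-03-05T08:55:10 alice success 203.0.113.10
2024-03-06T02:14:02 bob failure 192.0.2.55
2024-03-06T02:14:09 bob failure 192.0.2.55
2024-03-06T02:14:15 bob failure 192.0.2.55
2024-03-06T02:14:30 bob success 192.0.2.55
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (success|failure) (\S+)$")
BUSINESS_HOURS = range(7, 20)   # assumption: 07:00-19:59 local time is normal
FAIL_THRESHOLD = 3              # assumption: 3+ failures then success is suspicious

def parse(log):
    """Parse log lines into (timestamp, user, result, ip) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, result, ip = m.groups()
            events.append((datetime.fromisoformat(ts), user, result, ip))
    return events

def find_signals(log):
    """Return (timestamp, user, reason) for each event matching a warning sign."""
    seen_ips = defaultdict(set)     # per-user source IPs seen on successful logins
    recent_fails = defaultdict(int)  # consecutive failures per user since last success
    findings = []
    for ts, user, result, ip in parse(log):
        if result == "failure":
            recent_fails[user] += 1
            continue
        if recent_fails[user] >= FAIL_THRESHOLD:
            findings.append((ts, user, f"success after {recent_fails[user]} failures from {ip}"))
        recent_fails[user] = 0
        if seen_ips[user] and ip not in seen_ips[user]:
            findings.append((ts, user, f"first login from new source {ip}"))
        if ts.hour not in BUSINESS_HOURS:
            findings.append((ts, user, f"login outside business hours at {ts.time()}"))
        seen_ips[user].add(ip)
    return findings
```

On the sample data only bob's 02:14:30 login trips all three checks, which is the kind of event that should trigger an immediate credential reset and review of the account's access.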

Specialist partners can help customers defend against human-initiated ransomware attacks by combining prediction, prevention, detection, and forceful response:

  • Threat prediction: regular reconnaissance to identify potential threats.
  • Preventive measures: implementing strict access controls and minimizing the number of exposed systems.
  • Detection systems: implementing advanced monitoring tools for early detection of unusual activities.
  • Understanding adversary tactics: training a team to recognize and neutralize complex threats.

Companies must respond quickly and decisively, even brutally, to any signs of human-operated ransomware activity. This includes isolating and neutralizing suspicious or compromised accounts, often by repeatedly disabling and changing credentials to disrupt attacker access. By removing attacker tools and access, companies can effectively starve ransomware of oxygen.

Employee awareness and training play a key role in mitigating the risk of human-operated ransomware. Attackers often start with unauthorized access, followed by situational awareness and lateral movement across the network. By educating employees on how to recognize phishing attempts and suspicious activity, companies can reduce the risk of an initial breach.

Human-directed ransomware attackers exploit a variety of vulnerabilities, including weak passwords, lack of multi-factor authentication, and unpatched systems. Businesses can combat them by implementing solid security practices, including regular software updates, strong password policies, and comprehensive access controls.

For companies that have been compromised by a human-initiated ransomware attack where the ransomware has not yet been activated, the recovery process involves regaining control of the compromised systems and conducting a thorough investigation to identify and remediate any vulnerabilities.

This often requires a scorched earth approach, where systems may be deliberately torn down to eliminate an attacker’s foothold. Quick action, effective stakeholder communication, and rigorous crisis management strategies are essential.

Human-operated ransomware poses a huge challenge to businesses, requiring a proactive and multi-layered defense strategy. By understanding the sophisticated tactics of these attackers and implementing robust security measures, businesses can better protect themselves from the devastating impact of human-operated ransomware.

The key is constant vigilance, employee training and a quick, decisive response to any signs of intrusion.

NEC XON is an African ICT solutions integrator and part of NEC, a Japanese global company. NEC XON has been operating in Africa since 1963 and provides communication, energy, safety, security and digital solutions.

NEC XON has experience helping companies prevent human-initiated ransomware attacks through rapid response. For example, one African government agency called for assistance upon detecting an impending attack, and NEC XON was able to regain control by methodically identifying and eliminating the threat actor’s access points. This included a comprehensive search of the agency’s systems over several days, isolating and remediating every potential vulnerability.