Six ways to reduce the risk from human-operated ransomware attacks

by Gabriel Currie, Cyber Threat Advisory, Senior Manager, PwC UK

Email +44 (0)7802 658893

by Will Oram, Cyber Threat Advisory, Senior Manager, PwC UK

Email +44 (0)7730 599262

Human-operated ransomware attacks are one of the most serious cyber threats facing organisations today. In this increasingly common type of attack, skilled cyber criminals gain access to an organisation's network, move through it by hand, and deploy ransomware for maximum disruptive effect. The end goal is to extort a large ransom, in some cases as high as eight figures, in return for decrypting the victim's systems and data. These criminals are hugely successful; the FBI estimates that one group alone has made over US$61 million.

Despite these attacks being relatively new, the defences which can stop them in their tracks are not. Human-operated ransomware attackers often use well-established and well-known tools, techniques and procedures (TTPs) to achieve their objectives, and they do so because they work. These include:

  • Gaining initial access via phishing emails, vulnerabilities in internet-facing infrastructure, and insecure remote access services;
  • Using commodity malware and banking trojans (such as Qakbot, Emotet and TrickBot) to establish an initial foothold in the network; and
  • Moving laterally using common offensive security tools (e.g. Cobalt Strike and Empire) or legitimate administrative functionality (e.g. WMI, RDP and PowerShell).

Based on our understanding of the TTPs used by these attackers, and our experience preventing, detecting and responding to attacks, we have published a new whitepaper called “Responding to the growing threat of human-operated ransomware attacks”. In this article we've summarised the six areas we recommend CISOs and security professionals focus on for security improvement. You can download the full whitepaper for pragmatic, actionable recommendations on how to reduce the risk from these attacks.

1. Prevent workstations being compromised by phishing attacks

Phishing is a hugely common vector for initial infection; in 2020 the US Cybersecurity and Infrastructure Security Agency (CISA) stated that phishing accounts for 90% of all cyber security incidents. No single control stops it: combine security awareness training, email and web filtering, and workstation hardening (so that a user opening the attachment does not hand the attacker code execution) to maximise defence.

2. Remediate internet-facing vulnerabilities and reduce the attack surface

Many organisations struggle to manage their internet-facing presence, with no clear understanding of which systems and services are reachable from the internet. Attackers take advantage of this, either exploiting vulnerabilities in that infrastructure (for example BlueKeep, CVE-2019-0708, in Remote Desktop Services) or brute forcing and password spraying exposed remote access services to authenticate with legitimate credentials. Organisations should seek to understand, limit, and harden all internet-facing infrastructure in order to minimise this risk.

3. Protect privileged accounts from being compromised

Privileged accounts (e.g. local, domain or enterprise administrators) give attackers the keys to the kingdom, and are therefore a high-value target. Access to a privileged account helps an attacker overcome defences, spread across the environment, and evade detection. Privileged access must be granted as sparingly as possible, and privileged credentials must be afforded the strongest protection: strong authentication methods, and no exposure through insecure practices such as using domain administrator accounts to log on to ordinary workstations, where the credentials remain in memory for an attacker to dump. In a large enterprise, a privileged access management solution combined with Microsoft's Local Administrator Password Solution (LAPS), which gives every host a unique, regularly rotated local administrator password so that one compromised local account cannot be reused across the estate, is often the best way to achieve this.

4. Remediate common hygiene issues used by attackers to escalate privileges

Attackers commonly exploit IT hygiene issues to gain privileged access, for example by finding plaintext credentials on an open file share or cracking a weak service account password obtained through Kerberoasting. Scan network file shares (including SYSVOL, where Group Policy Preferences once stored passwords that are trivially recoverable) to identify and remove stored credentials, and ensure service accounts are managed securely with strong (ideally 32+ character) passwords, or with group Managed Service Accounts, which rotate the password automatically. For organisations using Microsoft 365, Secure Score can be a quick way to identify hygiene issues and fixes.
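The following PowerShell is an added example, not code from the whitepaper or from PwC, that hunts for the two hygiene issues just described: stored credentials on file shares, and service accounts whose passwords are old, never expire, or carry privileged group membership. It assumes a domain-joined admin workstation with the RSAT ActiveDirectory module and read access to the shares; the share paths, the list of privileged groups and the 365-day threshold are assumptions to adjust for your estate.

```powershell
# Added example (not from the whitepaper): hunts for plaintext credentials on
# shares and for risky service accounts. Share paths, privileged group names and
# the password-age threshold are assumptions to adjust.

# Patterns that commonly indicate a stored credential; tune for your estate.
$CredentialPatterns = @(
    '(pass(word|wd)?|pwd)\s*[=:]\s*\S+',   # password=... / pwd: ... in configs and scripts
    'connectionstring.*password=',        # .NET connection strings
    'net\s+use\s.*/user:',                # net use ... <pw> /user:... (a '*' means it prompted instead)
    'cpassword="'                         # Group Policy Preferences (MS14-025) XML in SYSVOL
)

function Find-PlaintextCredentials {
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [string[]] $Include = @('*.txt', '*.xml', '*.config', '*.ini', '*.ps1', '*.bat', '*.cmd', '*.vbs', '*.kdbx')
    )
    foreach ($root in $Path) {
        Get-ChildItem -Path $root -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
            ForEach-Object {
                if ($_.Extension -eq '.kdbx') {
                    # A password manager database on an open share is a finding on its own
                    [pscustomobject]@{ Path = $_.FullName; Line = 0; Match = 'KeePass database stored on share' }
                    return
                }
                Select-String -Path $_.FullName -Pattern $CredentialPatterns -ErrorAction SilentlyContinue |
                    ForEach-Object {
                        [pscustomobject]@{ Path = $_.Path; Line = $_.LineNumber; Match = $_.Line.Trim() }
                    }
            }
    }
}

function Get-RiskyServiceAccounts {
    param([int] $MaxPasswordAgeDays = 365)
    $cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)
    $privileged = 'CN=(Domain Admins|Enterprise Admins|Schema Admins|Administrators),'
    # Any enabled user with an SPN can be Kerberoasted: a domain user requests a
    # service ticket encrypted under the account's password hash and cracks it
    # offline, so the age and strength of these passwords decide how long that takes.
    Get-ADUser -Filter "ServicePrincipalName -like '*' -and Enabled -eq 'True'" `
               -Properties ServicePrincipalName, PasswordLastSet, PasswordNeverExpires, MemberOf, 'msDS-SupportedEncryptionTypes' |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName       = $_.SamAccountName
                PasswordLastSet      = $_.PasswordLastSet
                PasswordNeverExpires = $_.PasswordNeverExpires
                PrivilegedGroups     = @($_.MemberOf | Where-Object { $_ -match $privileged }) -join ';'
                # No AES bits (0x8, 0x10) set means tickets come back RC4-encrypted, which cracks far faster
                RC4Only              = -not ($_.'msDS-SupportedEncryptionTypes' -band 0x18)
                SPNs                 = $_.ServicePrincipalName -join ';'
            }
        } |
        Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff -or
                       $_.PasswordNeverExpires -or $_.PrivilegedGroups }
}

# Usage (share paths are examples; SYSVOL is where GPP cpassword values live)
Find-PlaintextCredentials -Path '\\fs01\it$', '\\dc01\SYSVOL' | Format-Table -AutoSize
Get-RiskyServiceAccounts -MaxPasswordAgeDays 365 | Format-Table -AutoSize
```

Expect noise from the share scan (documentation that mentions "password:" will match); the point is to triage the hits and delete or rotate what is real. A service account that is both a Domain Admin and RC4-only with a years-old password is exactly the target the attacker is looking for, and should be the first one rotated or moved to a gMSA.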

5. Restrict the ability of an attacker to compromise further systems

Lateral movement is key in human-operated ransomware attacks, as the criminals behind them seek to maximise the number of systems they can disrupt, increasing both the impact and the chances of the ransom being paid. Restricting opportunities for lateral movement is therefore key to minimising the potential “blast radius”. Organisations should architect networks from the beginning with appropriate segmentation, host-based firewalling (workstations rarely need to accept RDP, SMB or WMI connections from other workstations), and security for software deployment mechanisms such as Group Policy and SCCM, which attackers abuse to push ransomware to every host at once.
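As an added example of the host-based firewalling point (not code from the whitepaper), the PowerShell below first lists the Windows Firewall rules on a workstation that leave the common lateral movement ports open to any source, then tightens them so that RDP, SMB, WMI and WinRM only answer to designated admin hosts. The admin address ranges are assumptions; it should be run elevated on a test host and then rolled out through Group Policy.

```powershell
# Added example (not from the whitepaper): audit and then restrict the inbound
# rules behind the usual lateral movement paths. $AdminSources is an assumption.
$AdminSources = @('10.10.100.0/24', '10.10.101.5')   # PAW subnet and a jump host (assumed)

# Built-in inbound rule groups behind the common lateral movement techniques
$LateralMovementGroups = @(
    'Remote Desktop',                              # RDP, TCP/UDP 3389
    'File and Printer Sharing',                    # SMB 445: admin shares, PsExec-style service creation
    'Windows Management Instrumentation (WMI)',    # DCOM/RPC used by wmic and Invoke-WmiMethod
    'Windows Remote Management'                    # WinRM 5985/5986: Enter-PSSession, Invoke-Command
)

# Weak state: any enabled inbound rule in those groups that accepts traffic from 'Any'
function Get-LateralMovementExposure {
    foreach ($rule in Get-NetFirewallRule -DisplayGroup $LateralMovementGroups -Direction Inbound -Enabled True -ErrorAction SilentlyContinue) {
        $addr = $rule | Get-NetFirewallAddressFilter
        if ($addr.RemoteAddress -contains 'Any') {
            [pscustomobject]@{ Rule = $rule.DisplayName; Group = $rule.DisplayGroup; RemoteAddress = 'Any' }
        }
    }
}

# Corrected state: default-deny inbound on every profile, and scope those groups to the
# admin sources. Windows Firewall applies block rules ahead of allow rules, so the right
# move is to keep default-deny and narrow the allows, not to add a block rule that would
# also cut off the admin hosts.
function Set-LateralMovementRules {
    param([Parameter(Mandatory)] [string[]] $AllowedSources)
    Set-NetFirewallProfile -All -DefaultInboundAction Block
    Get-NetFirewallRule -DisplayGroup $LateralMovementGroups -Direction Inbound -ErrorAction SilentlyContinue |
        Set-NetFirewallRule -RemoteAddress $AllowedSources
    # Any other allow rule on these ports (an application-installed rule on 445 is a common
    # surprise) still lets traffic in, so return those for review
    $ports = '135', '445', '3389', '5985', '5986'
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { $_.DisplayGroup -notin $LateralMovementGroups } |
        Where-Object {
            $local  = @(($_ | Get-NetFirewallPortFilter).LocalPort)
            $remote = @(($_ | Get-NetFirewallAddressFilter).RemoteAddress)
            ($local | Where-Object { $_ -in $ports }) -and ($remote -contains 'Any')
        } |
        Select-Object DisplayName, DisplayGroup
}

Get-LateralMovementExposure | Format-Table -AutoSize       # before
Set-LateralMovementRules -AllowedSources $AdminSources     # fix; returns leftover wide-open rules
```

The same scoping belongs on servers for the management ports they do not serve to users, and the admin source list should be the jump hosts or privileged access workstations from section 3, so that an attacker on a user's workstation has no route to the next host even with a stolen credential.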

6. Rapidly detect and contain incidents before they escalate

Previous well-known ransomware attacks such as WannaCry and NotPetya used worm-like functionality to spread rapidly, leaving minimal time for defenders to detect and respond. The attackers behind human-operated ransomware, by contrast, often spend weeks or months expanding their access to victim networks to ensure maximum impact when ransomware is deployed. This provides many opportunities for defenders to take action, but only if the attacker's techniques are detected and the attacker is then effectively contained. We see many organisations either failing to detect these common TTPs, or dismissing a commodity malware infection (Emotet or TrickBot, say) as low-risk when it is the first stage of a hands-on intrusion, both with significant consequences. Use technical threat intelligence to ensure that common TTPs can be effectively detected, and have the proper processes in place to ensure that alerts are rapidly and effectively responded to.
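To make the detection point concrete, the following PowerShell is an added example (not code from the whitepaper) of a minimal detector for three of the TTPs the article names: PsExec or Cobalt Strike-style remote service creation, encoded PowerShell launched as a service, and a network logon from one workstation to another. It runs over constructed sample events, and the host names, the "WKS-" naming convention and the event property positions used in ConvertFrom-WinEvent are assumptions to adapt.

```powershell
# Added example (not from the whitepaper): detection logic for remote service
# creation (System 7045) and workstation-to-workstation logons (Security 4624),
# run over constructed sample events. Names and conventions are assumptions.

# Constructed sample events in the flat shape the detector expects
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2021-03-02T09:14:03'; Id = 7045; Computer = 'WKS-0142'
                       ServiceName = 'PSEXESVC'; ImagePath = '%SystemRoot%\PSEXESVC.exe'; Account = 'LocalSystem' }
    [pscustomobject]@{ TimeCreated = [datetime]'2021-03-02T09:15:40'; Id = 7045; Computer = 'WKS-0142'
                       ServiceName = 'a1b2c3d4'; Account = 'LocalSystem'
                       ImagePath = '%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -encodedcommand SQBFAFgAIAAoAE4A' }
    [pscustomobject]@{ TimeCreated = [datetime]'2021-03-02T09:20:11'; Id = 7045; Computer = 'WKS-0142'
                       ServiceName = 'Sense'; ImagePath = '"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"'; Account = 'LocalSystem' }
    [pscustomobject]@{ TimeCreated = [datetime]'2021-03-02T09:31:55'; Id = 4624; Computer = 'WKS-0201'
                       TargetUser = 'svc_backup'; LogonType = 3; WorkstationName = 'WKS-0142'; IpAddress = '10.20.4.142' }
    [pscustomobject]@{ TimeCreated = [datetime]'2021-03-02T09:40:02'; Id = 4624; Computer = 'WKS-0201'
                       TargetUser = 'j.smith'; LogonType = 10; WorkstationName = 'JUMP-01'; IpAddress = '10.10.101.5' }
)

# Rules applied to service installation events; each gets the flat event object
$ServiceRules = @(
    @{ Name = 'PsExec-style remote service';    Test = { param($e) $e.ServiceName -match '^PSEXE' -or $e.ImagePath -match 'PSEXESVC' } }
    @{ Name = 'Service binary is cmd/PowerShell'; Test = { param($e) $e.ImagePath -match '%COMSPEC%|\bcmd(\.exe)?\b|\bpowershell(\.exe)?\b|\bpwsh(\.exe)?\b' } }
    @{ Name = 'Encoded or hidden PowerShell';   Test = { param($e) $e.ImagePath -match '\s-(e|ec|enc|encodedcommand)\s|-w(indowstyle)?\s+hidden|\s-nop\b' } }
)

function Find-LateralMovement {
    param(
        [Parameter(ValueFromPipeline)] $Event,
        [string] $WorkstationPattern = '^WKS-'     # naming convention (assumed)
    )
    process {
        $hits = @()
        $detail = ''
        if ($Event.Id -eq 7045) {
            foreach ($rule in $ServiceRules) {
                if (& $rule.Test $Event) { $hits += $rule.Name }
            }
            $detail = "$($Event.ServiceName): $($Event.ImagePath)"
        }
        # Users have no reason to log on from one workstation to another, and admins
        # should come from jump hosts or PAWs, so this is a cheap indicator.
        # Machine accounts (ending in $) are excluded.
        elseif ($Event.Id -eq 4624 -and $Event.LogonType -in @(3, 10) -and
                $Event.TargetUser -notmatch '\$$' -and
                $Event.Computer -match $WorkstationPattern -and
                $Event.WorkstationName -match $WorkstationPattern) {
            $hits += 'Workstation-to-workstation logon'
            $detail = "$($Event.TargetUser) from $($Event.WorkstationName) ($($Event.IpAddress)), type $($Event.LogonType)"
        }
        if ($hits.Count -gt 0) {
            [pscustomobject]@{ Time = $Event.TimeCreated; Host = $Event.Computer; EventId = $Event.Id
                               Rules = $hits -join '; '; Detail = $detail }
        }
    }
}

# Converts raw Get-WinEvent records into the flat shape above. Property positions
# follow the 7045 and 4624 event templates (assumed unchanged on your build).
function ConvertFrom-WinEvent {
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $p = $Event.Properties
        switch ($Event.Id) {
            7045 { [pscustomobject]@{ TimeCreated = $Event.TimeCreated; Id = 7045; Computer = $Event.MachineName
                                      ServiceName = $p[0].Value; ImagePath = $p[1].Value; Account = $p[4].Value } }
            4624 { [pscustomobject]@{ TimeCreated = $Event.TimeCreated; Id = 4624; Computer = $Event.MachineName
                                      TargetUser = $p[5].Value; LogonType = [int]$p[8].Value
                                      WorkstationName = $p[11].Value; IpAddress = $p[18].Value } }
        }
    }
}

# Run over the constructed sample
$SampleEvents | Find-LateralMovement | Format-Table -AutoSize

# On a live host (both logs need admin rights to read):
# Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 }   | ConvertFrom-WinEvent | Find-LateralMovement
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } | ConvertFrom-WinEvent | Find-LateralMovement
```

The sample is constructed so that the benign Defender service installation and the logon from the jump host fall through, while the PsExec service, the encoded PowerShell service and the service account logging on from one workstation to another are raised. On a real estate this logic belongs in the SIEM or EDR rather than a script, but the rules themselves are the same, and the workstation-to-workstation logon rule in particular depends on having a naming convention or asset inventory that tells workstations from servers and jump hosts.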

For more information, download our whitepaper “Responding to the growing threat of human-operated ransomware attacks” or get in touch with us.

