{"id":124506,"date":"2022-11-03T09:00:00","date_gmt":"2022-11-03T16:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=124506"},"modified":"2023-10-13T07:11:20","modified_gmt":"2023-10-13T14:11:20","slug":"stopping-c2-communications-in-human-operated-ransomware-through-network-protection","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/11\/03\/stopping-c2-communications-in-human-operated-ransomware-through-network-protection\/","title":{"rendered":"Stopping C2 communications in human-operated ransomware through network protection"},"content":{"rendered":"\n
Command-and-control (C2) servers are an essential part of ransomware, commodity, and nation-state attacks. They are used to control infected devices and perform malicious activities like downloading and launching payloads, controlling botnets, or commanding post-exploitation penetration frameworks to breach an organization as part of a ransomware attack. Blocking these communications can mitigate attacks, sometimes before they\u2019re even started.
For example, one of the most impactful cyberattack trends today is human-operated ransomware attacks, which succeed through a combination of components, including leveraging C2 infrastructure. To gain initial access, human-operated ransomware attacks are often delivered via spear-phishing with malicious attachments that, once launched by the target, typically reach out to a C2 server to download instructions and run payloads. These payloads persist on the device and periodically reach out to a (usually) separate set of C2s, awaiting instructions and takeover by a human operator as part of ransomware-as-a-service. After the hands-on-keyboard transition, remote C2s are commonly used to control post-exploitation frameworks to initiate reconnaissance, elevate privileges, and move laterally within the network to achieve data exfiltration and mass file encryption.