{"id":97473,"date":"2021-09-20T10:00:49","date_gmt":"2021-09-20T17:00:49","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=97473"},"modified":"2023-08-10T14:46:22","modified_gmt":"2023-08-10T21:46:22","slug":"a-guide-to-combatting-human-operated-ransomware-part-1","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/09\/20\/a-guide-to-combatting-human-operated-ransomware-part-1\/","title":{"rendered":"A guide to combatting human-operated ransomware: Part 1"},"content":{"rendered":"

This blog is part one of a two-part series focused on how Microsoft DART helps customers with human-operated ransomware. For more guidance on human-operated ransomware and how to defend against these extortion-based attacks, refer to our human-operated ransomware docs page.

Microsoft’s Detection and Response Team (DART) has helped customers of all sizes, across many industries and regions, investigate and remediate human-operated ransomware for over five years. This blog aims to explain the process and execution used in our customer engagements to provide perspective on the unique issues and challenges regarding human-operated ransomware. We will also discuss how DART leverages Microsoft solutions such as Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Microsoft Cloud App Security (MCAS) within customer environments while collaborating with cross-functional threat intelligence teams across Microsoft who similarly track human-operated ransomware activities and behaviors.

Human-operated ransomware is not a malicious software problem; it’s a human criminal problem. The solutions used to address commodity malware aren’t enough to prevent a threat that more closely resembles a nation-state threat actor. These operators disable or uninstall your antivirus software before encrypting files. They locate and corrupt or delete backups before sending a ransom demand. These actions are commonly carried out with legitimate programs that you might already have in your environment and that are not themselves considered malicious. In criminal hands, these tools are used maliciously to carry out attacks.

Responding to the increasing threat of ransomware requires a combination of modern enterprise configuration, up-to-date security products, and the vigilance of trained security staff to detect and respond to the threats before data is lost.

Key steps in DART’s approach to conducting ransomware incident investigations

To maximize DART’s efforts to restore business continuity while simultaneously analyzing the details of the incident, a careful and thorough investigation is coordinated with remediation measures to ensure that the root cause is determined. These efforts take place as we assist and advise customers with the task of getting the organization up and running again in a secure manner.

Every effort is made to determine how the adversary gained access to the customer’s assets so that vulnerabilities can be remediated. Otherwise, it is highly likely that the same type of attack will take place again in the future. In some cases, the threat actor takes steps to “cover their tracks” and destroy evidence, so it is possible that the entire chain of events may not be evident.

The following are three key steps in our ransomware investigations:

Figure 1. Key steps in DART’s ransomware investigations.

1. Assess the current situation

This step is critical to understanding the scope of the incident, determining the best people to assist, and planning and scoping the investigation and remediation tasks. Asking these initial questions is crucial in helping us determine the situation being dealt with:

What initially made you aware of the ransomware attack?

If the initial threat was identified by IT staff (for example, by noticing backups being deleted, an antivirus (AV) alert, an endpoint detection and response (EDR) alert, or suspicious system changes), it is often possible to take quick, decisive measures to thwart the attack, typically by disabling all inbound and outbound internet communication. This may temporarily affect business operations, but that would typically be much less impactful than an adversary deploying ransomware.

If the threat was identified by a user call to the IT helpdesk, there may be enough advance warning to take defensive measures to prevent or minimize the effects of the attack. If the threat was identified by an external entity (like law enforcement or a financial institution), it is likely that the damage is already done, and you will see evidence in your environment that the threat actor has already gained administrative control of your network. This evidence can include ransom notes, locked screens, or ransom demands.

What date/time did you first learn of the incident?

Establishing the initial activity date and time is important because it helps narrow the scope of the initial triage for “quick wins.” Additional questions may include: