{"id":97524,"date":"2021-09-27T10:00:13","date_gmt":"2021-09-27T17:00:13","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=97524"},"modified":"2023-08-10T14:47:18","modified_gmt":"2023-08-10T21:47:18","slug":"a-guide-to-combatting-human-operated-ransomware-part-2","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/09\/27\/a-guide-to-combatting-human-operated-ransomware-part-2\/","title":{"rendered":"A guide to combatting human-operated ransomware: Part 2"},"content":{"rendered":"<p><em>This blog is part two of a two-part series focused on how Microsoft DART helps customers with human-operated ransomware. For more guidance on human-operated ransomware and how to defend against these extortion-based attacks, refer to our <a href=\"https:\/\/aka.ms\/ransomware\" target=\"_blank\" rel=\"noopener\">human-operated ransomware docs page<\/a>.<\/em><\/p>\n<p>In <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/09\/20\/a-guide-to-combatting-human-operated-ransomware-part-1\/\" target=\"_blank\" rel=\"noopener\">part one<\/a> of this blog series, we described the process and execution used in our customer engagements to provide perspective on the unique issues and challenges regarding human-operated ransomware. We also explained how Microsoft\u2019s Detection and Response Team (DART) leverages Microsoft solutions to help combat this threat. In this post, we will tackle the risks of human-operated ransomware and detail DART\u2019s security recommendations for tactical containment actions and post-incident activities in the event of an attack.<\/p>\n<h2>Understanding the risks of human-operated ransomware<\/h2>\n<p>Beyond the immediate threat of file encryption, there are several additional risks associated with human-operated ransomware events, some of which may be observed well after an investigation and the removal of the threat from the network. These risks include:<\/p>\n<h3>1. Disruption of business operations<\/h3>\n<p>Immediate actions need to be taken to reduce the blast radius of a ransomware event. In these cases, disabling portions of the network may feel like a self-inflicted denial of service, but they are necessary to counter the ransomware spread. The resulting business disruption may become public. If any affected systems are public-facing, it may require crisis communications.<\/p>\n<h3>2. Data theft<\/h3>\n<p>Most attackers are highly motivated to monetize their access to your network. In several cases investigated by DART, an attacker has performed reconnaissance for sensitive files (like contracts, financial documents, and internal communications), copied this data, and exfiltrated it before any ransomware was dropped. Taking this information before ransomware is deployed allows the attacker to have data to sell, leak, or simply show as proof that the attacker has had access to sensitive files.<\/p>\n<h3>3. Extortion<\/h3>\n<p>Data theft by ransomware operators opens an organization to extortion. It is not uncommon for threat actors to demand payment to prevent the leak of stolen data. These threats are typically sent via email with sample stolen documents attached as proof of possession. In some cases where DART has observed this activity, a threat actor accessed a cloud-based email account that was not protected by <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/identity-access-management\/mfa-multi-factor-authentication\/?&amp;ef_id=Cj0KCQjwkIGKBhCxARIsAINMioKehnOAgRRbPeOcI9bORrUwgb7LkrGi142e1zwjuplDaiZWnLJSnm0aAnbQEALw_wcB:G:s&amp;OCID=AID2200938_SEM_Cj0KCQjwkIGKBhCxARIsAINMioKehnOAgRRbPeOcI9bORrUwgb7LkrGi142e1zwjuplDaiZWnLJSnm0aAnbQEALw_wcB:G:s&amp;gclid=Cj0KCQjwkIGKBhCxARIsAINMioKehnOAgRRbPeOcI9bORrUwgb7LkrGi142e1zwjuplDaiZWnLJSnm0aAnbQEALw_wcB\" target=\"_blank\" rel=\"noopener\">multifactor authentication<\/a> (MFA) and sent threatening emails to the board of directors. The threat of extortion is still high, even when the threat actors are unsuccessful at deploying ransomware.<\/p>\n<p>At DART, we often get asked, \u201cCan you tell us which data was stolen?\u201d To prove this requires concrete evidence, which would be either:<\/p>\n<ul>\n<li>A network capture that shows the actual data leaving the network (which rarely exists).<\/li>\n<\/ul>\n<p style=\"padding-left: 40px;\">Or<\/p>\n<ul>\n<li>Finding the data outside the organization\u2019s network, typically on a public file-sharing site. A log file showing \u2018x\u2019 bytes were transferred does not prove what data was stolen, and a command line history or event log showing a file archiving utility was run does not prove that data was stolen.<\/li>\n<\/ul>\n<h3>4. Follow-on attacks<\/h3>\n<p>To further their monetization efforts, attackers are also often observed deploying coin miners in compromised networks. This is a low-effort method to generate additional income from a victim organization when data theft or extortion are insufficient for the attacker. Depending on the attacker\u2019s motivation, additional malware may be deployed that would allow other criminals to gain access to the environment. This access is monetized, and the sale of compromised network access is common in most human-operated ransomware cases, performed after the primary attacker has obtained what they initially sought.<\/p>\n<h3>5. Reputational damage<\/h3>\n<p>The risk of brand damage reputation is difficult to assess in the aftermath of a human-operated ransomware event. The reputation of an organization\u2019s brand may include lost customer and shareholder trust and loyalty, as well as current and future business. The risk of brand damage reputation is difficult to assess in the aftermath of a human-operated ransomware event. Reputational damage may be more costly and require longer-term solutions than the response to the human-operated ransomware event.<\/p>\n<h3>6. Compliance and regulatory reporting<\/h3>\n<p>Potential reporting requirements are another organizational risk depending on the industry or affiliation. This may include compliance or regulatory reporting in cases where sensitive financial information or personally identifiable information (PII) is stolen. Fines and loss of accreditation may further damage an organization\u2019s reputation.<\/p>\n<h2>Recommendations and best practices<\/h2>\n<h3>Containment<\/h3>\n<p>Containment can only happen once we determine what needs to be contained. In the case of ransomware, the adversary\u2019s goal is to obtain credentials that allow administrative control over a highly available server and then deploy the ransomware. In some cases, the threat actor identifies sensitive data and exfiltrates it to a location they control.<\/p>\n<p>Tactical recovery will be unique for each customer and tailored to the customer\u2019s environment, industry, and level of IT expertise and experience. The steps outlined below are recommended for short-term and tactical containment steps your organization can take. To learn more about <a href=\"https:\/\/aka.ms\/SPA\" target=\"_blank\" rel=\"noopener\">securing privileged access<\/a> for long-term guidance, visit our securing privileged access docs page. For a comprehensive view of ransomware and extortion and how to protect your organization, you can refer to our <a href=\"https:\/\/aka.ms\/ransomware\" target=\"_blank\" rel=\"noopener\">human-operated ransomware docs page<\/a>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-97644\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/09\/Ransomware-containment.png\" alt=\"Graphic outlines DART\u2019s containment steps, which cover assessing the scope of the situation and preserving existing systems.\" width=\"1139\" height=\"534\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/09\/Ransomware-containment.png 1139w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/09\/Ransomware-containment-300x141.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/09\/Ransomware-containment-1024x480.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/09\/Ransomware-containment-768x360.png 768w\" sizes=\"(max-width: 1139px) 100vw, 1139px\" \/><\/p>\n<p><em>Figure 1. Containment steps that can be done concurrently as new vectors are discovered.<\/em><\/p>\n<p>After the first step of containment (assessing the scope of the situation), the second step is to preserve existing systems:<\/p>\n<ul>\n<li><strong>Disable all privileged user accounts<\/strong> except for a few accounts used by your admins to assist in resetting the integrity of your Active Directory&nbsp;infrastructure. If a user account is believed to be compromised, disable it immediately<em>.<\/em><\/li>\n<li><strong>Isolate compromised systems from the network<\/strong>, but <em>do not<\/em> shut them off.<\/li>\n<li><strong>Isolate at least one known good domain controller in every domain\u2014two is even better<\/strong>. Either disconnect them from the network or shut them down entirely. The object here is to stop the spread of ransomware to critical systems\u2014identity being among the most vulnerable. If all your domain controllers are virtual, ensure that the virtualization platform\u2019s system and data drives are backed to offline external media (<em>not<\/em> connected to the network) in case the virtualization platform itself is compromised.<\/li>\n<li>Isolate critical known good application servers (for example SAP, configuration management database (CMDB), billing, and accounting systems).<\/li>\n<\/ul>\n<p>These two steps can be done concurrently as new vectors are discovered. Disable those vectors and then try to find a known good system to isolate from the network.<\/p>\n<p>Other tactical containment actions can be accomplished:<\/p>\n<ul>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/identity\/ad-ds\/manage\/ad-forest-recovery-resetting-the-krbtgt-password\" target=\"_blank\" rel=\"noopener\">Reset the krbtgt password<\/a>, twice in rapid succession. Consider using a <a href=\"https:\/\/github.com\/microsoft\/New-KrbtgtKeys.ps1\" target=\"_blank\" rel=\"noopener\">scripted, repeatable process<\/a>. This script enables you to reset the krbtgt account password and related keys while minimizing the likelihood of Kerberos authentication issues being caused by the operation. To minimize potential issues, the krbtgt lifetime can be reduced one or more times prior to the first password reset so that the two resets are done relatively quickly. NOTE<strong>:<\/strong> All domain controllers that you plan to keep in your environment <em>must<\/em> be online.<\/li>\n<li>Deploy a Group Policy to the entire domain(s) that prevents privileged log on (Domain Admins) to anything but Domain Controllers and privileged administrative-only workstations (if any).<\/li>\n<li>Install all missing security updates for operating systems and applications. Every missing update is a potential threat vector that adversaries can quickly identify and exploit. <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/threat-protection\/endpoint-defender\" target=\"_blank\" rel=\"noopener\">Microsoft Defender for Endpoint\u2019s<\/a> Threat and Vulnerability Management provides an easy way to see exactly what is missing\u2014as well as the potential impact of the missing updates.\n<ul>\n<li>For Windows 10 (or higher) devices, confirm that the current version (or n-1) is running on <em>every <\/em>device.<\/li>\n<li>Apply <a href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/attack-surface-reduction?view=o365-worldwide\" target=\"_blank\" rel=\"noopener\">attack surface reduction (ASR) rules<\/a> to prevent malware infection.<\/li>\n<li>Enable all <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/overview-of-threat-mitigations-in-windows-10\" target=\"_blank\" rel=\"noopener\">Windows 10 security features<\/a>.<\/li>\n<\/ul>\n<\/li>\n<li>Check that every external facing application, including VPN access, is protected by multifactor authentication, preferably using an authentication application that is running on a secured device.<\/li>\n<li>For devices not using Defender for Endpoint as their primary antivirus software, run a full scan with <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/intelligence\/safety-scanner-download\" target=\"_blank\" rel=\"noopener\">Microsoft Safety Scanner<\/a> on isolated \u201cknown good\u201d systems before reconnecting them to the network.<\/li>\n<li>For any legacy operating systems, upgrade to a supported OS or decommission these devices. If these options are not available, take every possible measure to isolate these devices, including network\/VLAN isolation, IPsec rules, and log on restrictions, so they are only accessible to the applications by the users\/devices to provide business continuity.<\/li>\n<\/ul>\n<p>DART sometimes finds customers who are running mission critical systems on legacy operating systems (some as old as Windows NT 4) and applications, all on legacy hardware. This is one of the riskiest configurations possible\u2014not only are these operating systems and applications insecure, if that hardware fails, backups typically cannot be restored on modern hardware. Unless replacement legacy hardware is available, these applications will cease to function.<\/p>\n<h2>Post-incident activities<\/h2>\n<p>DART recommends implementing the following security recommendations and best practices after each incident.<\/p>\n<ul>\n<li>Ensure that best practices are in place for <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/threat-protection\/office-365-defender\" target=\"_blank\" rel=\"noopener\">email and collaboration solutions<\/a> to make it more difficult for attackers to abuse them while allowing internal users to access external content easily and safely.<\/li>\n<li>Follow <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/zero-trust\" target=\"_blank\" rel=\"noopener\">Zero Trust<\/a> security best practices for remote access solutions to internal organizational resources.<\/li>\n<li>Starting with critical impact administrators, follow best practices for account security including <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/09\/15\/the-passwordless-future-is-here-for-your-microsoft-account\/\" target=\"_blank\" rel=\"noopener\">using passwordless<\/a> or MFA.<\/li>\n<li>Implement a comprehensive strategy to reduce the risk of privileged access compromise.\n<ul>\n<li>For cloud and forest\/domain administrative access, see below for an overview of Microsoft\u2019s privileged access model (PAM).<\/li>\n<li>For endpoint administrative management, see below for details on the local administrative password solution (LAPS).<\/li>\n<\/ul>\n<\/li>\n<li>Implement data protection to block ransomware techniques and to confirm rapid and reliable recovery from an attack.<\/li>\n<li>Review your critical systems. Check for protection and backups against deliberate attacker erasure\/encryption. It\u2019s important that these backups are periodically tested and validated.<\/li>\n<li>Ensure rapid detection and remediation of common attacks on endpoint, email, and identity.<\/li>\n<li>Actively discover and continuously improve the security posture of your environment.<\/li>\n<li>Update organizational processes to manage major ransomware events and streamline outsourcing to avoid friction.<\/li>\n<\/ul>\n<h3>Privileged access model (PAM)<\/h3>\n<p>Using the <a href=\"https:\/\/docs.microsoft.com\/en-us\/security\/compass\/privileged-access-access-model\" target=\"_blank\" rel=\"noopener\">privileged access model<\/a> (formerly known as the tiered administration model) enhances Azure AD\u2019s security posture. This involves:<\/p>\n<ul>\n<li>Breaking out administrative accounts in a \u201cPlaned\u201d environment\u2014one account for each level, usually four:\n<ul>\n<li>Control Plane (formerly Tier 0): Administration of Domain Controllers and other crucial identity services (like Active Directory Federation Service (ADFS) or Azure AD Connect). This also includes applications that require administrative permissions to Active Directory, such as Exchange Server.<\/li>\n<li>The next two Planes were formerly Tier 1:\n<ul>\n<li>Management Plane: Asset management, monitoring, and security.<\/li>\n<li>Data\/Workload Plane: Applications and application servers.<\/li>\n<\/ul>\n<\/li>\n<li>The next two Planes were formerly Tier 2:\n<ul>\n<li>User Access: Access rights for users (such as accounts).<\/li>\n<li>App Access: Access rights for applications.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Each one of these Planes will have a separate administrative workstation for each Plane and will only have access to systems in that Plane. Other accounts from other Planes will be denied access to workstations and servers in the other Planes through user rights assignments set to those machines.<\/li>\n<li>The net result of the PAM is that:\n<ul>\n<li>A compromised user account will only have access to the Plane it is a part of.<\/li>\n<li>More sensitive user accounts will not be logging into workstations and servers with a lower Plane\u2019s security level, thereby reducing lateral movement.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Local Administrative Password Solution (LAPS)<\/h3>\n<p>By default, Microsoft Windows and Active Directory have no centralized management of local administrative accounts on workstations and member servers. This usually results in a common password that is given for all these local accounts, or at the very least in groups of machines. This enables would-be attackers to compromise one local administrator account, and then use that account to gain access to other workstations or servers in the organization.<\/p>\n<p>Microsoft\u2019s <a href=\"https:\/\/docs.microsoft.com\/en-us\/defender-for-identity\/cas-isp-laps\" target=\"_blank\" rel=\"noopener\">Local Administrator Password Solution<\/a> (LAPS) mitigates this by using a Group Policy client-side extension that changes the local administrative password at regular intervals on workstations and servers according to the policy set. Each of these passwords are different and stored as an attribute in the Active Directory computer object. This attribute can be retrieved from a simple client application, depending on the permissions assigned to that attribute.<\/p>\n<p>LAPS requires the Active Directory schema to be extended to allow for the additional attribute, the LAPS Group Policy templates to be installed, and a small client-side extension to be installed on every workstation and member server to provide the client-side functionality.<\/p>\n<p>Download LAPS from the official <a href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=46899\" target=\"_blank\" rel=\"noopener\">Microsoft Download Center<\/a>.<\/p>\n<h2>Harden your environment<\/h2>\n<p>Each ransomware case is different and there is no one-size-fits-all approach. But there are things you can do now to harden your environment and prepare for a worst-case scenario. Although, these changes may impact how your organization currently works, consider the risk of not implementing them now versus dealing with a potential human-operated ransomware event. An organization that has fallen victim to a ransomware attack should keep the crucial human element in mind\u2014real people are responding to the incident at the end of the day.<\/p>\n<h2 class=\"x-hidden-focus\">Learn more<\/h2>\n<p class=\"x-hidden-focus\">Want to learn more about DART? Read our past&nbsp;<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/microsoft-detection-and-response-team-dart-blog-series\/\" target=\"_blank\" rel=\"noopener\">blog posts<\/a>.<\/p>\n<p class=\"x-hidden-focus\">To learn more about Microsoft Security solutions,&nbsp;<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/solutions\" target=\"_blank\" rel=\"noopener\">visit our&nbsp;website<\/a>.&nbsp;Bookmark the&nbsp;<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\" target=\"_blank\" rel=\"noopener\">Security blog<\/a>&nbsp;to keep up with our expert coverage on security matters. Also, follow us at&nbsp;<a href=\"https:\/\/twitter.com\/@MSFTSecurity\" target=\"_blank\" rel=\"noopener\">@MSFTSecurity<\/a>&nbsp;for the latest news and updates on cybersecurity.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this post, we will tackle the risks of human-operated ransomware and detail DART\u2019s security recommendations for tactical containment actions and post-incident activities in the event of an attack. <\/p>\n","protected":false},"author":106,"featured_media":97659,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"_classifai_error":"","footnotes":""},"content-type":[3663],"topic":[3674,3687],"products":[],"threat-intelligence":[3735],"tags":[3909,3776],"coauthors":[2064],"class_list":["post-97524","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","content-type-research","topic-incident-response","topic-threat-intelligence","threat-intelligence-ransomware","tag-extortion","tag-human-operated-ransomware"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>A guide to combatting human-operated ransomware: Part 2 | Microsoft Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/09\/27\/a-guide-to-combatting-human-operated-ransomware-part-2\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"A guide to combatting human-operated ransomware: Part 2 | Microsoft Security Blog\" \/>\n<meta property=\"og:description\" content=\"In this post, we will tackle the risks of human-operated ransomware and detail DART\u2019s security recommendations for tactical containment actions and post-incident activities in the event of an attack.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/09\/27\/a-guide-to-combatting-human-operated-ransomware-part-2\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2021-09-27T17:00:13+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-08-10T21:47:18+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/09\/CLO20b_Sylvie_office_night_001.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"800\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Microsoft Incident Response\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/09\/CLO20b_Sylvie_office_night_001.jpg\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Microsoft Incident Response\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/09\/27\/a-guide-to-combatting-human-operated-ransomware-part-2\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/09\/27\/a-guide-to-combatting-human-operated-ransomware-part-2\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/detection-and-response-team-dart\/\",\"@type\":\"Person\",\"@name\":\"Microsoft Incident Response\"}],\"headline\":\"A guide to combatting human-operated ransomware: Part 2\",\"datePublished\":\"2021-09-27T17:00:13+00:00\",\"dateModified\":\"2023-08-10T21:47:18+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/09\/27\/a-guide-to-combatting-human-operated-ransomware-part-2\/\"},\"wordCount\":2207,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/09\/27\/a-guide-to-combatting-human-operated-ransomware-part-2\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/09\/CLO20b_Sylvie_office_night_001.jpg\",\"keywords\":[\"Extortion\",\"Human-operated ransomware\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/09\/27\/a-guide-to-combatting-human-operated-ransomware-part-2\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/09\/27\/a-guide-to-combatting-human-operated-ransomware-part-2\/\",\"name\":\"A guide to combatting human-operated ransomware: Part 2 | Microsoft Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/09\/27\/a-guide-to-combatting-human-operated-ransomware-part-2\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/09\/27\/a-guide-to-combatting-human-operated-ransomware-part-2\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/09\/CLO20b_Sylvie_office_night_001.jpg\",\"datePublished\":\"2021-09-27T17:00:13+00:00\",\"dateModified\":\"2023-08-10T21:47:18+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/09\/27\/a-guide-to-combatting-human-operated-ransomware-part-2\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/09\/27\/a-guide-to-combatting-human-operated-ransomware-part-2\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/09\/27\/a-guide-to-combatting-human-operated-ransomware-part-2\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/09\/CLO20b_Sylvie_office_night_001.jpg\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/09\/CLO20b_Sylvie_office_night_001.jpg\",\"width\":1200,\"height\":800,\"caption\":\"Female developer coding her workspace in an enterprise office, using Visual Studio on a multi-monitor set up.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/09\/27\/a-guide-to-combatting-human-operated-ransomware-part-2\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"A guide to combatting human-operated ransomware: Part 2\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"name\":\"Microsoft Security Blog\",\"description\":\"Expert coverage of cybersecurity topics\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\",\"name\":\"Microsoft Security Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Security Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"A guide to combatting human-operated ransomware: Part 2 | Microsoft Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/09\/27\/a-guide-to-combatting-human-operated-ransomware-part-2\/","og_locale":"en_US","og_type":"article","og_title":"A guide to combatting human-operated ransomware: Part 2 | Microsoft Security Blog","og_description":"In this post, we will tackle the risks of human-operated ransomware and detail DART\u2019s security recommendations for tactical containment actions and post-incident activities in the event of an attack.","og_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/09\/27\/a-guide-to-combatting-human-operated-ransomware-part-2\/","og_site_name":"Microsoft Security Blog","article_published_time":"2021-09-27T17:00:13+00:00","article_modified_time":"2023-08-10T21:47:18+00:00","og_image":[{"width":1200,"height":800,"url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/09\/CLO20b_Sylvie_office_night_001.jpg","type":"image\/jpeg"}],"author":"Microsoft Incident Response","twitter_card":"summary_large_image","twitter_image":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/09\/CLO20b_Sylvie_office_night_001.jpg","twitter_misc":{"Written by":"Microsoft Incident Response","Est. reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/09\/27\/a-guide-to-combatting-human-operated-ransomware-part-2\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/09\/27\/a-guide-to-combatting-human-operated-ransomware-part-2\/"},"author":[{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/detection-and-response-team-dart\/","@type":"Person","@name":"Microsoft Incident Response"}],"headline":"A guide to combatting human-operated ransomware: Part 2","datePublished":"2021-09-27T17:00:13+00:00","dateModified":"2023-08-10T21:47:18+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/09\/27\/a-guide-to-combatting-human-operated-ransomware-part-2\/"},"wordCount":2207,"publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/09\/27\/a-guide-to-combatting-human-operated-ransomware-part-2\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/09\/CLO20b_Sylvie_office_night_001.jpg","keywords":["Extortion","Human-operated ransomware"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/09\/27\/a-guide-to-combatting-human-operated-ransomware-part-2\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/09\/27\/a-guide-to-combatting-human-operated-ransomware-part-2\/","name":"A guide to combatting human-operated ransomware: Part 2 | Microsoft Security Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/09\/27\/a-guide-to-combatting-human-operated-ransomware-part-2\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/09\/27\/a-guide-to-combatting-human-operated-ransomware-part-2\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/09\/CLO20b_Sylvie_office_night_001.jpg","datePublished":"2021-09-27T17:00:13+00:00","dateModified":"2023-08-10T21:47:18+00:00","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/09\/27\/a-guide-to-combatting-human-operated-ransomware-part-2\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/09\/27\/a-guide-to-combatting-human-operated-ransomware-part-2\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/09\/27\/a-guide-to-combatting-human-operated-ransomware-part-2\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/09\/CLO20b_Sylvie_office_night_001.jpg","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/09\/CLO20b_Sylvie_office_night_001.jpg","width":1200,"height":800,"caption":"Female developer coding her workspace in an enterprise office, using Visual Studio on a multi-monitor set up."},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/09\/27\/a-guide-to-combatting-human-operated-ransomware-part-2\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/"},{"@type":"ListItem","position":2,"name":"A guide to combatting human-operated ransomware: Part 2"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","name":"Microsoft Security Blog","description":"Expert coverage of cybersecurity topics","publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization","name":"Microsoft Security Blog","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","width":512,"height":512,"caption":"Microsoft Security Blog"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/"}}]}},"msxcm_display_generated_audio":false,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Security Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/97524"}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/users\/106"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/comments?post=97524"}],"version-history":[{"count":0,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/97524\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media\/97659"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media?parent=97524"}],"wp:term":[{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/content-type?post=97524"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/topic?post=97524"},{"taxonomy":"products","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/products?post=97524"},{"taxonomy":"threat-intelligence","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/threat-intelligence?post=97524"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/tags?post=97524"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/coauthors?post=97524"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}