Ransomware delivering a “motley crew” of payloads is straining security operations especially in health care, Microsoft warned, urging security teams to look for signs of credential theft and lateral movement activities that herald attacks.

Examination of an uptick in ransomware attacks during the first two weeks “showed that many of the compromises that enabled these attacks occurred earlier,” the company’s Microsoft Threat Protection Intelligence Team wrote in a blog post. “Using an attack pattern typical of human-operated ransomware campaigns, attackers have compromised target networks for several months beginning earlier this year and have been waiting to monetize their attacks by deploying ransomware when they would see the most financial gain,” the team explained.

Many attacks begin by exploiting vulnerable internet-facing network devices, taking advantage of Remote Desktop Protocol (RDP) or Virtual Desktop endpoints without multi-factor authentication (MFA), older, unsupported platforms, misconfigured web servers and Citrix Application Deliver Controller systems and Pulse Secure VPN systems affected by vulnerabilities.

The range of payloads is wide and varied but “all used the same techniques observed in human-operated ransomware campaigns: credential theft and lateral movement, culminating in the deployment of a ransomware payload of the attacker’s choice,” the researchers said.

“Ransomware actors continue to leverage some textbook breach tactics–service and account discovery, lateral movement, and widespread infection of endpoints–to maximize the impact and profitability of their operations,” said Keith McCammon, cofounder and CSO of Red Canary. “This underscores the need not just for better preventative controls, but for robust detection coverage, careful investigation and proactive hunting for threats that others controls have missed.”

Microsoft pressed organizations to apply security patches for internet-facing systems to prevent attacks. “It’s also important to note that, although Microsoft security researchers have not observed the recent attacks exploiting the following vulnerabilities, historical signals indicate that these campaigns may eventually exploit them to gain access, so they are worth reviewing: CVE-2019-0604CVE-2020-0688CVE-2020-10189,” the researchers wrote.

McCammon praised Microsoft’s dedication to preventing everyday ransomware attacks as “refreshing in a world where many security vendors focus their attention primarily on splashy detection of nation-state actors.”

Noting that “Microsoft is telling its customers how to use (Microsoft) technology to mitigate the attack after it has happened,” Lucy Security CEO Colin Bastable said, . Preventing what they define as “human-operated ransomware campaigns” in the first place requires a different, holistic approach, aimed at humans, because the attacks are designed and carried out using psychology and understanding human behavior.”

Training employees to recognize socially engineered attacks is paramount, considering that the bulk of attacks are initiated through email. Bastable recommends using “a strategy of patching people by simulating ransomware attacks on staff, and running ‘what if’ system tests to identify systemic vulnerabilities,” which he said “would be far more effective in reducing damage from ransomware attacks than solely focusing on plugging holes below the IT waterline after a hit.”

He also urged IT security to stop viewing non-IT workers “as part of the problem,” but rather “treat their colleagues as potential allies in the fight against cybercrime, engage HR, departmental heads and make the whole organization defense-ready.”