Ransomware has become a global menace, but organizations should keep in mind that it’s humans -- not code -- attacking them, Microsoft said in its new Digital Defense report.

The company’s massive footprint across the software and hardware realms give it unique insight into the latest attacker behaviors. According to Microsoft, the data underlying their report was pulled from 8 trillion signals collected from PCs, servers, cloud and network logs, apps, IoT devices as well as Android, Linux, Mac and iOS devices.

Ransomware was the most common reason behind incident response engagements by Microsoft’s Detection and Response team over the past year, but according to the report, many organizations continue to treat the issue as a straightforward or automated malware threat.

This approach “often fails to address the root problem because it ignores the human actors behind the threat, the specificity of their targets, and that access to their networks might already be compromised,” the authors write.

In many cases, delivery of the actual ransomware payload is one of the last steps in a string of compromises. Treating ransomware primarily as a code-based or automated threat misses out on how dynamic these intrusions can be. Many of the choices made in ransomware attacks observed by Microsoft were dictated in the moment, depending on “which security tools were present, whether the network had good cybersecurity basics in place, and which data the cybercriminals wanted to exfiltrate from the network.”

Organizations should instead focus more attention on the earlier steps – like exploiting vulnerabilities in VPNs and the use of commodity malware or open source tools – that are frequently used to gain initial access or disable security features that could detect or block malicious activity.

“Understanding and fixing the fundamental security issues that led to the compromise in the first place should be a priority for ransomware victims,” the report advises.

Proof point: A Ransomware case study

Recent telemetry data from eSentire following an eight-hour ransomware siege on an online educational institution highlights some of these dynamics. The attacker obtained low-level credentials and used the organization’s VPN as an initial access point before deploying Mimikatz to harvest additional credentials and escalate their privileges across the network. They also attempted to uninstall an antivirus program that was blocking them from deploying the actual ransomware.

In the early stages of the attack, the organization identified the VPN tunnel used by the attackers and shut it down. However, within minutes the attacker entered again through another tunnel. After kicking them out again and temporarily shutting down the VPN network, the attacker logged back in four hours later using the same credentials they had harvested in the initial intrusion.

“They ran Mimikatz, so they would have collected all the hashes for passwords, and then…you can crack them locally, you can run dictionaries against them and find those weak passwords that people use,” said Keegan Keplinger, a research and reporting lead at eSentire, in an interview.

Low level phishing schemes have historically targeted the weakest, most gullible links in an organizational chain, but as initial user access has been increasingly linked as an entry point for lucrative ransomware and Business Email Compromise (BEC) attacks, Microsoft has found that criminal groups are “spending significant time, money, and effort to develop scams that are sufficiently sophisticated to victimize even savvy professionals” and harvest credentials.

While persistent access is becoming a more common feature in ransomware attacks, Keplinger said this incident was unique in how desperate the actors seemed to be to break into a specific organization. Still, it demonstrates that while many APTs will always get access, “if you make it more trouble than it’s worth, they’ll give up eventually.”

“Whereas usually you just kick them out and they’re gone and then it’s just investigation after that, this was a lot of back and forth,” he said. “It kind of highlighted the war of attrition…sometimes it’s just about wearing them out.”

Sizing up the target

There’s plenty of evidence to indicate that cybercriminal groups consider the human foibles of their victims. According to Microsoft, ransomware actors actively switch tactics and tools depending on the specific security environment they encounter upon initial network access, or plan attacks around holidays and other times when they know the patching response will be slow.

Meanwhile, new reporting this week by IBM’s X-Force security team show that ransomware cartels like Maze Group do pay close attention to financial reporting from victim organizations when developing a ransom figure, usually targeting between .08 percent and 9.1 percent of a company’s yearly revenues. Small businesses might see ransom demands as low as $1,500, while larger organizations could see price tags exceeding $40 million.

That same human-centric approach is not always followed by defenders. Catherine Lyle, head of claims for cyber insurer Coalition, told SC Media earlier this week that her firm continues to see two common themes in the majority of claims they receive around data breaches: organizations failing to implement simple fixes like two-factor authentication for email or critical systems and attackers relentlessly exploiting that laziness.

“Everyone says ‘Oh yes, I understand that.’ A minimal number of entities are doing it,” she said.

Both Microsoft and eSentire flag what has become a common feature for many ransomware groups: in addition to encrypting a company’s data, they will also exfiltrate that sensitive data and threaten to sell it on underground markets. This “double extortion” puts added pressure on companies to pay up.

Surprisingly, IBM’s research indicates that a number of large ransomware gangs actually avoid the temptation to double dip by both taking the ransom money and then later selling the stolen data anyway. This could be a way to build credibility with victims and give assurances that paying the ransom is worth it.

“We have not seen any data auctioned online from a company that paid a ransom,” said Camille Singleton, a senior threat analyst for IBM Security’s X-Force team in an email. “Based on our observation of the Sodinokibi and Maze ransomware actors, when a company pays the ransom, the ransomware actors generally follow through on their claims and do not sell or leak the data. That said, all bets are off if a company cannot or will not pay the ransom.”