What is ransomware?
In practice, a ransomware attack blocks access to your data until a ransom is paid.
Ransomware is a type of malware, commonly delivered through phishing, that destroys or encrypts files and folders on a computer, server, or device.
Once devices or files are locked or encrypted, cybercriminals can extort money from the business or device owner in exchange for a key to unlock the encrypted data. But even when paid, cybercriminals may never hand over the key, leaving the data inaccessible permanently.
How do ransomware attacks work?
Ransomware can be automated, or involve human hands on a keyboard (a human-operated attack).
Automated ransomware attacks
Commodity ransomware attacks are often automated. These cyber attacks can spread like a virus, infect devices through methods like email phishing and malware delivery, and require malware remediation.
That means one ransomware prevention technique is to safeguard your email system with Microsoft Defender for Office 365, which protects against malware and phishing delivery. Microsoft Defender for Endpoint works alongside Defender for Office 365 to automatically detect and block suspicious activity on your devices, while Microsoft Defender XDR detects malware and phishing attempts early.
Human-operated ransomware attacks
Human-operated ransomware is the result of an active attack by cybercriminals that infiltrate an organization's on-premises or cloud IT infrastructure, elevate their privileges, and deploy ransomware to critical data.
These "hands-on-keyboard" attacks usually target organizations rather than a single device.
Human-operated also means there's a human attacker using their insights into common system and security misconfigurations. The goal is to infiltrate the organization, navigate the network, and adapt to the environment and its weaknesses.
Hallmarks of these human-operated ransomware attacks typically include credential theft and lateral movement, with elevation of privileges through the stolen accounts.
Activities might take place during maintenance windows and involve security configuration gaps discovered by cybercriminals. The goal is the deployment of a ransomware payload to whatever high business impact resources the attackers choose.
Important
These attacks can be catastrophic to business operations and are difficult to clean up, requiring complete adversary eviction to protect against future attacks. Unlike commodity ransomware that usually only requires malware remediation, human-operated ransomware will continue to threaten your business operations after the initial encounter.
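The hallmark the article names for the final stage, a payload that encrypts many files on high-impact resources in a short time, is also one of the more detectable moments of the attack. The following is an added detection example written for this page; it is not code from Microsoft or from the products described above. It assumes a constructed file-audit log format (timestamp | process | action | path | new path), constructed process names, and a sliding-window rule (five extension-changing renames by one process within 60 seconds) whose threshold and window are illustrative assumptions, not recommended values.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from typing import Dict, Iterable, Optional

# Constructed sample audit log (not from any real system). Fields are:
# timestamp | process | action | path | new path (RENAME only).
# explorer.exe and backup.exe show benign extension changes; updater.exe is
# a constructed name standing in for a process that mass-renames documents.
SAMPLE_LOG = r"""
2024-03-01T01:58:10 | explorer.exe | RENAME | C:\Users\alice\Desktop\notes.txt | C:\Users\alice\Desktop\notes.md
2024-03-01T02:00:00 | backup.exe | WRITE | D:\Backups\fs01.vhdx.tmp
2024-03-01T02:05:00 | backup.exe | RENAME | D:\Backups\fs01.vhdx.tmp | D:\Backups\fs01.vhdx
2024-03-01T02:15:00 | updater.exe | RENAME | C:\Users\alice\Documents\q1-report.docx | C:\Users\alice\Documents\q1-report.docx.locked
2024-03-01T02:15:03 | updater.exe | RENAME | C:\Users\alice\Documents\budget.xlsx | C:\Users\alice\Documents\budget.xlsx.locked
2024-03-01T02:15:07 | updater.exe | RENAME | C:\Users\alice\Documents\contract.pdf | C:\Users\alice\Documents\contract.pdf.locked
2024-03-01T02:15:12 | updater.exe | RENAME | E:\finance\ledger.xlsx | E:\finance\ledger.xlsx.locked
2024-03-01T02:15:18 | updater.exe | RENAME | E:\finance\payroll.csv | E:\finance\payroll.csv.locked
2024-03-01T02:15:25 | updater.exe | WRITE | E:\finance\HOW_TO_RESTORE.txt
2024-03-01T02:15:30 | updater.exe | RENAME | E:\finance\invoices.zip | E:\finance\invoices.zip.locked
"""


@dataclass
class Event:
    ts: datetime
    process: str
    action: str
    path: str
    new_path: Optional[str]


def parse_line(line: str) -> Event:
    """Parse one pipe-delimited audit line of the constructed format above."""
    fields = [f.strip() for f in line.split("|")]
    ts, process, action, path = fields[:4]
    new_path = fields[4] if len(fields) > 4 else None
    return Event(datetime.fromisoformat(ts), process, action, path, new_path)


def extension_changed(ev: Event) -> bool:
    """True for a RENAME whose file extension differs before and after."""
    if ev.action != "RENAME" or ev.new_path is None:
        return False
    old_ext = PureWindowsPath(ev.path).suffix.lower()
    new_ext = PureWindowsPath(ev.new_path).suffix.lower()
    return old_ext != new_ext


def detect_mass_rename(lines: Iterable[str],
                       window: timedelta = timedelta(seconds=60),
                       threshold: int = 5) -> Dict[str, dict]:
    """Flag any process that changes the extension of `threshold` or more
    files within `window`. Returns {process: alert details}; the details
    reflect the last window in which the rule fired."""
    recent = defaultdict(deque)  # process -> deque of (timestamp, directory)
    alerts: Dict[str, dict] = {}
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if not extension_changed(ev):
            continue  # ordinary writes and same-extension renames are ignored
        q = recent[ev.process]
        q.append((ev.ts, str(PureWindowsPath(ev.path).parent)))
        while q and ev.ts - q[0][0] > window:  # drop events outside the window
            q.popleft()
        if len(q) >= threshold:
            alerts[ev.process] = {
                "first_seen": q[0][0],
                "last_seen": ev.ts,
                "count": len(q),
                "directories": sorted({d for _, d in q}),
            }
    return alerts


if __name__ == "__main__":
    for proc, info in detect_mass_rename(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {proc}: {info['count']} extension-changing renames "
              f"between {info['first_seen']} and {info['last_seen']} "
              f"in {info['directories']}")
```

On the sample log only the constructed `updater.exe` trips the rule: the user's single rename and the backup job's `.tmp` to `.vhdx` rename each count as one event and stay far below the threshold. In a real deployment the window and threshold would be tuned against the organization's own baseline, and the alert would be enriched with the account behind the process, since the article's point is that the encryption is the last step of an intrusion that began with stolen credentials.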
[Graphic: the impact and likelihood that human-operated ransomware attacks will continue, showing how extortion-based attacks are growing in impact and likelihood]
Ransomware protection for your organization
First, prevent phishing and malware delivery with Microsoft Defender for Office 365, use Microsoft Defender for Endpoint to automatically detect and block suspicious activity on your devices, and use Microsoft Defender XDR to detect malware and phishing attempts early.
For a comprehensive view of ransomware and extortion and how to protect your organization, use the information in the Human-Operated Ransomware Mitigation Project Plan PowerPoint presentation.
Here's a summary of the guidance:
[Graphic: summary of the guidance in the Human-Operated Ransomware Mitigation Project Plan]
- The stakes of ransomware and extortion-based attacks are high.
- However, the attacks have weaknesses that can reduce your likelihood of being attacked.
- There are three steps to configuring your infrastructure to exploit attack weaknesses.
For the three steps to exploit attack weaknesses, see the Protect your organization against ransomware and extortion solution to quickly configure your IT infrastructure for the best protection:
- Prepare your organization to recover from an attack without having to pay the ransom.
- Limit the scope of damage of a ransomware attack by protecting privileged roles.
- Make it harder for an attacker to get into your environment by incrementally removing risks.
Download the Protect your organization from ransomware poster for an overview of the three phases as layers of protection against ransomware attackers.
Additional ransomware prevention resources
Key information from Microsoft:
- The growing threat of ransomware, Microsoft On the Issues blog post on July 20, 2021
- Rapidly protect against ransomware and extortion
- 2023 Microsoft Digital Defense Report
- Ransomware: A pervasive and ongoing threat, a threat analytics report in the Microsoft Defender portal
- Microsoft's Detection and Response Team (DART) ransomware approach and best practices and case study
Microsoft 365:
- Deploy ransomware protection for your Microsoft 365 tenant
- Maximize Ransomware Resiliency with Azure and Microsoft 365
- Recover from a ransomware attack
- Malware and ransomware protection
- Protect your Windows 10 PC from ransomware
- Handling ransomware in SharePoint Online
- Threat analytics reports for ransomware in the Microsoft Defender XDR portal
Microsoft Azure:
- Azure Defenses for Ransomware Attack
- Maximize Ransomware Resiliency with Azure and Microsoft 365
- Backup and restore plan to protect against ransomware
- Help protect from ransomware with Microsoft Azure Backup (26 minute video)
- Recovering from systemic identity compromise
- Advanced multistage attack detection in Microsoft Sentinel
- Fusion Detection for Ransomware in Microsoft Sentinel
Microsoft Security team blog posts:
For the latest list of ransomware articles in the Microsoft Security blog, click here.
- 3 steps to prevent and recover from ransomware (September 2021)
- A guide to combatting human-operated ransomware: Part 1 (September 2021). Key steps on how Microsoft's Detection and Response Team (DART) conducts ransomware incident investigations.
- A guide to combatting human-operated ransomware: Part 2 (September 2021). Recommendations and best practices.
- Defenders beware: A case for post-ransomware investigations (October 2023)
- See the Ransomware section.
- Human-operated ransomware attacks: A preventable disaster (March 2020). Includes attack chain analyses of actual attacks.
- Norsk Hydro responds to ransomware attack with transparency (December 2019)