Skip to main content

What is human-operated ransomware, and how does it differ from traditional ransomware?

lab monitors.Ransomware existed in small pockets starting in 2013 and was opportunistic, typically affecting one or two devices within an organization.

The more popular and destructive types of ransomware appeared as WannaCry in May 2017 and NotPetya in June 2017. Because these variants of ransomware used vulnerabilities in unpatched operating systems to propagate, this kind of ransomware affected entire organizations rather than one or two devices.

Microsoft and other cybersecurity organizations started noticing a business model created from these more sophisticated and persistent types of ransomware starting in June 2019. This vastly expanded the ransomware business model into an enterprise scale operation blending targeted attack techniques and the extortion business model, threatening disclosure of data or encryption in exchange for payment. Human-operated ransomware is persistent, which means that it can mutate to evade detection from common anti-malware systems. This allows it to remain hidden within an organization and used in the future.

How does human-operated ransomware affect the health and life sciences industry?

Criminal organizations will target critical infrastructure, which may include the electrical grid, gas pipelines, water management, schools, governments, traffic management systems, and even healthcare organizations. These criminal organizations realize that time is of the essence when providing patient care because lives are on the line. This makes the healthcare organization victim more likely to pay the ransom to return to business as usual.

How to define the risk of human-operated ransomware to senior management

There are many examples of ransomware affecting 500 or more individuals in the healthcare sector available for reference. The U.S. Department of Health and Human Services Office for Civil Rights keeps records of reported incidents in healthcare throughout the US. Given these overwhelming statistics and the net impact of ransomware on healthcare organizations, it should be less difficult than before to create a business case for senior management to implement the right people, processes, and technologies to lower the risk of occurrence and severity of impact.

How to reduce the risk of becoming a victim of any kind of ransomware

  1. Integrated and automated cybersecurity solution. This solution enables you to “see” everything, providing the opportunity for technology to share intelligence throughout the attack chain and apply the NIST Cybersecurity Framework to identify, protect, detect, respond, recover in the early, middle, or late stages of the attack. Best-of-breed, unintegrated solutions do not have built-in integration, so they have difficulty sharing their intelligence throughout the stages of the attack chain.
  2. Use security orchestration and automated response (SOAR). Cloud-based integrated solutions come bundled with sophisticated security orchestration and automated response (SOAR) capabilities, so defensive and remediation activities will execute either before the attack occurs or before the ransomware has a chance to spread throughout the organization’s infrastructure.
  3. Cloud-powered threat intelligence Real-time detection, analysis, and remote remediation of advanced attacks call for sophisticated machine learning algorithms to analyze billions of pieces of data to differentiate between what looks trustworthy versus what looks suspicious. The Microsoft Intelligent Security Graph API can help because it is based on massive amounts of attack behavior data that is compiled and analyzed at hyperscale. This approach gives the integrated system the advantage of detecting and preventing malicious behavior before it can do harm.
  4. Move to cloud services to reduce patch management debt. If you are responsible for the infrastructure in your environment, such as servers running in a data center or infrastructure as a service in the cloud, you must ensure that every tier of the system is up to date on patching. That means that everything from firmware to the operating system to the drivers to the application that runs on the operating system, the database, and any other code (whether commercial or proprietary) must be vulnerability-free to the extent that it can be. Risk can never be zero percent because there is always the possibility of a zero-day vulnerability that neither the customer nor the vendor is aware of before a patch is issued for it.
  5. Move to the cloud to simplify vulnerability management. PaaS and SaaS applications do not need patching because the cloud service provider is responsible for vulnerability management in the common shared responsibility model.
  6. Move to the cloud to simplify and accelerate backup and recovery. It is simpler to ensure backup and recovery of data residing in cloud-based services than on-premises, usually by adding a backup service, like Azure Cloud Backup Service, Azure Block Blob Storage Backup, and third-party cloud-based Office 365 Backup and Recovery Services. These services ensure that if data residing in cloud services become affected by ransomware, recovery can be both immediate and comprehensive.
  7. Cyber hygiene. This concept means understanding what resources are in production and implementing secure benchmark configurations that protect those resources. In other words, cyber hygiene is good configuration governance. Azure Security Center provides comprehensive cyber hygiene for on-premises and cloud resources.
  8. Zero trust model. A zero trust approach means that any device or user is evaluated for risk before it is permitted to access resources like applications, files, databases, and other devices. This decreases the chance that a malicious identity or device would have the ability to access resources and install or propagate ransomware.

Learn more about human-operated ransomware and the steps you can take to reduce its effectiveness.