Microsoft Security

Expert Profile: Nick Carr

Behind the scenes with Microsoft’s cybercrime and counter ransomware expert

September 27, 2022

Nick Carr, Cybercrime Intelligence Team Lead at the Microsoft Threat Intelligence Center, discusses ransomware trends, explains what Microsoft is doing to protect customers from ransomware, and describes what organizations can do if they’ve been affected by it.

Expert Profile: Steve Ginty

Behind the scenes with Microsoft’s threat intelligence expert

Steve Ginty, Director of cyber intelligence at Microsoft, talks about the importance of knowing your external attack surface, provides tips on effective security readiness, and identifies the most important step you can take to protect yourself against threat actors online.

ISSUE 2 - Cyber Signals

Extortion Economics

Ransomware’s new business model

August 22, 2022

Over 80 percent of ransomware attacks can be traced to common configuration errors in software and devices.[1]

Cybercriminals are emboldened by underground ransomware economy

While ransomware continues to be a headline-grabbing topic, there’s ultimately a relatively small, connected ecosystem of players driving this sector of the cybercrime economy. The specialization and consolidation of the cybercrime economy has fueled ransomware as a service (RaaS) to become a dominant business model, enabling a wider range of criminals, regardless of their technical expertise, to deploy ransomware.

Watch the Cyber Signals digital briefing where Vasu Jakkal, CVP of Microsoft Security, interviews top threat intelligence experts on the ransomware economy and how organizations can help protect themselves.

Threat Briefing

New business model offers fresh insights for defenders

Just as many industries have shifted toward gig workers for efficiency, cybercriminals are renting or selling their ransomware tools for a portion of the profits, rather than performing the attacks themselves.

The ransomware as a service economy allows cybercriminals to purchase access to ransomware payloads and data leakage as well as payment infrastructure. Ransomware “gangs” are in reality RaaS programs like Conti or REvil, used by many different actors who switch between RaaS programs and payloads.

RaaS lowers the barrier to entry and obfuscates the identity of the attackers behind the ransoming. Some programs have 50+ “affiliates,” as they refer to the users of their service, with varying tools, tradecraft, and objectives. Just as anyone with a car can drive for a rideshare service, anyone with a laptop and credit card willing to search the dark web for penetration testing tools or out-of-the-box malware can join this economy.

This industrialization of cybercrime has created specialized roles, like access brokers who sell access to networks. A single compromise often involves multiple cybercriminals in different stages of the intrusion.

RaaS kits are easy to find on the dark web and are advertised in the same way goods are advertised across the internet.

A RaaS kit may include customer service support, bundled offers, user reviews, forums and other features. Cybercriminals can pay a set price for a RaaS kit while other groups selling RaaS under the affiliate model take a percentage of the profits.

Ransomware attacks involve decisions based on the configuration of the victim’s network and differ for each victim even if the ransomware payload is the same. Ransomware is the culmination of an attack that can include data exfiltration and other impact. Because of the interconnected nature of the cybercriminal economy, seemingly unrelated intrusions can build upon each other. Infostealer malware that steals passwords and cookies gets treated with less severity, but cybercriminals sell these passwords to enable other attacks.

These attacks follow a template: initial access via malware infection or exploitation of a vulnerability, then credential theft to elevate privileges and move laterally. Industrialization allows prolific and impactful ransomware attacks to be performed by attackers without sophistication or advanced skills. Since the shutdown of Conti we’ve observed shifts in the ransomware landscape. Some affiliates who were deploying Conti moved to payloads from established RaaS ecosystems like LockBit and Hive, while others simultaneously deploy payloads from multiple RaaS ecosystems.

New RaaS programs like QuantumLocker and Black Basta are filling the vacuum left by Conti’s shutdown. Since most ransomware coverage focuses on payloads instead of actors, this payload switching is likely to confuse governments, law enforcement, media, security researchers, and defenders about who is behind the attacks.

Reporting on ransomware may seem like an endless scaling problem; however, the reality is a finite set of actors using a finite set of techniques.


Build credential hygiene: Develop a logical network segmentation based on privileges that can be implemented alongside network segmentation to limit lateral movement.

Audit credential exposure: Auditing credential exposure is critical in preventing ransomware attacks and cybercrime in general. IT security teams and SOCs can work together to reduce administrative privileges and understand the level at which their credentials are exposed.

Reduce the attack surface: Establish attack surface reduction rules to prevent common attack techniques used in ransomware attacks. In observed attacks from several ransomware-associated activity groups, organizations with clearly defined rules have been able to mitigate attacks in their initial stages while preventing hands-on-keyboard activity.


1. Methodology: For snapshot data, Microsoft platforms, including Defender and Azure Active Directory, and our Digital Crimes Unit provided anonymized data on threat activity, such as malicious email accounts, phishing emails, and attacker movement within networks. Additional insights are from the 43 trillion daily security signals gained across Microsoft, including the cloud, endpoints, the intelligent edge, and our Compromise Security Recovery Practice and Detection and Response teams.


Cyber Signals: Issue 1

Identity is the new battleground. Gain insights into evolving cyberthreats and what steps to take to better protect your organization.

February 9, 2022

There’s a dangerous mismatch between most organizations’ security protocols and the threats they face. While attackers do try to force their way into networks, their preferred tactic is simpler: guessing weak login passwords. Basic measures like multifactor authentication are effective against 98 percent of attacks, but only 20 percent of organizations fully employ them (Microsoft Digital Defense Report, 2021).

In issue 1, you’ll learn about current security trends and recommendations from Microsoft researchers and experts, including:

  • Who’s relying on password and identity-based attacks.
  • What to do to counteract attacks, including endpoint, email, and identity strategies.
  • When to prioritize different security measures.
  • Where ransomware strains enter and proliferate within networks, and how to stop them.
  • Why identity protection remains the greatest cause for concern—but is also the greatest opportunity to improve your security.

Explore Issue 1:

  • Security snapshot: Endpoint, e-mail, and identity threats
  • Threat briefing: Nation-state actors redouble efforts to grab identity building blocks
  • Defending Attacks: Ransomware dominates mindshare, but only a few strains dominate
  • Expert profile: Christopher Glyer, Principal Threat Intelligence Lead, MSTIC


The global attack surface may be bigger than most think

April 19, 2022

The global attack surface grows with the internet

And it is growing every day. In 2020, the amount of data on the internet hit 40 zettabytes, or 40 trillion gigabytes.[1] RiskIQ found that every minute, 117,298 hosts and 613 domains[2] are added to the many interwoven threads making up the global attack surface’s intricate fabric. Each of these contains a set of elements, such as its underlying operating systems, frameworks, third-party applications, plugins, and tracking code. With each of these rapidly proliferating sites containing these nuts and bolts, the scope of the global attack surface increases exponentially.

Both legitimate organizations and threat actors contribute to this growth, which means cyber threats increase at scale with the rest of the internet. Sophisticated advanced persistent threats (APTs) and petty cybercriminals alike threaten businesses’ safety, targeting their data, brand, intellectual property, systems, and people.

In the first quarter of 2021, RiskIQ detected 611,877 unique phishing sites,[3] with 32 domain-infringement events and 375 new total threats emerging per minute.[2] These threats target organizations’ employees and customers with rogue assets, looking to fool them into clicking malicious links and phishing for sensitive data, all of which can erode brand confidence and consumer trust.


Ransomware-as-a-service: The new face of industrialized cybercrime

Cybercrime’s newest business model, human-operated attacks, emboldens criminals of varying ability.

May 25, 2022

Ransomware, one of the most persistent and pervasive cyber threats, continues to evolve, and its latest form presents a new menace to organizations worldwide. The evolution of ransomware doesn’t involve new advances in technology. Instead, it involves a new business model: ransomware-as-a-service (RaaS).

Ransomware-as-a-service (RaaS) is an arrangement between an operator, who develops and maintains the tools to power extortion operations, and an affiliate, who deploys the ransomware payload. When the affiliate conducts a successful ransomware and extortion attack, both parties profit.

The RaaS model lowers the barrier to entry for attackers who may not have the skill or technical wherewithal to develop their own tools but can manage ready-made penetration testing and sysadmin tools to perform attacks. These lower-level criminals can also just buy network access from a more sophisticated criminal group that has already breached a perimeter.

Although RaaS affiliates use ransomware payloads provided by more sophisticated operators, they are not part of the same ransomware “gang.” Rather, these are their own distinct enterprises operating in the overall cybercriminal economy.

Advancing the capabilities of cybercriminals and growing the overall cybercriminal economy

The ransomware-as-a-service model has facilitated a rapid refinement and industrialization of what less capable criminals can accomplish. In the past, these less sophisticated criminals may have used commodity malware they either built or purchased to perform attacks that are limited in scope, but now they can get everything they need—from access to networks to ransomware payloads—from their RaaS operators (for a price, of course). Many RaaS programs further incorporate a suite of extortion support offerings, including leak site hosting and integration into ransom notes, as well as decryption negotiation, payment pressure, and cryptocurrency transaction services.

This means that the impact of a successful ransomware and extortion attack remains the same regardless of the attacker’s skills.

Discovering and exploiting network vulnerabilities…for a price

One way RaaS operators provide value to their affiliates is by providing access to compromised networks. Access brokers scan the internet for vulnerable systems, which they can compromise and reserve for later profit.

In order to be successful, attackers need credentials. Compromised credentials are so important to these attacks that when cybercriminals sell network access, in many instances, the price includes a guaranteed administrator account.

What the criminals do with their access once it has been achieved can vary wildly depending on the groups and their workloads or motivations. The time between initial access and hands-on-keyboard deployment can therefore range from minutes to days or longer, but when the circumstances permit, damage can be inflicted at breakneck speed. In fact, the time from initial access to full ransom (including handoff from an access broker to a RaaS affiliate) has been observed to take less than an hour.

Keeping the economy moving – persistent and sneaky access methods

Once attackers gain access to a network, they are loath to leave—even after collecting their ransom. In fact, paying the ransom may not reduce the risk to an affected network and potentially only serves to fund cybercriminals, who will continue trying to monetize attacks with different malware or ransomware payloads until they are evicted.

The handoffs between different attackers as transactions in the cybercriminal economy occur mean that multiple activity groups may persist in an environment using methods that differ from the tools used in the ransomware attack itself. For example, initial access gained by a banking trojan leads to a Cobalt Strike deployment, but the RaaS affiliate that purchased the access may choose to use a remote access tool such as TeamViewer to operate its campaign.

Using legitimate tools and settings to persist, rather than malware implants such as Cobalt Strike, is a popular technique among ransomware attackers to avoid detection and remain resident in a network for longer.

Another popular attacker technique is to create new backdoor user accounts, whether local or in Active Directory, that can then be added to remote access tools such as a virtual private network (VPN) or Remote Desktop. Ransomware attackers have also been observed editing the settings on systems to enable Remote Desktop, reduce the protocol’s security, and add new users to the Remote Desktop Users group.
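As an added detection example (not code from the original article), the following Python correlates constructed Windows Security event records to flag the persistence pattern described above: a newly created account added to the Remote Desktop Users group, and registry changes that enable Remote Desktop or disable Network Level Authentication. Event IDs 4720, 4732 and 4657 and the registry value names are real Windows ones; the pipe-delimited record layout, hostnames and account names are assumptions made for this example.

```python
"""Correlate Windows Security events for RDP backdoor-account persistence.

Added example: the event records below are constructed and simplified
(field names are assumptions, not Microsoft's exact EVTX schema).
Real event IDs used:
  4720 - a user account was created
  4732 - a member was added to a security-enabled local group
  4657 - a registry value was modified (requires object access auditing)
"""
from datetime import datetime, timedelta

# Values under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server (and its
# WinStations\RDP-Tcp subkey) that enable RDP or weaken it. Names are real.
RDP_WEAKENING = {
    "fDenyTSConnections": "0",   # 0 = Remote Desktop enabled
    "UserAuthentication": "0",   # 0 = Network Level Authentication disabled
}
RDP_GROUP = "Remote Desktop Users"

def parse(line):
    """Parse a constructed 'time|event_id|key=value;...' log line."""
    ts, eid, rest = line.split("|", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split(";") if kv)
    return {"time": datetime.fromisoformat(ts), "id": int(eid), **fields}

def detect_rdp_persistence(lines, window=timedelta(hours=1)):
    """Return findings: accounts added to Remote Desktop Users within
    `window` of their creation, plus any RDP-weakening registry change."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["time"])
    created = {}      # account name -> creation time (from 4720)
    findings = []
    for e in events:
        if e["id"] == 4720:
            created[e["target"]] = e["time"]
        elif e["id"] == 4732 and e["group"] == RDP_GROUP:
            t0 = created.get(e["member"])
            if t0 is not None and e["time"] - t0 <= window:
                findings.append(
                    f"new account {e['member']} added to {RDP_GROUP} "
                    f"{(e['time'] - t0).seconds // 60} min after creation "
                    f"by {e['subject']} on {e['host']}")
        elif e["id"] == 4657 and e["value"] in RDP_WEAKENING:
            if e["new_data"] == RDP_WEAKENING[e["value"]]:
                findings.append(
                    f"RDP weakened: {e['value']} set to {e['new_data']} "
                    f"by {e['subject']} on {e['host']}")
    return findings

# Constructed sample: a suspicious sequence on FS01 inside a few minutes, and a
# routine helpdesk account on WS22 added to the group a day later (no alert).
SAMPLE_LOG = [
    "2022-05-01T02:10:00|4720|host=FS01;subject=svc_backup;target=support",
    "2022-05-01T02:11:30|4732|host=FS01;subject=svc_backup;group=Remote Desktop Users;member=support",
    "2022-05-01T02:12:05|4657|host=FS01;subject=svc_backup;value=fDenyTSConnections;new_data=0",
    "2022-05-01T02:12:40|4657|host=FS01;subject=svc_backup;value=UserAuthentication;new_data=0",
    "2022-05-01T09:00:00|4720|host=WS22;subject=helpdesk1;target=jdoe",
    "2022-05-02T09:30:00|4732|host=WS22;subject=helpdesk1;group=Remote Desktop Users;member=jdoe",
]

if __name__ == "__main__":
    for finding in detect_rdp_persistence(SAMPLE_LOG):
        print("ALERT:", finding)
```

The one-hour window is a tunable assumption; in practice the 4657 checks only fire if the Terminal Server keys are covered by a registry audit SACL.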

Facing the most elusive and cunning adversaries in the world

One of the qualities of RaaS that makes the threat so concerning is how it relies on human attackers who can make informed and calculated decisions and vary attack patterns based on what they find in the networks where they land, ensuring they meet their goals.

Microsoft coined the term human-operated ransomware to define this category of attacks as a chain of activity that culminates in a ransomware payload, not as a set of malware payloads to be blocked.

While most initial access campaigns rely on automated reconnaissance, once the attack shifts to the hands-on-keyboard phase, attackers will use their knowledge and skill to try to defeat the security products in the environment.

This human decision-making means that even if security products detect specific attack stages, the attackers themselves don’t get fully evicted; they attempt to continue if not blocked by a security control. In many instances, if a tool or payload is detected and blocked by an antivirus product, attackers simply grab a different tool or modify their payload.

Attackers are also aware of security operations center (SOC) response times and the capabilities and limitations of detection tools. By the time the attack reaches the stage of deleting backups or shadow copies, it is likely minutes away from ransomware deployment, and the adversary has probably already performed harmful actions like the exfiltration of data. This knowledge is key for SOCs responding to ransomware: investigating detections like Cobalt Strike before the ransomware deployment stage and performing swift remediation actions and incident response (IR) procedures are critical for containing a human adversary.

Hardening security against threats while avoiding alert fatigue

A durable security strategy against determined human adversaries must include detection and mitigation goals. It’s not enough to rely on detection alone because 1) some infiltration events are practically undetectable (they look like multiple innocent actions), and 2) it’s not uncommon for ransomware attacks to be overlooked due to alert fatigue caused by multiple, disparate security product alerts.

Because attackers have multiple ways to evade and disable security products and are capable of mimicking benign admin behavior in order to blend in as much as possible, IT security teams and SOCs should back up their detection efforts with security hardening measures.

Ransomware attackers are motivated by easy profits, so adding to their cost via security hardening is key in disrupting the cybercriminal economy.

Here are some steps organizations can take to protect themselves:

Build credential hygiene: Develop a logical network segmentation based on privileges that can be implemented alongside network segmentation to limit lateral movement.

Audit credential exposure: Auditing credential exposure is critical in preventing ransomware attacks and cybercrime in general. IT security teams and SOCs can work together to reduce administrative privileges and understand the level at which their credentials are exposed.

Harden the cloud: As attackers move towards cloud resources, it’s important to secure cloud resources and identities as well as on-premises accounts. Security teams should focus on hardening identity infrastructure, enforcing multifactor authentication (MFA) on all accounts, and treating cloud admins/tenant admins with the same level of security and credential hygiene as Domain Admins.

Close security blind spots: Organizations should verify that their security tools are running in optimum configuration and perform regular network scans to ensure a security product protects all systems.

Reduce the attack surface: Establish attack surface reduction rules to prevent common attack techniques used in ransomware attacks. In observed attacks from several ransomware-associated activity groups, organizations with clearly defined rules have been able to mitigate attacks in their initial stages while preventing hands-on-keyboard activity.

Evaluate the perimeter: Organizations must identify and secure perimeter systems that attackers might use to access the network. External attack surface scanning services, such as RiskIQ, can be used to augment internal data.

Harden internet-facing assets: Ransomware attackers and access brokers use unpatched vulnerabilities, whether already disclosed or zero-day, especially in the initial access stage. They also rapidly adopt new vulnerabilities. To further reduce exposure, organizations can use the threat and vulnerability management capabilities in endpoint detection and response products to discover, prioritize, and remediate vulnerabilities and misconfigurations.

Prepare for recovery: The best ransomware defense should include plans to recover quickly in the event of an attack. It will cost less to recover from an attack than to pay a ransom, so be sure to conduct regular backups of your critical systems and protect those backups against deliberate erasure and encryption. If possible, store backups in online immutable storage or fully offline or off-site.

Further defense against ransomware attacks

The multi-faceted threat of the new ransomware economy and elusive nature of human-operated ransomware attacks require organizations to adopt a comprehensive approach to security.

The steps we outlined above help defend against common attack patterns and will go a long way in preventing ransomware attacks. To further stiffen defenses against traditional and human-operated ransomware and other threats, use security tools that can provide deep cross-domain visibility and unified investigation capabilities.

For an additional overview of ransomware complete with tips and best practices for prevention, detection, and remediation, see Protect your organization from ransomware, and for even more in-depth information on human-operated ransomware, read Senior Security Researcher Jessica Payne’s Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself.

Cyberthreat Minute: The scale and scope of worldwide cybercrime in 60 seconds

During a cyberattack, every second counts. To illustrate the scale and scope of worldwide cybercrime, we've condensed a year's worth of cybersecurity research into one 60-second window.

August 1, 2022

Cybercrime is big and growing bigger. As the threat landscape evolves and security perimeters expand, we aim to frame a macro problem on a micro scale. To illuminate the top threats organizations face in a year, we have broken down a year’s cybercrime research by the minute.

Today’s threat landscape

In any given 60-second window, the following malicious activity is happening.

The new threat infrastructure detections insight comes from internal RiskIQ data. Microsoft acquired RiskIQ in 2021 to help organizations assess the security of their entire digital enterprise.

Microsoft security data

Microsoft operates global services at a massive scale, allowing us to see, aggregate, and correlate threat signals across the globe and from a variety of industries. Our diverse spectrum of threat data from endpoints, identities, applications, and the cloud is reasoned over by our security researchers, who help to generate a high-fidelity picture of the current state of the threat landscape.

Cost of cybercrime

Cybercrime is a disruptive and economically corrosive force that causes trillions of dollars in damages every year. The cost of cybercrime comes from damage done to data and property, stolen assets—including intellectual property—and the disruption of business systems and productivity.

The expanding internet

As the internet continues to expand, opportunities for cybercrime expand too. And the same applies to organizations. The cloud migration, new digital initiatives, and shadow IT increase the size of the attack surface, and at the enterprise level, that can mean a vast estate spanning multiple clouds and massively complex ecosystems. Meanwhile, flourishing cheap infrastructure and flourishing cybercrime economies grow the threat landscape that organizations must track.


The threat landscape is dynamic, and Microsoft has an unparalleled view. We track more than 24 trillion signals every day to develop dynamic, hyper-relevant threat intelligence that evolves with the attack surface and helps us to detect and respond to threats rapidly.

We also offer this intelligence directly to customers, giving them a deep and unique view of the threat landscape, a 360-degree understanding of their exposure to it, and tools to mitigate and respond.


Anatomy of an external attack surface

April 19, 2022

Traditionally, the security strategy of most organizations has been a defense-in-depth approach starting at the perimeter and layering back to the assets that should be protected. However, there are disconnects between that kind of strategy and the attack surface, as presented in this report. In today’s world of digital engagement, users sit outside the perimeter—as do an increasing number of exposed corporate digital assets and many of the malicious actors. Applying Zero Trust principles across corporate resources can help secure today’s workforce—protecting people, devices, applications, and data no matter their location or the scale of threats faced. Microsoft Security offers a series of targeted evaluation tools to help you assess the Zero Trust maturity stage of your organization.


Threat infrastructure is more than what’s on the network

The global attack surface is a part of an organization’s attack surface, too

Today’s global internet attack surface has transformed dramatically into a dynamic, all-encompassing, and completely entwined ecosystem that we’re all a part of. If you have an internet presence, you interconnect with everyone else, including those that want to do you harm. For this reason, tracking threat infrastructure is just as important as tracking your own infrastructure.

Different threat groups will recycle and share infrastructure—IPs, domains, and certificates—and with the rise of economies that sell crimeware-as-a-service and other cybercrime commodities, threat infrastructure can transcend threat actors and groups.

More than 560,000 new pieces of malware are detected every day, and the number of phishing kits advertised on underground cybercrime marketplaces doubled between 2018 and 2019. RiskIQ now detects a Cobalt Strike C2 server every 49 minutes.


The mobile attack surface goes beyond major mobile app stores

App stores across the world contain apps targeting organizations and their customers

Each year, businesses invest more in mobile as the average consumer’s lifestyle becomes more mobile-centric. Americans now spend more time on mobile than watching live TV, and social distancing caused them to migrate more of their physical needs to mobile, such as shopping and education. App Annie shows that mobile spending grew to a staggering $170 billion in 2021, year-over-year growth of 19 percent.[12]

This demand for mobile creates a massive proliferation of mobile apps. Users downloaded 218 billion apps in 2020. Meanwhile, RiskIQ noted a 33 percent overall growth in mobile apps available in 2020, with 23 appearing every minute.[2]

For organizations, these apps drive business outcomes. However, they can be a double-edged sword. The app landscape is a significant portion of an enterprise’s overall attack surface that exists beyond the firewall, where security teams often suffer from a critical lack of visibility. Threat actors have made a living taking advantage of this myopia to produce “rogue apps” that mimic well-known brands or otherwise purport to be something they’re not, purpose-built to fool customers into downloading them. Once an unsuspecting user downloads these malicious apps, threat actors can have their way, phishing for sensitive information or uploading malware to devices. RiskIQ blocklists a malicious mobile app every five minutes.

These rogue apps appear in official stores on rare occasions, even breaching the major app stores’ robust defenses. However, hundreds of less reputable app stores represent a murky mobile underworld outside of the relative safety of reputable stores. Apps in these stores are far less regulated than those in official app stores, and some are so overrun with malicious apps that they outnumber the safe offerings.
