{"id":90684,"date":"2020-03-05T09:00:31","date_gmt":"2020-03-05T17:00:31","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/?p=90684"},"modified":"2025-06-26T23:58:35","modified_gmt":"2025-06-27T06:58:35","slug":"human-operated-ransomware-attacks-a-preventable-disaster","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/03\/05\/human-operated-ransomware-attacks-a-preventable-disaster\/","title":{"rendered":"Human-operated ransomware attacks: A preventable disaster"},"content":{"rendered":"\n

Human-operated ransomware<\/a> campaigns pose a significant and growing threat to businesses and represent one of the most impactful trends in cyberattacks today. In these hands-on-keyboard attacks, which are different from auto-spreading ransomware like WannaCry or NotPetya, adversaries employ credential theft and lateral movement methods traditionally associated with targeted attacks like those from nation-state actors. They exhibit extensive knowledge of systems administration and common network security misconfigurations, perform thorough reconnaissance, and adapt to what they discover in a compromised network.<\/p>\n\n\n\n

\n
\n

These attacks are known to take
advantage of network configuration
weaknesses and vulnerable services
to deploy ransomware payloads. And
while ransomware is the very visible action taken in these attacks, human operators also deliver other malicious payloads, steal credentials, and access
and exfiltrate data from compromised networks.<\/p>\n<\/div>\n\n\n\n

Additional resources<\/em><\/strong> Protect your organization against ransomware:\u00a0<\/em>aka.ms\/ransomware<\/em><\/a>
earn how attackers operate:\u00a0<\/em>Ransomware groups continue to target healthcare, critical services; here\u2019s how to reduce risk<\/em><\/a><\/p>\n<\/div>\n\n\n\n

News about ransomware attacks often focus on the downtimes they cause, the ransom payments, and the details of the ransomware payload, leaving out details of the oftentimes long-running campaigns and preventable domain compromise that allow these human-operated attacks to succeed.<\/p>\n\n\n\n

Based on our investigations, these campaigns appear unconcerned with stealth and have shown that they could operate unfettered in networks. Human operators compromise accounts with higher privileges, escalate privilege, or use credential dumping techniques to establish a foothold on machines and continue unabated in infiltrating target environments.<\/p>\n\n\n\n

Human-operated ransomware campaigns often start with \u201ccommodity malware\u201d like banking Trojans or \u201cunsophisticated\u201d attack vectors that typically trigger multiple detection alerts; however, these tend to be triaged as unimportant and therefore not thoroughly investigated and remediated. In addition, the initial payloads are frequently stopped by antivirus solutions, but attackers just deploy a different payload or use administrative access to disable the antivirus without attracting the attention of incident responders or security operations centers (SOCs).<\/p>\n\n\n\n

Some well-known human-operated ransomware campaigns include REvil, Samas<\/a>, Bitpaymer, and Ryuk. Microsoft actively monitors these and other long-running human-operated ransomware campaigns, which have overlapping attack patterns. They take advantage of similar security weaknesses, highlighting a few key lessons in security, notably that these attacks are often preventable and detectable.<\/p>\n\n\n\n

Combating and preventing attacks of this nature requires a shift in mindset, one that focuses on comprehensive protection required to slow and stop attackers before they can succeed. Human-operated attacks will continue to take advantage of security weaknesses to deploy destructive attacks until defenders consistently and aggressively apply security best practices to their networks. In this blog, we will highlight case studies of human-operated ransomware campaigns that use different entrance vectors and post-exploitation techniques but have overwhelming overlap in the security misconfigurations they abuse and the impact they have on organizations.<\/p>\n\n\n\n

PARINACOTA group: Smash-and-grab monetization campaigns<\/h2>\n\n\n\n

One actor that has emerged in this trend of human-operated attacks is an active, highly adaptive group that frequently drops Wadhrama as payload. Microsoft has been tracking this group for some time, but now refers to them as PARINACOTA, using our new naming designation for digital crime actors based on global volcanoes.<\/p>\n\n\n\n

PARINACOTA impacts three to four organizations every week and appears quite resourceful: during the 18 months that we have been monitoring it, we have observed the group change tactics to match its needs and use compromised machines for various purposes, including cryptocurrency mining, sending spam emails, or proxying for other attacks. The group\u2019s goals and payloads have shifted over time, influenced by the type of compromised infrastructure, but in recent months, they have mostly deployed the Wadhrama ransomware.<\/p>\n\n\n\n

The group most often employs a smash-and-grab method, whereby they attempt to infiltrate a machine in a network and proceed with subsequent ransom in less than an hour. There are outlier campaigns in which they attempt reconnaissance and lateral movement, typically when they land on a machine and network that allows them to quickly and easily move throughout the environment.<\/p>\n\n\n\n

PARINACOTA\u2019s attacks typically brute forces their way into servers that have Remote Desktop Protocol (RDP) exposed to the internet, with the goal of moving laterally inside a network or performing further brute-force activities against targets outside the network. This allows the group to expand compromised infrastructure under their control. Frequently, the group targets built-in local administrator accounts or a list of common account names. In other instances, the group targets Active Directory (AD) accounts that they compromised or have prior knowledge of, such as service accounts of known vendors.<\/p>\n\n\n\n

The group adopted the RDP brute force technique that the older ransomware called Samas (also known as SamSam) infamously used. Other malware families like GandCrab, MegaCortext, LockerGoga, Hermes, and RobbinHood have also used this method in targeted ransomware attacks. PARINACOTA, however, has also been observed to adapt to any path of least resistance they can utilize. For instance, they sometimes discover unpatched systems and use disclosed vulnerabilities to gain initial access or elevate privileges.<\/p>\n\n\n\n

\"Wadhrama<\/figure>\n\n\n\n

Figure 1. PARINACOTA infection chain<\/em><\/p>\n\n\n\n

We gained insight into these attacks by investigating compromised infrastructure that the group often utilizes to proxy attacks onto their next targets. To find targets, the group scans the internet for machines that listen on RDP port 3389. The attackers do this from compromised machines using tools like Masscan.exe,<\/em> which can find vulnerable machines on the entire internet in under six minutes.<\/p>\n\n\n\n

Once a vulnerable target is found, the group proceeds with a brute force attack using tools like NLbrute.exe<\/em> or ForcerX, starting with common usernames like \u2018admin\u2019, \u2018administrator\u2019, \u2018guest\u2019, or \u2018test\u2019. After successfully gaining access to a network, the group tests the compromised machine for internet connectivity and processing capacity. They determine if the machine meets certain requirements before using it to conduct subsequent RDP brute force attacks against other targets. This tactic, which has not been observed being used by similar ransomware operators, gives them access to additional infrastructure that is less likely to be blocked. In fact, the group has been observed leaving their tools running on compromised machines for months on end.<\/p>\n\n\n\n

On machines that the group doesn\u2019t use for subsequent RDP brute-force attacks, they proceed with a separate set of actions. This technique helps the attackers evade reputation-based detection, which may block their scanning boxes; it also preserves their command-and-control (C2) infrastructure. In addition, PARINACOTA utilizes administrative privileges gained via stolen credentials to turn off or stop any running services that might lead to their detection. Tamper protection <\/a>in Microsoft Defender ATP prevents malicious and unauthorized to settings, including antivirus solutions and cloud-based detection capabilities.<\/p>\n\n\n\n

After disabling security solutions, the group often downloads a ZIP archive that contains dozens of well-known attacker tools and batch files for credential theft, persistence, reconnaissance, and other activities without fear of the next stages of the attack being prevented. With these tools and batch files, the group clears event logs using wevutil.exe<\/em>, as well as conducts extensive reconnaissance on the machine and the network, typically looking for opportunities to move laterally using common network scanning tools. When necessary, the group elevates privileges from local administrator to SYSTEM using accessibility features in conjunction with a batch file or exploit-laden files named after the specific CVEs they impact, also known as the \u201cSticky Keys\u201d attack.<\/p>\n\n\n\n

The group dumps credentials from the LSASS process, using tools like Mimikatz and ProcDump, to gain access to matching local administrator passwords or service accounts with high privileges that may be used to start as a scheduled task or service, or even used interactively. PARINACOTA then uses the same remote desktop session to exfiltrate acquired credentials. The group also attempts to get credentials for specific banking or financial websites, using findstr.exe<\/em> to check for cookies associated with these sites.<\/p>\n\n\n\n

\"Microsoft<\/figure>\n\n\n\n

Figure 2. Microsoft Defender ATP alert for credential theft<\/em><\/p>\n\n\n\n

With credentials on hand, PARINACOTA establishes persistence using various methods, including:<\/p>\n\n\n\n