# Human-operated ransomware

**[docs.microsoft.com/en-us/security/compass/human-operated-ransomware](https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware)**

Article 02/19/2022

Ransomware is a type of extortion attack that destroys or encrypts files and folders, preventing access to critical data.

Commodity ransomware typically spreads like a virus that infects devices and only requires malware remediation.

Human-operated ransomware is the result of an active attack by cybercriminals that infiltrate an organization’s on-premises or cloud IT infrastructure, elevate their privileges, and deploy ransomware to critical data.

These “hands-on-keyboard” attacks target an organization rather than a single device and leverage human attackers’ knowledge of common system and security misconfigurations to infiltrate the organization, navigate the enterprise network, and adapt to the environment and its weaknesses as they go.

Hallmarks of these human-operated ransomware attacks typically include credential theft and lateral movement and can result in deployment of a ransomware payload to high business impact resources the attackers choose.

These attacks can be catastrophic to business operations and are difficult to clean up, requiring complete adversary eviction to protect against future attacks. Unlike commodity ransomware that only requires malware remediation, human-operated ransomware will continue to threaten your business operations after the initial encounter.

This figure shows how this extortion-based attack that uses maintenance and security configuration gaps and privileged access is growing in impact and likelihood.

## Protect your organization against ransomware and extortion

For a comprehensive view of ransomware and extortion and how to protect your organization, use the information in the **Human-Operated Ransomware Mitigation Project Plan** PowerPoint presentation. Here's a summary of the guidance:

The stakes of ransomware and extortion-based attacks are high. However, the attacks have weaknesses that can reduce your likelihood of being attacked. There are three phases to configure your infrastructure to exploit attack weaknesses.

To quickly configure your IT infrastructure for the best protection, see the *Protect your organization against ransomware and extortion* solution, which covers the three phases:

1. Prepare your organization to recover from an attack without having to pay the ransom.
2. Limit the scope of damage of an attack by protecting privileged roles.
3. Make it harder for an attacker to get into your environment by incrementally removing risks.

[Download the Protect your organization from ransomware poster for an overview of the three phases as layers of protection against ransomware attackers.](https://download.microsoft.com/download/5/e/3/5e37cbff-9a7a-45b2-8b95-6d3cc5426301/protect-your-organization-from-ransomware.pdf)

## Additional ransomware resources

Key information from Microsoft:

- [The growing threat of ransomware, Microsoft On the Issues blog post on July 20, 2021](https://blogs.microsoft.com/on-the-issues/2021/07/20/the-growing-threat-of-ransomware/)
- [Rapidly protect against ransomware and extortion](https://docs.microsoft.com/en-us/security/compass/protect-against-ransomware)
- [2021 Microsoft Digital Defense Report (see pages 10-19)](https://www.microsoft.com/security/business/microsoft-digital-defense-report)
- [*Ransomware: A pervasive and ongoing threat* threat analytics report in the Microsoft 365 Defender portal](https://security.microsoft.com/threatanalytics3/05658b6c-dc62-496d-ad3c-c6a795a33c27/overview)
- Microsoft's Detection and Response Team (DART) ransomware approach and best practices and [case study](https://docs.microsoft.com/en-us/security/compass/dart-ransomware-case-study)

Microsoft 365:

- [Deploy ransomware protection for your Microsoft 365 tenant](https://docs.microsoft.com/en-us/microsoft-365/solutions/ransomware-protection-microsoft-365)
- [Maximize Ransomware Resiliency with Azure and Microsoft 365](https://azure.microsoft.com/resources/maximize-ransomware-resiliency-with-azure-and-microsoft-365/)
- [Recover from a ransomware attack](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/recover-from-ransomware)
- [Malware and ransomware protection](https://docs.microsoft.com/en-us/compliance/assurance/assurance-malware-and-ransomware-protection)
- [Protect your Windows 10 PC from ransomware](https://support.microsoft.com//windows/protect-your-pc-from-ransomware-08ed68a7-939f-726c-7e84-a72ba92c01c3)
- [Handling ransomware in SharePoint Online](https://docs.microsoft.com/en-us/sharepoint/troubleshoot/security/handling-ransomware-in-sharepoint-online)
- [Threat analytics reports for ransomware in the Microsoft 365 Defender portal](https://security.microsoft.com/threatanalytics3?page_size=30&filters=tags%3DRansomware&ordering=-lastUpdatedOn&fields=displayName,alertsCount,impactedEntities,reportType,createdOn,lastUpdatedOn,tags,flag)

Microsoft 365 Defender:

- [Find ransomware with advanced hunting](https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-find-ransomware)

Microsoft Defender for Cloud Apps:

- [Create anomaly detection policies in Defender for Cloud Apps](https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy)

Microsoft Azure:

Microsoft Security team blog posts:

- [3 steps to prevent and recover from ransomware (September 2021)](https://www.microsoft.com/security/blog/2021/09/07/3-steps-to-prevent-and-recover-from-ransomware/)
- [A guide to combatting human-operated ransomware: Part 1 (September 2021)](https://www.microsoft.com/security/blog/2021/09/20/a-guide-to-combatting-human-operated-ransomware-part-1/)

  Key steps on how Microsoft's Detection and Response Team (DART) conducts ransomware incident investigations.
- [A guide to combatting human-operated ransomware: Part 2 (September 2021)](https://www.microsoft.com/security/blog/2021/09/27/a-guide-to-combatting-human-operated-ransomware-part-2/)

  Recommendations and best practices.
- Becoming resilient by understanding cybersecurity risks: Part 4—navigating current threats (May 2021)

  See the Ransomware section.
- [Human-operated ransomware attacks: A preventable disaster (March 2020)](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/)

  Includes attack chain analyses of actual attacks.
- [Ransomware response—to pay or not to pay? (December 2019)](https://www.microsoft.com/security/blog/2019/12/16/ransomware-response-to-pay-or-not-to-pay/)
- [Norsk Hydro responds to ransomware attack with transparency (December 2019)](https://www.microsoft.com/security/blog/2019/12/17/norsk-hydro-ransomware-attack-transparency/)