{
	"id": "302dd4f3-f321-41fb-a133-ffec115601f9",
	"created_at": "2026-04-06T00:19:24.993376Z",
	"updated_at": "2026-04-10T03:35:13.815042Z",
	"deleted_at": null,
	"sha1_hash": "7556bbae29ee26c1b5abc6ba024b3c1b84d8140d",
	"title": "What is ransomware?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 74540,
	"plain_text": "What is ransomware?\r\nBy kenwith\r\nArchived: 2026-04-05 22:41:30 UTC\r\nIn practice, a ransomware attack blocks access to your data until a ransom is paid.\r\nRansomware is a type of malware, commonly delivered through phishing, that encrypts or destroys files and\r\nfolders on a computer, server, or device.\r\nOnce devices or files are locked or encrypted, cybercriminals extort money from the business or device owner\r\nin exchange for a key to unlock the encrypted data. Even when the ransom is paid, cybercriminals might never\r\nprovide the key, leaving the data permanently inaccessible.\r\nMicrosoft Security Copilot leverages AI to help mitigate ransomware attacks. For more Microsoft solutions to\r\nransomware, visit our Ransomware solutions library.\r\nRansomware can be automated or involve human hands on a keyboard - a human-operated attack, such as seen in\r\nrecent attacks using LockBit ransomware.\r\nHuman-operated ransomware attacks involve the following stages:\r\n1. Initial compromise - The threat actor first gains access to a system or environment following a period of\r\nreconnaissance to identify weaknesses in defense.\r\n2. Persistence and defense evasion - The threat actor establishes a foothold in the system or environment\r\nusing a backdoor or other mechanism that operates in stealth to avoid detection by incident response teams.\r\n3. Lateral movement - The threat actor uses the initial point of entry to move to other systems connected\r\nto the compromised device or network environment.\r\n4. Credential access - The threat actor harvests user or system credentials, for example with a fake sign-in page.\r\n5. Data theft - The threat actor steals financial or other data from compromised users or systems.\r\n6. 
Impact - The affected user or organization might suffer material or reputational damage.\r\nMicrosoft Defender XDR - Microsoft Defender XDR includes automated attack disruption\r\ncapabilities that can protect your environment from sophisticated, high-impact attacks, including human-operated ransomware.\r\nMicrosoft Sentinel - SIEM solution that helps stop a ransomware attack in its tracks by using machine learning\r\nto combine disparate data (network, identity, SaaS, and endpoints) from both Microsoft and partner data\r\nsources.\r\nSecurity Copilot - During an active ransomware attack, Security Copilot uses machine learning to provide\r\nthorough context so security professionals can share clear, concise, and comprehensive summaries of\r\nactive incidents. This gives targeted entities a deep understanding of the situation, even when an incident\r\noccurs after business hours.\r\nhttps://docs.microsoft.com/en-us/security/compass/human-operated-ransomware\r\nPage 1 of 5\n\nQakbot – Uses phishing to spread malicious links, malicious attachments, and to drop malicious payloads\r\nlike Cobalt Strike Beacon\r\nRyuk – Data encryptor typically targeting Windows\r\nTrickbot – Has targeted Microsoft applications such as Excel and Word. Trickbot was typically delivered\r\nvia email campaigns that used current events or financial lures to entice users to open malicious file\r\nattachments or click links to websites hosting the malicious files. 
Since 2022, Microsoft’s mitigation of\r\ncampaigns using this malware appears to have disrupted its usefulness.\r\nLockBit – Financially motivated ransomware-as-a-service (RaaS) campaign and the most prolific ransomware\r\nthreat actor in the 2023-24 time period\r\nBlack Basta – Gains access through spear-phishing emails and uses PowerShell to launch an encryption\r\npayload\r\nStorm-1674 (DarkGate and ZLoader) - Storm-1674 is an access broker known for distributing DarkGate,\r\nSectopRAT, and Zloader and handing off access to threat actors like Storm-0506 and Sangria Tempest.\r\nMeanwhile, Storm-1811 is a threat actor known for social engineering attacks leading to the deployment of\r\nBlack Basta using Qakbot and other malware. In late October to early November, Storm-1811 was observed\r\nflooding target email addresses with spam (an email bombing attack) before posing as help desk personnel offering to\r\nhelp with the spam problem. In this new campaign, Storm-1811 was observed deploying a new malware loader\r\ncalled ReedBed.\r\nMicrosoft Defender data shows that the most widespread ransomware variants in the last quarter of 2024 were\r\nAkira, FOG, Qilin, Lynx, RansomHub, and Black Basta. This period also saw the new\r\nransomware variants SafePay and Hellcat. March 2025 saw the resurgence of Qilin ransomware, deployed by the threat\r\nactor Moonstone Sleet.\r\nTo help mitigate in-progress ransomware attacks, Microsoft Incident Response can leverage and deploy Microsoft\r\nDefender for Identity — a cloud-based security solution that helps detect and respond to identity-related threats.\r\nBringing identity monitoring into incident response early supports the affected organization's security operations\r\nteam to regain control. Microsoft Incident Response uses Defender for Identity to help identify the incident scope\r\nand impacted accounts, protect critical infrastructure, and evict the threat actor. 
The response team then brings in\r\nMicrosoft Defender for Endpoint to trace the threat actor’s movements and disrupt their attempts to use\r\ncompromised accounts to reenter the environment. After containing the incident and regaining full\r\nadministrative control over the environment, Microsoft Incident Response collaborates with the customer to help\r\nprevent future cyberattacks.\r\nCommodity ransomware attacks are often automated. These cyber attacks can spread like a virus, infect devices\r\nthrough methods like email phishing and malware delivery, and require malware remediation.\r\nYou can safeguard your email system using Microsoft Defender for Office 365, which protects against\r\nmalware and phishing delivery. Microsoft Defender for Endpoint works alongside Defender for Office 365 to\r\nautomatically detect and block suspicious activity on your devices, while Microsoft Defender XDR detects\r\nmalware and phishing attempts early.\r\nHuman-operated ransomware is the result of an active attack by cybercriminals who infiltrate an organization's\r\non-premises or cloud IT infrastructure, elevate their privileges, and deploy ransomware to critical data.\r\nThese \"hands-on-keyboard\" attacks usually target organizations rather than a single device.\r\nHuman-operated also means there's a human threat actor using their insights into common system and security\r\nmisconfigurations. They aim to infiltrate the organization, navigate the network, and adapt to the environment and\r\nits weaknesses.\r\nHallmarks of these human-operated ransomware attacks typically include credential theft and lateral movement\r\nwith an elevation of the privileges in stolen accounts.\r\nActivities might take place during maintenance windows and involve security configuration gaps discovered by\r\ncybercriminals. 
The goal is the deployment of a ransomware payload to whatever high business impact\r\nresources the threat actors choose.\r\nImportant\r\nThese attacks can be catastrophic to business operations and are difficult to clean up, requiring complete\r\nadversary eviction to protect against future attacks. Unlike commodity ransomware, which usually only requires\r\nmalware remediation, human-operated ransomware will continue to threaten your business operations after\r\nthe initial encounter.\r\nTip\r\nFor Azure-specific protection strategies and native capabilities to defend against ransomware in cloud\r\nenvironments, see Ransomware protection in Azure.\r\nThe impact and likelihood that human-operated ransomware attacks will continue\r\nFirst, prevent phishing and malware delivery: use Microsoft Defender for Office 365 to protect against malware\r\nand phishing delivery, Microsoft Defender for Endpoint to automatically detect and block suspicious activity on\r\nyour devices, and Microsoft Defender XDR to detect malware and phishing attempts early.\r\nFor a comprehensive view of ransomware and extortion and how to protect your organization, use the information\r\nin the Human-Operated Ransomware Mitigation Project Plan PowerPoint presentation.\r\n1. Assess the situation by analyzing the suspicious activity that alerted your team to the attack.\r\n2. What time/date did you first learn of the incident? What logs are available, and is there any indication that\r\nthe actor is currently accessing systems?\r\n3. Identify the affected line-of-business (LOB) applications, and get any impacted systems back online. Does\r\nthe affected application require an identity that might have been compromised?\r\n4. Are backups of the application, configuration, and data available and regularly verified using a restore\r\nexercise?\r\n5. 
Determine the compromise recovery (CR) process to remove the threat actor from the environment.\r\nThe summary of the guidance in the Human-Operated Ransomware Mitigation Project Plan\r\nThe stakes of ransomware and extortion-based attacks are high.\r\nHowever, the attacks have weaknesses that can reduce your likelihood of being attacked.\r\nThere are three steps to configuring your infrastructure to exploit those weaknesses. See the Protect your organization against ransomware and\r\nextortion solution to quickly configure your IT infrastructure for the best protection:\r\n1. Prepare your organization to recover from an attack without having to pay the ransom.\r\n2. Limit the scope of damage of a ransomware attack by protecting privileged roles.\r\n3. Make it harder for a threat actor to access your environment by incrementally removing risks.\r\nThe three steps to protecting against ransomware and extortion\r\nDownload the Protect your organization from ransomware poster for an overview of the three phases as layers of\r\nprotection against ransomware attacks.\r\nThe \"Protect your organization from ransomware\" poster\r\nKey information from Microsoft:\r\nThe latest ransomware trends from Microsoft, Microsoft latest ransomware blog\r\n2024 Microsoft Digital Defense Report\r\nMicrosoft 365:\r\nDeploy ransomware protection for your Microsoft 365 tenant\r\nMicrosoft Defender XDR:\r\nFind ransomware with advanced hunting\r\nMicrosoft Defender for Cloud Apps:\r\nCreate anomaly detection policies in Defender for Cloud Apps\r\nMicrosoft Azure:\r\nAzure Defenses for Ransomware Attack\r\nRansomware protection in Azure\r\nMicrosoft Copilot for Security:\r\nDefend against human-operated ransomware attacks with Microsoft Copilot for Security\r\nOpenAI key ransomware mitigation strategies, in ChatGPT’s own words, include:\r\n1. 
Training data curation\r\n2. Safety layers and filters\r\n3. Empirical testing and red teaming\r\n4. Continuous monitoring\r\n5. Alignment and safety research\r\n6. Community reporting and feedback\r\n7. Partnerships and policies\r\nFor more detailed information, refer to OpenAI's official documentation on their approach to AI safety and misuse\r\nmitigation.\r\nMicrosoft Security ransomware mitigation resources:\r\nSee the latest list of ransomware articles in the Microsoft Security Blog.\r\nNavigating recent ransomware threats (June 2024)\r\nSource: https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware"
	],
	"report_names": [
		"human-operated-ransomware"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a602818a-34da-445f-9bac-715cc9b47a3d",
			"created_at": "2025-07-12T02:04:58.190857Z",
			"updated_at": "2026-04-10T02:00:03.850831Z",
			"deleted_at": null,
			"main_name": "GOLD PUMPKIN",
			"aliases": [
				"HellCat"
			],
			"source_name": "Secureworks:GOLD PUMPKIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f994aa54-3581-460a-9c1f-5ca6b1af4aa1",
			"created_at": "2024-08-20T02:00:04.537819Z",
			"updated_at": "2026-04-10T02:00:03.686083Z",
			"deleted_at": null,
			"main_name": "Storm-0506",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-0506",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "45e6e2b3-43fe-44cd-8025-aea18a7f488f",
			"created_at": "2024-06-20T02:02:09.897489Z",
			"updated_at": "2026-04-10T02:00:04.769917Z",
			"deleted_at": null,
			"main_name": "Moonstone Sleet",
			"aliases": [
				"Storm-1789",
				"Stressed Pungsan"
			],
			"source_name": "ETDA:Moonstone Sleet",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "908cf62e-45cd-492b-bf12-d0902e12fece",
			"created_at": "2024-08-20T02:00:04.543947Z",
			"updated_at": "2026-04-10T02:00:03.68848Z",
			"deleted_at": null,
			"main_name": "UNC4393",
			"aliases": [
				"Storm-1811",
				"CURLY SPIDER",
				"STAC5777"
			],
			"source_name": "MISPGALAXY:UNC4393",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "28523c53-1944-4ff0-bbdc-89b06e4e3c84",
			"created_at": "2024-11-01T02:00:52.752463Z",
			"updated_at": "2026-04-10T02:00:05.359782Z",
			"deleted_at": null,
			"main_name": "Moonstone Sleet",
			"aliases": [
				"Moonstone Sleet",
				"Storm-1789"
			],
			"source_name": "MITRE:Moonstone Sleet",
			"tools": [
				"Qilin"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fa806f03-ec33-42db-99ee-59db37666ee0",
			"created_at": "2024-02-02T02:00:04.090714Z",
			"updated_at": "2026-04-10T02:00:03.566756Z",
			"deleted_at": null,
			"main_name": "Storm-1674",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-1674",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6bc98fce-5e1c-46d8-9d1a-64b5cb5febc3",
			"created_at": "2025-04-23T02:00:55.20526Z",
			"updated_at": "2026-04-10T02:00:05.307504Z",
			"deleted_at": null,
			"main_name": "Storm-1811",
			"aliases": [
				"Storm-1811"
			],
			"source_name": "MITRE:Storm-1811",
			"tools": [
				"Black Basta",
				"Cobalt Strike",
				"Quick Assist",
				"BITSAdmin",
				"PsExec",
				"Impacket",
				"QakBot"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434764,
	"ts_updated_at": 1775792113,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7556bbae29ee26c1b5abc6ba024b3c1b84d8140d.pdf",
		"text": "https://archive.orkl.eu/7556bbae29ee26c1b5abc6ba024b3c1b84d8140d.txt",
		"img": "https://archive.orkl.eu/7556bbae29ee26c1b5abc6ba024b3c1b84d8140d.jpg"
	}
}