{
	"id": "eea72bfd-745a-462f-9403-4bf89c91808c",
	"created_at": "2026-04-06T00:13:48.298096Z",
	"updated_at": "2026-04-10T03:34:57.912178Z",
	"deleted_at": null,
	"sha1_hash": "d188680eff339121bbbd3f81218a0bb42e31b5a3",
	"title": "Human-operated ransomware attacks: A preventable disaster | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1954411,
	"plain_text": "Human-operated ransomware attacks: A preventable disaster |\r\nMicrosoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2020-03-05 · Archived: 2026-04-05 16:27:02 UTC\r\nHuman-operated ransomware campaigns pose a significant and growing threat to businesses and represent one of\r\nthe most impactful trends in cyberattacks today. In these hands-on-keyboard attacks, which are different from\r\nauto-spreading ransomware like WannaCry or NotPetya, adversaries employ credential theft and lateral movement\r\nmethods traditionally associated with targeted attacks like those from nation-state actors. They exhibit extensive\r\nknowledge of systems administration and common network security misconfigurations, perform thorough\r\nreconnaissance, and adapt to what they discover in a compromised network.\r\nNews about ransomware attacks often focus on the downtimes they cause, the ransom payments, and the details of\r\nthe ransomware payload, leaving out details of the oftentimes long-running campaigns and preventable domain\r\ncompromise that allow these human-operated attacks to succeed.\r\nBased on our investigations, these campaigns appear unconcerned with stealth and have shown that they could\r\noperate unfettered in networks. Human operators compromise accounts with higher privileges, escalate privilege,\r\nor use credential dumping techniques to establish a foothold on machines and continue unabated in infiltrating\r\ntarget environments.\r\nHuman-operated ransomware campaigns often start with “commodity malware” like banking Trojans or\r\n“unsophisticated” attack vectors that typically trigger multiple detection alerts; however, these tend to be triaged\r\nas unimportant and therefore not thoroughly investigated and remediated. 
In addition, the initial payloads are\r\nfrequently stopped by antivirus solutions, but attackers just deploy a different payload or use administrative access\r\nto disable the antivirus without attracting the attention of incident responders or security operations centers\r\n(SOCs).\r\nSome well-known human-operated ransomware campaigns include REvil, Samas, Bitpaymer, and Ryuk.\r\nMicrosoft actively monitors these and other long-running human-operated ransomware campaigns, which have\r\noverlapping attack patterns. They take advantage of similar security weaknesses, highlighting a few key lessons in\r\nsecurity, notably that these attacks are often preventable and detectable.\r\nCombating and preventing attacks of this nature requires a shift in mindset, one that focuses on comprehensive\r\nprotection required to slow and stop attackers before they can succeed. Human-operated attacks will continue to\r\ntake advantage of security weaknesses to deploy destructive attacks until defenders consistently and aggressively\r\napply security best practices to their networks. In this blog, we will highlight case studies of human-operated\r\nransomware campaigns that use different entrance vectors and post-exploitation techniques but have\r\noverwhelming overlap in the security misconfigurations they abuse and the impact they have on organizations.\r\nPARINACOTA group: Smash-and-grab monetization campaigns\r\nhttps://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/\r\nPage 1 of 18\n\nOne actor that has emerged in this trend of human-operated attacks is an active, highly adaptive group that\r\nfrequently drops Wadhrama as payload. 
Microsoft has been tracking this group for some time, but now refers to\r\nthem as PARINACOTA, using our new naming designation for digital crime actors based on global volcanoes.\r\nPARINACOTA impacts three to four organizations every week and appears quite resourceful: during the 18\r\nmonths that we have been monitoring it, we have observed the group change tactics to match its needs and use\r\ncompromised machines for various purposes, including cryptocurrency mining, sending spam emails, or proxying\r\nfor other attacks. The group’s goals and payloads have shifted over time, influenced by the type of compromised\r\ninfrastructure, but in recent months, they have mostly deployed the Wadhrama ransomware.\r\nThe group most often employs a smash-and-grab method, whereby they attempt to infiltrate a machine in a\r\nnetwork and proceed with subsequent ransom in less than an hour. There are outlier campaigns in which they\r\nattempt reconnaissance and lateral movement, typically when they land on a machine and network that allows\r\nthem to quickly and easily move throughout the environment.\r\nPARINACOTA typically brute-forces its way into servers that have Remote Desktop Protocol (RDP)\r\nexposed to the internet, with the goal of moving laterally inside a network or performing further brute-force\r\nactivities against targets outside the network. This allows the group to expand compromised infrastructure under\r\ntheir control. Frequently, the group targets built-in local administrator accounts or a list of common account\r\nnames. In other instances, the group targets Active Directory (AD) accounts that they compromised or have prior\r\nknowledge of, such as service accounts of known vendors.\r\nThe group adopted the RDP brute force technique that the older ransomware called Samas (also known as\r\nSamSam) infamously used. 
Other malware families like GandCrab, MegaCortex, LockerGoga, Hermes, and\r\nRobbinHood have also used this method in targeted ransomware attacks. PARINACOTA, however, has also been\r\nobserved to adapt to any path of least resistance they can utilize. For instance, they sometimes discover unpatched\r\nsystems and use disclosed vulnerabilities to gain initial access or elevate privileges.\r\nFigure 1. PARINACOTA infection chain\r\nWe gained insight into these attacks by investigating compromised infrastructure that the group often utilizes to\r\nproxy attacks onto their next targets. To find targets, the group scans the internet for machines that listen on RDP\r\nport 3389. The attackers do this from compromised machines using tools like Masscan.exe, which can find\r\nvulnerable machines on the entire internet in under six minutes.\r\nOnce a vulnerable target is found, the group proceeds with a brute force attack using tools like NLbrute.exe or\r\nForcerX, starting with common usernames like ‘admin’, ‘administrator’, ‘guest’, or ‘test’. After successfully\r\ngaining access to a network, the group tests the compromised machine for internet connectivity and processing\r\ncapacity. They determine if the machine meets certain requirements before using it to conduct subsequent RDP\r\nbrute force attacks against other targets. This tactic, which has not been observed being used by similar\r\nransomware operators, gives them access to additional infrastructure that is less likely to be blocked. In fact, the\r\ngroup has been observed leaving their tools running on compromised machines for months on end.\r\nOn machines that the group doesn’t use for subsequent RDP brute-force attacks, they proceed with a separate set\r\nof actions. 
This technique helps the attackers evade reputation-based detection, which may block their scanning\r\nboxes; it also preserves their command-and-control (C2) infrastructure. In addition, PARINACOTA utilizes\r\nadministrative privileges gained via stolen credentials to turn off or stop any running services that might lead to\r\ntheir detection. Tamper protection in Microsoft Defender ATP prevents malicious and unauthorized changes to settings,\r\nincluding antivirus solutions and cloud-based detection capabilities.\r\nAfter disabling security solutions, the group often downloads a ZIP archive that contains dozens of well-known\r\nattacker tools and batch files for credential theft, persistence, reconnaissance, and other activities without fear of\r\nthe next stages of the attack being prevented. With these tools and batch files, the group clears event logs\r\nusing wevtutil.exe, as well as conducts extensive reconnaissance on the machine and the network, typically looking\r\nfor opportunities to move laterally using common network scanning tools. When necessary, the group elevates\r\nprivileges from local administrator to SYSTEM using accessibility features in conjunction with a batch file or\r\nexploit-laden files named after the specific CVEs they impact, also known as the “Sticky Keys” attack.\r\nThe group dumps credentials from the LSASS process, using tools like Mimikatz and ProcDump, to gain access to\r\nmatching local administrator passwords or service accounts with high privileges that may be used to start as a\r\nscheduled task or service, or even used interactively. PARINACOTA then uses the same remote desktop session to\r\nexfiltrate acquired credentials. The group also attempts to get credentials for specific banking or financial\r\nwebsites, using findstr.exe to check for cookies associated with these sites.\r\nFigure 2. 
Microsoft Defender ATP alert for credential theft\r\nWith credentials on hand, PARINACOTA establishes persistence using various methods, including:\r\nTo determine the type of payload to deploy, PARINACOTA uses tools like Process Hacker to identify active\r\nprocesses. The attackers don’t always install ransomware immediately; they have been observed installing coin\r\nminers and using massmail.exe to run spam campaigns, essentially using corporate networks as distributed\r\ncomputing infrastructure for profit. The group, however, eventually returns to the same machines after a few\r\nweeks to install ransomware.\r\nThe group performs the same general activities to deliver the ransomware payload:\r\nPlants a malicious HTA file (hta in many instances) using various autostart extensibility points (ASEPs),\r\nbut often the registry Run keys or the Startup folder. The HTA file displays ransom payment instructions.\r\nDeletes local backups using tools like exe to stifle recovery of ransomed files.\r\nStops active services that might interfere with encryption using exe, net.exe, or other tools.\r\nFigure 3. PARINACOTA stopping services and processes\r\nDrops an array of malware executables, often naming the files based on their intended behavior. 
If previous\r\nattempts to stop antivirus software have been unsuccessful, the group simply drops multiple variants of a\r\nmalware until they manage to execute one that is not detected, indicating that even when detections and\r\nalerts are occurring, network admins are either not seeing them or not reacting to them.\r\nAs mentioned, PARINACOTA has recently mostly dropped the Wadhrama ransomware, which leaves the\r\nfollowing ransom note after encrypting target files:\r\nFigure 4. Wadhrama ransom note\r\nIn several observed cases, targeted organizations that were able to resolve ransomware infections were unable to\r\nfully remove persistence mechanisms, allowing the group to come back and deploy ransomware again.\r\nFigure 5. Microsoft Defender ATP machine view showing reinfection by Wadhrama\r\nPARINACOTA routinely uses Monero coin miners on compromised machines, allowing them to collect uniform\r\nreturns regardless of the type of machine they access. Monero is popular among cybercriminals for its privacy\r\nbenefits: Monero not only restricts access to wallet balances, but also mixes in coins from other transactions to\r\nhelp hide the specifics of each transaction, resulting in transactions that aren’t as easily traceable by amount as\r\nother digital currencies.\r\nAs for the ransomware component, we have seen reports of the group charging anywhere from .5 to 2 Bitcoins per\r\ncompromised machine. This varies depending on what the attackers know about the organization and the assets\r\nthat they have compromised. 
The ransom amount is adjusted based on the likelihood the organization will pay due\r\nto impact to their company or the perceived importance of the target.\r\nDoppelpaymer: Ransomware follows Dridex\r\nDoppelpaymer ransomware recently caused havoc in several highly publicized attacks against various\r\norganizations around the world. Some of these attacks involved large ransom demands, with attackers asking for\r\nmillions of dollars in some cases.\r\nDoppelpaymer ransomware, like Wadhrama, Samas, LockerGoga, and Bitpaymer before it, does not have inherent\r\nworm capabilities. Human operators manually spread it within compromised networks using stolen credentials for\r\nprivileged accounts along with common tools like PsExec and Group Policy. They often abuse service accounts,\r\nincluding accounts used to manage security products, that have domain admin privileges to run native commands,\r\noften stopping antivirus software and other security controls.\r\nThe presence of banking Trojans like Dridex on machines compromised by Doppelpaymer points to the possibility\r\nthat Dridex (or other malware) is introduced during earlier attack stages through fake updaters, malicious\r\ndocuments in phishing email, or even by being delivered via the Emotet botnet.\r\nWhile Dridex is likely used as initial access for delivering Doppelpaymer on machines in affected networks, most\r\nof the same networks contain artifacts indicating RDP brute force. This is in addition to numerous indicators of\r\ncredential theft and the use of reconnaissance tools. 
Investigators have in fact found artifacts indicating that\r\naffected networks have been compromised in some manner by various attackers for several months before the\r\nransomware is deployed, showing that these attacks (and others) are successful and unresolved in networks where\r\ndiligence in security controls and monitoring is not applied.\r\nThe use of numerous attack methods reflects how attackers freely operate without disruption – even when\r\navailable endpoint detection and response (EDR) and endpoint protection platform (EPP) sensors already detect\r\ntheir activities. In many cases, some machines run without standard safeguards, like security updates and cloud-delivered antivirus protection. There is also the lack of credential hygiene, over-privileged accounts, predictable\r\nlocal administrator and RDP passwords, and unattended EDR alerts for suspicious activities.\r\nFigure 6. Sample Microsoft Defender ATP alert\r\nThe success of attacks relies on whether campaign operators manage to gain control over domain accounts with\r\nelevated privileges after establishing initial access. Attackers utilize various methods to gain access to privileged\r\naccounts, including common credential theft tools like Mimikatz and LaZagne. Microsoft has also observed the\r\nuse of the Sysinternals tool ProcDump to obtain credentials from LSASS process memory. Attackers might also\r\nuse LSASecretsView or a similar tool to access credentials stored in the LSA secrets portion of the registry.\r\nAccessible to local admins, this portion of the registry can reveal credentials for domain accounts used to run\r\nscheduled tasks and services.\r\nFigure 7. 
Doppelpaymer infection chain\r\nCampaign operators continually steal credentials, progressively gaining higher privileges until they control a\r\ndomain administrator-level account. In some cases, operators create new accounts and grant Remote Desktop\r\nprivileges to those accounts.\r\nApart from securing privileged accounts, attackers use other ways of establishing persistent access to\r\ncompromised systems. In several cases, affected machines are observed launching a base64-encoded PowerShell\r\nEmpire script that connects to a C2 server, providing attackers with persistent control over the machines. Limited\r\nevidence suggests that attackers set up WMI persistence mechanisms, possibly during earlier breaches, to launch\r\nPowerShell Empire.\r\nAfter obtaining adequate credentials, attackers perform extensive reconnaissance of machines and running\r\nsoftware to identify targets for ransomware delivery. They use the built-in command qwinsta to check for active\r\nRDP sessions, run tools that query Active Directory or LDAP, and ping multiple machines. In some cases, the\r\nattackers target high-impact machines, such as machines running systems management software. Attackers also\r\nidentify machines that they could use to stay persistent on the networks after deploying ransomware.\r\nAttackers use various protocols or system frameworks (WMI, WinRM, RDP, and SMB) in conjunction with\r\nPsExec to move laterally and distribute ransomware. Upon reaching a new device through lateral movement,\r\nattackers attempt to stop services that can prevent or stifle successful ransomware distribution and execution. As\r\nin other ransomware campaigns, the attackers use native commands to stop Exchange Server, SQL Server, and\r\nsimilar services that can lock certain files and disrupt attempts to encrypt them. 
They also stop antivirus software\r\nright before dropping the ransomware file itself.\r\nAttempts to bypass antivirus protection and deploy ransomware are particularly successful in cases where:\r\nAttackers already have domain admin privileges\r\nTamper protection is off\r\nCloud-delivered protection is off\r\nAntivirus software is not properly managed or is not in a healthy state\r\nMicrosoft Defender ATP generates alerts for many activities associated with these attacks. However, in many of\r\nthese cases, affected network segments and their associated alerts are not actively being monitored or responded\r\nto.\r\nAttackers also employ a few other techniques to bypass protections and run ransomware code. In some cases, we\r\nfound artifacts indicating that they introduce a legitimate binary and use Alternate Data Streams to masquerade the\r\nexecution of the ransomware binary as legitimate binary.\r\nFigure 8. Command prompt dump output of the Alternate Data Stream\r\nThe Doppelpaymer ransomware binary used in many attacks is signed using what appears to be stolen\r\ncertificates from OFFERS CLOUD LTD, which might be trusted by various security solutions.\r\nDoppelpaymer encrypts various files and displays a ransom note. In observed cases, it uses a custom extension\r\nname for encrypted files using information about the affected environment. For example, it has\r\nused l33tspeak versions of company names and company phone numbers.\r\nNotably, Doppelpaymer campaigns do not fully infect compromised networks with ransomware. Only a subset of\r\nthe machines have the malware binary and a slightly smaller subset have their files encrypted. 
The attackers\r\nmaintain persistence on machines that don’t have the ransomware and appear intent to use these machines to come\r\nback to networks that pay the ransom or do not perform a full incident response and recovery.\r\nRyuk: Human-operated ransomware initiated from Trickbot infections\r\nRyuk is another active human-operated ransomware campaign that wreaks havoc on organizations, from corporate\r\nentities to local governments to non-profits by disrupting businesses and demanding massive ransom. Ryuk\r\noriginated as a ransomware payload distributed over email, but it has since been adopted by human-operated\r\nransomware operators.\r\nLike Doppelpaymer, Ryuk is one of possible eventual payloads delivered by human operators that enter networks\r\nvia banking Trojan infections, in this case Trickbot. At the beginning of a Ryuk infection, an existing Trickbot\r\nimplant downloads a new payload, often Cobalt Strike or PowerShell Empire, and begins to move laterally across\r\na network, activating the Trickbot infection for ransomware deployment. The use of Cobalt Strike beacon or a\r\nPowerShell Empire payload gives operators more maneuverability and options for lateral movement on a network.\r\nBased on our investigation, in some networks, this may also provide the added benefit to the attackers of blending\r\nin with red team activities and tools.\r\nIn our investigations, we found that this activation occurs on Trickbot implants of varying ages, indicating that the\r\nhuman operators behind Ryuk likely have some sort of list of check-ins and targets for deployment of the\r\nransomware. 
In many cases, however, this activation phase comes well after the initial Trickbot infection, and the\r\neventual deployment of a ransomware payload may happen weeks or even months after the initial infection.\r\nIn many networks, Trickbot, which can be distributed directly via email or as a second-stage payload to other\r\nTrojans like Emotet, is often considered a low-priority threat, and not remediated and isolated with the same\r\ndegree of scrutiny as other, more high-profile malware. This works in favor of attackers, allowing them to have\r\nlong-running persistence on a wide variety of networks. Trickbot, and the Ryuk operators, also take advantage of\r\nusers running as local administrators in environments and use these permissions to disable security tools that\r\nwould otherwise impede their actions.\r\nFigure 9. Ryuk infection chain\r\nOnce the operators have activated on a network, they utilize their Cobalt Strike or PowerShell tools to initiate\r\nreconnaissance and lateral movement on a network. Their initial steps are usually to use built-in commands such\r\nas net group to enumerate group membership of high-value groups like domain administrators and enterprise\r\nadministrators, and to identify targets for credential theft.\r\nRyuk operators then use a variety of techniques to steal credentials, including the LaZagne credential theft tool.\r\nThe attackers also save various registry hives to extract credentials from Local Accounts and the LSA Secrets\r\nportion of the registry that stores passwords of service accounts, as well as Scheduled Tasks configured to auto\r\nstart with a defined account. 
In many cases, services like security and systems management software are\r\nconfigured with privileged accounts, such as domain administrator; this makes it easy for Ryuk operators to\r\nmigrate from an initial desktop to server-class systems and domain controllers. In addition, in many environments\r\nsuccessfully compromised by Ryuk, operators are able to utilize the built-in administrator account to move\r\nlaterally, as these passwords are matching and not randomized.\r\nOnce they have performed initial basic reconnaissance and credential theft, the attackers in some cases utilize the\r\nopen source security audit tool known as BloodHound to gather detailed information about the Active Directory\r\nenvironment and probable attack paths. This data and associated stolen credentials are accessed by the attacker\r\nand likely retained, even after the ransomware portion is ended.\r\nThe attackers then continue to move laterally to higher value systems, inspecting and enumerating files of interest\r\nto them as they go, possibly exfiltrating this data. The attackers then elevate to domain administrator and utilize\r\nthese permissions to deploy the Ryuk payload.\r\nThe ransomware deployment often occurs weeks or even months after the attackers begin activity on a network.\r\nThe Ryuk operators use stolen Domain Admin credentials, often from an interactive logon session on a domain\r\ncontroller, to distribute the Ryuk payload. 
They have been seen doing this via Group Policies, setting a startup\r\nitem in the SYSVOL share, or, most commonly in recent attacks, via PsExec sessions emanating from the domain\r\ncontroller itself.\r\nImproving defenses to stop human-operated ransomware\r\nIn human-operated ransomware campaigns, even if the ransom is paid, some attackers remain active on affected\r\nnetworks with persistence via PowerShell Empire and other malware on machines that may seem unrelated to\r\nransomware activities. To fully recover from human-powered ransomware attacks, comprehensive incident\r\nresponse procedures and subsequent network hardening need to be performed.\r\nAs we have learned from the adaptability and resourcefulness of attackers, human-operated campaigns are intent\r\non circumventing protections and cleverly use what’s available to them to achieve their goal, motivated by profit.\r\nThe techniques and methods used by the human-operated ransomware attacks we discussed in this blog highlight\r\nthese important lessons in security:\r\n1. IT pros play an important role in security\r\nSome of the most successful human-operated ransomware campaigns have been against servers that have antivirus\r\nsoftware and other security intentionally disabled, which admins may do to improve performance. Many of the\r\nobserved attacks leverage malware and tools that are already detected by antivirus. The same servers also often\r\nlack firewall protection and MFA, have weak domain credentials, and use non-randomized local admin passwords.\r\nOftentimes these protections are not deployed because there is a fear that security controls will disrupt operations\r\nor impact performance. IT pros can help with determining the true impact of these settings and collaborate with\r\nsecurity teams on mitigations.\r\nAttackers are preying on settings and configurations that many IT admins manage and control. Given the key role\r\nthey play, IT pros should be part of security teams.\r\n2. 
Seemingly rare, isolated, or commodity malware alerts can indicate new attacks unfolding and offer the\r\nbest chance to prevent larger damage\r\nHuman-operated attacks involve a fairly lengthy and complex attack chain before the ransomware payload is\r\ndeployed. The earlier steps involve activities like commodity malware infections and credential theft that\r\nMicrosoft Defender ATP detects and raises alerts on. If these alerts are immediately prioritized, security operations\r\nteams can better mitigate attacks and prevent the ransomware payload. Commodity malware infections like\r\nEmotet, Dridex, and Trickbot should be remediated and treated as a potential full compromise of the system,\r\nincluding any credentials present on it.\r\n3. Truly mitigating modern attacks requires addressing the infrastructure weakness that let attackers in\r\nHuman-operated ransomware groups routinely hit the same targets multiple times. This is typically due to failure\r\nto eliminate persistence mechanisms, which allow the operators to go back and deploy succeeding rounds of\r\npayloads, as targeted organizations focus on working to resolve the ransomware infections.\r\nOrganizations should focus less on resolving alerts in the shortest possible time and more on investigating the\r\nattack surface that allowed the alert to happen. 
This requires understanding the entire attack chain, but more\r\nimportantly, identifying and fixing the weaknesses in the infrastructure to keep attackers out.\r\nWhile Wadhrama, Doppelpaymer, Ryuk, Samas, REvil, and other human-operated attacks require a shift in\r\nmindset, the challenges they pose are hardly unique.\r\nRemoving the ability of attackers to move laterally from one machine to another in a network would make the\r\nimpact of human-operated ransomware attacks less impactful and make the network more resilient against all\r\nkinds of cyberattacks. The top recommendations for mitigating ransomware and other human-operated campaigns\r\nare to practice credential hygiene and stop unnecessary communication between endpoints.\r\nHere are relevant mitigation actions that enterprises can apply to build better security posture and be more\r\nresistant against cyberattacks in general:\r\nHarden internet-facing assets and ensure they have the latest security updates. Use threat and vulnerability\r\nmanagement to audit these assets regularly for vulnerabilities, misconfigurations, and suspicious activity.\r\nSecure Remote Desktop Gateway using solutions like Azure Multi-Factor Authentication (MFA). If you\r\ndon’t have an MFA gateway, enable network-level authentication (NLA).\r\nPractice the principle of least-privilege and maintain credential hygiene. Avoid the use of domain-wide,\r\nadmin-level service accounts. Enforce strong randomized, just-in-time local administrator passwords. Use\r\ntools like LAPS.\r\nMonitor for brute-force attempts. 
Check excessive failed authentication attempts (Windows security event\r\nID 4625).\r\nMonitor for clearing of Event Logs, especially the Security Event log and PowerShell Operational logs.\r\nMicrosoft Defender ATP raises the alert “Event log was cleared” and Windows generates an Event ID 1102\r\nwhen this occurs.\r\nTurn on tamper protection features to prevent attackers from stopping security services.\r\nDetermine where highly privileged accounts are logging on and exposing credentials. Monitor and\r\ninvestigate logon events (event ID 4624) for logon type attributes. Domain admin accounts and other\r\naccounts with high privilege should not be present on workstations.\r\nTurn on cloud-delivered protection and automatic sample submission on Windows Defender Antivirus.\r\nThese capabilities use artificial intelligence and machine learning to quickly identify and stop new and\r\nunknown threats.\r\nTurn on attack surface reduction rules, including rules that block credential theft, ransomware activity, and\r\nsuspicious use of PsExec and WMI. To address malicious activity initiated through weaponized Office\r\ndocuments, use rules that block advanced macro activity, executable content, process creation, and process\r\ninjection initiated by Office applications. To assess the impact of these rules, deploy them in audit mode.\r\nTurn on AMSI for Office VBA if you have Office 365.\r\nUtilize the Windows Defender Firewall and your network firewall to prevent RPC and SMB\r\ncommunication among endpoints whenever possible. This limits lateral movement as well as other attack\r\nactivities.\r\nFigure 10. 
Improving defenses against human-operated ransomware\r\nHow Microsoft empowers customers to combat human-operated attacks\r\nThe rise of adaptable, resourceful, and persistent human-operated attacks underscores the need for advanced\r\nprotection on multiple attack surfaces. Microsoft Threat Protection delivers comprehensive protection for\r\nidentities, endpoints, data, apps, and infrastructure. Through built-in intelligence, automation, and integration,\r\nMicrosoft Threat Protection combines and orchestrates into a single solution the capabilities of Microsoft\r\nDefender Advanced Threat Protection (ATP), Office 365 ATP, Azure ATP, and Microsoft Cloud App Security,\r\nproviding customers integrated security and unparalleled visibility across attack vectors.\r\nBuilding an optimal organizational security posture is key to defending networks against human-operated attacks\r\nand other sophisticated threats. Microsoft Secure Score assesses and measures an organization’s security posture\r\nand provides recommended improvement actions, guidance, and control. Using a centralized dashboard in\r\nMicrosoft 365 security center, organizations can compare their security posture with benchmarks and establish key\r\nperformance indicators (KPIs).\r\nOn endpoints, Microsoft Defender ATP provides unified protection, investigation, and response capabilities.\r\nDurable machine learning and behavior-based protections detect human-operated campaigns at multiple points in\r\nthe attack chain, before the ransomware payload is deployed. 
These advanced detections raise alerts on the\r\nMicrosoft Defender Security Center, enabling security operations teams to immediately respond to attacks using\r\nthe rich capabilities in Microsoft Defender ATP.\r\nThe Threat and Vulnerability Management capability uses a risk-based approach to the discovery, prioritization,\r\nand remediation of misconfigurations and vulnerabilities on endpoints. Notably, it allows security administrators\r\nand IT administrators to collaborate seamlessly to remediate issues. For example, through Microsoft Defender\r\nATP’s integration with Microsoft Intune and System Center Configuration Manager (SCCM), security\r\nadministrators can create a remediation task in Microsoft Intune with one click.\r\nMicrosoft experts have been tracking multiple human-operated ransomware groups. To further help customers, we\r\nreleased a Microsoft Defender ATP Threat Analytics report on these campaigns and the mitigations against them.\r\nThrough Threat Analytics, customers can see indicators of Wadhrama, Doppelpaymer, Samas, and other campaign\r\nactivities in their environments and get details and recommendations that are designed to help security operations\r\nteams investigate and respond to attacks. The reports also include relevant advanced hunting queries that can\r\nfurther help security teams look for signs of attacks in their network.\r\nCustomers subscribed to Microsoft Threat Experts, the managed threat hunting service in Microsoft Defender\r\nATP, get targeted attack notifications on emerging ransomware campaigns that our experts find during threat\r\nhunting. The email notifications are designed to inform customers about threats that they need to prioritize, as well\r\nas critical information like timeline of events, affected machines, and indicators of compromise, which help in\r\ninvestigating and mitigating attacks. 
Additionally, with experts on demand, customers can engage directly with\r\nMicrosoft security analysts to get guidance and insights to better understand, prevent, and respond to human-operated attacks and other complex threats.\r\nMicrosoft Threat Protection Intelligence Team\r\nTalk to us\r\nQuestions, concerns, or insights on this story? Join discussions at the Microsoft Threat Protection and Microsoft\r\nDefender ATP tech communities.\r\nRead all Microsoft security intelligence blog posts.\r\nFollow us on Twitter @MsftSecIntel.\r\nSource: https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MISPGALAXY"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/"
	],
	"report_names": [
		"human-operated-ransomware-attacks-a-preventable-disaster"
	],
	"threat_actors": [
		{
			"id": "b774174f-aeca-4ea8-8f2a-b4a70a2a0b85",
			"created_at": "2023-01-06T13:46:39.451474Z",
			"updated_at": "2026-04-10T02:00:03.333575Z",
			"deleted_at": null,
			"main_name": "PARINACOTA",
			"aliases": [
				"Wine Tempest"
			],
			"source_name": "MISPGALAXY:PARINACOTA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "703c2493-d713-4697-a691-4c2e09c032e9",
			"created_at": "2022-10-25T16:07:24.53647Z",
			"updated_at": "2026-04-10T02:00:05.025223Z",
			"deleted_at": null,
			"main_name": "Parinacota",
			"aliases": [
				"Wine Tempest"
			],
			"source_name": "ETDA:Parinacota",
			"tools": [
				"Mimikatz",
				"ProcDump",
				"Wadhrama"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434428,
	"ts_updated_at": 1775792097,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d188680eff339121bbbd3f81218a0bb42e31b5a3.pdf",
		"text": "https://archive.orkl.eu/d188680eff339121bbbd3f81218a0bb42e31b5a3.txt",
		"img": "https://archive.orkl.eu/d188680eff339121bbbd3f81218a0bb42e31b5a3.jpg"
	}
}
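Added example for the monitoring items in the mitigation list of the archived post above (brute-force 4625 bursts, cleared event logs, privileged logons on workstations). This is not code from the Microsoft post or from the ORKL record; it is an illustration written for this page. It assumes workstation hostnames start with `WS-` and that the caller supplies the list of privileged accounts; the sample records are constructed, not real telemetry. The normalizer at the top is what you would pipe `Get-WinEvent` output through for live use.

```powershell
# Added example, not code from the Microsoft post: detection logic for three of
# the monitoring items in the mitigation list (4625 bursts, cleared logs,
# privileged logons on workstations). Runs stand-alone on constructed sample
# records; the normalizer below is what live Get-WinEvent output goes through.

function ConvertFrom-SecurityEvent {
    # Flatten an EventRecord from Get-WinEvent into the fields the detections use.
    # 4624/4625 carry their fields under EventData; 1102 keeps them under
    # UserData/LogFileCleared, so both locations are read.
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        foreach ($n in $x.Event.UserData.LogFileCleared.ChildNodes) { $d[$n.Name] = $n.'#text' }
        $logonType = 0
        if ($d['LogonType']) { $logonType = [int]$d['LogonType'] }
        [pscustomobject]@{
            Id              = $Event.Id
            TimeCreated     = $Event.TimeCreated
            Computer        = $Event.MachineName
            TargetUserName  = $d['TargetUserName']
            SubjectUserName = $d['SubjectUserName']
            IpAddress       = $d['IpAddress']
            LogonType       = $logonType
        }
    }
}

function Find-BruteForce {
    # Any single source with at least $Threshold failed logons (4625) inside a $Window span.
    param([object[]]$Events, [int]$Threshold = 20, [timespan]$Window = [timespan]::FromMinutes(5))
    foreach ($g in ($Events | Where-Object Id -eq 4625 | Group-Object IpAddress)) {
        $t = @($g.Group | Sort-Object TimeCreated | ForEach-Object TimeCreated)
        for ($i = 0; $i + $Threshold - 1 -lt $t.Count; $i++) {
            if (($t[$i + $Threshold - 1] - $t[$i]) -le $Window) {
                [pscustomobject]@{
                    Source   = $g.Name
                    Failures = $t.Count
                    Accounts = ($g.Group.TargetUserName | Sort-Object -Unique) -join ','
                }
                break
            }
        }
    }
}

function Find-LogCleared {
    # Security 1102 = Security log cleared. Clearing any other log (e.g. PowerShell
    # Operational) is written instead as event 104 in the System log.
    param([object[]]$Events)
    $Events | Where-Object { $_.Id -in 1102, 104 } |
        Select-Object Id, TimeCreated, Computer, SubjectUserName
}

function Find-PrivilegedWorkstationLogon {
    # 4624 of a privileged account on a workstation with a logon type that leaves
    # reusable credentials on the host: 2 (interactive), 4 (batch), 5 (service),
    # 10 (RemoteInteractive/RDP). Network logons (3) normally leave nothing behind
    # on the target and are not flagged.
    param([object[]]$Events, [string[]]$PrivilegedAccounts, [string]$WorkstationPattern = '^WS-')
    $Events | Where-Object {
        $_.Id -eq 4624 -and $_.LogonType -in 2, 4, 5, 10 -and
        $PrivilegedAccounts -contains $_.TargetUserName -and $_.Computer -match $WorkstationPattern
    }
}

# Constructed sample records (not real telemetry), already in normalized form.
$t0 = Get-Date '2020-03-05T10:00:00'
function New-Rec($Id, $Time, $Computer, $User, $Ip, $LogonType, $Subject = '-') {
    [pscustomobject]@{ Id = $Id; TimeCreated = $Time; Computer = $Computer; TargetUserName = $User
                       SubjectUserName = $Subject; IpAddress = $Ip; LogonType = $LogonType }
}
$sample = @(
    0..24 | ForEach-Object { New-Rec 4625 ($t0.AddSeconds(5 * $_)) 'RDGW01' 'administrator' '203.0.113.7' 10 }  # 25 failures in 2 min
    New-Rec 4624 ($t0.AddMinutes(7))  'WS-1042' 'da-jsmith' '10.0.5.23' 10       # DA over RDP onto a workstation: flag
    New-Rec 4624 ($t0.AddMinutes(8))  'FS01'    'da-jsmith' '10.0.5.23' 3        # DA network logon to a server: expected
    New-Rec 1102 ($t0.AddMinutes(30)) 'WS-1042' $null $null 0 'da-jsmith'       # Security log cleared
)

Find-BruteForce -Events $sample | Format-Table
Find-PrivilegedWorkstationLogon -Events $sample -PrivilegedAccounts 'da-jsmith' |
    Format-Table Id, TimeCreated, Computer, TargetUserName, LogonType
Find-LogCleared -Events $sample | Format-Table

# Live use (last 24 h of this host's Security log):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625, 1102; StartTime = (Get-Date).AddDays(-1) } |
#     ConvertFrom-SecurityEvent
# Find-BruteForce -Events $live
```

On the sample data the first call reports `203.0.113.7` with 25 failures against `administrator`, the second reports only the `WS-1042` RDP logon (the network logon to `FS01` is not flagged), and the third reports the 1102. In production the same functions run over forwarded events in a collector or SIEM; the threshold and window should be tuned against the noise of the RD Gateway, and the privileged-account list should come from the Domain Admins, Enterprise Admins and equivalent Tier-0 groups rather than being typed in.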
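Added example for the hardening items in the mitigation list of the archived post above (attack surface reduction rules in audit mode, NLA on RDP, and blocking endpoint-to-endpoint SMB/RPC with Windows Defender Firewall). This is an illustration written for this page, not code from the Microsoft post or the ORKL record. The ASR rule GUIDs are Microsoft's published rule IDs; the management subnet `10.0.100.0/24` is an assumption. The firewall part is meant for workstations, not file servers, and will cut off any remote-administration tooling that does not come from that subnet, so pilot it before broad deployment.

```powershell
# Added example, not code from the Microsoft post: applying the ASR, NLA and
# endpoint-firewall items from the mitigation list on a workstation. Run from an
# elevated PowerShell on the endpoint. The management subnet is an assumption.

# 1. Attack surface reduction rules. Start in AuditMode and review the audit
#    events (Microsoft-Windows-Windows Defender/Operational, event ID 1122;
#    1121 is the block-mode event) before switching the same IDs to Enabled.
$asrRules = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PsExec and WMI'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'Block Office applications from injecting code into other processes'
}
foreach ($id in $asrRules.Keys) {
    Write-Host "ASR (audit): $($asrRules[$id])"
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
}
# Later, once the 1122 audit events show no business impact:
# Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled

# 2. Require Network Level Authentication for RDP where no MFA gateway fronts it.
$rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdp -Name UserAuthentication -Value 1 -Type DWord

# 3. Stop endpoint-to-endpoint SMB and RPC. Block rules take precedence over allow
#    rules in the Windows firewall, so the pattern is: default inbound Block,
#    disable the built-in "allow from anywhere" groups, then re-allow 445/135 and
#    the RPC dynamic range only from the subnet admin tooling actually uses.
$mgmt = '10.0.100.0/24'   # assumed management / jump-host subnet
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
$openGroups = @(
    'File and Printer Sharing'
    'Windows Management Instrumentation (WMI)'
    'Remote Service Management'
    'Remote Scheduled Tasks Management'
)
Get-NetFirewallRule -DisplayGroup $openGroups -ErrorAction SilentlyContinue | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'SMB-In from management only' -Direction Inbound -Protocol TCP `
    -LocalPort 445 -RemoteAddress $mgmt -Action Allow -Profile Domain
New-NetFirewallRule -DisplayName 'RPC endpoint mapper from management only' -Direction Inbound -Protocol TCP `
    -LocalPort 135 -RemoteAddress $mgmt -Action Allow -Profile Domain
New-NetFirewallRule -DisplayName 'RPC dynamic ports from management only' -Direction Inbound -Protocol TCP `
    -LocalPort 49152-65535 -RemoteAddress $mgmt -Action Allow -Profile Domain
```

Port 445 is what PsExec and admin-share copies ride on; 135 plus the dynamic range is what WMI and other DCOM/RPC lateral movement uses, which is why both are scoped to the management subnet rather than left open to peers. On domain-joined machines a firewall GPO can override local rules, so the same policy belongs in Group Policy or Intune for it to stick; tamper protection and LAPS are configured through those management channels as well, not from this script.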