Microsoft has described them as adaptable, resourceful, and persistent. They pose a significant and growing threat to businesses and represent one of the most impactful trends in cyberattacks today: human-operated ransomware attacks.

In these hands-on-keyboard attacks, which rely on credential theft and lateral movement, the attackers usually have comprehensive knowledge of systems administration and of common network security misconfigurations, and they perform thorough reconnaissance. They quickly adapt to whatever they find in a compromised network, which makes these attacks particularly dangerous.

Investigations have shown that ransomware campaigns are often visible in the open and that the attackers can operate unhindered in networks that lack adequate restrictions.

Ransomware campaign examples: 

1. Ryuk 

History: According to IDG, Ryuk first appeared in August 2018 and was developed from an older ransomware program called Hermes, which was sold on underground cybercrime forums in 2017.

How it works: Ryuk attackers use manual hacking techniques and open-source tools, in combination with other malware, to move laterally through private networks and gain access to and control of as many systems as possible before they start encrypting files.

Success: A Florida beach town paid close to USD 600,000 to recover the city's data, which Ryuk attackers had encrypted.

Targeted victims: Businesses, hospitals, and government organisations.  

2. REvil 

History: Sodinokibi, aka REvil (Ransomware Evil), first emerged in 2019. IBM reported that one in every three ransomware infections involved REvil/Sodinokibi. 

How it works: REvil spreads in several ways, for example by exploiting vulnerabilities in Oracle WebLogic servers or the Pulse Connect Secure VPN. It targets Microsoft Windows systems and encrypts all files except configuration files. If the victims don't pay the ransom, they won't get their data back and, what's worse, the attackers will sell it on underground forums.

Success: REvil was responsible for shutting down more than 22 small towns in Texas and brought the UK currency exchange service Travelex to its knees on New Year's Eve 2019. The REvil gang adjusts its ransom demands to the annual revenue of the victim organisation (between USD 1,500 and USD 42 million).

Targeted victims: A wide range of organisations globally. 

3. SamSam 

History: Since 2015, SamSam has been mainly targeting healthcare organisations. 

How it works: SamSam is a ransomware-as-a-service (RaaS) operation whose controllers examine pre-selected targets for weaknesses. SamSam attacks are critically damaging, as the attackers escalate their privileges when they start encrypting files.

Success: In 2018, both the Colorado Department of Transportation and the City of Atlanta suffered ransomware attacks. In the latter case, a sizable part of the city's online services were down, and recovery efforts cost more than USD 2.6 million.

Targeted victims: US-based healthcare and government organisations.

What can organisations do to prevent these attacks? 

Building a strong organisational security posture is key to defending networks against human-operated attacks and other sophisticated threats. At The Missing Link, our end-to-end approach to security combines factual evidence with a strategic roadmap to improve your organisation's security posture.

Our Security Controls Review is a workshop designed to help you achieve a more mature, secure IT environment. In the workshop, we perform a security posture assessment of your current IT environment and give your business a score against our security maturity model.

From here, we generate a report that outlines our recommendations and a roadmap to achieve your desired maturity. 

Need to get your troops in position? 

We can help protect your business against ransomware attacks by addressing your infrastructure's weaknesses. For a detailed look into your security controls, book a consultation with one of our IT specialists today. 
