Maalmihii hore, haddii qof uu ku qasbo inuu afduubo kombiyuutarkaaga, badanaa waxay suurtogal ahayd in la qabto kombuyuutarkaaga adigoo jir ahaan halkaas jooga ama isticmaalaya meel fog. In kasta oo dunidu ay hore ugu dhaqaaqday automation-ka, amniga kumbuyuutarka ayaa la adkeeyay, hal shay oo aan isbeddelin ayaa ah khaladaadka aadanaha. Taasi waa halka ay ka soo galaan sawirka weerarrada Ransomware ee ay ku shaqeeyaan bini'aadamka . ^{(Human-operated Ransomware Attacks)}Kuwani waa weerarro gacan-ku-soo-saar ah oo ka helaya nuglaanshaha ama badbaadada kombuyuutarka oo si khaldan loo habeeyey oo la galo. Microsoft waxay la timid kiis kiis dhammaystiran oo soo gabagabeeyay in maamulka IT-gu uu yarayn karo weerarradan Ransomware^{(Ransomware attacks)} -ka ee bini'aadamka ku shaqeeyo .

Yaraynta Weerarada Ransomware-ku shaqeeyo ee bini'aadamka^{(Human-operated Ransomware Attacks)}

Sida laga soo xigtay Microsoft , habka ugu wanaagsan ee lagu dhimi karo noocyadan ransomware, iyo ololayaasha gacanta lagu sameeyay waa in la xannibo dhammaan xiriirka aan loo baahnayn ee u dhexeeya dhammaadka. Waxa kale oo aad muhiim u ah in la raaco hababka ugu wanaagsan ee loogu talagalay nadaafadda aqoonsiga sida Xaqiijinta Qodobbada Badan^{(Multi-Factor Authentication)} , la socodka isku dayga xoogga, rakibidda cusboonaysiinta amniga, iyo in ka badan. Halkan waxaa ah liis dhamaystiran oo ah tallaabooyinka difaaca ee la qaadayo:

• Hubi inaad isticmaasho dejinta qaabeynta Microsoft ee lagula taliyay^{(recommended configuration settings)} si loo ilaaliyo kombiyuutarada ku xiran intarneedka.
• Difaacaha ATP wuxuu bixiyaa maaraynta halista iyo nuglaanshaha^{(threat and vulnerability management)} . Waxaad u isticmaali kartaa inaad si joogto ah u xisaabiso mashiinada dayacanka, qaabaynta khaldan, iyo hawlaha laga shakiyo.
• Isticmaal albaabka laga galo MFA^{(MFA gateway)} sida Azure Multi-Factor Authentication ( MFA ) ama awood xaqiijinta heerka shabakada ( NLA ).
• Sii mudnaanta ugu yar akoonnada^{(least-privilege to accounts)} , oo awood geli gelida kaliya marka loo baahdo. Koontada kasta oo gelaysa heerka maamulka guud ee domain waa in ay ahaataa ugu yaraan ama eber.
• Aaladaha sida xalalka sirta ah ee maamulaha maxaliga ah ( LAPS ) waxa uu u habayn karaa furaha sirta ah ee gaarka ah ee xisaabaadka maamulka. Waxaad ku kaydin kartaa Tusaha Active^{(Active Directory)} (AD) oo waxaad ka ilaalin kartaa isticmaalka ACL .
• La soco isku dayga xoog-muquunis. Waa inaad ka nasataa, gaar ahaan haddii ay jiraan isku dayo xaqiijin oo badan oo fashilmay. ^{(failed authentication attempts. )}Sifee^(Filter) adigoo isticmaalaya aqoonsiga dhacdada 4625^{(ID 4625)} si aad u hesho gelitaannada noocaas ah.
• Weeraryahanadu waxay inta badan nadiifiyaan diiwaannada Dhacdada Amniga iyo Log Operational PowerShell^{(Security Event logs and PowerShell Operational log)} si ay meesha uga saaraan dhammaan raadkooda. Difaacayaasha Microsoft ATP^{(Microsoft Defender ATP)} waxay abuurtaa Aqoonsiga Dhacdada 1102^{(Event ID 1102)} marka tani dhacdo.
• Daar sifooyinka ilaalinta Tamper^{(Tamper protection)(Tamper protection)} si aad uga ilaaliso weeraryahanada inay damiyaan sifooyinka amniga.
• Baadh^{(Investigate)} dhacdada aqoonsiga 4624^{(ID 4624)} si aad u heshid meelaha koontooyinka leh mudnaanta sare ay ku jiraan. Haddii ay galaan shabakad ama kombuyuutar la jabiyay, markaa waxay noqon kartaa khatar aad u weyn.
• Daar ilaalinta daruurtu keentay^{(Turn on cloud-delivered protection)} iyo soo gudbinta muunada tooska ah ee Windows Defender Antivirus . Waxay kaa ilaalinaysaa hanjabaad aan la garanayn.
• Daar xeerarka dhimista dusha weerarka. Tan waxaa weheliya, awood u yeelashada xeerarka xannibaya xatooyada aqoonsiga, dhaqdhaqaaqa ransomware, iyo isticmaalka shakiga leh ee PsExec iyo WMI .
• Daar  AMSI for Office VBA  haddii aad leedahay Office 365.
• Kahortagga xidhiidhka RPC^{(Prevent RPC)} iyo SMB ee ka dhexeeya dhibcaha dhammaadka mar kasta oo ay suurtagal tahay.

Akhriso^(Read) : Ilaalinta Ransomware gudaha Windows 10^{(Ransomware protection in Windows 10)} .

Microsoft waxay soo bandhigtay kiis daraasad ah Wadhrama , Doppelpaymer , Ryuk , Samas , Revil.

• Wadhrama waxa lagu geeyaa iyada oo la adeegsanayo xoogaga caasinimada leh ee loo maro server-yada leh Desktop Fog^{(Remote Desktop)} . Caadi ahaan waxay ogaadaan habab aan la daboolin oo ay isticmaalaan baylahda qarsoon si ay u helaan galaangal bilow ah ama sare u qaadaan mudnaanta.
• Doppelpaymer waxa gacanta lagu faafiyaa iyada oo loo marayo shabakadaha la jabsaday iyada oo la isticmaalayo shahaadooyinka la xaday ee akoonnada mudnaanta leh. Taasi waa sababta ay lama huraan u tahay in la raaco habaynta habaynta lagu taliyay ee kombiyuutarada oo dhan.
• Ryuk waxay ku qaybisaa mushaharka emaylka ( Trickboat ) adoo khiyaamaynaya isticmaalaha ugu dambeeya wax kale. Dhawaan tuugadu waxay isticmaaleen cabsida Coronavirus si ay u khiyaaneeyaan isticmaalaha ugu dambeeya. Mid ka mid ah ayaa sidoo kale awooday inuu keeno culayska Emotet .

Waxyaabaha caadiga ah ee mid kasta oo iyaga ka mid ah^{(common thing about each of them)} ayaa ah inay ku dhisan yihiin xaalado. Waxay u muuqdaan inay sameynayaan xeelado gorilla ah halkaas oo ay uga guuraan hal mashiin una guuraan mashiinka kale si ay u gaarsiiyaan culeyska. Waa lagama maarmaan in maamulayaasha IT-da aysan kaliya ilaalin weerarka socda, xitaa haddii ay tahay mid yar, oo ay barayaan shaqaalaha sida ay gacan uga geysan karaan ilaalinta shabakadda.

Waxaan rajeynayaa in dhammaan maamulka IT-gu ay raaci karaan talada oo ay hubiyaan inay yareeyaan weerarrada Ransomware -ka ee bini'aadamka ku shaqeeyo .

Akhri wax la xidhiidha^{(Related read)} : Maxaa la sameeyaa ka dib marka Ransomware lagu weeraro kombayutarka Windows?^{(What to do after a Ransomware attack on your Windows computer?)}

How to mitigate Human-operated Ransomware Attacks: Infographic

In earlier days, if someone has to hijack yоur computer, it was usually possible by getting hold of yоur computer either by physically bеing thеre or using remote access. While the world has moved ahead with automation, computer security has tightеned, one thіng that hasn’t changеd is human mistakes.  That is whеre thе Human-operated Ransomware Attacks come into the picture. These are handcrafted attacks which find a vulnerability or a misconfigured security on the computer and gain access. Microsoft has come up with an exhaustive case study which concludes that IT admin can mitigate these human-operated Ransomware attacks by a significant margin.

Mitigating Human-operated Ransomware Attacks

According to Microsoft, the best way to mitigate these kinds of ransomware, and handcrafted campaigns is to block all unnecessary communication between endpoints. It is also equally important to follow best practices for credential hygiene such as Multi-Factor Authentication, monitoring brute force attempts, installing the latest security updates, and more. Here is the complete list of defense measures to be taken:

• Make sure to apply Microsoft recommended configuration settings to protect computers connected to the internet.
• Defender ATP offers threat and vulnerability management. You can use it to audit machines regularly for vulnerabilities, misconfigurations, and suspicious activity.
• Use MFA gateway such as Azure Multi-Factor Authentication (MFA) or enable network-level authentication (NLA).
• Offer least-privilege to accounts, and only enable access when required. Any account with domain-wide admin-level access should be at the minimum or zero.
• Tools like Local Administrator Password Solution (LAPS) tool can configure unique random passwords for admin accounts. You can store them in Active Directory (AD) and protect using ACL.
• Monitor for brute-force attempts. You should be alarmed, especially if there is a lot of failed authentication attempts. Filter using event ID 4625 to find such entries.
• Attackers usually clear the Security Event logs and PowerShell Operational log to remove all their footprints. Microsoft Defender ATP generates an Event ID 1102 when this occurs.
• Turn on Tamper protection features to prevent attackers from turning off security features.
• Investigate event ID 4624 to find where accounts with high privileges are logging on. If they get into a network or a computer that is compromised, then it can be a more significant threat.
• Turn on cloud-delivered protection and automatic sample submission on Windows Defender Antivirus. It secures you from unknown threats.
• Turn on attack surface reduction rules. Along with this, enable rules that block credential theft, ransomware activity, and suspicious use of PsExec and WMI.
• Turn on AMSI for Office VBA if you have Office 365.
• Prevent RPC and SMB communication among endpoints whenever possible.

Read: Ransomware protection in Windows 10.

Microsoft has put up a case study of Wadhrama, Doppelpaymer, Ryuk, Samas, REvil

• Wadhrama is delivered using brute forces their way into servers that have Remote Desktop. They usually discover unpatched systems and use disclosed vulnerabilities to gain initial access or elevate privileges.
• Doppelpaymer is manually spread through compromised networks using stolen credentials for privileged accounts. That’s why it is essential to follow the recommended configuration settings for all computers.
• Ryuk distributes payload over email (Trickboat) by tricking the end-user about something else. Recently hackers used the Coronavirus scare to trick the end-user. One of them was also able to deliver the Emotet payload.

The common thing about each of them is they are built based on situations. They seem to be performing gorilla-tactics where they move from one machine to another machine to deliver the payload. It is essential that IT admins not only keep a tab on the ongoing attack, even if it’s on a small scale, and educate employees about how they can help to protect the network.

I hope all IT admins can follow the suggestion and make sure to mitigate human-operated Ransomware attacks.

Related read: What to do after a Ransomware attack on your Windows computer?

Related posts

• Weerarada Ransomware, Qeexid, Tusaalayaal, Ilaalinta, Bixinta

• Anti-Ransomware software bilaash ah oo loogu talagalay kombiyuutarada Windows

• Abuur sharciyada iimaylka si aad uga hortagto Ransomware gudaha Microsoft 365 Business

• Daar oo ku habbee Ilaalinta Ransomware ee Difaaca Windows

• Ilaalinta Ransomware gudaha Windows 11/10

• Liiska Qalabka Decryption Ransomware ee bilaashka ah si loo furo faylasha

• Ransomware Response Playbook wuxuu tusayaa sida loola tacaalo malware-ka

• Weerarada Xoogaga Caadiga ah - Qeexida iyo Kahortagga

• Weerarada Cyber ​​- Qeexid, Noocyada, Ka Hortagga

• Tallaalka CyberGhost wuxuu kaa caawin doonaa ka hortagga weerarrada ransomware

• Sida looga ilaaliyo loogana hortago weerarada Ransomware & caabuqyada

• DDoS Qaybsan Diidmada Adeegga Weerarada: Ilaalinta, Ka Hortagga

• Miyaan ka warbixiyaa Ransomware? Halkeen ka warramaa Ransomware?

• Maxaa la sameeyaa ka dib marka Ransomware lagu weeraro kombiyuutarkaaga Windows?

• Weerarada Nuglaanta Afduubka DLL, Kahortagga & Ogaanshaha

• Sidee Looga Fogaadaa Khayaanada Khiyaamada iyo Weerarada?

• Weerarada Malware-ka aan fileyn, Ilaalinta iyo Ogaanshaha

• McAfee Ransomware Recover (Mr2) ayaa kaa caawin kara furista faylasha

• Waa maxay Diidmada Madaxfurashada (RDoS)? Ka-hortagga iyo taxaddarrada