During Mental Health Awareness Month, I can’t help but reflect on the impact COVID-19 has had on mental health and frontline worker burnout. Each year millions of people around the world face the reality of living with a mental illness, but during COVID-19 we saw many people overwhelmed by loneliness due to extreme isolation, grief over the loss of loved ones, and anxiety due to COVID-19 related factors. According to a World Health Organization report, the prevalence of anxiety and depression increased by 25 percent globally during the first year of COVID-19, with women and young people most profoundly impacted. Research published last year by the Boston University School of Public Health found that nearly one in three Americans are struggling with depression. Surveys[1] show between 20 percent and 30 percent of frontline healthcare workers in the United States are considering leaving the profession, and there is a projected shortage[2] of 18 million frontline healthcare workers worldwide by 2030. Many experts believe that we could be feeling the impacts of COVID-19 and the trauma it caused for a generation. It is critical that we make every effort to decrease barriers and stressors and increase collaboration and a sense of community at every touchpoint of healthcare delivery.
Mental health is an incredibly important part of a person’s overall health, as psychological and physical well-being play a role in every aspect of wellness. With a growing number of individuals experiencing mental health symptoms, technology can play a role in supporting patients, encouraging those with potential mental health issues to seek professional help, and someday could help to reduce the stigma associated with mental illness.
Improving patient experiences through virtual health
Driven by the COVID-19 crisis, the healthcare sector has had to quickly find new ways of safely providing quality care to patients. For many, the solution was to go digital—typically in the form of virtual health services, like virtual appointments or AI-powered chat assistants. Recent research has reflected the virtual trend as well: a RAND study found that the significant rise in telehealth use during the height of COVID-19 was driven more by people looking for mental health services than care for physical conditions. During COVID-19, Calgary Counselling Centre (CCC) needed a secure, easy-to-use solution to help it continue delivering high-quality care to its patients. When in-office consultations were ruled out, staff already had ideas for best practices that could help keep services available, especially in light of heightened demand during these difficult times. The organization deployed Microsoft Teams Virtual Visits as an easy tool for clients and counselors from all cultural and economic backgrounds to use. Now a key tool in the Centre’s counseling and education practice, Teams helps CCC achieve successful treatment rates—higher than those measured during its pre-pandemic, in-person practice.
On March 23, 2020, the United Kingdom government announced a lockdown in response to COVID-19. The need to limit face-to-face contact for infection prevention and control was uppermost in the minds of senior leaders at Greater Manchester Mental Health NHS Foundation Trust (GMMH). Yet the needs of service users had to be met. Psychological therapy (IAPT) is GMMH’s largest service and it was most eager for remote working capabilities. It delivers talking therapy support for people with mild, moderate, and moderate to severe symptoms of anxiety or depression. Around 5,000 people were accessing face-to-face IAPT meetings in March when, almost overnight, the Trust found itself no longer able to offer those services. They moved from 10,000 in-person appointments per month to holding them all remotely via Microsoft Teams in two weeks. Even today, the Trust is able to offer more choices to its clients. The ability to access care without having to traverse the busy city region to reach a clinical location will make accessing support more comfortable for many service users battling anxiety-related issues, avoidance, or depression.
AI has the ability to increase equity and access to mental health services, eliminating barriers of convenience, access, or privacy. This allows healthcare systems to offer services every day, on demand, and on different platforms, and gives patients the space to have sensitive conversations—especially those who might not feel comfortable having them out loud in a face-to-face environment.
The rise of digital mental healthcare has also brought up the use of AI to triage patients and to broaden the access to, and availability of, mental health services. If there is one chief benefit of using AI in clinical care, it’s the technology’s ability to obtain insights from massive amounts of data. Austrian mental health provider Anima Mentis has developed a ground-breaking solution that uses data and AI to prevent and treat mental illnesses. The idea is that by studying how a person reacts to different events and occasions, it’s possible to anticipate how they’ll react to similar events in the future—and therefore prepare them for any circumstance. Anima Mentis is doing this by collecting a broad range of biometric, medical, and contextual data both at and outside its center. With the help of innovation service provider Zühlke Austria, the organization is building a cloud-based AI platform that analyzes this information to produce tailored recommendations for patients, who can use them to avoid burnout and train their mental strength.
Burnout and mental health among frontline healthcare workers
Workplace surveys and reports from the United States Bureau of Labor Statistics continue to signal a burnout-fueled professional exodus from healthcare.[3] Frontline healthcare worker burnout has swelled to impact 55 percent of frontline healthcare workers at any given point in time.[4] A recent survey[5] found that nearly a third of frontline healthcare workers in the United States are now considering not simply moving on from their institution, but leaving the field altogether. But if the pandemic has overwhelmed these workers, it has also spurred a wealth of research into the causes of burnout and the ensuing fallout, from mental health impacts to national clinician turnover rates. These studies and surveys also point toward concrete solutions—positive ways that the smart implementation of technology can help reduce clinician burnout.
Integrating AI and machine learning into frontline healthcare processes allows for a variety of benefits, including easing workflows and analyzing large data sets to deliver better healthcare faster and at a lower cost. But it also has the power to help significantly reduce the overwhelming burden of administrative tasks that have made it so difficult for healthcare workers to do what inspired them to go into medicine in the first place.
The frontline healthcare worker “great resignation” and clinician burnout epidemic are two of the biggest challenges we have faced as an industry this decade. In collaboration with our trusted electronic healthcare record (EHR) partners and the broader healthcare ecosystem, Microsoft and Nuance will continue to bring the most advanced capabilities into the workflow of clinicians and frontline workers to help reduce the overwhelming burden of administrative tasks that have made it so difficult for them to do what inspired them to go into medicine in the first place.
The right tools can centralize communication, surface insights, facilitate file sharing, streamline workforce management, and integrate partner applications. And the right purpose-built devices can streamline engagement and boost productivity, keeping teams connected whether they’re several feet or many miles apart, and even track and support wellbeing.
Looking ahead
Mental Health Awareness Month is an observance meant to bring attention to mental health and to the issues faced by so many. While mental health will continue to be an evolving crisis, one thing remains true: mental health and well-being are about people caring for people. While technology may not be able to solve every problem, we can help ease the burden on the people who provide such vital care for patients and find new ways to extend mental health care to the people who need it most. If technology is going to make a difference, it will only be through deep partnerships across the care ecosystem, and by earning the trust of care providers and of the people they serve. As part of our ongoing commitment to health and well-being, I know that every solution and advancement we bring to the market will be designed to create better experiences, insights, and care for all.
It’s been a long three years since we last invited you to join us at the manufacturer’s primary showcase event Hannover Messe in Germany, where we last mingled in person in 2019 with 220,000 of our manufacturing colleagues from around the world to share and explore the leadership and innovations on display.
In those three years, we’ve seen manufacturing leaders accelerate their digital transformation journeys as they strive with Microsoft and our industrial ecosystem to manufacture a more resilient and sustainable future for us all. So it’s fitting that as we converge on the home of Industry 4.0 in Hannover, Germany, we’re pleased to be joining a community of around 2,200 industry exhibitors to showcase customer, partner, and Microsoft Cloud for Manufacturing solutions for this year’s key theme of “Digitalization and Sustainability.”
Engage with Microsoft at Hannover Messe 2022
So, what does Microsoft have in store for you at Hannover Messe 2022, from May 30 to June 2, 2022? Here are five things to put on your calendar and to-do list:
1. Register for Hannover Messe and visit the Microsoft booth (Hall 4, Stand E34), where you can join guided tours and book meetings with Microsoft executives and manufacturing experts on hand to discuss how Microsoft Cloud for Manufacturing brings together Microsoft Azure, Microsoft 365, Microsoft Dynamics 365, and Microsoft Power Platform capabilities that help:
Build more agile factories.
Transform your workforce.
Engage customers in new ways.
Create more resilient supply chains.
Unlock innovation and new services.
Secure manufacturing solutions from edge to cloud.
3. Join us at WomenPower on day four. Manufacturing is undergoing a huge transformation. And that transformation is opening a wealth of new opportunities to bring diversity to the industry. Learn why manufacturing is the place to be for diverse talent, and join our workshop session at WomenPower featuring women leaders from Microsoft, customers, and partners.
4. Meet Microsoft’s co-innovation partners. Addressing the industry’s need for a platform that enables co-innovation and collaboration, our incredible ecosystem of industry partners expands the value of the Microsoft Cloud for Manufacturing with additional solutions to address today’s most pressing challenges.
Joining us at Hannover Messe in 2022 are ABB, Ansys, Accenture, Avanade, AVEVA, Blue Yonder, Cognite, C3.ai, ICONICS, o9 Solutions, PwC, PROS, PTC, Rockwell Automation, Sight Machine, TCS, and Tulip.
5. Accelerate your sustainability journey. Join us at the Microsoft booth to learn how to manufacture a resilient and sustainable future. We’ll be showcasing how the Microsoft Cloud for Sustainability empowers manufacturers to accelerate sustainability progress and business growth. We’re partnering with our customers to advance their progress by bringing together a set of environmental, social, and governance capabilities across the Microsoft cloud portfolio in addition to providing solutions from our global ecosystem of partners, such as ABB, AVEVA, TCS, and Wienerberger, the MIMA winner for sustainability. These integrated capabilities allow manufacturers to gain the transparency and insights they need to manage their environmental footprint, embed sustainability throughout their organization and value chain, and create new value in a transforming landscape.
Our booth features several customers and partners advancing their sustainability efforts. We’ll also feature Microsoft Circular Centers’ use of the Microsoft Cloud for Sustainability and demonstrate how manufacturers can:
Unify data intelligence: Gain the visibility required to effectively drive sustainability reporting, sustainability efforts, and business transformation.
Build a sustainable IT infrastructure: Identify opportunities to replace tools, systems, or activities with cleaner options and add business value.
Reduce the environmental impact of operations: Minimize the environmental footprint of your operational systems and processes.
Create sustainable value chains: Facilitate greater transparency and accountability through your value chain, from sourcing materials through the end of use.
And if you can’t make it to Hannover Messe in person, visit the Microsoft Hannover Messe virtual booth where you can explore on-demand videos, showing how Microsoft is helping manufacturers create a more resilient and sustainable future with Microsoft Cloud for Manufacturing solutions.
Microsoft, NASA, and students from two HBCUs in the Reston/DC area have completed the maiden mission of a new Microsoft/NASA partnership, STEM Educational Project: AI looking for new Earths.
Using methodology developed by The Microsoft Garage over years of running hackathons, in just one month – and while completing their final exams – the student hackers learned and deployed several new technologies, and quite literally reached the stars by showing they could deploy code to the International Space Station.
According to Piali Ghose, Director of The Garage Reston/DC and host of the event, “This hackathon amplifies the cultural priorities closest to our hearts here at Microsoft and at The Garage because it allows us to continue fulfilling our stated commitments to making a difference, seeking diversity and being inclusive in our work, bringing multiple teams together as ‘One Microsoft’ while collaborating with federal and academic partners, and doing all of this with a growth mindset.”
Planning the mission
The partnership emerged from a shared goal of fostering the future STEM workforce by exposing university students to science, tools, and expertise “at the intersection of Space + Cloud.” By structuring the project as a month-long hackathon, participating students learned how real data scientists work as a team to ideate, develop, and validate their work with a proof of concept.
“Microsoft is in Reston to increase our ability to support government and commercial customers in the region,” Dr. Steve Scallen, Director of University Engagement at The Garage, explained. “The Garage Reston/DC programming creates opportunities for Reston employees to leverage their creativity and encourage collaboration with government customers, local communities, the broader DC tech industry, civic organizations, and education groups and institutions [like HBCUs].”
Microsoft provided “mission control” in the form of volunteer mentors from both the Azure Space and Data and AI teams, and students were also given access to experts at NASA, including Dr. Aprille Ericsson, Dr. Rebekah Hounsell, and Dr. Jon Jenkins. The whole mission was coordinated by The Garage Reston/DC, one of more than a dozen Garage locations at Microsoft campuses around the world, where Ghose worked with Azure Space’s Steve Kitay and Juan Carlos Lopez (formerly a NASA employee himself) to select students and design the mission.
Hackers and mentors from the NASA/Azure Space hackathon meet at NASA’s Goddard Space Flight Center. From left: Sr. Azure Specialist Jamal Wade; crew members Demario Asquitt and Mubarek Abdela; The Garage Director Piali Ghose; crew members Getaante Yilma, Anu Upadhyaya, and Hridweek Karki; Azure Space Sr. Director Stephen Kitay, Sr. Software Engineer Kevin Mack, Sr. Programming Manager Juan Carlos Lopez; UMBC’s Asst. Research Scientist Rebekah Hounsell
Kitay, Senior Director of Azure Space, praised the mission in a recent LinkedIn post and said using Microsoft technologies to do work in space is a natural extension of the company’s mission statement. “Microsoft’s mission is to ‘empower every person and organization on the planet to achieve more,’ and [the Azure Space team] has expanded that to empowering every person and organization on and off the planet to achieve more. That’s the purpose of Azure Space: being able to connect to the next generation and helping them be part of the excitement and the industry that we get to be part of, which is bringing space and cloud computing and new technologies together in innovative ways and sharing that with people – particularly people that might not otherwise have the opportunity.”
For Lopez, a Senior Software Engineer, it was also about paying it forward. As the first generation of his family to go to college, he said opportunities like this made a big difference in his own career trajectory. “I’m with Microsoft Azure Space but previously I worked at NASA for a number of years because of a student program similar to this one. So, to me it was about taking my new world at Microsoft and my old community at NASA and bringing them together to create opportunities for students in the same way that I was given those opportunities.”
Packing for the mission and determining launch window
Since 2018, NASA has been operating the Transiting Exoplanet Survey Satellite (TESS), charged with looking for earth-sized planets (exoplanets) orbiting bright stars outside the solar system. The Azure Space team realized that with access to some NASA data and SMEs, they had everything they needed to join the hunt for potential exoplanets, and to bring a few talented students along. Lopez joked that if they do find a planet, “Maybe we’ll call it Planet Azure.”
Dr. Ericsson acted as a mentor to the crew on the NASA side. She said the hackathon was a way not only to learn new skills, but also to learn about the space science industry in general. “I love TESS because it’s a terrestrial planet finder – what cool stuff, right? I think the students got excited about this data and how it fits into the NASA themes. They really are learning a lot more than just a programming application – they’re learning about the larger goals of our organizations.”
TESS observes from an elliptical high Earth orbit to produce unobstructed, precise, and continuous measurements of a star’s brightness, called lightcurves.
About NASA’s TESS Mission: The Transiting Exoplanet Survey Satellite (TESS) is looking for Earth-sized planets (exoplanets) orbiting bright stars outside the solar system. The mission will survey 200,000 of the brightest stars near the sun to search for these transiting exoplanets. TESS was launched in April 2018 aboard a SpaceX Falcon 9 rocket.
Mission control consisted of Data and AI mentor Taylor Corbett, and Azure Space mentors David Weinstein, Steve Kitay, Kevin Mack, Brad Armstrong, and Tatyana Pearson. This team provided day-to-day and task-by-task guidance by way of regular checkpoints on Microsoft Teams, recorded for any crew members (students) who may have had a conflict with their studies. They also made themselves available after hours when necessary to accommodate the hackers’ school schedules.
Weinstein, the Azure Space team’s Principal Software Engineering Manager, said the space industry is on the verge of massive growth that will require a whole new cohort of computer scientists and other professionals to fill its ranks, both on Earth and in space. That wasn’t the case when he was a student. “In my generation, space was always on my mind, but it was not really a viable career for many people. But with this generation, with the space revolution that’s going on right now, there really is a solid opportunity for a much larger boom and many more career opportunities directly related to the space industry. That’s not on a lot of college students’ radar yet.”
Mack, a Senior Software Engineer with Azure Space, said TESS was a perfect choice for the hackathon format. “We wanted something interesting and compelling for the situation and for the space station, while also looking at something that was very achievable for [the students] in the timespan. The whole goal of this was to empower the students to succeed and empower them to literally reach the stars, so we wanted to make sure that it was something relevant to space, but also something that was attainable and doable.”
Armstrong, also a Senior Software Engineer, agreed, adding that all the data they were interested in is open source and accessible to the public from even a basic laptop. “This problem of trying to find exoplanets is something where the science is already fairly well established and the toolset around that is pretty performant, there’s simply a lot of data that has not been processed yet.”
Mission control pauses for a selfie. (Left photo) clockwise from left: Lopez, Kitay, Wade, Pearson, Mack, Azure Space Sr. Data Scientist Taylor Corbett; Ghose; Azure Space Principal Software Engineering Manager David Weinstein. (Right photo) from left: Piali Ghose, Juan Carlos Lopez, Steve Kitay, Dr. Rebekah Hounsell, Dr. Aprille Ericsson
Corbett, a Senior Data Scientist, said the hackathon was exactly the kind of thing he would have been interested in when he was a college student, or even before that. “I’ve been a space nerd my entire life. I still have photos of me at space camp in 6th grade and things like that, so the idea of being able to be part of something where conceivably we could find a new planet, like, who gets to do that?!” he said. “The amazing thing is that [the students] are working with data, models, and methods that weren’t around when I was born. And now here they are working with Microsoft, deploying code onto the cloud and onto the International Space Station.”
Lift-off!
Working with Dr. JiaJun Xu at University of the District of Columbia (UDC) and Dr. Michaela Amoo at Howard University, The Garage set out to identify students with a desire to “Participate in a student project combining Microsoft’s Azure Artificial Intelligence and data from NASA to explore the universe.” All that was required to apply was an intermediate knowledge of some basic coding languages (C#, Python, and Linux) and, of course, the spirit of an explorer.
Five students were selected as “crew members” for the hackathon: Anu Upadhyaya and Hridweek Karki from Howard; and Demario Asquitt, Mubarek Abdela, and Getaante Yilma from UDC.
While the selected students all study at HBCUs in Washington, D.C., they all come originally from outside the U.S.
Upadhyaya, from Nepal, is a sophomore majoring in computer engineering at Howard who aspires to be a computer engineer. She was responsible for deploying the mock space station and equipping it with simulated constraints to mirror the environment in space, including bandwidth and latency limits.
“Before this hackathon I had no experience with GitHub, and only a little experience with Python, so for me everything was really new – I learned so many things! We learned how to work with docker containers to create environments where our apps could work in any machine, and we learned about lightcurves and how to use the lightcurve data to create things like Target Pixel Files, periodograms, plots, BLS algorithms, and more. It showed me how things are actually done at NASA. I’m still exploring what I really want to do in my future, which is why I was so excited when Dr. Amoo came with this opportunity.”
By the time they got to their final presentation, however, they were all talking like space scientists. “Once we got the data downloaded and processed from Target Pixel Files to lightcurves, we use the BLS algorithm to transform and fold the lightcurves so they make sense to scientists, allowing them to conclude if a planet exists in a specific area,” said Asquitt, a computer science major in his last year at UDC, originally from Jamaica. “If there’s an inverted parabolic shape in the periodogram, the scientists can be pretty sure there’s a planet there. Basically, we wanted to mimic the environment in space, so we created a virtual machine in Azure that functions as our ground station for processing data sent from the mock space station to our ground station. As soon as we had access to both stations, I could start to run code.”
Yilma, from Ethiopia, is a senior in computer science at UDC and an aspiring software engineer. Part of his contribution was to write scripts to download lightcurve files and transform the data into various formats. He also defined the Dockerfile for the container and deployed the container to the mock ground and space stations using scripts provided in the GitHub repo.
“It was great to learn the hard skills like lightcurve, but one of my biggest takeaways from this hackathon was learning how to take a big problem and break it into smaller chunks. It gave me exposure to what is possible with Azure and this kind of computing – it was a great experience,” Yilma said.
Crew members present their solution to mission control at the hackathon closing ceremony. From left: Demario Asquitt, Hridweek Karki, Anu Upadhyaya, Mubarek Abdela, Getaante Yilma
Measuring success and coming in for a landing
According to Mack, the crew completed their mission the moment they proved they could deploy their own code to a space station. “One of the goals of the [Azure] Space team is really to democratize space and make it easier for people to get there. And to me, there’s a big check box there of a student getting code to space – that is an example of how we’re making it easier and pushing the ‘art of the possible.’ Not only do we think it’s possible, but it didn’t take 16 PhDs to do it. It took five students that are about to graduate.”
Karki is originally from Nepal and studies computer engineering at Howard. Before this hackathon, he had been a member of his high school astronomy club but that’s as close as he had gotten to NASA, or to learning from working space scientists.
He summarized the experience and the crew’s learnings like this: “The hackathon really made a big impact on all of us, and definitely raised our interest about future opportunities in space. We now all have a knowledge base and a better understanding of the possibilities for us in astrophysics, TESS/Kepler data, and finding exoplanets or even life beyond Earth. It was really exciting to learn the science behind what we were doing, like why we were folding these lightcurves. The other big thing I learned from this was when to ask questions, and what to look for when you get stuck. This also gave me a greater appreciation of mentorship, so I want to thank [mission control] for being there for us.”
It wasn’t all smooth sailing – the crew had difficulty initially in setting up the virtual environments, connecting to the virtual machines, and in one case, finding that their downloaded target pixel files were corrupted.
Abdela, a senior computer science student at the University of DC also originally from Ethiopia, said it best: “We want to thank everyone that supported us through this journey. For providing us this opportunity in the first place, but also for making sure that we were supported every step of the way. And that also meant a lot of hours, even hours outside of working time. Kevin, Brad, and the whole team are just so amazing. They were able to meet us where we were, explaining a lot of complex things in a very simple way which is helpful for people that are just starting out. Being just a text away for any issues that we face – we really, really appreciated that.”
Lopez said he hopes the students will keep in touch, whether they are planning for a career at Microsoft, NASA, or elsewhere. “This is not a goodbye. We already have the Space Act agreement with NASA, so this is just the first of many hackathons that we’re going to run together. I would love for you all to come back next year as mentors for the students that will come after you so that you can continue your relationships and continue being connected.” All of the students were encouraged to connect and continue their discussions on LinkedIn, where Lopez also shared a post to mark the finale.
Ghose closed by inviting the students back to The Garage Reston/DC for its grand opening next month. You can see more of her thoughts about the hackathon on LinkedIn. She also thanked the many groups at Microsoft that coalesced to make the event a success behind the scenes, including Blacks at Microsoft (BAM), members of the Federal Accounts team, and Microsoft’s legal team.
Congratulations to the crew on a successful mission, and huge thanks to mission control and the countless mentors and support staff at both Microsoft and NASA that came together to make it possible for them to send code to the cosmos and reach the stars.
Meet Graham, a 12-year old with a neurological condition that makes him unable to read or write. With the help of Microsoft features like Windows text-to-speech and Immersive Reader, Graham went from being dependent on others to taking control of his education. He’s even running his own business.
Learn more about Graham and some of the ways teachers are using technology to help address inequity in the classroom on Microsoft Stories.
It has been three years since SAP Sapphire last occurred in person, and I was thrilled to meet with our customers and partners again this week. As SAP Sapphire comes to a close, I am taking a moment to reflect on how the world has changed since the pandemic. Many organizations were not prepared for the impact such a change would have on their business, and they were forced to adjust in real-time—realizing that the digital transformation conversations of the past now needed to be put into action and accelerated.
Fast forward to SAP Sapphire 2022 and a new world, where in-person and hybrid experiences came together in Orlando, Florida and virtually across the globe. Microsoft and SAP are celebrating the one-year anniversary of RISE with SAP on the Microsoft Cloud, which helps organizations of all sizes modernize their SAP solutions in the cloud. We have made great progress on the various aspects of our product innovation, delivering new service offerings, frameworks, and tools that have helped our customers and partners simplify and further accelerate their SAP modernization journey. We have summarized the most recent product announcements here: SAP on Azure Product Announcements Summary—SAP Sapphire 2022.
SAP Sapphire 2022 gave us an opportunity to reconnect with customers and partners—celebrating our joint success, discussing new business priorities, and identifying areas where Microsoft can further help accelerate their growth. We were honored to see many customers and Microsoft colleagues on stage sharing their experiences and best practices. It is most rewarding and humbling to see the level of trust that SAP, our customers, and partners place in our technology platform and to see its impact across various industries and customer scenarios. Below are several session highlights in case you missed them.
The National Basketball Association (NBA) wanted to eliminate limitations of its on-premises data centers and moved its SAP applications and other IT resources to the cloud. The NBA’s Puneet Toteja, AVP, Business Systems Lead, discussed how using RISE with SAP with the AI, data warehouse, and personalization capabilities of Microsoft Azure has enabled the NBA to merge business, game, and fan data to deliver enhanced fan experiences. Learn more about the NBA’s journey with Microsoft and SAP.
David Durdan, Senior Director, Global Enterprise Architecture for Walgreens Company shares how the pharmacy chain embarked on a retail and finance transformation to deliver benefits to both customers and employees, using the SAP S/4HANA Retail solution and other SAP solutions hosted on Microsoft Azure. Learn more about Walgreens’ journey with Microsoft and SAP.
Microsoft’s Dhaval Desai, Principal Lead, SAP Supply Chain Engineering shared how Microsoft embraced RISE with SAP on Microsoft Cloud to transform its supply chain to a collaborative, digitally connected network that helps it sense and respond to demand changes quickly. Results from this joint Microsoft and SAP initiative include reduced latency in information sharing, improved forecast accuracy, and increased supply chain visibility, including visibility of supplier commitments.
Exelon-owned electric power company PEPCO provides electricity and gas to two million customers. In this session featuring Exelon’s Manager of Customer Projects and System Support Walter Stefy and Accenture Managing Director Muthu Maran, discover how they designed and executed a journey to cloud transformation and upgraded to SAP S/4HANA on Microsoft Azure in just eighteen months using Accenture’s Smart field approach.
Microsoft’s Dhaval Desai, Principal Lead, SAP Supply Chain Engineering joined a panel of industry leaders from Blue Diamond Growers, Varidesk and SAP to share how their organizations have addressed diverse supply chain resiliency issues with SAP solutions, including the SAP Integrated Business Planning for Supply Chain solution.
Merck and Co.’s Ann Wallach, Director of SAP Delivery, shares how this global pharmaceutical company modernized and automated its vaccine ordering process, which was previously handled through fax and phone and required manual entry of sales orders. Merck was able to modernize by leveraging the scalability of SAP Commerce Cloud on Microsoft Azure to improve the customer experience and payment-card industry compliance.
Learn more
I hope you’ve enjoyed SAP Sapphire, in person or virtually, as much as we did. To learn more, check out the SAP on Azure Product Announcements Summary. My team and I look forward to continuing our discussion and meeting many of you around the world as we hit the road with SAP, visiting eight cities in the remainder of 2022!
Srinivas Prasad Sugasani: It’s such fun to connect with you on Asian and Pacific Islander Heritage Month. As Asians and Pacific Islanders, I feel that we have so much to celebrate. At the same time, as we think about some of the events and realities that we have navigated recently, I’m curious from your perspective, Jane, what do you feel is different about this past year?
Jane Hesmondhalgh: We’ve continued on our journey of working to create an inclusive culture at Microsoft. And there is still a gap between our aspired culture and everyone’s lived experiences today. For some, that gap may be small; for others it may be larger. But the fact that at Microsoft we have this value system we’re aspiring to is, I think, very much aligned to the Asian and Pacific Islander communities.
We’re consistently working toward respect, accountability and high integrity at Microsoft. I would say that our continued work to make progress is not so much different this year, but that we’re focusing even more effort on it.
Unfortunately, this past year we have seen the continued trend of acts of hate toward Asians globally. But the fact that Microsoft is strongly supporting the community in the face of those is super critical for the community. And that much-needed support is not a one-time event where we say something and then we’re on to the next thing. It’s the ongoing recognition that acts against violence, injustice and inequities across the world are unacceptable.
SPS: That’s right. We’ve also been focused on community education in the wake of this alarming rise in acts of hate and violence — how the community can leverage safety practices, and how we can work with local government communities to increase safety.
JH: Our Inclusion Council has also been really engaged in these discussions. Other examples of sustained commitment to the community include the events we’ve done to engage with external experts in ongoing learning such as Microsoft Include, and of course the support of our Asians at Microsoft Employee Resources Group (ERG). I have heard from the community specifically that one of the most powerful things they’ve attended this year are our community calls, where people have had the opportunity to talk through how they’re feeling with others who may have experienced similar things.
SPS: Based on what we heard from our community, we’ve also been increasingly focused on how we strengthen and support the advancement of the ERG and its members at the company. I am really proud of how we’ve been working with outside experts on leadership development across the company, all the way from entry-level employees to the most senior in the company. This is the kind of year-round investment that is directly benefiting the community.
JH: I’m so passionate about this piece — the leadership education for Asians and Pacific Islanders. When I started as the sponsor for the Asians ERG, that was the No. 1 feedback, that the community wanted unique and tailored leadership education.
As we know, there are 4.7 billion people in this broad community across the world. Asians and Pacific Islanders make up 60% of the world population. That really strikes me. Because within that, there are so many different perspectives. So, a question for you is, how do we ensure that different types of conversations and perspectives from the entire community are brought in?
SPS: As you said — 60% of the global population! And we are trying to represent diversity within the community at that scale. It’s actually one of our strategic pillars in our ERG — including all community members. I think we’re doing a really good job with that. The leadership team has ensured that we include many voices, and as a result of that diversity of thought, we’ve seen new steps and actions being taken. For example, we had an Asians ERG art exhibition. We had a day of remembrance where people could talk about their practices, cultures, ancestors. We had a stand-up comedy event. And we’ve focused specifically on women inventors. Those are just a few examples.
So, focusing on the many dimensions of identity within our global community ensures that we can all share our experiences and learn from each other.
JH: This leads me to reflect on the word “community” and what that means. With a global team located all over the world, how do we bring everybody together in a sense of community? At Microsoft the community is a combination of people, cultures and beliefs. So, I think that community piece is our connection to the history across the Asia Pacific region. Within this vast land mass, we can appreciate and understand the differences and uniqueness of the people in the sub-communities and societies. We talked earlier about Microsoft’s culture and values. I think one thing that helps us is that Asian values around integrity and respect are very similar to the company’s. And then of course we go beyond respect to actually celebrating our cultures. Each of our ERG chapters and groups, each culture, is a contribution that is valuable to the world.
And these values are actually critical for the work ahead, right? This year, next year and beyond, we want to tackle the biggest problems that divide us as a society. And we’ve got that microcosm of society within our Asian and Pacific Islander community. We can play a huge role in landing the mindset of interconnectivity and learning both within and outside the company. Each person must be committed to driving positive change, be more intentionally inclusive in the workplace and build our empathy. With this, we can build momentum to meet the challenges of the world.
SPS: Well said Jane. As you’re speaking, I’m thinking about my own personal journey as well. Part of my life I lived on a farm in a small village. I experienced a community there where everybody looked like me, spoke like me with a very similar kind of language. When I lived in various cities, that was the first time I’d experienced people looking like me but speaking different dialects.
And then when I started working on a multinational level, I encountered people who had such a range of cultural differences from me. What I’ve learned is whether it is living in a village, in a small community or at the global level, human values remain the same. I’ve realized more recently that as things become more complex, more turbulent, and we do not know what future will hold, the constant is the values that we all stand for. And that is true across the Asian and Pacific Islander communities, and all across Microsoft and our nine ERGs and many dimensions of identities.
JH: You know, I never thought about it in this way but because you shared a little bit about your own background, I’ll share something about when we moved from the U.S. back to the U.K. In his new school, my son felt left out, and suddenly struggled with questions around “I am British, but do they think I am American or Chinese?” He didn’t feel that sense of belonging, and all these new questions of identity came up which he held to himself. Things did get better, but it reminds me that it’s all of our responsibility to help each other understand that while people are different, everybody has something to offer. People need to feel like they’re valued and that they can contribute without being judged.
SPS: It is so true. Thank you for sharing that. Are there any misperceptions about the Asian and Pacific Islander community that you would like to address?
JH: I’ve heard people say things like, gosh Asians are good at math and science, and they have an easier entry to STEM fields and occupations. I don’t know that I would ever categorize it as easier or not easier. There are many Asians who are not good at math and science, right? It’s a generalization, and there are a lot of these.
Another misconception is that because the Asian population is large, there are a lot of Asian leaders. But actually, the statistics have shown that we’re the least likely of all racial groups to become managers and executives. We need more role models and pathways to that senior level, which is where those development efforts we spoke about earlier come in. And of course, some other misconceptions came up during the pandemic around Chinese people.
So again, what combats these types of misconceptions and harmful stereotypes is learning and building our understanding and empathy for one another.
SPS: I absolutely agree. We will continue this work with the Microsoft communities and our leadership. I look forward to the impact we will make in the coming year. Thank you so much, Jane, for the chance to have this conversation. I look forward to our celebrations and recognition this month!
Every day, we must do our part to protect our planet from the impacts of climate change, and technology has an important role to play.
This Earth Day, like every Earth Day, I am taking the time to reflect on what we all need to do to protect and sustain Earth’s natural systems. What is unique this year is that I am doing it in person with my team for the first time in a long time.
Collaboration is an essential part of solving our climate crisis: sharing data, creating space for the connections that lead to innovations, and rallying around a common mission and goal. At Microsoft, it is something we are keenly focused on with our employees, our customers, and our partners.
Today, my team is together, and we will take a breath of fresh air, and continue the hard work needed to fulfill our commitments of being carbon negative, water positive and zero waste by 2030 all while protecting more land than we use and building a Planetary Computer.
We strive to make classroom tools accessible to every student, helping them feel supported regardless of any challenges they may face. With the latest updates to Microsoft Teams, we continue our work to empower students with solutions designed for their diverse needs and situations. We’ve highlighted our favorite updates below:
Ukrainian language support for auto-detect in Reading Progress
As educators welcome students who have fled Ukraine, finding ways to ensure their inclusion and continued learning is essential. We are proud to announce that we have globally rolled out Ukrainian language support for auto-detect in Reading Progress. This brings our total number of supported languages and locales to 105.
Reading Progress, a free tool that supports educators in building students’ reading fluency, allows you to translate passages into any supported language right in Microsoft Word. You can use the auto-detect feature in Reading Progress to mark the student’s reading accuracy and fluency in any of our 105 supported languages, allowing them to continue developing fluency in their native language while also providing some context to help them engage in content learning with their classmates in a novel language.
This means that with auto-detect in Ukrainian, educators who do not speak Ukrainian can still get a sense of a student’s reading level and adapt to support individual student growth. In addition, Reading Progress recordings allow educators to check students’ progress more regularly while freeing up time for relationship building and providing the differentiated support that students in crisis need.
Immersive Reader and Microsoft Translator also support learning in the Ukrainian language and are available in tools across Microsoft 365, helping educators differentiate and providing an entry point for displaced Ukrainian students no matter their reading level. With Immersive Reader, we support Ukrainian read aloud, as well as Ukrainian translation to and from 100+ languages.
Read Aloud support for Somali and Zulu in Immersive Reader
We are excited to announce that Read Aloud for the much-requested languages of Somali and Zulu is now rolled out globally in Immersive Reader.
Microsoft processes 24 trillion signals every 24 hours, and we have blocked billions of attacks in the last year alone. Microsoft Security tracks more than 35 unique ransomware families and 250 unique threat actors across observed nation-state, ransomware, and criminal activities.
That depth of signal intelligence gathered from various domains—identity, email, data, and cloud—provides us with insight into the gig economy that attackers have created with tools designed to lower the barrier for entry for other attackers, who in turn continue to pay dividends and fund operations through the sale and associated “cut” from their tool’s success.
The cybercriminal economy is a continuously evolving connected ecosystem of many players with different techniques, goals, and skillsets. In the same way our traditional economy has shifted toward gig workers for efficiency, criminals are learning that there’s less work and less risk involved by renting or selling their tools for a portion of the profits than performing the attacks themselves. This industrialization of the cybercrime economy has made it easier for attackers to use ready-made penetration testing and other tools to perform their attacks.
Within this category of threats, Microsoft has been tracking the trend in the ransomware-as-a-service (RaaS) gig economy, called human-operated ransomware, which remains one of the most impactful threats to organizations. We coined the industry term “human-operated ransomware” to clarify that these threats are driven by humans who make decisions at every stage of their attacks based on what they find in their target’s network.
Unlike the broad targeting and opportunistic approach of earlier ransomware infections, attackers behind these human-operated campaigns vary their attack patterns depending on their discoveries—for example, a security product that isn’t configured to prevent tampering or a service that’s running as a highly privileged account like a domain admin. Attackers can use those weaknesses to elevate their privileges to steal even more valuable data, leading to a bigger payout for them—with no guarantee they’ll leave their target environment once they’ve been paid. Attackers are also often more determined to stay on a network once they gain access and sometimes repeatedly monetize that access with additional attacks using different malware or ransomware payloads if they aren’t successfully evicted.
Ransomware attacks have become even more impactful in recent years as more ransomware-as-a-service ecosystems have adopted the double extortion monetization strategy. All ransomware is a form of extortion, but now, attackers are not only encrypting data on compromised devices but also exfiltrating it and then posting or threatening to post it publicly to pressure the targets into paying the ransom. Most ransomware attackers opportunistically deploy ransomware to whatever network they get access to, and some even purchase access to networks from other cybercriminals. Some attackers prioritize organizations with higher revenues, while others prefer specific industries for the shock value or type of data they can exfiltrate.
All human-operated ransomware campaigns—all human-operated attacks in general, for that matter—share common dependencies on security weaknesses that allow them to succeed. Attackers most commonly take advantage of an organization’s poor credential hygiene and legacy configurations or misconfigurations to find easy entry and privilege escalation points in an environment.
In this blog, we detail several of the ransomware ecosystems using the RaaS model, the importance of cross-domain visibility in finding and evicting these actors, and best practices organizations can use to protect themselves from this increasingly popular style of attack. We also offer security best practices on credential hygiene and cloud hardening, on addressing security blind spots, on hardening internet-facing assets to understand your perimeter, and more.
How RaaS redefines our understanding of ransomware incidents
With ransomware being the preferred method for many cybercriminals to monetize attacks, human-operated ransomware remains one of the most impactful threats to organizations today, and it only continues to evolve. This evolution is driven by the “human-operated” aspect of these attacks—attackers make informed and calculated decisions, resulting in varied attack patterns tailored specifically to their targets and iterated upon until the attackers are successful or evicted.
In the past, we’ve observed a tight relationship between the initial entry vector, tools, and ransomware payload choices in each campaign of one strain of ransomware. The RaaS affiliate model, which has allowed more criminals, regardless of technical expertise, to deploy ransomware built or managed by someone else, is weakening this link. As ransomware deployment becomes a gig economy, it has become more difficult to link the tradecraft used in a specific attack to the ransomware payload developers.
Reporting a ransomware incident by assigning it with the payload name gives the impression that a monolithic entity is behind all attacks using the same ransomware payload and that all incidents that use the ransomware share common techniques and infrastructure. However, focusing solely on the ransomware stage obscures many stages of the attack that come before, including actions like data exfiltration and additional persistence mechanisms, as well as the numerous detection and protection opportunities for network defenders.
We know, for example, that the underlying techniques used in human-operated ransomware campaigns haven’t changed very much over the years—attacks still prey on the same security misconfigurations to succeed. Securing a large corporate network takes disciplined and sustained focus, but there’s a high ROI in implementing critical controls that prevent these attacks from having a wider impact, even if it’s only possible on the most critical assets and segments of the network.
Without the ability to steal access to highly privileged accounts, attackers can’t move laterally, spread ransomware widely, access data to exfiltrate, or use tools like Group Policy to impact security settings. Disrupting common attack patterns by applying security controls also reduces alert fatigue in security operations centers (SOCs) by stopping the attackers before they get in. This can also prevent unexpected consequences of short-lived breaches, such as exfiltration of network topologies and configuration data that happens in the first few minutes of execution of some trojans.
In the following sections, we explain the RaaS affiliate model and disambiguate between the attacker tools and the various threat actors at play during a security incident. Gaining this clarity helps surface trends and common attack patterns that inform defensive strategies focused on preventing attacks rather than detecting ransomware payloads. Threat intelligence and insights from this research also enrich our solutions like Microsoft 365 Defender, whose comprehensive security capabilities help protect customers by detecting RaaS-related attack attempts.
The RaaS affiliate model explained
The cybercriminal economy—a connected ecosystem of many players with different techniques, goals, and skillsets—is evolving. The industrialization of attacks has progressed from attackers using off-the-shelf tools, such as Cobalt Strike, to attackers being able to purchase access to networks and the payloads they deploy to them. This means that the impact of a successful ransomware and extortion attack remains the same regardless of the attacker’s skills.
RaaS is an arrangement between an operator and an affiliate. The RaaS operator develops and maintains the tools to power the ransomware operations, including the builders that produce the ransomware payloads and payment portals for communicating with victims. The RaaS program may also include a leak site to share snippets of data exfiltrated from victims, allowing attackers to show that the exfiltration is real and try to extort payment. Many RaaS programs further incorporate a suite of extortion support offerings, including leak site hosting and integration into ransom notes, as well as decryption negotiation, payment pressure, and cryptocurrency transaction services.
RaaS thus gives a unified appearance of the payload or campaign being a single ransomware family or set of attackers. However, what happens is that the RaaS operator sells access to the ransom payload and decryptor to an affiliate, who performs the intrusion and privilege escalation and who is responsible for the deployment of the actual ransomware payload. The parties then split the profit. In addition, RaaS developers and operators might also use the payload for profit, sell it, and run their campaigns with other ransomware payloads—further muddying the waters when it comes to tracking the criminals behind these actions.
Figure 1. How the RaaS affiliate model enables ransomware attacks
Access for sale and mercurial targeting
A component of the cybercriminal economy is selling access to systems to other attackers for various purposes, including ransomware. Access brokers can, for instance, infect systems with malware or a botnet and then sell them as a “load”. A load is designed to install other malware or backdoors onto the infected systems for other criminals. Other access brokers scan the internet for vulnerable systems, like exposed Remote Desktop Protocol (RDP) systems with weak passwords or unpatched systems, and then compromise them en masse to “bank” for later profit. Some advertisements for the sale of initial access specifically cite that a system isn’t managed by an antivirus or endpoint detection and response (EDR) product and has a highly privileged credential such as Domain Administrator associated with it to fetch higher prices.
Most ransomware attackers opportunistically deploy ransomware to whatever network they get access to. Some attackers prioritize organizations with higher revenues, while some target specific industries for the shock value or type of data they can exfiltrate (for example, attackers targeting hospitals or exfiltrating data from technology companies). In many cases, the targeting doesn’t manifest as a specific attack on the target’s network; instead, it takes the form of purchasing access from an access broker or using an existing malware infection to pivot to ransomware activities.
In some ransomware attacks, the affiliates who bought a load or access may not even know or care how the system was compromised in the first place and are just using it as a “jump server” to perform other actions in a network. Access brokers often list the network details for the access they are selling, but affiliates aren’t usually interested in the network itself but rather the monetization potential. As a result, some attacks that seem targeted to a specific industry might simply be a case of affiliates purchasing access based on the number of systems they could deploy ransomware to and the perceived potential for profit.
“Human-operated” means human decisions
Microsoft coined the term “human-operated ransomware” to clearly define a class of attacks driven by expert human intelligence at every step of the attack chain and culminating in intentional business disruption and extortion. Human-operated ransomware attacks share commonalities in the security misconfigurations they take advantage of and the manual techniques used for lateral movement and persistence. However, the human-operated nature of these actions means that variations in attacks—including objectives and pre-ransom activity—evolve depending on the environment and the unique opportunities identified by the attackers.
These attacks involve many reconnaissance activities that enable human operators to profile the organization and know what next steps to take based on specific knowledge of the target. Many of the initial access campaigns that provide access to RaaS affiliates perform automated reconnaissance and exfiltration of information collected in the first few minutes of an attack.
After the attack shifts to a hands-on-keyboard phase, the reconnaissance and activities based on this knowledge can vary, depending on the tools that come with the RaaS and the operator’s skill. Frequently attackers query for the currently running security tools, privileged users, and security settings such as those defined in Group Policy before continuing their attack. The data discovered via this reconnaissance phase informs the attacker’s next steps.
If there’s minimal security hardening to complicate the attack and a highly privileged account can be gained immediately, attackers move directly to deploying ransomware by editing a Group Policy. The attackers take note of security products in the environment and attempt to tamper with and disable these, sometimes using scripts or tools provided with RaaS purchase that try to disable multiple security products at once, other times using specific commands or techniques performed by the attacker.
This human decision-making early in the reconnaissance and intrusion stages means that even if a target’s security solutions detect specific techniques of an attack, the attackers may not get fully evicted from the network and can use other collected knowledge to attempt to continue the attack in ways that bypass security controls. In many instances, attackers test their attacks “in production” from an undetected location in their target’s environment, deploying tools or payloads like commodity malware. If these tools or payloads are detected and blocked by an antivirus product, the attackers simply grab a different tool, modify their payload, or tamper with the security products they encounter. Such detections could give SOCs a false sense of security that their existing solutions are working. However, these could merely serve as a smokescreen to allow the attackers to further tailor an attack chain that has a higher probability of success. Thus, when the attack reaches the active attack stage of deleting backups or shadow copies, the attack would be minutes away from ransomware deployment. The adversary would likely have already performed harmful actions like the exfiltration of data. This knowledge is key for SOCs responding to ransomware: prioritizing investigation of alerts or detections of tools like Cobalt Strike and performing swift remediation actions and incident response (IR) procedures are critical for containing a human adversary before the ransomware deployment stage.
Exfiltration and double extortion
Ransomware attackers often profit simply by disabling access to critical systems and causing system downtime. Although that simple technique often motivates victims to pay, it is not the only way attackers can monetize their access to compromised networks. Exfiltration of data and “double extortion,” which refers to attackers threatening to leak data if a ransom hasn’t been paid, has also become a common tactic among many RaaS affiliate programs—many of them offering a unified leak site for their affiliates. Attackers take advantage of common weaknesses to exfiltrate data and demand ransom without deploying a payload.
This trend means that focusing on protecting against ransomware payloads via security products or encryption, or considering backups as the main defense against ransomware, instead of comprehensive hardening, leaves a network vulnerable to all the stages of a human-operated ransomware attack that occur before ransomware deployment. This exfiltration can take the form of using tools like Rclone to sync to an external site, setting up email transport rules, or uploading files to cloud services. With double extortion, attackers don’t need to deploy ransomware and cause downtime to extort money. Some attackers have moved beyond the need to deploy ransomware payloads and are shifting straight to extortion models or performing the destructive objectives of their attacks by directly deleting cloud resources. One such extortion actor is DEV-0537 (also known as LAPSUS$), which is profiled below.
Persistent and sneaky access methods
Paying the ransom may not reduce the risk to an affected network and potentially only serves to fund cybercriminals. Giving in to the attackers’ demands doesn’t guarantee that attackers ever “pack their bags” and leave a network. Attackers are more determined to stay on a network once they gain access and sometimes repeatedly monetize attacks using different malware or ransomware payloads if they aren’t successfully evicted.
The handoff between different attackers as transitions in the cybercriminal economy occur means that multiple attackers may retain persistence in a compromised environment using an entirely different set of tools from those used in a ransomware attack. For example, initial access gained by a banking trojan leads to a Cobalt Strike deployment, but the RaaS affiliate that purchased the access may choose to use a less detectable remote access tool such as TeamViewer to maintain persistence on the network to operate their broader series of campaigns. Using legitimate tools and settings to persist versus malware implants such as Cobalt Strike is a popular technique among ransomware attackers to avoid detection and remain resident in a network for longer.
Some of the common enterprise tools and techniques for persistence that Microsoft has observed being used include:
AnyDesk
Atera Remote Management
ngrok.io
Remote Manipulator System
Splashtop
TeamViewer
Another popular technique attackers perform once they attain privileged access is the creation of new backdoor user accounts, whether local or in Active Directory. These newly created accounts can then be added to remote access tools such as a virtual private network (VPN) or Remote Desktop, granting remote access through accounts that appear legitimate on the network. Ransomware attackers have also been observed editing the settings on systems to enable Remote Desktop, reduce the protocol’s security, and add new users to the Remote Desktop Users group.
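The reconnaissance, tampering and shadow-copy deletion sequence, the Rclone and transport-rule exfiltration, and the backdoor-account and RDP persistence described above can be turned into a single stage-aware triage over endpoint telemetry. The following Python is an added example, not code from the Microsoft blog or any Microsoft product: the JSON Lines schema, host and account names, and the rule patterns are all assumptions constructed for illustration from the behaviours the text names.

```python
import json
import re
from dataclasses import dataclass

# Constructed sample telemetry in JSON Lines form. The schema, host names,
# accounts and commands are invented for illustration; this is not a real
# product's export format and not real incident data.
SAMPLE_LOGS = r'''
{"ts":"2022-05-09T10:01:12Z","host":"FS01","event":"process","user":"CORP\\svc_backup","cmd":"net group \"Domain Admins\" /domain"}
{"ts":"2022-05-09T10:01:40Z","host":"FS01","event":"process","user":"CORP\\svc_backup","cmd":"powershell -c Get-MpComputerStatus"}
{"ts":"2022-05-09T10:03:05Z","host":"FS01","event":"process","user":"CORP\\svc_backup","cmd":"powershell Set-MpPreference -DisableRealtimeMonitoring $true"}
{"ts":"2022-05-09T10:05:00Z","host":"FS01","event":"security","id":4720,"user":"CORP\\svc_backup","target":"CORP\\svcadmin2"}
{"ts":"2022-05-09T10:05:03Z","host":"FS01","event":"security","id":4732,"user":"CORP\\svc_backup","target":"CORP\\svcadmin2","group":"Remote Desktop Users"}
{"ts":"2022-05-09T10:06:10Z","host":"FS01","event":"process","user":"CORP\\svc_backup","cmd":"reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f"}
{"ts":"2022-05-09T11:20:44Z","host":"FS01","event":"process","user":"CORP\\svc_backup","cmd":"rclone.exe copy D:\\Finance remote:share --transfers 8"}
{"ts":"2022-05-09T11:41:02Z","host":"FS01","event":"process","user":"CORP\\svc_backup","cmd":"vssadmin delete shadows /all /quiet"}
{"ts":"2022-05-09T11:41:30Z","host":"WS22","event":"process","user":"CORP\\jdoe","cmd":"outlook.exe"}
'''

# Stages ordered from earliest hands-on-keyboard activity to the point the
# text describes as "minutes away from ransomware deployment".
STAGE_ORDER = ["recon", "tamper", "persist", "exfil", "pre_ransom"]

# (stage, rule name, pattern over the command line). The patterns are
# assumptions derived from the behaviours the text names, not vendor content.
PROCESS_RULES = [(stage, rule, re.compile(pat, re.IGNORECASE)) for stage, rule, pat in [
    ("recon", "privileged-group enumeration",
     r"\bnet(?:1)?(?:\.exe)?\s+(?:group|localgroup)\b.*\b(?:admin|remote desktop)"),
    ("recon", "security-tool status query", r"Get-MpComputerStatus\b|Get-MpPreference\b"),
    ("tamper", "Defender real-time protection disabled",
     r"Set-MpPreference\b.*-Disable\w*Monitoring\s+\$?true"),
    ("tamper", "Defender exclusion added", r"Add-MpPreference\b.*-Exclusion"),
    ("persist", "RDP enabled via registry", r"fDenyTSConnections\b.*/d\s+0\b"),
    ("persist", "RDP Network Level Authentication disabled", r"\bUserAuthentication\b.*/d\s+0\b"),
    ("persist", "remote access tool launched (verify against approved software)",
     r"\b(?:anydesk|teamviewer|ateraagent|splashtop|ngrok|rutserv)(?:\.exe)?\b"),
    ("exfil", "Rclone transfer to remote", r"\brclone(?:\.exe)?\s+(?:copy|sync|move)\b"),
    ("exfil", "mail transport or forwarding rule created", r"New-TransportRule\b|New-InboxRule\b.*-Forward"),
    ("pre_ransom", "shadow copies deleted",
     r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete"),
    ("pre_ransom", "backup catalog deleted", r"wbadmin(?:\.exe)?\s+delete\s+catalog"),
]]


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    stage: str   # one of STAGE_ORDER
    rule: str
    detail: str


def _security_rule(rec):
    """Map the Windows Security event IDs behind the backdoor-account pattern
    (4720 account created, 4732 member added to a local group) to findings."""
    eid = rec.get("id")
    if eid == 4720:
        return ("persist", "new user account created (verify change ticket)",
                f"{rec.get('target')} created by {rec.get('user')}")
    if eid == 4732 and "remote desktop" in str(rec.get("group", "")).lower():
        return ("persist", "account added to Remote Desktop Users",
                f"{rec.get('target')} added by {rec.get('user')}")
    return None


def analyze(text):
    """Run every rule over each JSON line; return findings in input order."""
    findings = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        rec = json.loads(raw)
        if rec.get("event") == "process":
            cmd = rec.get("cmd", "")
            for stage, rule, pattern in PROCESS_RULES:
                if pattern.search(cmd):
                    findings.append(Finding(rec["ts"], rec["host"], stage, rule, cmd))
        elif rec.get("event") == "security":
            hit = _security_rule(rec)
            if hit:
                findings.append(Finding(rec["ts"], rec["host"], *hit))
    return findings


def triage(text):
    """Per-host summary ordered so hosts closest to ransomware deployment come
    first; within a host, findings are chronological to tell the story."""
    by_host = {}
    for f in analyze(text):
        by_host.setdefault(f.host, []).append(f)
    summary = {}
    for host, fs in by_host.items():
        fs.sort(key=lambda f: f.ts)
        furthest = max(fs, key=lambda f: STAGE_ORDER.index(f.stage)).stage
        summary[host] = {"furthest_stage": furthest, "findings": fs}
    return dict(sorted(summary.items(),
                       key=lambda kv: -STAGE_ORDER.index(kv[1]["furthest_stage"])))


if __name__ == "__main__":
    for host, info in triage(SAMPLE_LOGS).items():
        print(f"{host}: furthest stage = {info['furthest_stage']}")
        for f in info["findings"]:
            print(f"  {f.ts} [{f.stage}] {f.rule}: {f.detail}")
```

Legitimate administration will trip several of these rules on their own; the signal is the progression through stages on one host in a short window, which is what the furthest-stage ranking surfaces for responders.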
The time between initial access and hands-on-keyboard deployment can vary wildly depending on the groups and their workloads or motivations. Some activity groups can access thousands of potential targets and work through these as their staffing allows, prioritizing based on potential ransom payment over several months. While some activity groups may have access to large and highly resourced companies, they prefer to attack smaller companies for less overall ransom because they can execute the attack within hours or days. In addition, the return on investment is higher from companies that can’t respond to a major incident. Ransoms of tens of millions of dollars receive much attention but take much longer to develop. Many groups prefer to ransom five to 10 smaller targets in a month because the success rate at receiving payment is higher in these targets. Smaller organizations that can’t afford an IR team are often more likely to pay tens of thousands of dollars in ransom than an organization worth millions of dollars, because the latter has a developed IR capability and is likely to follow legal advice against paying. In some instances, a ransomware-associated threat actor may have an implant on a network and never convert it to ransom activity. In other cases, initial access to full ransom (including handoff from an access broker to a RaaS affiliate) takes less than an hour.
Figure 2. Human-operated ransomware targeting and rate of success, based on a sampling of Microsoft data over six months between 2021 and 2022
The human-driven nature of these attacks and the scale of possible victims under control of ransomware-associated threat actors underscores the need to take targeted proactive security measures to harden networks and prevent these attacks in their early stages.
Threat actors and campaigns deep dive: Threat intelligence-driven response to human-operated ransomware attacks
For organizations to successfully respond to evict an active attacker, it’s important to understand the active stage of an ongoing attack. In the early attack stages, such as deploying a banking trojan, common remediation efforts like isolating a system and resetting exposed credentials may be sufficient. As the attack progresses and the attacker performs reconnaissance activities and exfiltration, it’s important to implement an incident response process that scopes the incident to address the impact specifically. Using a threat intelligence-driven methodology for understanding attacks can assist in determining incidents that need additional scoping.
In the next sections, we provide a deep dive into the following prominent ransomware threat actors and their campaigns to increase community understanding of these attacks and enable organizations to better protect themselves:
Microsoft threat intelligence directly informs our products as part of our commitment to track adversaries and protect customers. Microsoft 365 Defender customers should prioritize alerts titled “Ransomware-linked emerging threat activity group detected”. We also add the note “Ongoing hands-on-keyboard attack” to alerts that indicate a human attacker is in the network. When these alerts are raised, it’s highly recommended to initiate an incident response process to scope the attack, isolate systems, and regain control of credentials attackers may be in control of.
A note on threat actor naming: as part of Microsoft’s ongoing commitment to track both nation-state and cybercriminal threat actors, we refer to the unidentified threat actors as a “development group”. We use a naming structure with a prefix of “DEV” to indicate an emerging threat group or unique activity during investigation. When a nation-state group moves out of the DEV stage, we use chemical elements (for example, PHOSPHORUS and NOBELIUM) to name them. On the other hand, we use volcano names (such as ELBRUS) for ransomware or cybercriminal activity groups that have moved out of the DEV stage. In the cybercriminal economy, relationships between groups change very rapidly. Attackers are known to hire talent from other cybercriminal groups or use “contractors,” who provide gig economy-style work on a limited time basis and may not rejoin the group. This shifting nature means that many of the groups Microsoft tracks are labeled as DEV, even if we have a concrete understanding of the nature of the activity group.
DEV-0193 cluster (Trickbot LLC): The most prolific ransomware group today
A vast amount of the current cybercriminal economy connects to a nexus of activity that Microsoft tracks as DEV-0193, also referred to as Trickbot LLC. DEV-0193 is responsible for developing, distributing, and managing many different payloads, including Trickbot, BazaLoader, and AnchorDNS. In addition, DEV-0193 managed the Ryuk RaaS program before the latter’s shutdown in June 2021, and Ryuk’s successor, Conti, as well as Diavol. Microsoft has been tracking the activities of DEV-0193 since October 2020 and has observed their expansion from developing and distributing the Trickbot malware to becoming the most prolific ransomware-associated cybercriminal activity group active today.
DEV-0193’s actions and use of the cybercriminal gig economy means they often add new members and projects and utilize contractors to perform various parts of their intrusions. As other malware operations have shut down for various reasons, including legal actions, DEV-0193 has hired developers from these groups. Most notable are the acquisitions of developers from Emotet, Qakbot, and IcedID, bringing them to the DEV-0193 umbrella.
A subgroup of DEV-0193, which Microsoft tracks as DEV-0365, provides infrastructure-as-a-service for cybercriminals. Most notably, DEV-0365 provides Cobalt Strike Beacon-as-a-service. These DEV-0365 Beacons have replaced unique C2 infrastructure in many active malware campaigns. DEV-0193 infrastructure has also been implicated in attacks deploying novel techniques, including exploitation of CVE-2021-40444.
The leaked chat files from a group publicly labeled as the “Conti Group” in February 2022 confirm the wide scale of DEV-0193 activity tracked by Microsoft. Based on our telemetry from 2021 and 2022, Conti has become one of the most deployed RaaS ecosystems, with multiple affiliates concurrently deploying their payload—even as other RaaS ecosystems (DarkSide/BlackMatter and REvil) ceased operations. However, payload-based attribution meant that much of the activity that led to Conti ransomware deployment was attributed to the “Conti Group,” even though many affiliates had wildly different tradecraft, skills, and reporting structures. Some Conti affiliates performed small-scale intrusions using the tools offered by the RaaS, while others performed weeks-long operations involving data exfiltration and extortion using their own techniques and tools. One of the most prolific and successful Conti affiliates—and the one responsible for developing the “Conti Manual” leaked in August 2021—is tracked as DEV-0230. This activity group also developed and deployed the FiveHands and HelloKitty ransomware payloads and often gained access to an organization via DEV-0193’s BazaLoader infrastructure.
ELBRUS: (Un)arrested development
ELBRUS, also known as FIN7, has been known to be in operation since 2012 and has run multiple campaigns targeting a broad set of industries for financial gain. ELBRUS has deployed point-of-sale (PoS) and ATM malware to collect payment card information from in-store checkout terminals. They have also targeted corporate personnel who have access to sensitive financial data, including individuals involved in SEC filings.
In 2018, this activity group made headlines when three of its members were arrested. In May 2020, another arrest was made for an individual with alleged involvement with ELBRUS. However, despite law enforcement actions against suspected individual members, Microsoft has observed sustained campaigns from the ELBRUS group itself during these periods.
ELBRUS is responsible for developing and distributing multiple custom malware families used for persistence, including JSSLoader and Griffon. ELBRUS has also created fake security companies called “Combi Security” and “Bastion Security” to facilitate the recruitment of employees to their operations under the pretense of working as penetration testers.
In 2020 ELBRUS transitioned from using PoS malware to deploying ransomware as part of a financially motivated extortion scheme, specifically deploying the MAZE and REvil RaaS families. ELBRUS developed their own RaaS ecosystem named DarkSide. They deployed DarkSide payloads as part of their operations and recruited and managed affiliates that deployed the DarkSide ransomware. The tendency to report on ransomware incidents based on payload and attribute it to a monolithic gang often obfuscates the true relationship between the attackers, which was especially true of the DarkSide RaaS. Case in point, one of the most infamous DarkSide deployments wasn’t performed by ELBRUS but by a ransomware-as-a-service affiliate Microsoft tracks as DEV-0289.
ELBRUS retired the DarkSide ransomware ecosystem in May 2021 and released its successor, BlackMatter, in July 2021. Replicating their patterns from DarkSide, ELBRUS deployed BlackMatter themselves and ran a RaaS program for affiliates. The activity group then retired the BlackMatter ransomware ecosystem in November 2021.
While they aren’t currently publicly observed to be running a RaaS program, ELBRUS is very active in compromising organizations via phishing campaigns that lead to their JSSLoader and Griffon malware. Since 2019, ELBRUS has partnered with DEV-0324 to distribute their malware implants. DEV-0324 acts as a distributor in the cybercriminal economy, providing a service to distribute the payloads of other attackers through phishing and exploit kit vectors. ELBRUS has also been abusing CVE-2021-31207 in Exchange to compromise organizations in April of 2022, an interesting pivot to using a less popular authenticated vulnerability in the ProxyShell cluster of vulnerabilities. This abuse has allowed them to target organizations that patched only the unauthenticated vulnerability in their Exchange Server and turn compromised low privileged user credentials into highly privileged access as SYSTEM on an Exchange Server.
DEV-0504: Shifting payloads reflecting the rise and fall of RaaS programs
An excellent example of how clustering activity based on ransomware payload alone can obfuscate the threat actors behind an attack is DEV-0504. DEV-0504 has deployed at least six RaaS payloads since 2020, with many of their attacks becoming high-profile incidents attributed to the “REvil gang” or “BlackCat ransomware group”. This attribution masks the actions of the attackers under the DEV-0504 umbrella, as well as those of other REvil and BlackCat affiliates. This has resulted in a confusing story of the scale of the ransomware problem and overinflated the impact that a single RaaS program shutdown can have on the threat environment.
Figure 3. Ransomware payloads distributed by DEV-0504 between 2020 and April 2022
DEV-0504 shifts payloads when a RaaS program shuts down, for example the deprecation of REvil and BlackMatter, or possibly when a program with a better profit margin appears. These market dynamics aren’t unique to DEV-0504 and are reflected in most RaaS affiliates. They can also manifest in even more extreme behavior where RaaS affiliates switch to older “fully owned” ransomware payloads like Phobos, which they can buy when a RaaS isn’t available, or they don’t want to pay the fees associated with RaaS programs.
DEV-0504 appears to rely on access brokers to enter a network, using Cobalt Strike Beacons they have possibly purchased access to. Once inside a network, they rely heavily on PsExec to move laterally and stage their payloads. Their techniques require them to have compromised elevated credentials, and they frequently disable antivirus products that aren’t protected with tamper protection.
DEV-0504 was responsible for deploying BlackCat ransomware in companies in the energy sector in January 2022. Around the same time, DEV-0504 also deployed BlackCat in attacks against companies in the fashion, tobacco, IT, and manufacturing industries, among others.
DEV-0237: Prolific collaborator
Like DEV-0504, DEV-0237 is a prolific RaaS affiliate that alternates between different payloads in their operations based on what is available. DEV-0237 heavily used Ryuk and Conti payloads from Trickbot LLC/DEV-0193, then Hive payloads more recently. Many publicly documented Ryuk and Conti incidents and tradecraft can be traced back to DEV-0237.
After the activity group switched to Hive as a payload, a large uptick in Hive incidents was observed. Their switch to the BlackCat RaaS in March 2022 is suspected to be due to public discourse around Hive decryption methodologies; that is, DEV-0237 may have switched to BlackCat because they didn’t want Hive’s decryptors to interrupt their business. Overlap in payloads has occurred as DEV-0237 experiments with new RaaS programs on lower-value targets. They have been observed to experiment with some payloads only to abandon them later.
Figure 4. Ransomware payloads distributed by DEV-0237 between 2020 and April 2022
Beyond RaaS payloads, DEV-0237 uses the cybercriminal gig economy to also gain initial access to networks. DEV-0237’s proliferation and success rate come in part from their willingness to leverage the network intrusion work and malware implants of other groups versus performing their own initial compromise and malware development.
Figure 5. Examples of DEV-0237’s relationships with other cybercriminal activity groups
Like all RaaS operators, DEV-0237 relies on compromised, highly privileged account credentials and security weaknesses once inside a network. DEV-0237 often leverages Cobalt Strike Beacon dropped by the malware they have purchased, as well as tools like SharpHound to conduct reconnaissance. The group often utilizes BITSadmin /transfer to stage their payloads. An often-documented trademark of Ryuk and Conti deployments is naming the ransomware payload xxx.exe, a tradition that DEV-0237 continues to use no matter what RaaS they are deploying, as most recently observed with BlackCat. In late March of 2022, DEV-0237 was observed to be using a new version of Hive again.
DEV-0206 and DEV-0243: An “evil” partnership
Malvertising, which refers to taking out a search engine ad to lead to a malware payload, has been used in many campaigns, but the access broker that Microsoft tracks as DEV-0206 uses this as their primary technique to gain access to and profile networks. Targets are lured by an ad purporting to be a browser update, or a software package, to download a ZIP file and double-click it. The ZIP package contains a JavaScript file (.js), which in most environments runs when double-clicked. Organizations that have changed the settings such that script files open with a text editor by default instead of a script handler are largely immune from this threat, even if a user double-clicks the script.
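The mitigation in the last sentence, making script files open in a text editor rather than a script host, can be verified from the machine's file associations. The script below is an added example, not from the original post or from Microsoft: it parses the output of the `assoc` and `ftype` commands built into cmd.exe and reports which script extensions still execute on double-click. The sample output is constructed, with .js already re-pointed at Notepad and the other script types left at their defaults.

```python
"""Check which script file types still open in a script host when double-clicked.

Added example, not from the original post. Input is the text printed by the
cmd.exe built-ins `assoc` (extension -> file type) and `ftype` (file type ->
handler command line). The samples below are constructed, not captured.
"""
import re
import subprocess
import sys

# Extensions commonly delivered inside a lure ZIP and run by double-click.
SCRIPT_EXTENSIONS = [".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"]
# Handlers that execute the file instead of displaying it.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")


def parse_key_value_lines(text):
    """Turn 'key=value' lines (assoc or ftype output) into a dict with lower-cased keys."""
    mapping = {}
    for line in text.splitlines():
        m = re.match(r"^([^=\s][^=]*)=(.*)$", line.strip())
        if m:
            mapping[m.group(1).strip().lower()] = m.group(2).strip()
    return mapping


def risky_script_handlers(assoc_text, ftype_text):
    """Return {extension: handler command} for script types whose default handler runs them."""
    assoc = parse_key_value_lines(assoc_text)   # ".js" -> "JSFile"
    ftypes = parse_key_value_lines(ftype_text)  # "jsfile" -> command line
    risky = {}
    for ext in SCRIPT_EXTENSIONS:
        file_type = assoc.get(ext, "").lower()
        command = ftypes.get(file_type, "")
        if any(host in command.lower() for host in SCRIPT_HOSTS):
            risky[ext] = command
    return risky


# Constructed sample output: .js already remediated to Notepad, the rest not.
SAMPLE_ASSOC = """\
.js=JSFile
.jse=JSEFile
.vbs=VBSFile
.wsf=WSFFile
.txt=txtfile
"""
SAMPLE_FTYPE = """\
JSFile=%SystemRoot%\\System32\\NOTEPAD.EXE %1
JSEFile=%SystemRoot%\\System32\\WScript.exe "%1" %*
VBSFile=%SystemRoot%\\System32\\WScript.exe "%1" %*
WSFFile=%SystemRoot%\\System32\\WScript.exe "%1" %*
txtfile=%SystemRoot%\\system32\\NOTEPAD.EXE %1
"""


def live_output(command):
    """Run a cmd.exe built-in and return its text (Windows only)."""
    return subprocess.run(["cmd", "/c", command], capture_output=True, text=True).stdout


if __name__ == "__main__":
    if sys.platform == "win32":
        assoc_text, ftype_text = live_output("assoc"), live_output("ftype")
    else:
        assoc_text, ftype_text = SAMPLE_ASSOC, SAMPLE_FTYPE
    for ext, command in sorted(risky_script_handlers(assoc_text, ftype_text).items()):
        print(f"{ext} still opens with a script host: {command}")
```

`ftype` shows the machine-wide default from HKEY_CLASSES_ROOT; a per-user choice made through Settings > Default apps (stored under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\<ext>\UserChoice) overrides it and is not visible to this check, so confirm the effective handler on a harmless test file before relying on the result.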
Once successfully executed, the JavaScript framework, also referred to as SocGholish, acts as a loader for other malware campaigns that use access purchased from DEV-0206, most commonly Cobalt Strike payloads. These payloads have, in numerous instances, led to custom Cobalt Strike loaders attributed to DEV-0243. DEV-0243 falls under activities tracked by the cyber intelligence industry as “EvilCorp.” The custom Cobalt Strike loaders are similar to those seen in publicly documented Blister malware’s inner payloads. In DEV-0243’s initial partnerships with DEV-0206, the group deployed a custom ransomware payload known as WastedLocker, and then expanded to additional DEV-0243 ransomware payloads developed in-house, such as PhoenixLocker and Macaw.
Around November 2021, DEV-0243 started to deploy the LockBit 2.0 RaaS payload in their intrusions. The use of a RaaS payload by the “EvilCorp” activity group is likely an attempt by DEV-0243 to avoid attribution to their group, which could discourage payment due to their sanctioned status.
Figure 6. The handover from DEV-0206 to DEV-0243
DEV-0401: China-based lone wolf turned LockBit 2.0 affiliate
Differing from the other RaaS developers, affiliates, and access brokers profiled here, DEV-0401 appears to be an activity group involved in all stages of their attack lifecycle, from initial access to ransomware development. Despite this, they seem to take some inspiration from successful RaaS operations with the frequent rebranding of their ransomware payloads. Unique among human-operated ransomware threat actors tracked by Microsoft, DEV-0401 is confirmed to be a China-based activity group.
DEV-0401 differs from many of the attackers who rely on purchasing access to existing malware implants or exposed RDP to enter a network. Instead, the group heavily utilizes unpatched vulnerabilities to access networks, including vulnerabilities in Exchange, ManageEngine ADSelfService Plus, Confluence, and Log4j 2. Due to the nature of the vulnerabilities they prefer, DEV-0401 gains elevated credentials at the initial access stage of their attack.
Once inside a network, DEV-0401 relies on standard techniques such as using Cobalt Strike and WMI for lateral movement, but they have some unique preferences for implementing these behaviors. Their Cobalt Strike Beacons are frequently launched via DLL search order hijacking. While they use the common Impacket tool for WMI lateral movement, they use a customized version of the wmiexec.py module of the tool that creates renamed output files, most likely to evade static detections. Ransomware deployment is ultimately performed from a batch file in a share and Group Policy, usually written to the NETLOGON share on a Domain Controller, which requires the attackers to have obtained highly privileged credentials like Domain Administrator to perform this action.
Figure 7. Ransomware payloads distributed by DEV-0401 between 2021 and April 2022
Because DEV-0401 maintains and frequently rebrands their own ransomware payloads, they can appear as different groups in payload-driven reporting and evade detections and actions against them. Their payloads are sometimes rebuilt from existing for-purchase ransomware tools like Rook, which shares code similarity with the Babuk ransomware family. In February of 2022, DEV-0401 was observed deploying the Pandora ransomware family, primarily via unpatched VMware Horizon systems vulnerable to the Log4j 2 CVE-2021-44228 vulnerability.
Like many RaaS operators, DEV-0401 maintained a leak site to post exfiltrated data and motivate victims to pay; however, their frequent rebranding caused these systems to sometimes be unready for their victims, with their leak site sometimes leading to default web server landing pages when victims attempted to pay. In a notable shift—possibly related to victim payment issues—DEV-0401 started deploying LockBit 2.0 ransomware payloads in April 2022.
DEV-0537: From extortion to destruction
An example of a threat actor who has moved to a pure extortion and destruction model without deploying ransomware payloads is an activity group that Microsoft tracks as DEV-0537, also known as LAPSUS$. Microsoft has detailed DEV-0537 actions taken in early 2022 in this blog. DEV-0537 started targeting organizations mainly in Latin America but expanded to global targeting, including government entities, technology, telecom, retailers, and healthcare. Unlike more opportunistic attackers, DEV-0537 targets specific companies with an intent. Their initial access techniques include exploiting unpatched vulnerabilities in internet-facing systems, searching public code repositories for credentials, and taking advantage of weak passwords. In addition, there is evidence that DEV-0537 leverages credentials stolen by the Redline password stealer, a piece of malware available for purchase in the cybercriminal economy. The group also buys credentials from underground forums which were gathered by other password-stealing malware.
Once initial access to a network is gained, DEV-0537 takes advantage of security misconfigurations to elevate privileges and move laterally to meet their objectives of data exfiltration and extortion. While DEV-0537 doesn’t possess any unique technical capabilities, the group is especially cloud-aware. They target cloud administrator accounts to set up forwarding rules for email exfiltration and tamper with administrative settings on cloud environments. As part of their goals to force payment of ransom, DEV-0537 attempts to delete all server infrastructure and data to cause business disruption. To further facilitate the achievement of their goals, they remove legitimate admins and delete cloud resources and server infrastructure, resulting in destructive attacks.
DEV-0537 also takes advantage of cloud admin privileges to monitor email, chats, and VoIP communications to track incident response efforts to their intrusions. DEV-0537 has been observed on multiple occasions to join incident response calls, not just observing the response to inform their attack but unmuting to demand ransom and sharing their screens while they delete their victim’s data and resources.
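The email forwarding rules mentioned above (and the mail transport rules named earlier as an exfiltration channel) leave a durable artifact that can be audited: the rule itself. The script below is an added example, not Microsoft's code. It assumes inbox rules were exported in the shape Exchange Online's Get-InboxRule reports (Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MailboxOwnerId) and serialized with ConvertTo-Json; the sample rules, mailboxes, and domains are constructed placeholders.

```python
"""Flag mailbox inbox rules that forward or redirect mail outside the organization.

Added example, not from the original post. Assumed input: a JSON array of rule
objects with Get-InboxRule's field names (see the constructed sample below).
"""
import json
import re

INTERNAL_DOMAINS = {"contoso.com"}  # constructed; the tenant's own accepted domains

# Rule actions that send a copy or the original somewhere else.
FORWARD_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
SMTP_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def recipients(value):
    """Extract SMTP addresses from a rule field, which may be a string, a list, or null.

    Exchange renders recipients like '"ops" [SMTP:ops@example.net]', so the
    address is pulled out by regex rather than trusting the field's layout.
    """
    if not value:
        return []
    items = value if isinstance(value, list) else [value]
    return [m.group(0) for item in items for m in SMTP_RE.finditer(str(item))]


def external_forwarding_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per rule that sends mail to a domain the organization doesn't own."""
    findings = []
    for rule in rules:
        targets = [addr for field in FORWARD_FIELDS for addr in recipients(rule.get(field))]
        external = sorted({a for a in targets
                           if a.rsplit("@", 1)[1].lower() not in internal_domains})
        if external:
            findings.append({
                "mailbox": rule.get("MailboxOwnerId"),
                "rule": rule.get("Name"),
                # Disabled rules are still reported: they can be re-enabled at will.
                "enabled": bool(rule.get("Enabled")),
                "external": external,
                # Forward-and-delete hides the exfiltration from the mailbox owner.
                "deletes_original": bool(rule.get("DeleteMessage")),
            })
    return findings


# Constructed sample export (the array ConvertTo-Json would emit for three rules).
SAMPLE_RULES_JSON = json.dumps([
    {"MailboxOwnerId": "cloudadmin@contoso.com", "Name": "..", "Enabled": True,
     "ForwardTo": ["\"ops\" [SMTP:ops-mailbox@example.net]"], "DeleteMessage": True},
    {"MailboxOwnerId": "jdoe@contoso.com", "Name": "Team copy", "Enabled": True,
     "ForwardTo": ["team@contoso.com"], "DeleteMessage": False},
    {"MailboxOwnerId": "finance@contoso.com", "Name": "Archive", "Enabled": False,
     "RedirectTo": ["archive@example.org"], "DeleteMessage": False},
])


def audit_export(json_text):
    """Parse an exported rule list and return the external-forwarding findings."""
    return external_forwarding_rules(json.loads(json_text))


if __name__ == "__main__":
    for finding in audit_export(SAMPLE_RULES_JSON):
        print(finding)
```

Organization-level transport rules (Get-TransportRule, with BlindCopyTo or RedirectMessageTo actions) need the same review, and Exchange Online can block automatic external forwarding tenant-wide through the outbound spam filter policy's AutoForwardingMode setting, which is a stronger control than catching each rule after the fact.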
Defending against ransomware: Moving beyond protection by detection
A durable security strategy against determined human adversaries must include the goal of mitigating classes of attacks and detecting them. Ransomware attacks generate multiple, disparate security product alerts, but they could easily get lost or not responded to in time. Alert fatigue is real, and SOCs can make their lives easier by looking at trends in their alerts or grouping alerts into incidents so they can see the bigger picture. SOCs can then mitigate alerts using hardening capabilities like attack surface reduction rules. Hardening against common threats can reduce alert volume and stop many attackers before they get access to networks.
Attackers tweak their techniques and have tools to evade and disable security products. They are also well-versed in system administration and try to blend in as much as possible. However, while attacks have continued steadily and with increased impact, the attack techniques attackers use haven’t changed much over the years. Therefore, a renewed focus on prevention is needed to curb the tide.
Ransomware attackers are motivated by easy profits, so adding to their cost via security hardening is key in disrupting the cybercriminal economy.
Building credential hygiene
More than malware, attackers need credentials to succeed in their attacks. In almost all attacks where ransomware deployment was successful, the attackers had access to a domain admin-level account or local administrator passwords that were consistent throughout the environment. Deployment then can be done through Group Policy or tools like PsExec (or clones like PAExec, CSExec, and WinExeSvc). Without the credentials to provide administrative access in a network, spreading ransomware to multiple systems is a bigger challenge for attackers. Compromised credentials are so important to these attacks that when cybercriminals sell ill-gotten access to a network, in many instances, the price includes a guaranteed administrator account to start with.
Credential theft is a common attack pattern. Many administrators know tools like Mimikatz and LaZagne, and their capabilities to steal passwords from interactive logons in the LSASS process. Detections exist for these tools accessing the LSASS process in most security products. However, the risk of credential exposure isn’t just limited to a domain administrator logging in interactively to a workstation. Because attackers have accessed and explored many networks during their attacks, they have a deep knowledge of common network configurations and use it to their advantage. One common misconfiguration they exploit is running services and scheduled tasks as highly privileged service accounts.
Too often, a legacy configuration ensures that a mission-critical application works by giving the utmost permissions possible. Many organizations struggle to fix this issue even if they know about it, because they fear they might break applications. This configuration is especially dangerous as it leaves highly privileged credentials exposed in the LSA Secrets portion of the registry, which users with administrative access can access. In organizations where the local administrator rights haven’t been removed from end users, attackers can be one hop away from domain admin just from an initial attack like a banking trojan. Building credential hygiene is developing a logical segmentation of the network, based on privileges, that can be implemented alongside network segmentation to limit lateral movement.
Here are some steps organizations can take to build credential hygiene:
Aim to run services as Local System when administrative privileges are needed, as this allows applications to have high privileges locally but can’t be used to move laterally. Run services as Network Service when accessing other resources.
Use tools like LUA Buglight to determine the privileges that applications really need.
Look for events with EventID 4624 where the logon type is 2, 4, 5, or 10 and the account is highly privileged like a domain admin. This helps admins understand which credentials are vulnerable to theft via LSASS or LSA Secrets. Ideally, any highly privileged account like a Domain Admin shouldn’t be exposed on member servers or workstations.
Monitor for EventID 4625 (Logon Failed events) in Windows Event Forwarding when removing accounts from privileged groups. Adding them to the local administrator group on a limited set of machines to keep an application running still reduces the scope of an attack compared with running them as Domain Admin.
Randomize Local Administrator passwords with a tool like Local Administrator Password Solution (LAPS) to prevent lateral movement using local accounts with shared passwords.
Use a cloud-based identity security solution that leverages on-premises Active Directory signals to get visibility into identity configurations and to identify and detect threats or compromised identities.
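Two of the checks above can be run over exported Security events: the EventID 4624 search for highly privileged accounts logging on with types 2, 4, 5 or 10 (the credential exposure via LSASS or LSA Secrets this list warns about), and, from the persistence section earlier, the creation of a backdoor account that is then added to the Remote Desktop Users group. The script below is an added example, not Microsoft's code. It parses event XML in the layout that wevtutil and Get-WinEvent export; the hosts, account names, privileged-account list and SID in the sample records are constructed placeholders.

```python
"""Audit exported Windows Security events for two exposures the post describes:
privileged accounts logging on in a way that leaves credentials on the host, and
freshly created accounts being added to a group that grants Remote Desktop access.

Added example, not Microsoft's code. The sample records are constructed.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# 4624 logon types that leave reusable credentials in LSASS on the target host:
# 2 Interactive, 4 Batch (scheduled task), 5 Service, 10 RemoteInteractive (RDP).
EXPOSED_LOGON_TYPES = {"2", "4", "5", "10"}

# Accounts the organization treats as highly privileged (constructed list).
PRIVILEGED_ACCOUNTS = {"CONTOSO\\da-admin", "CONTOSO\\svc-backup"}

# Local groups whose membership grants RDP logon.
RDP_GROUPS = {"Remote Desktop Users", "Administrators"}


def parse_events(xml_text):
    """Return [(event_id, computer, {data_name: value}), ...] for every <Event>."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        system = ev.find("e:System", NS)
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", NS)}
        events.append((system.findtext("e:EventID", namespaces=NS),
                       system.findtext("e:Computer", namespaces=NS), data))
    return events


def find_exposed_privileged_logons(events):
    """Privileged accounts seen with an exposed logon type: {(account, type, host)}."""
    hits = set()
    for event_id, host, d in events:
        if event_id != "4624" or d.get("LogonType") not in EXPOSED_LOGON_TYPES:
            continue
        account = f"{d.get('TargetDomainName')}\\{d.get('TargetUserName')}"
        if account in PRIVILEGED_ACCOUNTS:
            hits.add((account, d["LogonType"], host))
    return hits


def find_new_accounts_in_rdp_groups(events):
    """Pair 4720 (account created) with a later 4732 adding the same SID to an RDP group.

    In 4732 the group name is carried in TargetUserName and the new member's SID
    in MemberSid; 4720 carries the created account's SID in TargetSid.
    """
    created = {}  # SID of a newly created account -> DOMAIN\name
    hits = []
    for event_id, host, d in events:
        if event_id == "4720":
            created[d["TargetSid"]] = f"{d.get('TargetDomainName')}\\{d.get('TargetUserName')}"
        elif event_id == "4732" and d.get("TargetUserName") in RDP_GROUPS:
            if d.get("MemberSid") in created:
                hits.append((created[d["MemberSid"]], d["TargetUserName"], host))
    return hits


def _event(event_id, computer, **data):
    """Build one constructed <Event> record in the Windows event XML layout."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Computer>{computer}</Computer></System>'
            f'<EventData>{fields}</EventData></Event>')


NEW_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # placeholder SID

# Constructed sample log: one exposed privileged logon, one harmless network logon
# by the same account, one ordinary user, then a backdoor account created locally
# and granted RDP access.
SAMPLE_XML = "<Events>" + "".join([
    _event("4624", "SRV-APP01", TargetDomainName="CONTOSO", TargetUserName="da-admin", LogonType="10"),
    _event("4624", "SRV-APP01", TargetDomainName="CONTOSO", TargetUserName="da-admin", LogonType="3"),
    _event("4624", "WS-042", TargetDomainName="CONTOSO", TargetUserName="jdoe", LogonType="2"),
    _event("4720", "SRV-APP01", TargetDomainName="SRV-APP01", TargetUserName="support", TargetSid=NEW_SID),
    _event("4732", "SRV-APP01", TargetUserName="Remote Desktop Users", MemberSid=NEW_SID),
]) + "</Events>"

if __name__ == "__main__":
    events = parse_events(SAMPLE_XML)
    for hit in sorted(find_exposed_privileged_logons(events)):
        print("credential exposure:", hit)
    for hit in find_new_accounts_in_rdp_groups(events):
        print("new account granted RDP:", hit)
```

On a real host, `wevtutil qe Security /f:xml` (optionally with a `/q:` XPath filter on the three event IDs) emits the `<Event>` elements one after another with no enclosing root, so wrap the output in `<Events>…</Events>` before parsing. A type 10 logon by a domain admin on a member server, as in the first sample record, means that account's credential was cached in LSASS on a machine that end users or a banking trojan can reach, which is exactly the one-hop-to-domain-admin exposure described above.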
Auditing credential exposure
Auditing credential exposure is critical in preventing ransomware attacks and cybercrime in general. BloodHound is a tool that was originally designed to provide network defenders with insight into the number of administrators in their environment. It can also be a powerful tool in reducing privileges tied to administrative accounts and understanding your credential exposure. IT security teams and SOCs can work together with the authorized use of this tool to enable the reduction of exposed credentials. Any teams deploying BloodHound should monitor it carefully for malicious use. They can also use this detection guidance to watch for malicious use.
Microsoft has observed ransomware attackers also using BloodHound in attacks. When used maliciously, BloodHound allows attackers to see the path of least resistance from the systems they can access to highly privileged accounts like domain admin accounts and global administrator accounts in Azure.
Prioritizing deployment of Active Directory updates
Security patches for Active Directory should be applied as soon as possible after they are released. Microsoft has witnessed ransomware attackers adopting authentication vulnerabilities within one hour of being made public and as soon as those vulnerabilities are included in tools like Mimikatz. Ransomware activity groups also rapidly adopt vulnerabilities related to authentication, such as ZeroLogon and PetitPotam, especially when they are included in toolkits like Mimikatz. When unpatched, these vulnerabilities could allow attackers to rapidly escalate from an entrance vector like email to Domain Admin level privileges.
Cloud hardening
As attackers move towards cloud resources, it’s important to secure cloud resources and identities as well as on-premises accounts. Here are ways organizations can harden cloud environments:
Cloud identity hardening
Multifactor authentication (MFA)
Enforce MFA on all accounts, remove users excluded from MFA, and strictly require MFA from all devices, in all locations, at all times.
Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. Refer to this article for the different authentication methods and features.
Ensure that users are properly educated on not accepting unexpected two-factor authentication (2FA) prompts.
For MFA that uses authenticator apps, ensure that the app requires a code to be typed in where possible, as many intrusions where MFA was enabled (including those by DEV-0537) still succeeded due to users clicking “Yes” on the prompt on their phones even when they were not at their computers. Refer to this article for an example.
In almost every observed ransomware incident, at least one system involved in the attack had a misconfigured security product that allowed the attacker to disable protections or evade detection. In many instances, the initial access for access brokers is a legacy system that isn’t protected by antivirus or EDR solutions. It’s important to understand that the lack of security controls on these systems, which have access to highly privileged credentials, acts as a blind spot that allows attackers to perform the entire ransomware and exfiltration attack chain from a single system without being detected. In some instances, this is specifically advertised as a feature that access brokers sell.
Organizations should review and verify that security tools are running in their most secure configuration and perform regular network scans to ensure appropriate security products are monitoring and protecting all systems, including servers. If this isn’t possible, make sure that your legacy systems are either physically isolated through a firewall or logically isolated by ensuring they have no credential overlap with other systems.
For Microsoft 365 Defender customers, the following checklist eliminates security blind spots:
Turn on cloud-delivered protection in Microsoft Defender Antivirus to cover rapidly evolving attacker tools and techniques, block new and unknown malware variants, and enhance attack surface reduction rules and tamper protection.
Turn on tamper protection features to prevent attackers from stopping security services.
Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when a non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode also blocks indicators identified proactively by Microsoft Threat Intelligence teams.
Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches.
Use device discovery to increase visibility into the network by finding unmanaged devices and onboarding them to Microsoft Defender for Endpoint.
Protect user identities and credentials using Microsoft Defender for Identity, a cloud-based security solution that leverages on-premises Active Directory signals to monitor and analyze user behavior to identify suspicious user activities, configuration issues, and active attacks.
Reducing the attack surface
Microsoft 365 Defender customers can turn on attack surface reduction rules to prevent common attack techniques used in ransomware attacks. These rules, which can be configured by all Microsoft Defender Antivirus customers and not just those using the EDR solution, offer significant hardening against attacks. In observed attacks from several ransomware-associated activity groups, Microsoft customers who had the following rules enabled were able to mitigate the attack in the initial stages and prevented hands-on-keyboard activity:
Common entry vectors:
Ransomware deployment and lateral movement stage (in order of impact based on the stage in attack they prevent):
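As an added example that is not part of the original post, the script below turns on a set of attack surface reduction rules with Add-MpPreference and then prints the state of every rule configured on the host. The post's own rule list is not reproduced on this page, so the selection below is my own: rules that Microsoft's ASR rule reference describes as covering email and Office entry vectors, script abuse, credential theft from LSASS, PSExec/WMI-based lateral movement, WMI persistence, vulnerable drivers and ransomware behavior. The GUIDs are the rule IDs from that reference; confirm them against the current documentation before deploying, and start in audit mode, because the PSExec/WMI rule in particular is documented as incompatible with Configuration Manager client management.

```powershell
# Added example (not from the original post): enable a chosen set of ASR rules
# and report the state of every ASR rule configured on this host.
# Rule GUIDs are from Microsoft's published ASR rule reference; verify before use.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    # Start with AuditMode on a pilot group, then move to Enabled (block).
    [ValidateSet('AuditMode', 'Enabled')]
    [string]$Mode = 'AuditMode'
)

# Selection is the author of this example's; the post's own list is not on this page.
$asrRules = [ordered]@{
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'  # breaks ConfigMgr clients
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
}

# Add-MpPreference merges with existing rules; rules already present get the new action.
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
}

# Report every configured rule. Ids and Actions are parallel arrays on the preference object.
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)

for ($i = 0; $i -lt $ids.Count; $i++) {
    $id   = $ids[$i].ToLower()
    $name = $asrRules[$id]
    if (-not $name) { $name = '(configured outside this script)' }
    [pscustomobject]@{
        RuleId = $id
        Name   = $name
        Action = $actionNames[[int]$actions[$i]]
    }
}
```

Audit-mode hits show up as ASR events in the Microsoft Defender Antivirus operational log and in the portal's ASR report; review those for a few weeks on the pilot group, add any needed exclusions with -AttackSurfaceReductionOnlyExclusions, and only then rerun with -Mode Enabled.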
Hardening internet-facing assets and understanding your perimeter
Organizations must identify and secure the perimeter systems that attackers might use to access the network. Public attack surface scanning services, such as RiskIQ, can be used to augment internal inventory data. Systems that attackers are known to target, and that therefore need to be hardened, include:
Secure Remote Desktop Protocol (RDP) or Windows Virtual Desktop endpoints with MFA to harden against password spray or brute force attacks.
If remote IT management tools such as Teamviewer, Splashtop, Remote Manipulator System, Anydesk, Atera Remote Management, and ngrok.io are not used in your environment, block them at the network level, for example with perimeter firewall rules. If they are used in your environment, enforce their security settings, including MFA, wherever possible.
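The two items above are usually enforced at the gateway and the perimeter firewall, but each Windows host can also tell you whether it matches the policy. The script below is an added example, not code from the original post: it reads the RDP and Network Level Authentication settings from the registry, looks for the remote-management tools named above among running processes, and, with -BlockUnsanctioned, adds outbound Windows Firewall block rules for the executables of tools you have not declared as sanctioned. The process names in the $tools table are assumptions based on each vendor's usual binary names; adjust them to what your own inventory shows.

```powershell
# Added example (not from the original post): host-side checks for RDP hardening
# and for unsanctioned remote-management tools, with an optional host firewall block.
# Process names below are assumptions (vendors' usual binary names); verify locally.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    # Tools approved in this environment (keys of $tools); anything else found is flagged.
    [string[]]$Sanctioned = @(),
    # Add outbound block rules for the executables of unsanctioned tools that are running.
    [switch]$BlockUnsanctioned
)

# --- RDP exposure: fDenyTSConnections=0 means RDP is on; UserAuthentication=1 means NLA is required.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"
$rdpEnabled  = (Get-ItemProperty $tsKey).fDenyTSConnections -eq 0
$nlaRequired = (Get-ItemProperty $rdpKey).UserAuthentication -eq 1

$rdpNote = 'NLA on; confirm MFA is enforced at the RDP gateway'
if (-not $rdpEnabled) { $rdpNote = 'RDP disabled on this host' }
if ($rdpEnabled -and -not $nlaRequired) { $rdpNote = 'Require NLA and put RDP behind an MFA-enforcing gateway' }
[pscustomobject]@{ Check = 'RDP'; Enabled = $rdpEnabled; NLARequired = $nlaRequired; Note = $rdpNote }

# --- Remote-management tools: map tool name -> process names without the .exe suffix (assumed).
$tools = @{
    TeamViewer = @('TeamViewer', 'TeamViewer_Service')
    AnyDesk    = @('AnyDesk')
    Splashtop  = @('SRServer', 'SRManager', 'SRService')
    RMS        = @('rutserv', 'rfusclient')      # Remote Manipulator System
    Atera      = @('AteraAgent')
    ngrok      = @('ngrok')
}

$procs = Get-Process -ErrorAction SilentlyContinue
foreach ($tool in $tools.Keys) {
    foreach ($p in ($procs | Where-Object { $tools[$tool] -contains $_.ProcessName })) {
        $ok = $Sanctioned -contains $tool
        [pscustomobject]@{ Check = 'RemoteTool'; Tool = $tool; Process = $p.ProcessName; Path = $p.Path; Sanctioned = $ok }
        if ($BlockUnsanctioned -and -not $ok -and $p.Path) {
            # Host-level stopgap; the perimeter firewall rule the post recommends still applies.
            New-NetFirewallRule -DisplayName "Block outbound $tool ($($p.ProcessName))" `
                -Direction Outbound -Program $p.Path -Action Block -Profile Any | Out-Null
        }
    }
}
```

Saved as a script and run as, for instance, `-Sanctioned TeamViewer -BlockUnsanctioned`, it leaves the approved tool alone and blocks outbound traffic for any other listed tool it finds running. A tool that is installed but not running at audit time will not be seen by this process-based check, so pair it with software inventory from Defender for Endpoint or your asset system.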
Ransomware attackers and access brokers also use unpatched vulnerabilities, whether already disclosed or zero-day, especially in the initial access stage. Even older vulnerabilities were implicated in ransomware incidents in 2022 because some systems remained unpatched or partially patched, or because access brokers had established persistence on a previously compromised system that was later patched, so the patch did not remove their access.
Some observed vulnerabilities used in campaigns between 2020 and 2022 that defenders can check for and mitigate include:
Ransomware attackers also rapidly adopt new vulnerabilities. To further reduce organizational exposure, Microsoft Defender for Endpoint customers can use the threat and vulnerability management capability to discover, prioritize, and remediate vulnerabilities and misconfigurations.
Microsoft 365 Defender: Deep cross-domain visibility and unified investigation capabilities to defend against ransomware attacks
The multi-faceted threat of ransomware requires a comprehensive approach to security. The steps we outlined above defend against common attack patterns and will go a long way in preventing ransomware attacks. Microsoft 365 Defender is designed to make it easy for organizations to apply many of these security controls.
Microsoft 365 Defender’s industry-leading visibility and detection capabilities, demonstrated in the recent MITRE Engenuity ATT&CK® Evaluations, automatically stop most common threats and attacker techniques. To equip organizations with the tools to combat human-operated ransomware, which by nature takes a unique path for every organization, Microsoft 365 Defender provides rich investigation features that enable defenders to seamlessly inspect and remediate malicious behavior across domains.
In line with the recently announced expansion into a new service category called Microsoft Security Experts, we’re introducing the availability of Microsoft Defender Experts for Hunting for public preview. Defender Experts for Hunting is for customers who have a robust security operations center but want Microsoft to help them proactively hunt for threats across Microsoft Defender data, including endpoints, Office 365, cloud applications, and identity.
Join our research team at the Microsoft Security Summit digital event on May 12 to learn what developments Microsoft is seeing in the threat landscape, as well as how we can help your business mitigate these types of attacks. Ask your most pressing questions during the live chat Q&A. Register today.