{"id":49155,"date":"2022-11-03T16:00:00","date_gmt":"2022-11-03T16:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=124506"},"modified":"2022-11-03T16:00:00","modified_gmt":"2022-11-03T16:00:00","slug":"stopping-c2-communications-in-human-operated-ransomware-through-network-protection","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/stopping-c2-communications-in-human-operated-ransomware-through-network-protection\/","title":{"rendered":"Stopping C2 communications in human-operated ransomware through network protection"},"content":{"rendered":"<p>Command-and-control (C2) servers are an essential part of ransomware, commodity, and nation-state attacks. They are used to control infected devices and perform malicious activities like downloading and launching payloads, controlling botnets, or commanding post-exploitation penetration frameworks to breach an organization as part of a ransomware attack. Blocking these communications can mitigate attacks, sometimes before they\u2019re even started.<\/p>\n<p>For example, one of the most impactful cyberattack trends today is <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2020\/03\/05\/human-operated-ransomware-attacks-a-preventable-disaster\/\">human-operated ransomware<\/a> attacks, which succeed through a combination of components, including leveraging C2 infrastructure. To gain initial access, human-operated ransomware attacks are often delivered via spear-phishing with malicious attachments that, once launched by the target, typically reach out to a C2 server to download instructions and run payloads. 
These payloads persist on the device and periodically reach out to a (usually) separate set of C2s, awaiting instructions and takeover by a human operator as part of <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/05\/09\/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself\/\">ransomware-as-a-service<\/a>. After the hands-on-keyboard transition, remote C2s are commonly used to control post-exploitation frameworks to initiate reconnaissance, elevate privileges, and move laterally within the network to achieve data exfiltration and mass file encryption.<\/p>\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"393\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure-1.-Example-of-C2-usage-across-the-stages-of-a-human-operated-ransomware-attack-1024x393.png\" alt=\"A human-operated ransomware attack example highlighting C2 usage. The attacker begins with the initial access stage, followed by execution, the initial C2 connection, persistence, a beaconing C2 connection, a post-exploitation C2 connection that continues throughout the attack, leading to lateral movement, and the final impact stage.\" class=\"wp-image-124508\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure-1.-Example-of-C2-usage-across-the-stages-of-a-human-operated-ransomware-attack-1024x393.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure-1.-Example-of-C2-usage-across-the-stages-of-a-human-operated-ransomware-attack-300x115.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure-1.-Example-of-C2-usage-across-the-stages-of-a-human-operated-ransomware-attack-768x295.png 768w, 
https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure-1.-Example-of-C2-usage-across-the-stages-of-a-human-operated-ransomware-attack-1536x590.png 1536w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure-1.-Example-of-C2-usage-across-the-stages-of-a-human-operated-ransomware-attack-2048x787.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\"><figcaption>Figure 1. Example of C2 usage across the stages of a human-operated ransomware attack<\/figcaption><\/figure>\n<p>Ransomware has evolved from a pre-programmed commodity threat to a complex threat that\u2019s human-driven, adaptive, and focused on a larger scale. These days, ransomware attacks go beyond encryption and usually involve significant data theft as well to maximize the potential harm to the target, therefore increasing their chances of receiving a higher payout. Attackers engage in double extortion, demanding that victims pay the ransom or else have their stolen confidential information leaked while their encrypted data remains inaccessible. As such, successful ransomware attacks can have lasting, damaging impacts on targets.<\/p>\n<p>As ransomware attacks continue to target various entities, including businesses, governments, <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/10\/14\/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland\/\">critical infrastructure<\/a>, <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/10\/25\/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector\/\">educational institutions<\/a>, and <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2020\/04\/28\/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk\/\">healthcare<\/a> facilities, organizations must be prepared to defend networks against human-operated attacks and other sophisticated threats. 
Microsoft Defender for Endpoint\u2019s updated network protection enables organizations to protect against these C2-based attacks by blocking any outbound traffic attempting to connect to malicious C2 servers, even if attackers manage to gain initial access to a device. Additionally, network protection is continuously informed by our integrated threat intelligence to identify active C2 infrastructure and uses machine learning models to quickly assess information on domains and IPs.<\/p>\n<p>This blog details how the new <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/microsoft-defender-for-endpoint\/detecting-and-remediating-command-and-control-attacks-at-the\/ba-p\/3650607\">C2 blocking capability<\/a> in Microsoft Defender for Endpoint\u2019s network protection works. We show examples of how network protection functions with other technologies in Microsoft Defender for Endpoint to deliver comprehensive protection against C2-based attacks. Lastly, we discuss how our threat research and use of advanced machine learning models inform network protection to intelligently block ransomware and C2-based attacks before widespread impact.<\/p>\n<h2>Network protection detecting C2 activity in various attacks<\/h2>\n<p>The following cases of human-operated ransomware attacks from our threat data and investigations show how the new C2 blocking capability in network protection stops attacks and, in some cases, could have prevented attacks much earlier.<\/p>\n<h3>Disrupting the ransomware attack chain<\/h3>\n<p>In early October 2022, we observed an attack leveraging the <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/10\/27\/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity\/\">Raspberry Robin worm<\/a> as the initial access vector. Upon launch by the user, the attack attempted to connect to the domain <em>tddshht[.]com<\/em> via HTTP using <em>msiexec.exe<\/em> to download a TrueBot payload. 
As part of these attacks, TrueBot is typically downloaded to a user\u2019s local application data directory where Windows Management Instrumentation (WMI) is used to run the TrueBot DLL using <em>rundll32<\/em>. In this case, network protection was enabled in the environment and blocked the C2 communication from <em>msiexec.exe<\/em> to <em>tddshht[.]com<\/em>, which prevented TrueBot from being downloaded and launched, disrupting the attack.<\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/10\/27\/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity\/\">In similar attacks<\/a> on organizations originating from Raspberry Robin, we\u2019ve seen TrueBot lead to Cobalt Strike for post-exploitation human-operated ransomware attacks. After launching TrueBot, we observed various follow-on actions, such as reconnaissance, persistence via scheduled tasks, and ransomware deployment.<\/p>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"259\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure-2.-Raspberry-Robin-incident-disruption-preventing-attack-progression-1024x259.png\" alt=\"Raspberry Robin malware launches the Windows Installer service and msiexec.exe sends C2 communications of HTTP, which is blocked by network protection, preventing the attack from progressing. 
The attack was disrupted before the C2 connected to the domain tddshht[.]com, when TrueBot would be downloaded and launched, followed by dropping a Cobalt Strike beacon that transfers to hands-on-keyboard attack and a Cobalt Strike C2 connection, leading to follow-on activities and ransomware deployment.\" class=\"wp-image-124509\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure-2.-Raspberry-Robin-incident-disruption-preventing-attack-progression-1024x259.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure-2.-Raspberry-Robin-incident-disruption-preventing-attack-progression-300x76.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure-2.-Raspberry-Robin-incident-disruption-preventing-attack-progression-768x194.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure-2.-Raspberry-Robin-incident-disruption-preventing-attack-progression-1536x389.png 1536w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure-2.-Raspberry-Robin-incident-disruption-preventing-attack-progression-2048x518.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\"><figcaption>Figure 2. Raspberry Robin incident disrupted by network protection<\/figcaption><\/figure>\n<h3>Stopping ransomware activity before it could wreak havoc<\/h3>\n<p>In another ransomware-related case from March 2022, Microsoft researchers discovered a LockBit ransomware attack that was successfully detected and blocked. LockBit is an encryptor payload leveraged by many different operators who specialize in the post-exploitation phase of the attack as part of ransomware as a service. In this case, there were multiple security products in different segments of the environment, and we didn\u2019t have visibility of the initial access vector. 
As the attackers moved laterally within the network, we observed the operator using the Cobalt Strike framework for the post-exploitation stages of the attack, using Remote Desktop Protocol (RDP) with Rclone for data exfiltration, and LockBit at the final encryption stage. The encryption attempt followed the exfiltration stage by just two hours.<\/p>\n<p>Throughout the attack, Microsoft Defender for Endpoint proactively displayed repeated alerts for the targeted customer that a hands-on-keyboard attacker was active on their network, as well as repeated Cobalt Strike activity alerts and suspicious behaviors. <a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/defender-endpoint\/microsoft-defender-antivirus-windows?view=o365-worldwide\">Microsoft Defender Antivirus\u2019s<\/a> behavior detections repeatedly alerted and blocked Cobalt Strike in addition to fully blocking the attack\u2019s LockBit encryptor payload, preventing impact on the subset of the network that had onboarded to Microsoft Defender for Endpoint.<\/p>\n<p>Prior to this attack, network protection had already flagged the Cobalt Strike C2 domain <em>sikescomposites[.]com<\/em> as malicious. Had network protection\u2019s C2 blocking been enabled across the organization, the Cobalt Strike C2 server would have been automatically blocked \u2013 further disrupting this attack earlier in the attack chain and potentially preventing or delaying the data exfiltration impact of the attack.<\/p>\n<p>The network protection intelligence on the C2 was sourced two weeks before the attack in February 2022 through expert intelligence from Microsoft Threat Intelligence Center (MSTIC) and also incriminated via Cobalt Strike configuration extraction monitoring. Microsoft Defender for Endpoint could have disrupted this LockBit attack much earlier had network protection been enabled. 
Moreover, even if the attacker used a different or new payload, network protection would have blocked the attack if it used the same C2 infrastructure. The diagram below illustrates the timeline of events in this ransomware incident.<\/p>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"349\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure-3.-LockBit-ransomware-incident-timeline-1024x349.png\" alt=\"Two weeks before the attack, Microsoft's threat intelligence research sent intelligence on the C2 domain to network protection. Between Days 1 and 3, the attacker started hands-on-keyboard activity, repeated alerts displayed in Defender for Endpoint and the domain C2 connection was repeatedly observed and flagged by network protection. On Day 4, the attacker performed data exfiltration, Microsoft Defender Antivirus blocked the attacker's encryption payload, and the attacker successfully encrypted one device after restoring LockBit from quarantine.\" class=\"wp-image-124510\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure-3.-LockBit-ransomware-incident-timeline-1024x349.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure-3.-LockBit-ransomware-incident-timeline-300x102.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure-3.-LockBit-ransomware-incident-timeline-768x262.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure-3.-LockBit-ransomware-incident-timeline-1536x524.png 1536w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure-3.-LockBit-ransomware-incident-timeline-2048x699.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\"><figcaption>Figure 3. 
LockBit ransomware incident timeline<\/figcaption><\/figure>\n<h2>End-to-end protection against C2-based attacks<\/h2>\n<p>The range of protection capabilities in <a href=\"https:\/\/www.microsoft.com\/security\/business\/endpoint-security\/microsoft-defender-endpoint\">Microsoft Defender for Endpoint<\/a> ensures our customers are provided with synchronous protection, integrated remediation, and actionable alerts against these C2-based attacks. The combination of technologies and features within Defender for Endpoint assures customers that their assets are adequately protected.<\/p>\n<p><a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/defender-endpoint\/network-protection?view=o365-worldwide\">Network protection<\/a> blocks any outbound traffic when an application attempts to connect to a known malicious C2 server and informs customers of the block.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"999\" height=\"214\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure-4.-Sample-C2-activity-alert.png\" alt=\"The Microsoft 365 Defender portal's alerts page displaying two examples of blocked C2 activity via network protection.\" class=\"wp-image-124511\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure-4.-Sample-C2-activity-alert.png 999w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure-4.-Sample-C2-activity-alert-300x64.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure-4.-Sample-C2-activity-alert-768x165.png 768w\" sizes=\"auto, (max-width: 999px) 100vw, 999px\"><figcaption>Figure 4. 
Example of blocked C2 activity in the Microsoft 365 Defender portal<\/figcaption><\/figure>\n<p>Network protection then sends this intelligence to <a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/defender-endpoint\/microsoft-defender-antivirus-windows?view=o365-worldwide\">Microsoft Defender Antivirus<\/a>, which remediates the process against known malware that attempted the C2 connection. Customers are then notified of these actions on the Defender for Endpoint portal, where they can see the attack chain, follow remediation steps, or do further investigation.<\/p>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"484\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure-5.-MDE-end-to-end-protection-1024x484.png\" alt=\"Diagram displaying how network protection blocks C2 connections using reputation lookup, sending connection metadata to signature matching to remediate the process via Microsoft Defender Antivirus, ultimately allowing Microsoft Defender for Endpoint to generate alerts using its detection logic.\" class=\"wp-image-124512\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure-5.-MDE-end-to-end-protection-1024x484.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure-5.-MDE-end-to-end-protection-300x142.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure-5.-MDE-end-to-end-protection-768x363.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure-5.-MDE-end-to-end-protection-1536x727.png 1536w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure-5.-MDE-end-to-end-protection-2048x969.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\"><figcaption>Figure 5. 
Alerts for investigation in the Microsoft Defender for Endpoint portal are generated through a combination of technologies to protect against C2-based attacks<\/figcaption><\/figure>\n<p>Network protection uses a dynamic reputation database that stores information on IPs, domains, and URLs gathered from a wide range of sources including threat research, detonation, adversary tracking, memory scanning, and active C2 web scanning. These activities lead to identifying C2 servers operated by human-operated ransomware actors and botnet actors and discovering compromised IPs and domains associated with known nation-state actors.<\/p>\n<p>Network protection is aided by machine learning models that incriminate IP addresses used for C2 by inspecting network traffic telemetry. These models are trained on an extensive data set and use a diverse feature set, including DNS records, prevalence, location, and associations with compromised files or domains. Our threat experts\u2019 knowledge further helps refine these models, which are re-trained and redeployed daily to adapt to the ever-changing threat landscape.<\/p>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"411\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure-6.-Machine-learning-pipeline-to-generate-new-intelligence-1024x411.png\" alt=\"Training data, including good and malicious C2 IP addresses, is used to train machine learning models in addition to using extracted feature sets to predict new C2 IPs. 
This information is sent to Microsoft Defender for Endpoint to block malicious connections, perform remediation, and generate alerts.\" class=\"wp-image-124513\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure-6.-Machine-learning-pipeline-to-generate-new-intelligence-1024x411.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure-6.-Machine-learning-pipeline-to-generate-new-intelligence-300x120.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure-6.-Machine-learning-pipeline-to-generate-new-intelligence-768x308.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure-6.-Machine-learning-pipeline-to-generate-new-intelligence-1536x617.png 1536w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure-6.-Machine-learning-pipeline-to-generate-new-intelligence-2048x822.png 2048w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure-6.-Machine-learning-pipeline-to-generate-new-intelligence-900x360.png 900w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\"><figcaption>Figure 6. Machine learning pipeline to generate new intelligence to protect customers from C2-based attacks<\/figcaption><\/figure>\n<h2>Preventing C2-based attacks<\/h2>\n<p>Attackers often rely heavily on leveraging C2 communications to start and progress attacks, including human-operated ransomware attacks. C2 infrastructure enables attackers to control infected devices, perform malicious activities, and quickly adapt to their target environment in the pursuit of organizations\u2019 valuable data and assets.<\/p>\n<p>Breaking this link to C2 infrastructure disrupts an attack\u2014either by stopping it completely or delaying its progression, allowing more time for the SOC to investigate and mitigate the intrusion. 
Microsoft Defender for Endpoint\u2019s <a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/defender-endpoint\/network-protection?view=o365-worldwide\">network protection<\/a> capability identifies and blocks connections to C2 infrastructure used in human-operated ransomware attacks, leveraging techniques like machine learning and intelligent indicators of compromise (IOC) identification.<\/p>\n<p>Microsoft customers can use the new C2 blocking capability to prevent malicious C2 IP and domain access by enabling network protection. Network protection examines network metadata to match it to threat-related patterns and determines the true nature of C2 connections. Enhanced by continuously fine-tuned machine learning models and constant threat intelligence updates, Microsoft Defender for Endpoint can take appropriate actions to block malicious C2 connections and stop malware from launching or propagating. Customers can also refer to our <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/microsoft-defender-for-endpoint\/detecting-and-remediating-command-and-control-attacks-at-the\/ba-p\/3650607\">Tech community blog post<\/a> for guidance on validating functionality and more information on C2 detection and remediation.<\/p>\n<p>In addition to <a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/defender-endpoint\/enable-network-protection?view=o365-worldwide\">enabling network protection<\/a> C2 blocking, we recommend following the <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/05\/09\/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself\/#defending-against-ransomware\">general best practices to defend your network against human-operated ransomware attacks<\/a>.<\/p>\n<p> READ MORE <a 
href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/11\/03\/stopping-c2-communications-in-human-operated-ransomware-through-network-protection\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Providing advanced protection against increasingly sophisticated human-operated ransomware, Microsoft Defender for Endpoint\u2019s network protection leverages threat intelligence and machine learning to block command-and-control (C2) communications.<br \/>\nThe post Stopping C2 communications in human-operated ransomware through network protection appeared first on Microsoft Security Blog. READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":49156,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[276],"tags":[1496,1497,347,8549,230,7221,10267,91,307],"class_list":["post-49155","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-secure","tag-c2","tag-command-and-control","tag-cybersecurity","tag-human-operated-ransomware","tag-microsoft","tag-microsoft-security-intelligence","tag-network-protection","tag-ransomware","tag-security"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Stopping C2 communications in human-operated ransomware through network protection 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/stopping-c2-communications-in-human-operated-ransomware-through-network-protection\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Stopping C2 communications in human-operated ransomware through network protection 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/stopping-c2-communications-in-human-operated-ransomware-through-network-protection\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2022-11-03T16:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Figure-1.-Example-of-C2-usage-across-the-stages-of-a-human-operated-ransomware-attack-1024x393.png\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/stopping-c2-communications-in-human-operated-ransomware-through-network-protection\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/stopping-c2-communications-in-human-operated-ransomware-through-network-protection\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Stopping C2 communications in human-operated ransomware through network protection\",\"datePublished\":\"2022-11-03T16:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/stopping-c2-communications-in-human-operated-ransomware-through-network-protection\/\"},\"wordCount\":1555,\"publisher\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/stopping-c2-communications-in-human-operated-ransomware-through-network-protection\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/11\/stopping-c2-communications-in-human-operated-ransomware-through-network-protection.png\",\"keywords\":[\"C2\",\"command and control\",\"Cybersecurity\",\"human-operated ransomware\",\"Microsoft\",\"Microsoft security intelligence\",\"Network protection\",\"ransomware\",\"Security\"],\"articleSection\":[\"Microsoft Secure\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/stopping-c2-communications-in-human-operated-ransomware-through-network-protection\/\",\"url\":\"https:\/\/www.threatshub.org\/blog\/stopping-c2-communications-in-human-operated-ransomware-through-network-protection\/\",\"name\":\"Stopping C2 communications in human-operated ransomware 
through network protection 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/stopping-c2-communications-in-human-operated-ransomware-through-network-protection\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/stopping-c2-communications-in-human-operated-ransomware-through-network-protection\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/11\/stopping-c2-communications-in-human-operated-ransomware-through-network-protection.png\",\"datePublished\":\"2022-11-03T16:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/stopping-c2-communications-in-human-operated-ransomware-through-network-protection\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.threatshub.org\/blog\/stopping-c2-communications-in-human-operated-ransomware-through-network-protection\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/stopping-c2-communications-in-human-operated-ransomware-through-network-protection\/#primaryimage\",\"url\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/11\/stopping-c2-communications-in-human-operated-ransomware-through-network-protection.png\",\"contentUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/11\/stopping-c2-communications-in-human-operated-ransomware-through-network-protection.png\",\"width\":1024,\"height\":393},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/stopping-c2-communications-in-human-operated-ransomware-through-network-protection\/#breadcrumb\",\"itemListElement\":[{\"@ty
pe\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.threatshub.org\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"C2\",\"item\":\"https:\/\/www.threatshub.org\/blog\/tag\/c2\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Stopping C2 communications in human-operated ransomware through network protection\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#website\",\"url\":\"https:\/\/www.threatshub.org\/blog\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\/\/www.threatshub.org\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->"}