Hands-on-keyboard (HOK) attacks: How ransomware gangs attack in real-time
Ransomware defense is a ‘battle of the keyboards’.
A ransomware gang has just broken into your environment and begins typing out malicious commands in real-time. What do you do?
If this scenario sounds like something straight out of a bad NCIS scene, then you’d be right. But unfortunately, these types of attacks—known as hands-on-keyboard (HOK)—happen in real life as well, and with big consequences.
As opposed to more automated attacks using pre-written scripts, hands-on-keyboard attacks involve a human attacker actively controlling the system in real-time.
The direct nature of HOK attacks are what makes them so dangerous: by adjusting their tactics, techniques, and procedures (TTPs) based on the environment at hand, attackers can evade detection more effectively and exploit weaknesses overlooked by more automated approaches.
Since almost every ransomware attack today involves HOK activity, understanding the intersection of these two threats is crucial for effective defense.
Let’s explore how ransomware gangs leverage HOK attacks and how you can stop them.
How ransomware gangs use HOK attacks
Hands-on-keyboard (HOK) activity is often flagged by endpoint detection and response (EDR) systems like ThreatDown EDR as manual command executions, system modifications, or process initiations that stand out from typical processes.
EDR alerts of HOK activity are usually accompanied by timestamps showing a sequence of deliberate actions—such as disabling security protections, scanning networks, or deploying ransomware payloads.
Below are real-world examples from the ThreatDown MDR team that illustrate what HOK activity looks like in the context of ransomware attacks.
Example one: RansomHub
The RansomHub ransomware gang has tallied 226 confirmed victims since entering the scene in March 2024. Below are two instance of HOK activity from a recent incident which we wrote about here.
| Action | Command | Description | How it’s HOK |
|---|---|---|---|
| TDSSKiller execution attempt | tdsskiller.exe -dcsvc |
Multiple attempts to run TDSSKiller from temporary directory, showing dynamic filenames. | Manually crafted paths and commands to disable specific security services. |
| LaZagne execution | LaZagne.exe database |
Logs showed file writes, followed by manual deletion to cover tracks. | Manually executed to harvest credentials from databases, followed by cleaning traces. |
Example 2: Akira
The Akira ransomware gang has tallied 161 confirmed victims so far in 2024. Below are three instance of HOK activity the ThreatDown MDR team observed, from an incident which we wrote about here.
| Action | Command | Description | How it’s HOK |
|---|---|---|---|
| Cloudflare tunnel setup | Cloudflare.exe tunnel run --token [REDACTED] |
Manual creation of Cloudflare tunnel, flagged by EDR due to unusual invocation. | Manually established remote access tunnel to evade security. |
| Advanced IP Scanner execution | "advanced_ip_scanner.exe" /portable |
Multiple systems scanned within a short time frame. | Manually executed network scans to identify vulnerable systems. |
| WIN.EXE ransomware deployment | "win.exe" -s=C:\\Users\\path2.txt -n=20 -remote |
Customized parameters and file paths revealing real-time coordination. | Tailored parameters to attempt to deploy ransomware. |
Example 3: Medusa
The Medusa ransomware gang has tallied 138 confirmed victims so far in 2024. Below are two instance of HOK activity the ThreatDown MDR team observed, from an incident which we wrote about here.
| Action | Command | Indicators | How it’s HOK |
|---|---|---|---|
| PowerShell execution to disable monitoring | powershell.exe -ep bypass |
Attempt to bypass execution policies, flagged as unusual PowerShell command. | Manually executed PowerShell commands to attempt to disable defenses. |
| PDQ Deploy execution | "PDQDeployRunner-1.exe" -deploy |
Abnormal number of deployments, flagged due to manual target selection and unscanned endpoints. | Attempts to manually deploy ransomware to multiple endpoints. |
A “battle of the keyboards”
As the examples above show, once ransomware gangs gain access to your systems, their manual commands are often flagged by EDRs. At that point, dealing with a ransomware attack becomes a “battle of the keyboards” where speed and precision are critical.
If you’re an analyst spotting an attack like this—often occurring between 1-5 a.m., as we’ve discussed before—responding to HOK attacks by ransomware gangs typically involves detecting suspicious commands, isolating compromised machines, and killing malicious processes in real-time.
Take the Medusa case, for instance. Analysts immediately spotted PowerShell commands that bypassed security policies and quickly intervened to block further execution.
Likewise, in the Akira incident, ThreatDown MDR analysts recognized network scanning activity and ransomware deployment, isolating the infected endpoints before the damage could escalate.
These cases show exactly why quick, decisive action matters when you’re up against an HOK attack—the only thing that can stop a bad guy with a keyboard, after all, is a good guy with a keyboard.
24×7 security monitoring and threat hunting for your organization
When it comes to hands-on-keyboard attacks, speed and expertise are everything.
With round-the-clock, real-time monitoring, ThreatDown MDR ensures that your organization has the expertise and rapid response needed to counter HOK attacks the moment they occur. They handle the investigation, cross-check details, and reach out when needed to confirm whether the activity is legitimate or a potential threat.
Get in touch with ThreatDown MDR today here and make sure your network is protected every hour of the day.
