Limit the impact of ransomware attacks

The next step to limit the impact of ransomware attacks is to protect privileged roles -- the kind of jobs where people handle a lot of privileged information in an organization.

This phase of ransomware prevention aims to prevent threat actors from getting a lot of access to your systems.

The more access a cybercriminal has to your organization and devices, the higher the potential damage to your data and systems.

Important

Read ransomware prevention series, and make your organization hard to cyber attack.

Create a ransomware privileged access strategy

You must apply a thorough and comprehensive strategy to reduce the risk of privileged access compromise.

Any other security control you apply can easily be invalidated by a threat actor with privileged access in your environment. Malicious actors can gain access using social engineering and even leverage AI to generate and render malicious code and URLs. Ransomware threat actors use privileged access as a quick path to control all critical assets in the organization for attack and subsequent extortion.

Who is accountable in the program or project

This table describes a privileged access strategy to prevent ransomware in terms of a sponsorship/program management/project management hierarchy to drive results.

Lead Implementor Accountability
CISO or CIO Executive sponsorship
Program lead Drive results and cross-team collaboration
IT and Security Architects Prioritize components integrate into architectures
Identity and Key Management Implement identity changes
Central IT Productivity / End User Team Implement changes to devices and Office 365 tenant
Security Policy and Standards Update standards and policy documents
Security Compliance Management Monitor to ensure compliance
User Education Team Update any password guidance

Ransomware privileged access strategy checklist

Build a multi-part strategy using the guidance at https://aka.ms/SPA that includes this checklist.

Done Task Description
Enforce end-to-end session security. Explicitly validates the trust of users and devices before allowing access to administrative interfaces (using Microsoft Entra Conditional Access).
Protect and monitor identity systems. Prevents privilege escalation attacks including directories, identity management, administrator accounts and groups, and consent grant configuration.
Mitigate lateral traversal. Ensures that compromising a single device does not immediately lead to control of many or all other devices using local account passwords, service account passwords, or other secrets.
Ensure rapid threat response. Limits an adversary's access and time in the environment. See Detection and Response for more information.

Implementation results and timelines

Try to achieve these results in 30-90 days:

  • 100% of admins are required to use secure workstations

  • 100% local workstation/server passwords are randomized

  • 100% privilege escalation mitigations are deployed

Ransomware detection and response

Your organization needs responsive detection and remediation of common attacks on endpoints, email, and identities. Minutes matter.

You must quickly remediate common attack entry points to limit the threat actor's time to laterally traverse your organization.

Who is accountable in the program or project

This table describes the improvement of your detection and response capability against ransomware in terms of a sponsorship/program management/project management hierarchy to determine and drive results.

Lead Implementor Accountability
CISO or CIO Executive sponsorship
Program lead from Security Operations Drive results and cross-team collaboration
Central IT Infrastructure Team Implement client and server agents/features
Security Operations Integrate any new tools into security operations processes
Central IT Productivity / End User Team Enable features for Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps
Central IT Identity Team Implement Microsoft Entra security and Defender for Identity
Security Architects Advise on configuration, standards, and tooling
Security Policy and Standards Update standards and policy documents
Security Compliance Management Monitor to ensure compliance

Ransomware detection and response checklist

Apply these best practices for improving your detection and response.

Done Task Description
Prioritize common entry points:

- Use integrated Extended Detection and Response (XDR) tools like Microsoft Defender XDR to provide high quality alerts and minimize friction and manual steps during response.

- Monitor for brute-force attempts like password spray.
Ransomware (and other) operators favor endpoint, email, identity, and RDP as entry points.
Monitor for an adversary disabling security (this is often part of an attack chain), such as:

- Event log clearing, especially the Security Event log and PowerShell Operational logs.

- Disabling of security tools and controls.
Threat actors target security detection facilities to continue their attack more safely.
Don’t ignore commodity malware. Ransomware threat actors regularly purchase access to target organizations from dark markets.
Integrate outside experts into processes to supplement expertise, such as the Microsoft Detection and Response Team (DART). Experience counts for detection and recovery.
Use Defender for Endpoint to rapidly isolate impacted devices. Windows 11 and 10 integration makes this easy.

Next step

Phase 3. Make it hard to get in

Continue with Phase 3 to make it hard for a threat actor to get into your environment by incrementally removing risks.

Additional ransomware resources

Key information from Microsoft:

Microsoft 365:

Microsoft Defender XDR:

Microsoft Azure:

Microsoft Defender for Cloud Apps:

Microsoft Security team blog posts on ransomware mitigation guidance: