Quickly protect your organization against ransomware attacks

Ransomware is a cyber attack type that cybercriminals use to extort organizations large and small.

Understanding how to protect against ransomware attacks and minimized damage is an important part of safeguarding your company. This article gives you practical guidance for how to quickly configure ransomware protection.

The guidance is organized into steps, starting with the most urgent actions to take.

Bookmark this page as your starting point for the steps.

Important

Read the ransomware prevention series, and make your organization hard to cyber attack.

• Have a recovery plan
• A plan to limit the harm done
• Make it hard to get in

Note

What is ransomware? See the ransomware definition here.

Important information about this article

Note

The order of these steps is designed to ensure you reduce risk as fast as possible, and built on an assumption of great urgency that overrides normal security and IT priorities, in order to avoid or mitigate devastating attacks.

It is important to note this ransomware prevention guidance is structured as steps you should follow in the order shown. To best adapt this guidance to your situation:

1. Stick with the recommended priorities

   Use the steps as a starting plan for what to do first, next, and later, so you get the most impactful elements first. These recommendations are prioritized using the Zero Trust principle of assuming a breach. This forces you to focus on minimizing business risk by assuming the attackers can successfully gain access to your environment through one or more methods.

2. Be proactive and flexible (but don’t skip important tasks)

   Scan through the implementation checklists for all sections of all three steps to see if there are any areas and tasks that you can quickly complete earlier. In other words, things you can do faster because you already have access to a cloud service that hasn’t been used but could be quickly and easily configured. As you look over the whole plan, be careful that these later areas and tasks don’t delay completion of critically important areas like backups and privileged access!

3. Do some items in parallel

   Trying to do everything at once can be overwhelming, but some items can naturally be done in parallel. Staff on different teams can be working on tasks at the same time (for example, backup team, endpoint team, identity team), while also driving for completion of the steps in priority order.

The items in the implementation checklists are in the recommended order of prioritization, not a technical dependency order.

Use the checklists to confirm and modify your existing configuration as needed and in a way that works in your organization. For example, in the most important backup element, you back up some systems, but they might not be offline or immutable, you might not test the full enterprise restore procedures, or you might not have backups of critical business systems or critical IT systems like Active Directory Domain Services (AD DS) domain controllers.

Note

See the 3 steps to prevent and recover from ransomware (September 2021) Microsoft security blog post for an additional summary of this process.

Set up your system to prevent ransomware right now

The steps are:

Step 1. Prepare your ransomware recovery plan

This step is designed to minimize the monetary incentive from ransomware attackers by making it:

• Much harder to access and disrupt systems or encrypt or damage key organization data.
• Easier for your organization to recover from an attack without paying the ransom.

Note

While restoring many or all enterprise systems is a difficult endeavor, the alternative of paying an attacker for a recovery key they might not deliver, and using tools written by the attackers to try to recover systems and data.

Step 2. Limit the scope of ransomware damage

Make the attackers work a lot harder to gain access to multiple business critical systems through privileged access roles. Limiting the attacker’s ability to get privileged access makes it much harder to profit off of an attack on your organization, making it more likely they'll give up and go elsewhere.

Step 3. Make it hard for cybercriminals to get in

This last set of tasks is important to raise friction for entry but will take time to complete as part of a larger security journey. The goal of this step is to make the attackers' work much harder as they try to obtain access to your on-premises or cloud infrastructures at the various common points of entry. There are many tasks, so it’s important to prioritize your work here based on how fast you can accomplish these with your current resources.

While many of these will be familiar and easy to quickly accomplish, it’s critically important that your work on step 3 should not slow down your progress on steps 1 and 2.

Ransomware protection at a glance

You can also see an overview of the steps and their implementation checklists as levels of protection against ransomware attackers with the Protect your organization from ransomware poster.

Prioritize ransomware mitigation at the macro level. Configure your organization's environment to protect against ransomware.

Next step

Start with step 1 to prepare your organization to recover from an attack without having to pay the ransom.

Additional ransomware resources

Key information from Microsoft:

• The growing threat of ransomware, Microsoft On the Issues blog post on July 20, 2021
• Human-operated ransomware
• 2021 Microsoft Digital Defense Report (see pages 10-19)
• Ransomware: A pervasive and ongoing threat threat analytics report in the Microsoft Defender portal
• Microsoft Incident Response team (formerly DART/CRSP) ransomware approach and case study

Microsoft 365:

• Deploy ransomware protection for your Microsoft 365 tenant
• Maximize Ransomware Resiliency with Azure and Microsoft 365
• Recover from a ransomware attack
• Malware and ransomware protection
• Protect your Windows 10 PC from ransomware
• Handling ransomware in SharePoint Online
• Threat analytics reports for ransomware in the Microsoft Defender portal

Microsoft Defender XDR:

• Built in protection against ransomware
• Find ransomware with advanced hunting

Microsoft Azure:

• Azure Defenses for Ransomware Attack
• Maximize Ransomware Resiliency with Azure and Microsoft 365
• Backup and restore plan to protect against ransomware
• Help protect from ransomware with Microsoft Azure Backup (26 minute video)
• Recovering from systemic identity compromise
• Advanced multistage attack detection in Microsoft Sentinel
• Fusion Detection for Ransomware in Microsoft Sentinel

Microsoft Defender for Cloud Apps:

• Create anomaly detection policies in Defender for Cloud Apps

Microsoft Security team blog posts:

• 3 steps to prevent and recover from ransomware (September 2021)

• A guide to combatting human-operated ransomware: Part 1 (September 2021)

  Key steps on how Microsoft Incident Response conducts ransomware incident investigations.

• A guide to combatting human-operated ransomware: Part 2 (September 2021)

  Recommendations and best practices.

• Becoming resilient by understanding cybersecurity risks: Part 4—navigating current threats (May 2021)

  See the Ransomware section.

• Human-operated ransomware attacks: A preventable disaster (March 2020)

  Includes attack chain analyses of actual attacks.

• Ransomware response—to pay or not to pay? (December 2019)

• Norsk Hydro responds to ransomware attack with transparency (December 2019)