Quickly protect your organization against ransomware attacks

Ransomware is a cyber attack type that cybercriminals use to extort organizations large and small.

Understanding how to protect against ransomware attacks and minimized damage is an important part of safeguarding your company. This article gives you practical guidance for how to quickly configure ransomware protection.

The guidance is organized into steps, starting with the most urgent actions to take.

Bookmark this page as your starting point for the steps.

Important

Read the ransomware prevention series, and make your organization hard to cyber attack.

Note

What is ransomware? See the ransomware definition here.

Important information about this article

Note

The order of these steps is designed to ensure you reduce risk as fast as possible, and built on an assumption of great urgency that overrides normal security and IT priorities, in order to avoid or mitigate devastating attacks.

The three steps to protecting against ransomware attacks

It is important to note this ransomware prevention guidance is structured as steps you should follow in the order shown. To best adapt this guidance to your situation:

  1. Stick with the recommended priorities

    Use the steps as a starting plan for what to do first, next, and later, so you get the most impactful elements first. These recommendations are prioritized using the Zero Trust principle of assuming a breach. This forces you to focus on minimizing business risk by assuming the attackers can successfully gain access to your environment through one or more methods.

  2. Be proactive and flexible (but don’t skip important tasks)

    Scan through the implementation checklists for all sections of all three steps to see if there are any areas and tasks that you can quickly complete earlier. In other words, things you can do faster because you already have access to a cloud service that hasn’t been used but could be quickly and easily configured. As you look over the whole plan, be careful that these later areas and tasks don’t delay completion of critically important areas like backups and privileged access!

  3. Do some items in parallel

    Trying to do everything at once can be overwhelming, but some items can naturally be done in parallel. Staff on different teams can be working on tasks at the same time (for example, backup team, endpoint team, identity team), while also driving for completion of the steps in priority order.

The items in the implementation checklists are in the recommended order of prioritization, not a technical dependency order.

Use the checklists to confirm and modify your existing configuration as needed and in a way that works in your organization. For example, in the most important backup element, you back up some systems, but they might not be offline or immutable, you might not test the full enterprise restore procedures, or you might not have backups of critical business systems or critical IT systems like Active Directory Domain Services (AD DS) domain controllers.

Note

See the 3 steps to prevent and recover from ransomware (September 2021) Microsoft security blog post for an additional summary of this process.

Set up your system to prevent ransomware right now

The steps are:

Step 1. Prepare your ransomware recovery plan

This step is designed to minimize the monetary incentive from ransomware attackers by making it:

  • Much harder to access and disrupt systems or encrypt or damage key organization data.
  • Easier for your organization to recover from an attack without paying the ransom.

Note

While restoring many or all enterprise systems is a difficult endeavor, the alternative of paying an attacker for a recovery key they might not deliver, and using tools written by the attackers to try to recover systems and data.

Step 2. Limit the scope of ransomware damage

Make the attackers work a lot harder to gain access to multiple business critical systems through privileged access roles. Limiting the attacker’s ability to get privileged access makes it much harder to profit off of an attack on your organization, making it more likely they'll give up and go elsewhere.

Step 3. Make it hard for cybercriminals to get in

This last set of tasks is important to raise friction for entry but will take time to complete as part of a larger security journey. The goal of this step is to make the attackers' work much harder as they try to obtain access to your on-premises or cloud infrastructures at the various common points of entry. There are many tasks, so it’s important to prioritize your work here based on how fast you can accomplish these with your current resources.

While many of these will be familiar and easy to quickly accomplish, it’s critically important that your work on step 3 should not slow down your progress on steps 1 and 2.

Ransomware protection at a glance

You can also see an overview of the steps and their implementation checklists as levels of protection against ransomware attackers with the Protect your organization from ransomware poster.

The "Protect your organization from ransomware" poster

Prioritize ransomware mitigation at the macro level. Configure your organization's environment to protect against ransomware.

Next step

step 1. Prepare your recovery plan

Start with step 1 to prepare your organization to recover from an attack without having to pay the ransom.

Additional ransomware resources

Key information from Microsoft:

Microsoft 365:

Microsoft Defender XDR:

Microsoft Azure:

Microsoft Defender for Cloud Apps:

Microsoft Security team blog posts: