Quickly deploy ransomware preventions

Note

This guidance will be updated as new information becomes available.

Providing ransomware protection and mitigating extortion attacks is a priority for organizations large and small because of the high impact of these attacks and rising likelihood an organization will experience one.

Note

If you need a ransomware definition, read the the overview here.

Set up ransomware protection now

Concrete instructions on how to best prepare your organization from many forms of ransomware and extortion.

This guidance is organized in prioritized phases. Each phase links to a separate article. The priority order is designed to ensure you reduce risk as fast as possible with each phase, building on an assumption of great urgency that will override normal security and IT priorities, in order to avoid or mitigate these devastating attacks.

It is vital to note that this guidance is structured as prioritized phases that you should follow in the prescribed order. To best adapt this guidance to your situation:

1. Stick with the recommended priorities

   Use the phases as a starting plan for what to do first, next, and later so you get the most impactful elements first. These recommendations have been prioritized using the Zero Trust principle of assuming a breach. This forces you to focus on minimizing business risk by assuming the attackers can successfully gain access to your environment through one or more methods.

2. Be proactive and flexible (but don’t skip important tasks)

   Scan through the implementation checklists for all sections of all three phases to see if there are any areas and tasks that you can quickly complete earlier (e.g. already have access to a cloud service that hasn’t been utilized but could be quickly and easily configured). As you look over the whole plan, be very careful that these later areas and tasks don’t delay completion of critically important areas like backups and privileged access!

3. Do some items in parallel

   Trying to do everything at once can be overwhelming, but some items can naturally be done in parallel. Staff on different teams can be working on tasks at the same time (e.g. backup team, endpoint team, identity team), while also driving for completion of the phases in priority order.

The items in the implementation checklists are in the recommended order of prioritization, not a technical dependency order. Use the checklists to confirm and modify your existing configuration as needed and in a way that works within your organization. For example, in the most important backup element, you backup some systems, but they may not be offline/immutable, or you may not test the full enterprise restore procedures, or you may not have backups of critical business systems or critical IT systems like Active Directory Domain Services (AD DS) domain controllers.

Note

See the 3 steps to prevent and recover from ransomware (September 2021) Microsoft security blog post for an additional summary of this process.

Phase 1. Prepare your recovery plan

This phase is designed to minimize the monetary incentive from ransomware attackers by making it:

• Much harder to access and disrupt systems or encrypt or damage key organization data.
• Easier for your organization to recover from an attack without paying the ransom.

Note

While restoring many or all enterprise systems is a difficult endeavor, the alternative of paying an attacker for a recovery key they may or may not deliver, and using tools written by the attackers to try to recover systems and data.

Phase 2. Limit the scope of damage

Make the attackers work a lot harder to gain access to multiple business critical systems through privileged access roles. Limiting the attacker’s ability to get privileged access makes it much harder to profit off of an attack on your organization, making it more likely they will give up and go elsewhere.

Phase 3. Make it hard to get in

This last set of tasks is important to raise friction for entry but will take time to complete as part of a larger security journey. The goal of this phase is to make the attackers' work much harder as they try to obtain access to your on-premises or cloud infrastructures at the various common points of entry. There are a lot of these tasks, so it’s important to prioritize your work here based on how fast you can accomplish these with your current resources.

While many of these will be familiar and easy to quickly accomplish, it’s critically important that your work on phase 3 should not slow down your progress on phases 1 and 2!

Ransomware protection at a glance

You can also see an overview of the phases and their implementation checklists as levels of protection against ransomware attackers with the Protect your organization from ransomware poster.

Next step

Start with Phase 1 to prepare your organization to recover from an attack without having to pay the ransom.

Additional ransomware resources

Key information from Microsoft:

• The growing threat of ransomware, Microsoft On the Issues blog post on July 20, 2021
• Human-operated ransomware
• 2021 Microsoft Digital Defense Report (see pages 10-19)
• Ransomware: A pervasive and ongoing threat threat analytics report in the Microsoft 365 Defender portal
• Microsoft's Detection and Response Team (DART) ransomware approach and case study

Microsoft 365:

• Deploy ransomware protection for your Microsoft 365 tenant
• Maximize Ransomware Resiliency with Azure and Microsoft 365
• Recover from a ransomware attack
• Malware and ransomware protection
• Protect your Windows 10 PC from ransomware
• Handling ransomware in SharePoint Online
• Threat analytics reports for ransomware in the Microsoft 365 Defender portal

Microsoft 365 Defender:

• Find ransomware with advanced hunting

Microsoft Azure:

• Azure Defenses for Ransomware Attack
• Maximize Ransomware Resiliency with Azure and Microsoft 365
• Backup and restore plan to protect against ransomware
• Help protect from ransomware with Microsoft Azure Backup (26 minute video)
• Recovering from systemic identity compromise
• Advanced multistage attack detection in Microsoft Sentinel
• Fusion Detection for Ransomware in Microsoft Sentinel

Microsoft Defender for Cloud Apps:

• Create anomaly detection policies in Defender for Cloud Apps

Microsoft Security team blog posts:

• 3 steps to prevent and recover from ransomware (September 2021)

• A guide to combatting human-operated ransomware: Part 1 (September 2021)

  Key steps on how Microsoft's Detection and Response Team (DART) conducts ransomware incident investigations.

• A guide to combatting human-operated ransomware: Part 2 (September 2021)

  Recommendations and best practices.

• Becoming resilient by understanding cybersecurity risks: Part 4—navigating current threats (May 2021)

  See the Ransomware section.

• Human-operated ransomware attacks: A preventable disaster (March 2020)

  Includes attack chain analyses of actual attacks.

• Ransomware response—to pay or not to pay? (December 2019)

• Norsk Hydro responds to ransomware attack with transparency (December 2019)