Quickly deploy ransomware preventions

Note

This guidance will be updated as new information becomes available.

Providing ransomware protection and mitigating extortion attacks is a priority for organizations large and small because of the high impact of these attacks and the rising likelihood that an organization will experience one.

Note

If you need a ransomware definition, read the overview here.

Set up ransomware protection now

Concrete instructions on how to best prepare your organization against many forms of ransomware and extortion.

This guidance is organized in prioritized phases, each of which links to a separate article. The priority order is designed so that each phase reduces risk as fast as possible. It assumes a level of urgency that overrides normal security and IT priorities, so that you can avoid or mitigate these devastating attacks.

The three phases to protecting against ransomware

It is vital to note that this guidance is structured as prioritized phases that you should follow in the prescribed order. To best adapt this guidance to your situation:

  1. Stick with the recommended priorities

    Use the phases as a starting plan for what to do first, next, and later so you get the most impactful elements first. These recommendations have been prioritized using the Zero Trust principle of assuming a breach. This forces you to focus on minimizing business risk by assuming the attackers can successfully gain access to your environment through one or more methods.

  2. Be proactive and flexible (but don’t skip important tasks)

    Scan through the implementation checklists for all sections of all three phases to see if there are any areas and tasks that you can quickly complete earlier (for example, you already have access to a cloud service that hasn't been used yet but could be quickly and easily configured). As you look over the whole plan, be very careful that these later areas and tasks don't delay completion of critically important areas like backups and privileged access!

  3. Do some items in parallel

    Trying to do everything at once can be overwhelming, but some items can naturally be done in parallel. Staff on different teams can be working on tasks at the same time (e.g. backup team, endpoint team, identity team), while also driving for completion of the phases in priority order.

The items in the implementation checklists are in the recommended order of prioritization, not a technical dependency order. Use the checklists to confirm and modify your existing configuration as needed and in a way that works within your organization. For example, for the most important element, backups, you may already back up some systems, but those backups may not be offline or immutable, you may not have tested the full enterprise restore procedure, or you may not have backups of critical business systems or of critical IT systems such as Active Directory Domain Services (AD DS) domain controllers.
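The domain controller backup gap is the one that is easiest to check mechanically, so here is an added example of such a check. It is not code from the original article or from Microsoft; it assumes that you run it from an administrative host with the ActiveDirectory RSAT module and PowerShell Remoting to every writable domain controller, and that each domain controller has the Windows Server Backup feature installed (the WindowsServerBackup module that provides Get-WBSummary). The $MaxAgeDays threshold and the report columns are the example's own choices, not values from the page.

```powershell
# Added example, not part of the original article.
# Reports the last successful Windows Server Backup on every writable domain
# controller and flags any DC whose most recent backup is older than $MaxAgeDays
# (assumed threshold) or that has never been backed up.
param(
    [int]$MaxAgeDays = 1   # assumption: one day is used here as an illustrative freshness limit
)

Import-Module ActiveDirectory

# Writable DCs only; RODCs do not hold a writable copy of the directory.
$dcs = Get-ADDomainController -Filter { IsReadOnly -eq $false } |
    Select-Object -ExpandProperty HostName

$report = foreach ($dc in $dcs) {
    try {
        # Assumption: WinRM is enabled on the DC and the caller is a backup operator or admin there.
        $summary = Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
            Import-Module WindowsServerBackup -ErrorAction Stop
            Get-WBSummary
        }

        # A host that has never completed a backup reports a DateTime near MinValue,
        # so treat anything before an obviously impossible date as "never".
        $last = $summary.LastSuccessfulBackupTime
        $hasBackup = $last -and ($last -gt [datetime]'1900-01-01')
        $age = if ($hasBackup) { (Get-Date) - $last } else { $null }

        [pscustomobject]@{
            DomainController     = $dc
            LastSuccessfulBackup = if ($hasBackup) { $last } else { $null }
            AgeDays              = if ($age) { [math]::Round($age.TotalDays, 1) } else { 'never' }
            Target               = $summary.LastBackupTarget
            Status               = if ($age -and $age.TotalDays -le $MaxAgeDays) { 'OK' } else { 'STALE' }
        }
    }
    catch {
        # Unreachable host or missing backup feature is itself a finding, not a pass.
        [pscustomobject]@{
            DomainController     = $dc
            LastSuccessfulBackup = $null
            AgeDays              = 'unknown'
            Target               = $null
            Status               = "ERROR: $($_.Exception.Message)"
        }
    }
}

$report | Format-Table -AutoSize

# Non-zero exit so the check can gate a scheduled task or pipeline.
if ($report | Where-Object { $_.Status -ne 'OK' }) { exit 1 }
```

This only proves that a backup exists and is recent on the target the DC wrote to; it says nothing about whether that target is offline or immutable, or whether a restore of the forest has actually been rehearsed, so it covers one of the three gaps above and the other two still need a restore test and a review of where the backup data lives.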

Note

See the 3 steps to prevent and recover from ransomware (September 2021) Microsoft security blog post for an additional summary of this process.

Phase 1. Prepare your recovery plan

This phase is designed to minimize the monetary incentive from ransomware attackers by making it:

  • Much harder to access and disrupt systems or encrypt or damage key organization data.
  • Easier for your organization to recover from an attack without paying the ransom.

Note

While restoring many or all enterprise systems is a difficult endeavor, the alternative is worse: paying an attacker for a recovery key they may or may not deliver, and then using tools written by the attackers to try to recover systems and data.

Phase 2. Limit the scope of damage

Make the attackers work a lot harder to gain access to multiple business-critical systems by way of privileged access roles. Limiting the attacker's ability to obtain privileged access makes it much harder to profit from an attack on your organization, making it more likely they will give up and go elsewhere.

Phase 3. Make it hard to get in

This last set of tasks is important to raise friction for entry but will take time to complete as part of a larger security journey. The goal of this phase is to make the attackers' work much harder as they try to obtain access to your on-premises or cloud infrastructure at the various common points of entry. There are a lot of these tasks, so it's important to prioritize your work here based on how fast you can accomplish them with your current resources.

While many of these will be familiar and easy to quickly accomplish, it's critically important that your work on phase 3 not slow down your progress on phases 1 and 2!

Ransomware protection at a glance

You can also see an overview of the phases and their implementation checklists as levels of protection against ransomware attackers with the Protect your organization from ransomware poster.

The "Protect your organization from ransomware" poster

Next step

Phase 1. Prepare your recovery plan

Start with Phase 1 to prepare your organization to recover from an attack without having to pay the ransom.

Additional ransomware resources

Key information from Microsoft is available for Microsoft 365, Microsoft 365 Defender, Microsoft Azure, and Microsoft Defender for Cloud Apps, along with Microsoft Security team blog posts.