Quickly protect your organization against ransomware attacks
Ranswomare is an evolving and lucrative attack type that cybercriminals use to extort organizations large and small. Understanding how to protect against ransomware attacks and minizmize the damage is an important part of safguarding your company. This article provides practical guidance for how to quickly configure ransomware protection.
This guidance is organized into steps, starting with the most urgent actions to take.
Each step is a separate article linked below. Bookmark this page as your starting point.
What is ransomware? See the ransomware definition here.
Important information about this article
The order of these steps is designed to ensure you reduce risk as fast as possible, and built on an assumption of great urgency that overrides normal security and IT priorities, in order to avoid or mitigate devastating attacks.
It is important to note this ransomware prevention guidance is structured as steps you should follow in the order shown. To best adapt this guidance to your situation:
Stick with the recommended priorities
Use the steps as a starting plan for what to do first, next, and later, so you get the most impactful elements first. These recommendations have been prioritized using the Zero Trust principle of assuming a breach. This forces you to focus on minimizing business risk by assuming the attackers can successfully gain access to your environment through one or more methods.
Be proactive and flexible (but don’t skip important tasks)
Scan through the implementation checklists for all sections of all three steps to see if there are any areas and tasks that you can quickly complete earlier (e.g. already have access to a cloud service that hasn’t been utilized but could be quickly and easily configured). As you look over the whole plan, be very careful that these later areas and tasks don’t delay completion of critically important areas like backups and privileged access!
Do some items in parallel
Trying to do everything at once can be overwhelming, but some items can naturally be done in parallel. Staff on different teams can be working on tasks at the same time (e.g. backup team, endpoint team, identity team), while also driving for completion of the steps in priority order.
The items in the implementation checklists are in the recommended order of prioritization, not a technical dependency order.
Use the checklists to confirm and modify your existing configuration as needed and in a way that works in your organization. For example, in the most important backup element, you backup some systems, but they may not be offline/immutable, or you may not test the full enterprise restore procedures, or you may not have backups of critical business systems or critical IT systems like Active Directory Domain Services (AD DS) domain controllers.
See the 3 steps to prevent and recover from ransomware (September 2021) Microsoft security blog post for an additional summary of this process.
Set up your system to prevent ransomware right now
The steps are:
Step 1. Prepare your ransomware recovery plan
This step is designed to minimize the monetary incentive from ransomware attackers by making it:
- Much harder to access and disrupt systems or encrypt or damage key organization data.
- Easier for your organization to recover from an attack without paying the ransom.
While restoring many or all enterprise systems is a difficult endeavor, the alternative of paying an attacker for a recovery key they may or may not deliver, and using tools written by the attackers to try to recover systems and data.
Step 2. Limit the scope of ransomware damage
Make the attackers work a lot harder to gain access to multiple business critical systems through privileged access roles. Limiting the attacker’s ability to get privileged access makes it much harder to profit off of an attack on your organization, making it more likely they will give up and go elsewhere.
Step 3. Make it hard for cybercriminals to get in
This last set of tasks is important to raise friction for entry but will take time to complete as part of a larger security journey. The goal of this step is to make the attackers' work much harder as they try to obtain access to your on-premises or cloud infrastructures at the various common points of entry. There are a lot of these tasks, so it’s important to prioritize your work here based on how fast you can accomplish these with your current resources.
While many of these will be familiar and easy to quickly accomplish, it’s critically important that your work on step 3 should not slow down your progress on steps 1 and 2.
Ransomware protection at a glance
You can also see an overview of the steps and their implementation checklists as levels of protection against ransomware attackers with the Protect your organization from ransomware poster.
Start with step 1 to prepare your organization to recover from an attack without having to pay the ransom.
Additional ransomware resources
Key information from Microsoft:
- The growing threat of ransomware, Microsoft On the Issues blog post on July 20, 2021
- Human-operated ransomware
- 2021 Microsoft Digital Defense Report (see pages 10-19)
- Ransomware: A pervasive and ongoing threat threat analytics report in the Microsoft Defender portal
- Microsoft's Detection and Response Team (DART) ransomware approach and case study
- Deploy ransomware protection for your Microsoft 365 tenant
- Maximize Ransomware Resiliency with Azure and Microsoft 365
- Recover from a ransomware attack
- Malware and ransomware protection
- Protect your Windows 10 PC from ransomware
- Handling ransomware in SharePoint Online
- Threat analytics reports for ransomware in the Microsoft Defender portal
Microsoft Defender XDR:
- Azure Defenses for Ransomware Attack
- Maximize Ransomware Resiliency with Azure and Microsoft 365
- Backup and restore plan to protect against ransomware
- Help protect from ransomware with Microsoft Azure Backup (26 minute video)
- Recovering from systemic identity compromise
- Advanced multistage attack detection in Microsoft Sentinel
- Fusion Detection for Ransomware in Microsoft Sentinel
Microsoft Defender for Cloud Apps:
Microsoft Security team blog posts:
Key steps on how Microsoft's Detection and Response Team (DART) conducts ransomware incident investigations.
Recommendations and best practices.
See the Ransomware section.
Includes attack chain analyses of actual attacks.