Limit the scope and impact of ransomware attacks
The next step to prevent ransomware attacks is to protect privileged roles -- the kind of jobs where people handle a lot of privileged information in an organization.
This phase of ransomware prevention aims to prevent cybercriminal attackers from getting a lot of access to your systems.
The more access a cybercriminal has to your organization and devices, the higher the potential damage to your data and systems.
Important
Read ransomware prevention series, and make your organization hard to cyber attack.
Create a ransomware 'privileged access strategy'
You must apply a thorough and comprehensive strategy to reduce the risk of privileged access compromise.
Any other security control you apply can easily be invalidated by an attacker with privileged access in your environment. Ransomware attackers use privileged access as a quick path to control all critical assets in the organization for attack and subsequent extortion.
Who is accountable in the program or project
This table describes a privileged access strategy to prevent ransomware in terms of a sponsorship/program management/project management hierarchy to drive results.
| Lead | Implementor | Accountability |
|---|---|---|
| CISO or CIO | Executive sponsorship | |
| Program lead | Drive results and cross-team collaboration | |
| IT and Security Architects | Prioritize components integrate into architectures | |
| Identity and Key Management | Implement identity changes | |
| Central IT Productivity / End User Team | Implement changes to devices and Office 365 tenant | |
| Security Policy and Standards | Update standards and policy documents | |
| Security Compliance Management | Monitor to ensure compliance | |
| User Education Team | Update any password guidance | |
Ransomware 'privileged access strategy' checklist
Build a multi-part strategy using the guidance at https://aka.ms/SPA that includes this checklist.
| Done | Task | Description |
|---|---|---|
| Enforce end-to-end session security. | Explicitly validates the trust of users and devices before allowing access to administrative interfaces (using Microsoft Entra Conditional Access). | |
| Protect and monitor identity systems. | Prevents privilege escalation attacks including directories, identity management, administrator accounts and groups, and consent grant configuration. | |
| Mitigate lateral traversal. | Ensures that compromising a single device does not immediately lead to control of many or all other devices using local account passwords, service account passwords, or other secrets. | |
| Ensure rapid threat response. | Limits an adversary's access and time in the environment. See Detection and Response for more information. | |
Implementation results and timelines
Try to achieve these results in 30-90 days:
- 100 % of admins are required to use secure workstations
- 100 % local workstation/server passwords are randomized
- 100 % privilege escalation mitigations are deployed
Ransomware detection and response
Your organization needs responsive detection and remediation of common attacks on endpoints, email, and identities. Minutes matter.
You must quickly remediate common attack entry points to limit the attacker’s time to laterally traverse your organization.
Who is accountable in the program or project
This table describes the improvement of your detection and response capability against ransomware in terms of a sponsorship/program management/project management hierarchy to determine and drive results.
| Lead | Implementor | Accountability |
|---|---|---|
| CISO or CIO | Executive sponsorship | |
| Program lead from Security Operations | Drive results and cross-team collaboration | |
| Central IT Infrastructure Team | Implement client and server agents/features | |
| Security Operations | Integrate any new tools into security operations processes | |
| Central IT Productivity / End User Team | Enable features for Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps | |
| Central IT Identity Team | Implement Microsoft Entra security and Defender for Identity | |
| Security Architects | Advise on configuration, standards, and tooling | |
| Security Policy and Standards | Update standards and policy documents | |
| Security Compliance Management | Monitor to ensure compliance | |
Ransomware detection and response checklist
Apply these best practices for improving your detection and response.
| Done | Task | Description |
|---|---|---|
| Prioritize common entry points: - Use integrated Extended Detection and Response (XDR) tools like Microsoft Defender XDR to provide high quality alerts and minimize friction and manual steps during response. - Monitor for brute-force attempts like password spray. |
Ransomware (and other) operators favor endpoint, email, identity, and RDP as entry points. | |
| Monitor for an adversary disabling security (this is often part of an attack chain), such as: - Event log clearing, especially the Security Event log and PowerShell Operational logs. - Disabling of security tools and controls. |
Attackers target security detection facilities to continue their attack more safely. | |
| Don’t ignore commodity malware. | Ransomware attackers regularly purchase access to target organizations from dark markets. | |
| Integrate outside experts into processes to supplement expertise, such as the Microsoft Detection and Response Team (DART). | Experience counts for detection and recovery. | |
| Rapidly isolate compromised computers using Defender for Endpoint. | Windows 11 and 10 integration makes this easy. | |
Next step
Continue with Phase 3 to make it hard for an attacker to get into your environment by incrementally removing risks.
Additional ransomware resources
Key information from Microsoft:
- The growing threat of ransomware, Microsoft On the Issues blog post on July 20, 2021
- Human-operated ransomware
- Rapidly protect against ransomware and extortion
- 2021 Microsoft Digital Defense Report (see pages 10-19)
- Ransomware: A pervasive and ongoing threat threat analytics report in the Microsoft Defender portal
- Microsoft's Detection and Response Team (DART) ransomware approach and case study
Microsoft 365:
- Deploy ransomware protection for your Microsoft 365 tenant
- Maximize Ransomware Resiliency with Azure and Microsoft 365
- Recover from a ransomware attack
- Malware and ransomware protection
- Protect your Windows 10 PC from ransomware
- Handling ransomware in SharePoint Online
- Threat analytics reports for ransomware in the Microsoft Defender portal
Microsoft Defender XDR:
Microsoft Azure:
- Azure Defenses for Ransomware Attack
- Maximize Ransomware Resiliency with Azure and Microsoft 365
- Backup and restore plan to protect against ransomware
- Help protect from ransomware with Microsoft Azure Backup (26 minute video)
- Recovering from systemic identity compromise
- Advanced multistage attack detection in Microsoft Sentinel
- Fusion Detection for Ransomware in Microsoft Sentinel
Microsoft Defender for Cloud Apps:
Microsoft Security team blog posts:
3 steps to prevent and recover from ransomware (September 2021)
A guide to combatting human-operated ransomware: Part 1 (September 2021)
Key steps on how Microsoft's Detection and Response Team (DART) conducts ransomware incident investigations.
A guide to combatting human-operated ransomware: Part 2 (September 2021)
Recommendations and best practices.
-
See the Ransomware section.
Human-operated ransomware attacks: A preventable disaster (March 2020)
Includes attack chain analyses of actual attacks.
Norsk Hydro responds to ransomware attack with transparency (December 2019)
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for