Defend against ransomware attacks
In this phase, you make the threat actors work harder to access your on-premises or cloud systems by gradually removing risks at the points of entry.
While many of these changes will be familiar and easy to implement, it's extremely important that your work on this part of the strategy not slow your progress on the other critically important parts!
Here are the links to review the three-part ransomware prevention plan:
Remote access
Getting access to your organization's intranet through a remote access connection is an attack vector for ransomware threat actors.
Once an on-premises user account is compromised, a threat actor can use the intranet to gather intelligence, elevate privileges, and install ransomware. The Colonial Pipeline cyberattack in 2021, in which the attackers entered through a legacy VPN account that wasn't protected by MFA, is an example.
Program and project member accountabilities for remote access
This table describes the overall protection of your remote access solution from ransomware in terms of a sponsorship/program management/project management hierarchy to determine and drive results.
Lead | Implementor | Accountability |
---|---|---|
CISO or CIO | | Executive sponsorship |
Program lead on the Central IT Infrastructure/Network Team | | Drive results and cross-team collaboration |
| IT and Security Architects | Prioritize component integration into architectures |
| Central IT Identity Team | Configure Microsoft Entra ID and Conditional Access policies |
| Central IT Operations | Implement changes to environment |
| Workload Owners | Assist with RBAC permissions for app publishing |
| Security Policy and Standards | Update standards and policy documents |
| Security Compliance Management | Monitor to ensure compliance |
| User Education Team | Update any guidance on workflow changes and perform education and change management |
Implementation checklist for remote access
Apply these best practices to protect your remote access infrastructure from ransomware threat actors.
Done | Task | Description |
---|---|---|
| Maintain software and appliance updates. Avoid missing or neglecting manufacturer protections (security updates, supported status). | Threat actors use well-known vulnerabilities that have not yet been patched as attack vectors. |
| Configure Microsoft Entra ID for existing remote access, enforcing Zero Trust user and device validation with Conditional Access. | Zero Trust provides multiple levels of securing access to your organization. |
| Configure security for existing third-party VPN solutions (Cisco AnyConnect, Palo Alto Networks GlobalProtect & Captive Portal, Fortinet FortiGate SSL VPN, Citrix NetScaler, Zscaler Private Access (ZPA), and more). | Take advantage of the built-in security of your remote access solution. |
| Deploy Azure Point-to-Site (P2S) VPN to provide remote access. | Take advantage of integration with Microsoft Entra ID and your existing Azure subscriptions. |
| Publish on-premises web apps with Microsoft Entra application proxy. | Apps published with Microsoft Entra application proxy do not need a remote access connection. |
| Secure access to Azure resources with Azure Bastion. | Connect to your Azure virtual machines over RDP or SSH through a TLS session to the Azure portal, without exposing those ports or a public IP address on the VM. |
| Audit and monitor to find and fix deviations from baseline and potential attacks (see Detection and Response). | Reduce risk from ransomware activities that probe baseline security features and settings. |
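The Conditional Access step above, as an added example that is not part of the original article: a policy that requires MFA and a compliant device for every sign-in, created in report-only mode so the sign-in logs show its impact before it is enforced, with an emergency-access group excluded so a mistake can't lock out every administrator. It assumes the Microsoft Graph PowerShell SDK is installed, the caller holds Policy.ReadWrite.ConditionalAccess, and the break-glass group ID is a placeholder you replace with your own. If your third-party VPN is federated to Microsoft Entra ID, the same policy applies to those VPN sign-ins.

```powershell
# Added example, not from the original article. Requires the Microsoft.Graph SDK.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Placeholder (assumption): object ID of the group holding your emergency-access accounts.
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    displayName = 'RW-001 Require MFA and compliant device for all users'
    # Report-only first: the policy is evaluated and logged but never blocks a sign-in.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)   # never lock out emergency-access accounts
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        # AND: both controls must be satisfied, not either one.
        operator        = 'AND'
        builtInControls = @('mfa', 'compliantDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Review every policy and its state so nothing silently stays report-only forever.
Get-MgIdentityConditionalAccessPolicy |
    Select-Object DisplayName, State, Id |
    Format-Table -AutoSize

# After reviewing report-only results in the sign-in logs, switch the policy on:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```

Keep the final Update-Mg… line commented until you have checked the report-only sign-in log entries; enabling a device-compliance requirement before all devices are enrolled is the most common way this policy causes an outage.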
Email and collaboration
Implement best practices for email and collaboration solutions to make it more difficult for threat actors to abuse them, while letting your workers access external content easily and safely.
Threat actors frequently enter the environment by introducing malicious content disguised within authorized collaboration tools such as email and file sharing and convincing users to run the content. Microsoft has invested in enhanced mitigations that vastly increase protection against these attack vectors.
Program and project member accountabilities for email and collaboration
This table describes the overall protection of your email and collaboration solutions from ransomware in terms of a sponsorship/program management/project management hierarchy to determine and drive results.
Lead | Implementor | Accountability |
---|---|---|
CISO, CIO, or Identity Director | | Executive sponsorship |
Program lead from the Security Architecture team | | Drive results and cross-team collaboration |
| IT Architects | Prioritize component integration into architectures |
| Cloud Productivity or End User Team | Enable Defender for Office 365, attack surface reduction (ASR) rules, and AMSI |
| Security Architecture / Infrastructure + Endpoint | Configuration assistance |
| User Education Team | Update guidance on workflow changes |
| Security Policy and Standards | Update standards and policy documents |
| Security Compliance Management | Monitor to ensure compliance |
Implementation checklist for email and collaboration
Apply these best practices to protect your email and collaboration solutions from ransomware threat actors.
Done | Task | Description |
---|---|---|
| Enable AMSI for Office VBA. | Detect Office macro attacks with endpoint tools like Defender for Endpoint. |
| Implement advanced email security using Defender for Office 365 or a similar solution. | Email is a common entry point for threat actors. |
| Deploy attack surface reduction (ASR) rules to block common attack techniques, including: - Endpoint abuse such as credential theft, ransomware activity, and suspicious use of PsExec and WMI. - Weaponized Office document activity such as advanced macro activity, executable content, process creation, and process injection initiated by Office applications. Note: Deploy these rules in audit mode first, assess any negative impact, and then deploy them in block mode. | ASR rules provide additional layers of protection specifically targeted at mitigating common attack methods. |
| Audit and monitor to find and fix deviations from baseline and potential attacks (see Detection and Response). | Reduces risk from ransomware activities that probe baseline security features and settings. |
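The audit-then-block ASR rollout and the AMSI-for-VBA step above, as one added example that is not part of the original article. It stages the rules the checklist names in audit mode, summarizes what they would have blocked from the Defender operational log, promotes them to block mode, and sets the Office "Macro Runtime Scan Scope" policy so AMSI scans every macro. Run it elevated on a Windows host managed by Microsoft Defender Antivirus. The rule GUIDs are the published Defender ASR rule IDs; confirm them against the current ASR rule reference before a broad rollout. The seven-day soak period is an assumption.

```powershell
# Added example, not from the original article. Run elevated on a Defender-managed Windows host.
$asrRules = [ordered]@{
    # Endpoint abuse called out in the checklist
    'Block credential stealing from LSASS'                       = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Use advanced protection against ransomware'                 = 'c1db55ab-c21a-4637-bb3f-a12568109d35'
    'Block process creations from PsExec and WMI'                = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'
    # Weaponized Office document and email activity
    'Block executable content from email client and webmail'     = 'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550'
    'Block Win32 API calls from Office macros'                   = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'
    'Block Office apps from creating executable content'         = '3b576869-a4ec-4529-8536-b80a7769e899'
    'Block all Office apps from creating child processes'        = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
    'Block Office apps from injecting code into other processes' = '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
}

function Set-AsrRuleMode {
    param(
        [string[]]$Ids,
        [ValidateSet('AuditMode', 'Enabled', 'Disabled', 'Warn')][string]$Mode
    )
    # One action per rule ID; Add-MpPreference updates an existing rule's action in place.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Ids `
                     -AttackSurfaceReductionRules_Actions (@($Mode) * $Ids.Count)
}

# Step 1: every rule in audit mode. Caveat: the PsExec/WMI rule is incompatible with
# Configuration Manager clients, which rely on WMI; keep it in audit mode on those hosts.
Set-AsrRuleMode -Ids @($asrRules.Values) -Mode AuditMode

# Step 2 (after the soak period): event ID 1122 = "audited, would have blocked"; 1121 = blocked.
function Get-AsrAuditSummary {
    param([int]$Days = 7)   # assumption: one week of audit data
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # The rule GUID is embedded in the message text; pull it out for grouping.
        $ruleId = [regex]::Match($e.Message, '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}', 'IgnoreCase').Value
        [pscustomobject]@{ Time = $e.TimeCreated; RuleId = $ruleId; Summary = ($e.Message -split "`n")[0] }
    }
}
Get-AsrAuditSummary | Group-Object RuleId | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Step 3: promote to block mode once each audit hit is understood (add exclusions only where justified).
Set-AsrRuleMode -Ids @($asrRules.Values) -Mode Enabled

# Verify: action 1 = block, 2 = audit, 6 = warn, 0 = off.
$prefs = Get-MpPreference
0..($prefs.AttackSurfaceReductionRules_Ids.Count - 1) | ForEach-Object {
    [pscustomobject]@{
        RuleId = $prefs.AttackSurfaceReductionRules_Ids[$_]
        Action = $prefs.AttackSurfaceReductionRules_Actions[$_]
    }
} | Format-Table -AutoSize

# AMSI for Office VBA: "Macro Runtime Scan Scope" = 2 scans macros in all documents,
# including ones the user has trusted (1 = low-trust documents only, 0 = off).
# This is a per-user policy key; at scale deploy it through Group Policy or Intune.
$amsiKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Common\Security'
New-Item -Path $amsiKey -Force | Out-Null
Set-ItemProperty -Path $amsiKey -Name 'MacroRuntimeScanScope' -Value 2 -Type DWord
```

Run steps 1 and 2 first and leave step 3 for a later maintenance window; the point of the audit phase is to find the line-of-business application that spawns child processes from Office before the rule blocks it in production.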
Endpoints
Implement relevant security features and rigorously follow software maintenance best practices for endpoints (devices) and applications, prioritizing applications and server/client operating systems directly exposed to Internet traffic and content.
Internet-exposed endpoints are a common entry vector that provides threat actors access to the organization's assets. Prioritize blocking common OS and application vulnerabilities with preventive controls to slow or stop them from performing the next stages.
Program and project member accountabilities for endpoints
This table describes the overall protection of your endpoints from ransomware in terms of a sponsorship/program management/project management hierarchy to determine and drive results.
Lead | Implementor | Accountability |
---|---|---|
Business leadership accountable for business impact of both downtime and attack damage | | Executive sponsorship (maintenance) |
Central IT Operations or CIO | | Executive sponsorship (others) |
Program lead from the Central IT Infrastructure Team | | Drive results and cross-team collaboration |
| IT and Security Architects | Prioritize component integration into architectures |
| Central IT Operations | Implement changes to environment |
| Cloud Productivity or End User Team | Enable attack surface reduction |
| Workload/App Owners | Identify maintenance windows for changes |
| Security Policy and Standards | Update standards and policy documents |
| Security Compliance Management | Monitor to ensure compliance |
Implementation checklist for endpoints
Apply these best practices to all Windows, Linux, macOS, Android, iOS, and other endpoints.
Done | Task | Description |
---|---|---|
| Block known threats with attack surface reduction rules, tamper protection, and block at first sight. | Don't let an unused built-in security feature be the reason an attacker got into your organization. |
| Apply security baselines to harden internet-facing Windows servers and clients and Office applications. | Protect your organization with the minimum level of security and build from there. |
| Maintain your software so that it is: - Updated: Rapidly deploy critical security updates for operating systems, browsers, and email clients. - Supported: Upgrade operating systems and software to versions supported by your vendors. | Attackers are counting on you missing or neglecting manufacturer updates and upgrades. |
| Isolate, disable, or retire insecure systems and protocols, including unsupported operating systems and legacy protocols. | Attackers use known vulnerabilities of legacy devices, systems, and protocols as entry points into your organization. |
| Block unexpected traffic with host-based firewall and network defenses. | Some malware attacks rely on unsolicited inbound traffic to hosts as a way of making a connection for an attack. |
| Audit and monitor to find and fix deviations from baseline and potential attacks (see Detection and Response). | Reduces risk from ransomware activities that probe baseline security features and settings. |
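The endpoint checklist above, turned into a baseline check as an added example that is not part of the original article: one function that tests tamper protection, block at first sight, ASR block mode, signature and patch age, SMBv1, LM/NTLMv1, and the host firewall, and reports a remediation command for each failure. Run it elevated on a Windows host. The patch-age and signature-age thresholds are assumptions to tune to your own standard, and the function is a hypothetical name, not a Defender cmdlet.

```powershell
# Added example, not from the original article. Run elevated on a Windows host.
function Test-RansomwareEndpointBaseline {
    param([int]$MaxPatchAgeDays = 30, [int]$MaxSignatureAgeDays = 1)   # thresholds are assumptions

    $status  = Get-MpComputerStatus
    $prefs   = Get-MpPreference
    $results = New-Object System.Collections.Generic.List[object]
    $add = {
        param($Name, $Pass, $Fix)
        $results.Add([pscustomobject]@{
            Check       = $Name
            Result      = $(if ($Pass) { 'PASS' } else { 'FAIL' })
            Remediation = $Fix
        })
    }

    # Block known threats: tamper protection, real-time protection, block at first sight, ASR in block mode
    & $add 'Tamper protection' $status.IsTamperProtected `
        'Enable from the Defender portal or Intune; it is deliberately not settable by local script'
    & $add 'Real-time protection' $status.RealTimeProtectionEnabled `
        'Set-MpPreference -DisableRealtimeMonitoring $false'
    # Block at first sight needs cloud protection on and sample submission not set to "never send" (2).
    $bafs = (-not $prefs.DisableBlockAtFirstSeen) -and ($prefs.MAPSReporting -ne 0) -and ($prefs.SubmitSamplesConsent -ne 2)
    & $add 'Block at first sight (cloud protection + sample submission)' $bafs `
        'Set-MpPreference -DisableBlockAtFirstSeen $false -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples'
    $asrBlocking = @($prefs.AttackSurfaceReductionRules_Actions | Where-Object { $_ -eq 1 }).Count
    & $add "ASR rules in block mode ($asrBlocking)" ($asrBlocking -gt 0) `
        'Add-MpPreference -AttackSurfaceReductionRules_Ids <guid> -AttackSurfaceReductionRules_Actions Enabled'

    # Maintain software: signatures and OS patches
    & $add "AV signatures no older than $MaxSignatureAgeDays day(s)" ($status.AntivirusSignatureAge -le $MaxSignatureAgeDays) `
        'Update-MpSignature'
    $lastPatch = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $patchOk = $lastPatch -and ($lastPatch.InstalledOn -ge (Get-Date).AddDays(-$MaxPatchAgeDays))
    & $add "OS update installed within $MaxPatchAgeDays days" $patchOk `
        'Install pending updates (Windows Update, WSUS, or Intune)'

    # Retire insecure protocols: SMBv1 and LM/NTLMv1
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    & $add 'SMBv1 server disabled' (-not $smb1) `
        'Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
    $lm = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($null -eq $lm) { $lm = 3 }   # Windows default when the value is absent: send NTLMv2, still accept LM/NTLM
    & $add 'LmCompatibilityLevel >= 5 (NTLMv2 only, refuse LM and NTLM)' ($lm -ge 5) `
        'Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name LmCompatibilityLevel -Value 5'

    # Block unexpected traffic: every firewall profile on, inbound default not Allow
    $fw = Get-NetFirewallProfile
    $fwOk = @($fw | Where-Object { -not $_.Enabled -or $_.DefaultInboundAction -eq 'Allow' }).Count -eq 0
    & $add 'Host firewall enabled on all profiles, inbound default Block' $fwOk `
        'Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block'

    return $results
}

$report = Test-RansomwareEndpointBaseline
$report | Format-Table -AutoSize
# Non-zero exit when anything fails, so the script can gate a build or feed a compliance job.
exit ([int](@($report | Where-Object Result -eq 'FAIL').Count -gt 0))
```

The tamper-protection row is the one you cannot fix from the same script: that is by design, since a setting that a local script can flip is one that ransomware running as SYSTEM can flip too.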
Accounts
Just as antique skeleton keys won't protect a house against a modern-day burglar, passwords alone cannot protect accounts against the common attacks we see today. While multifactor authentication (MFA) was once seen as a burdensome extra step, passwordless authentication improves the sign-in experience with biometric and device-bound methods that don't require users to remember or type a password. Additionally, a Zero Trust infrastructure stores information about trusted devices, which reduces prompting for out-of-band MFA actions.
Starting with high-privilege administrator accounts, rigorously follow these best practices for account security including using passwordless or MFA.
Program and project member accountabilities for accounts
This table describes the overall protection of your accounts from ransomware in terms of a sponsorship/program management/project management hierarchy to determine and drive results.
Lead | Implementor | Accountability |
---|---|---|
CISO, CIO, or Identity Director | | Executive sponsorship |
Program lead from Identity and Key Management or Security Architecture teams | | Drive results and cross-team collaboration |
| IT and Security Architects | Prioritize component integration into architectures |
| Identity and Key Management or Central IT Operations | Implement configuration changes |
| Security Policy and Standards | Update standards and policy documents |
| Security Compliance Management | Monitor to ensure compliance |
| User Education Team | Update password or sign-in guidance and perform education and change management |
Implementation checklist for accounts
Apply these best practices to protect your accounts from ransomware attackers.
Done | Task | Description |
---|---|---|
| Enforce strong MFA or passwordless sign-in for all users. Start with administrator and priority accounts using one or more of: - Passwordless authentication with Windows Hello or the Microsoft Authenticator app. - Multifactor authentication. - A third-party MFA solution. | Make it harder for an attacker to compromise an account by simply determining its password. |
| Increase password security: - For Microsoft Entra accounts, use Microsoft Entra Password Protection to detect and block known weak passwords and additional weak terms that are specific to your organization. - For on-premises Active Directory Domain Services (AD DS) accounts, extend Microsoft Entra Password Protection to AD DS accounts. | Ensure that attackers can't guess common passwords or passwords based on your organization name. |
| Audit and monitor to find and fix deviations from baseline and potential attacks (see Detection and Response). | Reduces risk from ransomware activities that probe baseline security features and settings. |
Implementation results and timelines
Try to achieve these results within 30 days:
100% of employees are actively using MFA
100% deployment of higher password security
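Measuring the MFA targets above, as an added example that is not part of the original article: a report from the Microsoft Entra authentication methods registration data that gives the MFA and passwordless percentages, lists administrators and users with no MFA registered, and also lists users whose only MFA methods are phone-based (SMS and voice are phishable and SIM-swappable, so they don't count as "strong" in the checklist's sense). It assumes the Microsoft Graph PowerShell SDK and the Reports.Read.All and AuditLog.Read.All permissions; the function name is hypothetical.

```powershell
# Added example, not from the original article. Requires the Microsoft.Graph SDK.
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'Reports.Read.All', 'AuditLog.Read.All'

function Get-MfaCoverageReport {
    # One row per user: UserPrincipalName, IsAdmin, IsMfaRegistered,
    # IsPasswordlessCapable, MethodsRegistered (and more).
    $rows  = @(Get-MgReportAuthenticationMethodUserRegistrationDetail -All)
    $total = $rows.Count

    $mfaCount     = @($rows | Where-Object IsMfaRegistered).Count
    $pwdlessCount = @($rows | Where-Object IsPasswordlessCapable).Count
    $adminsNoMfa  = @($rows | Where-Object { $_.IsAdmin -and -not $_.IsMfaRegistered })
    $usersNoMfa   = @($rows | Where-Object { -not $_.IsAdmin -and -not $_.IsMfaRegistered })

    # Users who count as MFA-registered but have nothing stronger than a phone number.
    $phoneMethods = @('mobilePhone', 'alternateMobilePhone', 'officePhone')
    $phoneOnly = @($rows | Where-Object {
        $_.IsMfaRegistered -and
        @($_.MethodsRegistered | Where-Object { $_ -notin $phoneMethods }).Count -eq 0
    })

    $mfaPct     = if ($total) { [math]::Round(100 * $mfaCount / $total, 1) } else { 0 }
    $pwdlessPct = if ($total) { [math]::Round(100 * $pwdlessCount / $total, 1) } else { 0 }

    [pscustomobject]@{
        TotalUsers           = $total
        MfaRegisteredPercent = $mfaPct
        PasswordlessPercent  = $pwdlessPct
        AdminsWithoutMfa     = $adminsNoMfa.UserPrincipalName
        UsersWithoutMfa      = $usersNoMfa.UserPrincipalName
        PhoneOnlyMfaUsers    = $phoneOnly.UserPrincipalName
    }
}

$report = Get-MfaCoverageReport
$report | Format-List

# Fail loudly if any privileged account still has no MFA; that list should be empty before anything else.
if (@($report.AdminsWithoutMfa).Count -gt 0) {
    Write-Warning "Administrators without MFA: $($report.AdminsWithoutMfa -join ', ')"
}
```

Schedule this weekly during the 30-day window and track MfaRegisteredPercent toward 100%; registration is a prerequisite for, not the same as, enforcement, which is what the Conditional Access policy in the remote access section provides.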
Additional ransomware resources
Key information from Microsoft:
- Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks, Microsoft Blog, May 2024
- 2023 Microsoft Digital Defense Report (see pages 17-26)
- Ransomware: A pervasive and ongoing threat, threat analytics report in the Microsoft Defender portal
- Microsoft Incident Response team (formerly DART) ransomware approach and case study
Microsoft 365:
- Deploy ransomware protection for your Microsoft 365 tenant
- Maximize Ransomware Resiliency with Azure and Microsoft 365
- Recover from a ransomware attack
- Malware and ransomware protection
- Protect your Windows 10 PC from ransomware
- Handling ransomware in SharePoint Online
- Threat analytics reports for ransomware in the Microsoft Defender portal
Microsoft Defender XDR:
Microsoft Azure:
- Azure Defenses for Ransomware Attack
- Maximize Ransomware Resiliency with Azure and Microsoft 365
- Backup and restore plan to protect against ransomware
- Help protect from ransomware with Microsoft Azure Backup (26 minute video)
- Recovering from systemic identity compromise
- Advanced multistage attack detection in Microsoft Sentinel
- Fusion Detection for Ransomware in Microsoft Sentinel
Microsoft Defender for Cloud Apps:
Microsoft Security team blog posts:
- 3 steps to prevent and recover from ransomware (September 2021)
- A guide to combatting human-operated ransomware: Part 1 (September 2021). Key steps on how Microsoft's Detection and Response Team (DART) conducts ransomware incident investigations.
- A guide to combatting human-operated ransomware: Part 2 (September 2021). Recommendations and best practices.
- See the Ransomware section.
- Human-operated ransomware attacks: A preventable disaster (March 2020). Includes attack chain analyses of actual attacks.
- Norsk Hydro responds to ransomware attack with transparency (December 2019)