Defend against ransomware attacks

In this phase, you make the threat actors work harder to access your on-premises or cloud systems by gradually removing risks at the points of entry.

While many of these changes will be familiar and easy to implement, it's extremely important that your work on this part of the strategy not slow your progress on the other critically important parts!

Here are the links to review the three-part ransomware prevention plan:

Remote access

Getting access to your organization's intranet through a remote access connection is an attack vector for ransomware threat actors.

Once an on-premises user account is compromised, a threat actor can use the intranet to gather intelligence, elevate privileges, and install ransomware. The Colonial Pipeline cyberattack in 2021 is an example.

Program and project member accountabilities for remote access

This table describes the overall protection of your remote access solution from ransomware in terms of a sponsorship/program management/project management hierarchy to determine and drive results.

Lead Implementor | Accountability
CISO or CIO | Executive sponsorship
Program lead on the Central IT Infrastructure/Network Team | Drive results and cross-team collaboration
IT and Security Architects | Prioritize component integration into architectures
Central IT Identity Team | Configure Microsoft Entra ID and Conditional Access policies
Central IT Operations | Implement changes to environment
Workload Owners | Assist with RBAC permissions for app publishing
Security Policy and Standards | Update standards and policy documents
Security Compliance Management | Monitor to ensure compliance
User Education Team | Update any guidance on workflow changes and perform education and change management

Implementation checklist for remote access

Apply these best practices to protect your remote access infrastructure from ransomware threat actors.

Done | Task | Description

[ ] Task: Maintain software and appliance updates. Avoid missing or neglecting manufacturer protections (security updates, supported status).
    Description: Threat actors use well-known vulnerabilities that have not yet been patched as attack vectors.

[ ] Task: Configure Microsoft Entra ID for existing remote access, including enforcing Zero Trust user and device validation with Conditional Access.
    Description: Zero Trust provides multiple levels of securing access to your organization.

[ ] Task: Configure security for existing third-party VPN solutions (Cisco AnyConnect, Palo Alto Networks GlobalProtect & Captive Portal, Fortinet FortiGate SSL VPN, Citrix NetScaler, Zscaler Private Access (ZPA), and more).
    Description: Take advantage of the built-in security of your remote access solution.

[ ] Task: Deploy Azure Point-to-Site (P2S) VPN to provide remote access.
    Description: Take advantage of integration with Microsoft Entra ID and your existing Azure subscriptions.

[ ] Task: Publish on-premises web apps with Microsoft Entra application proxy.
    Description: Apps published with Microsoft Entra application proxy do not need a remote access connection.

[ ] Task: Secure access to Azure resources with Azure Bastion.
    Description: Securely and seamlessly connect to your Azure virtual machines over SSL.

[ ] Task: Audit and monitor to find and fix deviations from baseline and potential attacks (see Detection and Response).
    Description: Reduces risk from ransomware activities that probe baseline security features and settings.

Email and collaboration

Implement best practices for email and collaboration solutions to make it more difficult for threat actors to abuse them, while letting your workers access external content easily and safely.

Threat actors frequently enter the environment by introducing malicious content disguised within authorized collaboration tools such as email and file sharing and convincing users to run the content. Microsoft has invested in enhanced mitigations that vastly increase protection against these attack vectors.

Program and project member accountabilities for email and collaboration

This table describes the overall protection of your email and collaboration solutions from ransomware in terms of a sponsorship/program management/project management hierarchy to determine and drive results.

Lead Implementor | Accountability
CISO, CIO, or Identity Director | Executive sponsorship
Program lead from the Security Architecture team | Drive results and cross-team collaboration
IT Architects | Prioritize component integration into architectures
Cloud Productivity or End User Team | Enable Defender for Office 365, attack surface reduction (ASR) rules, and AMSI
Security Architecture / Infrastructure + Endpoint | Configuration assistance
User Education Team | Update guidance on workflow changes
Security Policy and Standards | Update standards and policy documents
Security Compliance Management | Monitor to ensure compliance

Implementation checklist for email and collaboration

Apply these best practices to protect your email and collaboration solutions from ransomware threat actors.

Done | Task | Description

[ ] Task: Enable AMSI for Office VBA.
    Description: Detect Office macro attacks with endpoint tools like Defender for Endpoint.

[ ] Task: Implement advanced email security using Defender for Office 365 or a similar solution.
    Description: Email is a common entry point for threat actors.

[ ] Task: Deploy attack surface reduction (ASR) rules to block common attack techniques, including:

    - Endpoint abuse such as credential theft, ransomware activity, and suspicious use of PsExec and WMI.

    - Weaponized Office document activity such as advanced macro activity, executable content, process creation, and process injection initiated by Office applications.

    Note: Deploy these rules in audit mode first, assess any negative impact, and then deploy them in block mode.
    Description: Attack surface reduction rules provide additional layers of protection specifically targeted at mitigating common attack methods.

[ ] Task: Audit and monitor to find and fix deviations from baseline and potential attacks (see Detection and Response).
    Description: Reduces risk from ransomware activities that probe baseline security features and settings.
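The staged rollout the note above describes (audit mode, review, then block mode) looks like this on a single Windows host, together with the AMSI-for-VBA setting from the first row. This is an added example, not code from the Microsoft page: it assumes an elevated PowerShell session on a machine where Microsoft Defender Antivirus is the active antivirus, the rule GUIDs are the documented ASR rule IDs as I know them (confirm against the current ASR rules reference before deploying), and the Office policy registry path is an assumption to verify against your Office version's policy reference.

```powershell
# Added example (not from the Microsoft page): stage ASR rules audit -> block on one Windows endpoint
# and turn on AMSI scanning of Office VBA macros. Run elevated with Defender Antivirus active.
# Rule GUIDs are the documented ASR rule IDs as I know them; verify before rollout.
$asrRules = [ordered]@{
    "Block all Office applications from creating child processes"        = "d4f940ab-401b-4efc-aadc-ad5f3c50688a"
    "Block Office applications from creating executable content"         = "3b576869-a4ec-4529-8536-b80a7769e899"
    "Block Office applications from injecting code into other processes" = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84"
    "Block credential stealing from LSASS"                               = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2"
    "Block process creations originating from PsExec and WMI"            = "d1e49aac-8f56-4280-b9ba-993a6d77406c"
    "Use advanced protection against ransomware"                         = "c1db55ab-c21a-4637-bb3f-a12568109d35"
}

function Set-AsrRuleStage {
    # "AuditMode" only logs what a rule would have blocked; "Enabled" enforces it.
    param(
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Rules,
        [Parameter(Mandatory)] [ValidateSet("AuditMode", "Enabled")] [string] $Action
    )
    foreach ($name in $Rules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $Rules[$name] -AttackSurfaceReductionRules_Actions $Action
        Write-Host ("{0,-9} {1}" -f $Action, $name)
    }
}

function Get-AsrEvents {
    # Defender logs event 1122 when an audited rule would have fired and 1121 when a rule blocked.
    # Review these between the two stages to find legitimate workflows that need exclusions.
    param([int] $MaxEvents = 200)
    Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-Windows Defender/Operational"; Id = 1121, 1122 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ Name = "Summary"; Expression = { ($_.Message -split "`n")[0] } }
}

function Enable-OfficeMacroAmsi {
    # Office policy "Macro Runtime Scan Scope": 2 = scan macros in all documents (1 = low-trust only, 0 = off).
    # Registry location is the Office 2016+ policy key as I understand it (assumption; verify for your version).
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\Common\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name "MacroRuntimeScanScope" -PropertyType DWord -Value 2 -Force | Out-Null
}

# Stage 1: audit and enable AMSI for VBA.
Set-AsrRuleStage -Rules $asrRules -Action AuditMode
Enable-OfficeMacroAmsi
Get-AsrEvents | Format-Table -AutoSize

# Stage 2, after reviewing the audit events and adding any needed exclusions: enforce.
# Set-AsrRuleStage -Rules $asrRules -Action Enabled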

Endpoints

Implement relevant security features and rigorously follow software maintenance best practices for endpoints (devices) and applications, prioritizing applications and server/client operating systems directly exposed to Internet traffic and content.

Internet-exposed endpoints are a common entry vector that provides threat actors access to the organization's assets. Prioritize blocking common OS and application vulnerabilities with preventive controls to slow or stop them from performing the next stages.

Program and project member accountabilities for endpoints

This table describes the overall protection of your endpoints from ransomware in terms of a sponsorship/program management/project management hierarchy to determine and drive results.

Lead Implementor | Accountability
Business leadership accountable for business impact of both downtime and attack damage | Executive sponsorship (maintenance)
Central IT Operations or CIO | Executive sponsorship (others)
Program lead from the Central IT Infrastructure Team | Drive results and cross-team collaboration
IT and Security Architects | Prioritize component integration into architectures
Central IT Operations | Implement changes to environment
Cloud Productivity or End User Team | Enable attack surface reduction
Workload/App Owners | Identify maintenance windows for changes
Security Policy and Standards | Update standards and policy documents
Security Compliance Management | Monitor to ensure compliance

Implementation checklist for endpoints

Apply these best practices to all Windows, Linux, macOS, Android, iOS, and other endpoints.

Done | Task | Description

[ ] Task: Block known threats with attack surface reduction rules, tamper protection, and block at first sight.
    Description: Don't let leaving these built-in security features unused be the reason an attacker got into your organization.

[ ] Task: Apply security baselines to harden internet-facing Windows servers and clients and Office applications.
    Description: Protect your organization with the minimum level of security and build from there.

[ ] Task: Maintain your software so that it is:

    - Updated: Rapidly deploy critical security updates for operating systems, browsers, and email clients.

    - Supported: Upgrade operating systems and software to versions supported by your vendors.

    Description: Attackers are counting on you missing or neglecting manufacturer updates and upgrades.

[ ] Task: Isolate, disable, or retire insecure systems and protocols, including unsupported operating systems and legacy protocols.
    Description: Attackers use known vulnerabilities of legacy devices, systems, and protocols as entry points into your organization.

[ ] Task: Block unexpected traffic with host-based firewall and network defenses.
    Description: Some malware attacks rely on unsolicited inbound traffic to hosts as a way of making a connection for an attack.

[ ] Task: Audit and monitor to find and fix deviations from baseline and potential attacks (see Detection and Response).
    Description: Reduces risk from ransomware activities that probe baseline security features and settings.
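The last checklist row, auditing for deviations from baseline, can be automated for the Windows items in this table. The script below is an added example, not code from the Microsoft page: it assumes an elevated PowerShell session on Windows 10/11 or Windows Server with Microsoft Defender Antivirus active, checks block at first sight, tamper protection, real-time protection, signature age, SMBv1 (a legacy protocol), and the host firewall's inbound default, and remediates only what a local administrator can set. Tamper protection is read-only here because it is managed centrally (Intune or the Defender portal), not through Set-MpPreference.

```powershell
# Added example (not from the Microsoft page): audit a Windows endpoint against several checklist
# items above and report deviations; optionally remediate the locally settable ones. Run elevated.
function Test-EndpointBaseline {
    $status   = Get-MpComputerStatus
    $pref     = Get-MpPreference
    $smb1     = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    $profiles = Get-NetFirewallProfile
    $sigAge   = (Get-Date) - $status.AntivirusSignatureLastUpdated

    $checks = @(
        [pscustomobject]@{ Check = "Tamper protection on"
                           Pass  = [bool]$status.IsTamperProtected
                           Actual = "IsTamperProtected=$($status.IsTamperProtected)" }
        [pscustomobject]@{ Check = "Real-time protection on"
                           Pass  = [bool]$status.RealTimeProtectionEnabled
                           Actual = "RealTimeProtectionEnabled=$($status.RealTimeProtectionEnabled)" }
        # Block at first sight needs cloud protection (MAPS) on and the feature not disabled.
        [pscustomobject]@{ Check = "Block at first sight enabled"
                           Pass  = (-not $pref.DisableBlockAtFirstSeen) -and ([int]$pref.MAPSReporting -ne 0)
                           Actual = "DisableBlockAtFirstSeen=$($pref.DisableBlockAtFirstSeen) MAPSReporting=$($pref.MAPSReporting)" }
        [pscustomobject]@{ Check = "AV signatures under 2 days old"
                           Pass  = ($sigAge.TotalDays -lt 2)
                           Actual = "$([int]$sigAge.TotalHours) h since last update" }
        # Legacy protocol: SMBv1 should be removed, not merely unused.
        [pscustomobject]@{ Check = "SMBv1 disabled"
                           Pass  = ("$($smb1.State)" -ne "Enabled")
                           Actual = "SMB1Protocol=$($smb1.State)" }
    )
    foreach ($p in $profiles) {
        $checks += [pscustomobject]@{
            Check  = "Firewall profile $($p.Name): enabled, inbound default Block"
            Pass   = ("$($p.Enabled)" -eq "True") -and ("$($p.DefaultInboundAction)" -eq "Block")
            Actual = "Enabled=$($p.Enabled) DefaultInboundAction=$($p.DefaultInboundAction)"
        }
    }
    $checks
}

function Repair-EndpointBaseline {
    # Remediates only settings a local admin controls; tamper protection stays centrally managed.
    Set-MpPreference -DisableBlockAtFirstSeen $false -MAPSReporting Advanced `
        -SubmitSamplesConsent SendSafeSamples -CloudBlockLevel High
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block
    if ("$((Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State)" -eq "Enabled") {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

# Report only the failing checks; run Repair-EndpointBaseline after reviewing them.
Test-EndpointBaseline | Where-Object { -not $_.Pass } | Format-Table -AutoSize
```

Feeding the failing rows into your monitoring pipeline (for example, as a scheduled task that writes them to a log your SIEM collects) turns this one-off audit into the continuous deviation detection the checklist calls for.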

Accounts

Just as antique skeleton keys won’t protect a house against a modern-day burglar, passwords cannot protect accounts against the common attacks we see today. While multifactor authentication (MFA) was once a burdensome extra step, passwordless authentication improves the sign-in experience using biometric approaches that don’t require your users to remember or type a password. Additionally, a Zero Trust infrastructure stores information about trusted devices, which reduces prompting for annoying out-of-band MFA actions.

Starting with high-privilege administrator accounts, rigorously follow these best practices for account security, including using passwordless authentication or MFA.

Program and project member accountabilities for accounts

This table describes the overall protection of your accounts from ransomware in terms of a sponsorship/program management/project management hierarchy to determine and drive results.

Lead Implementor | Accountability
CISO, CIO, or Identity Director | Executive sponsorship
Program lead from Identity and Key Management or Security Architecture teams | Drive results and cross-team collaboration
IT and Security Architects | Prioritize component integration into architectures
Identity and Key Management or Central IT Operations | Implement configuration changes
Security Policy and Standards | Update standards and policy documents
Security Compliance Management | Monitor to ensure compliance
User Education Team | Update password or sign-in guidance and perform education and change management

Implementation checklist for accounts

Apply these best practices to protect your accounts from ransomware attackers.

Done | Task | Description

[ ] Task: Enforce strong MFA or passwordless sign-in for all users. Start with administrator and priority accounts, using one or more of:

    - Passwordless authentication with Windows Hello or the Microsoft Authenticator app.

    - Multifactor authentication.

    - A third-party MFA solution.

    Description: Make it harder for an attacker to compromise credentials by just determining a user account password.

[ ] Task: Increase password security:

    - For Microsoft Entra accounts, use Microsoft Entra Password Protection to detect and block known weak passwords and additional weak terms that are specific to your organization.

    - For on-premises Active Directory Domain Services (AD DS) accounts, extend Microsoft Entra Password Protection to AD DS accounts.

    Description: Ensure that attackers can't guess common passwords or passwords based on your organization name.

[ ] Task: Audit and monitor to find and fix deviations from baseline and potential attacks (see Detection and Response).
    Description: Reduces risk from ransomware activities that probe baseline security features and settings.
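Both the remote access checklist (Zero Trust user and device validation with Conditional Access) and the first row above (MFA for all users, starting with administrators) are implemented as Conditional Access policies. The script below is an added example, not code from the Microsoft page: it uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module) with an account holding Policy.ReadWrite.ConditionalAccess, creates the policies in report-only state so sign-in logs show their effect before enforcement, and assumes a break-glass group whose object ID is a placeholder you must replace. The Global Administrator role template ID is the well-known directory role template ID.

```powershell
# Added example (not from the Microsoft page): create two Conditional Access policies with Microsoft Graph
# PowerShell, first in report-only mode, then promote them to enforced after reviewing sign-in logs.
# Requires: Install-Module Microsoft.Graph.Identity.SignIns, and Policy.ReadWrite.ConditionalAccess rights.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$globalAdminRoleId = "62e90394-69f5-4237-9190-012177145e10"   # well-known Global Administrator role template ID
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # PLACEHOLDER: object ID of your emergency-access group

# Policy 1: privileged roles must satisfy MFA AND sign in from a compliant device (Zero Trust user + device check).
$adminPolicy = @{
    displayName = "Admins: require MFA and compliant device"
    state       = "enabledForReportingButNotEnforced"          # report-only first
    conditions  = @{
        users          = @{ includeRoles = @($globalAdminRoleId); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "compliantDevice") }
}

# Policy 2: every user must satisfy MFA for every application (passwordless methods satisfy this control).
$allUsersPolicy = @{
    displayName = "All users: require MFA"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

function New-ReportOnlyPolicy {
    param([Parameter(Mandatory)] [hashtable] $Policy)
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $Policy
    Write-Host "Created '$($created.DisplayName)' id=$($created.Id) state=$($created.State)"
    $created.Id
}

function Enable-Policy {
    # Promote a reviewed report-only policy to enforced.
    param([Parameter(Mandatory)] [string] $PolicyId)
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId -BodyParameter @{ state = "enabled" }
}

$ids = @($adminPolicy, $allUsersPolicy) | ForEach-Object { New-ReportOnlyPolicy -Policy $_ }

# After reviewing report-only results in the Entra sign-in logs (and confirming the break-glass accounts are
# excluded), enforce each policy:
# $ids | ForEach-Object { Enable-Policy -PolicyId $_ }
```

Keeping the break-glass group excluded from every policy, and creating in report-only state before enforcing, are the two habits that prevent a Conditional Access rollout from locking administrators out of the tenant.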

Implementation results and timelines

Try to achieve these results within 30 days:

  • 100% of employees are actively using MFA

  • 100% deployment of higher password security
