FireEye Ransomware Protection And Containment Strategies

Threat Research Blog

UPDATE (30 Oct 2020): The report has been updated to include additional protection strategies and containment strategies that are based on front-line surveillance and response efforts in fighting ransomware. The original report’s scope remains unchanged. However, we have added the following strategies to the report.

  • Windows Firewall configurations to prevent specific binaries from establishing outbound connections to endpoints
  • Domain Controller recovery and isolation steps
  • Monitoring and review of GPO permissions
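The first of the added strategies above, Windows Firewall rules that stop specific binaries from initiating outbound connections, can be applied per endpoint with PowerShell as in this added example (not from the FireEye report); the binary list and the PsExec path are assumptions to be adapted to your environment.

```powershell
# Added example (not from the FireEye report): create outbound block rules in
# Windows Defender Firewall for binaries commonly abused for lateral movement.
# Assumptions: the binary list and the PsExec path below are placeholders;
# run in an elevated session, and deploy at scale via GPO or a management tool.

$Binaries = @{
    'PsExec'  = 'C:\Tools\PsExec.exe'                          # hypothetical path
    'wmic'    = "$env:SystemRoot\System32\wbem\wmic.exe"
    'wscript' = "$env:SystemRoot\System32\wscript.exe"
}

function Add-OutboundBlockRule {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Path
    )
    $ruleName = "RansomwareContainment-Block-Outbound-$Name"
    # Idempotent: skip creation if a rule with this display name already exists.
    if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
        Write-Host "Rule already present: $ruleName"
        return
    }
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound `
        -Program $Path `
        -Action Block `
        -Profile Any `
        -Enabled True | Out-Null
    Write-Host "Created: $ruleName ($Path)"
}

foreach ($entry in $Binaries.GetEnumerator()) {
    Add-OutboundBlockRule -Name $entry.Key -Path $entry.Value
}

# Verify: list the containment rules together with the program each one filters.
Get-NetFirewallRule -DisplayName 'RansomwareContainment-Block-Outbound-*' |
    ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{ Rule = $_.DisplayName; Program = $app.Program; Enabled = $_.Enabled }
    } | Format-Table -AutoSize
```

Rules keyed on a program path do not cover renamed copies of the same binary, so pair them with the endpoint segmentation and credential protections the report also recommends.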

Ransomware is a worldwide threat to organizations of all industries. Ransomware can have a significant impact on an organization, including the loss or corruption of data and systems. It can cause significant downtime and result in unexpected expenses for recovery, restoration, and implementing new security controls and processes. Ransomware has been a popular attack method in recent years, and it is easy to see why, given its simplicity and potential financial returns.

Our latest report, Ransomware Protection & Containment Strategy: Practical Guidance to Endpoint Protection, Hardening, and Containment, discusses steps organizations can take to protect their environment and prevent ransomware-related disruption. These recommendations can help organizations prioritize the most critical steps needed to limit and minimize the damage caused by ransomware events.

Ransomware is commonly deployed in an environment in one of two ways:

  1. Manual propagation by threat actors, once they have penetrated the environment and obtained administrator-level privileges across it:
    • Encryptors run manually on specific systems.
    • Windows batch files used to deploy the encryptor throughout the environment (mount C$ shares, copy the encryptor, then execute it with the Microsoft PsExec tool).
    • Encryptors deployed using Microsoft Group Policy Objects.
    • Encryptors deployed with software deployment tools already used by the victim organization.
  2. Automated propagation:
    • Extraction of Windows tokens or credentials from memory or disk.
    • Abuse of trust relationships between systems, using methods such as Windows Management Instrumentation, SMB, or PsExec to bind to them and execute payloads.
    • Exploitation of unpatched vulnerabilities (e.g., EternalBlue, addressed by Microsoft Security Bulletin MS17-010).

The report contains several technical recommendations to help organizations avoid and contain ransomware events:

  • Endpoint segmentation
  • Hardening against common exploitation methods
  • Reducing the exposure of privileged and other service accounts
  • Cleartext password protections

The report is intended to help your organization respond to ransomware attacks. Understanding the nature of ransomware and how to design your ransomware response is essential, and this guide walks organizations through that process.