Ransomware Protection and Containment Strategies: Practical Guidance for Endpoint Protection, Hardening, and Containment
The paper has been updated to include additional protection and containment techniques based on front-line visibility and response activities in the fight against ransomware. The report was originally published on October 30, 2020. The complete set of recommendations from the initial study is unchanged; the following techniques have been added to make the report more comprehensive:
- Windows Firewall rule configurations that prevent specific binaries from making outbound connections from endpoints
- Steps for isolating and preparing a domain controller for recovery
- Guidance for proactively assessing and monitoring GPO permissions
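The GPO permissions assessment mentioned above can be scripted. The following PowerShell is an added example, not code from the report: it walks every GPO in the domain with the GroupPolicy RSAT module and lists trustees holding a permission level that allows the GPO to be edited, filtered against an illustrative list of expected administrator groups (the `$ExpectedEditors` list and the output path are assumptions; adjust both to your environment).

```powershell
# Added example (not from the report): enumerate every GPO and flag trustees
# that can modify it, so the result can be compared against the groups that
# are supposed to manage Group Policy. Requires the GroupPolicy RSAT module
# and an account that can read GPO security.
# ASSUMPTION: $ExpectedEditors is illustrative; replace it with the groups
# your organization actually uses.
Import-Module GroupPolicy

$ExpectedEditors = @(
    'Domain Admins',
    'Enterprise Admins',
    'SYSTEM'
)

# Permission levels that let a trustee change a GPO's settings or security.
# GpoCustom is included because a custom ACE needs manual review.
$WritePermissions = @('GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom')

$Findings = foreach ($gpo in Get-GPO -All) {
    foreach ($perm in Get-GPPermission -Guid $gpo.Id -All) {
        $level = $perm.Permission.ToString()
        if ($WritePermissions -contains $level -and
            $ExpectedEditors -notcontains $perm.Trustee.Name) {
            [pscustomobject]@{
                GpoName    = $gpo.DisplayName
                GpoId      = $gpo.Id
                Trustee    = $perm.Trustee.Name
                TrusteeType = $perm.Trustee.SidType
                Permission = $level
                Inherited  = $perm.Inherited
                Modified   = $gpo.ModificationTime
            }
        }
    }
}

# Print the findings and save a dated baseline; rerunning on a schedule and
# diffing against the saved file turns the one-off assessment into monitoring.
$Findings | Sort-Object GpoName, Trustee | Format-Table -AutoSize
$Findings | Export-Csv -Path ".\gpo-write-permissions-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

An empty result means every GPO is editable only by the expected groups. Any row is worth investigating: a delegated user or group with edit rights on a GPO linked to workstations or servers has the same deployment capability that the report describes attackers using to push encryptors.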
Ransomware is a global issue that affects enterprises of all sizes and across all industries. The consequences of a successful ransomware attack can be significant for a company, including the loss of access to data and systems, as well as the interruption of business operations. The possibility of downtime, combined with the unforeseen expenses associated with restoration, recovery, and the introduction of new security processes and controls, may be extremely stressful and expensive to manage. The use of ransomware has grown in popularity among attackers over the past several years, and it is easy to see why, considering how simple it is to incorporate into campaigns while also providing a lucrative cash return for the perpetrators.
The steps that organizations can take proactively to harden their environment to prevent the downstream impact of a ransomware event are discussed in our latest report, Ransomware Protection and Containment Strategies: Practical Guidance for Endpoint Protection, Hardening, and Containment (PDF). Moreover, these guidelines can assist companies in prioritizing the most critical activities that must be taken to control and reduce the damage of a ransomware attack after it has occurred.
Ransomware is typically distributed throughout an environment in one of two ways:
- Manual dissemination by a threat actor once they have infiltrated a target's environment and have administrator-level access across a large portion of the target's network:
  - Manually running encryptors on the targeted systems.
  - Using Windows batch files to deploy encryptors throughout an environment. These batch files mount C$ shares, copy the encryptor, and then execute it using the Microsoft PsExec tool.
  - Deploying encryptors using Microsoft Group Policy Objects (GPOs).
  - Using the software deployment tools already in use by the victim organization to push encryptors onto its systems.
- Automated propagation:
  - Extraction of credentials or Windows tokens from disk or memory.
  - Trust relationships between systems, together with mechanisms such as Windows Management Instrumentation (WMI), SMB, or PsExec, to bind to computers and execute payloads.
  - Unpatched exploitable vulnerabilities (for example, EternalBlue, which was addressed by Microsoft Security Bulletin MS17-010).
The paper includes a substantial amount of technical advice to help enterprises reduce the risk of, and contain, ransomware outbreaks, including the following:
- Endpoint segmentation
- Increasing resistance to popular exploitation techniques
- Reducing the risk of privileged and service accounts being compromised
- Cleartext password protections
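Two of the controls above, the outbound rules that stop specific binaries from connecting out and endpoint segmentation for the lateral-movement protocols the report names (SMB, WMI, PsExec), can both be expressed as Windows Firewall policy. The following PowerShell is an added example, not code from the report or from the report's authors: it creates per-program outbound block rules and then confines inbound SMB, RPC, RDP and WinRM on a workstation to a management subnet. The four binaries listed and the `10.0.50.0/24` management subnet are placeholders chosen for illustration, not values from the report.

```powershell
# Added example (not from the report): Windows Firewall hardening for a
# workstation in two parts:
#   1. outbound rules that stop selected binaries from initiating connections
#   2. inbound rules that limit lateral-movement services to a management subnet
# Run elevated. In production, deliver the same rules through GPO rather than
# by hand so that they apply consistently and cannot be removed locally.
# ASSUMPTIONS: the binaries and the 10.0.50.0/24 subnet are placeholders.

$RuleGroup = 'Ransomware containment (added example)'

# --- Part 1: block outbound connections from selected binaries ---------------
# Script hosts are a common choice; review firewall logs with -Enabled False
# first if you are unsure whether legitimate software depends on one of them.
$BlockedOutboundPrograms = @(
    "$env:SystemRoot\System32\mshta.exe",
    "$env:SystemRoot\System32\wscript.exe",
    "$env:SystemRoot\System32\cscript.exe",
    "$env:SystemRoot\System32\regsvr32.exe"
)

foreach ($exe in $BlockedOutboundPrograms) {
    $name = "Block outbound - $(Split-Path $exe -Leaf)"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Group $RuleGroup `
            -Direction Outbound -Program $exe -Action Block `
            -Profile Any -Enabled True | Out-Null
    }
}

# --- Part 2: endpoint segmentation for inbound traffic ----------------------
# Block rules take precedence over allow rules in Windows Firewall, so
# "allow only from the management subnet" is expressed as: default inbound
# action = Block, disable the built-in allow groups for these services, then
# add narrow allow rules scoped to the management subnet.
$ManagementSubnet = '10.0.50.0/24'   # placeholder

Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

$BuiltInGroups = @(
    'File and Printer Sharing',                 # SMB
    'Windows Management Instrumentation (WMI)', # WMI/DCOM
    'Remote Desktop',                           # RDP
    'Windows Remote Management'                 # WinRM
)
foreach ($group in $BuiltInGroups) {
    Disable-NetFirewallRule -DisplayGroup $group -ErrorAction SilentlyContinue
}

$LateralMovementPorts = @{
    'SMB'   = '445'
    'RPC'   = '135'            # endpoint mapper used by WMI/DCOM and PsExec-style service control
    'RDP'   = '3389'
    'WinRM' = '5985', '5986'
}

foreach ($svc in $LateralMovementPorts.Keys) {
    New-NetFirewallRule -DisplayName "Allow $svc from management subnet" -Group $RuleGroup `
        -Direction Inbound -Protocol TCP -LocalPort $LateralMovementPorts[$svc] `
        -RemoteAddress $ManagementSubnet -Action Allow -Profile Domain -Enabled True | Out-Null
}

# Verify what is in place.
Get-NetFirewallRule -Group $RuleGroup |
    Select-Object DisplayName, Direction, Action, Enabled |
    Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind: these inbound rules are meant for workstations, where no peer should be connecting over SMB or RPC in the first place, not for file servers or domain controllers; and WMI/DCOM negotiates a dynamic port after the initial connection to 135, so management hosts that genuinely need WMI access also require the RPC dynamic port range (or a service-scoped rule) to be allowed from the management subnet.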
If you are reading this report to assist your company in responding to a ransomware incident that has already occurred, you must understand how the ransomware was distributed throughout the environment so that you can plan your ransomware response most effectively. This handbook is intended to assist organizations in this process.
Download the report today.
*Please keep in mind that the recommendations contained in this study will assist companies in reducing the risk of and containing ransomware outbreaks. Although this study covers many areas of ransomware event response, it does not cover all of them. Investigative approaches to detect and remove backdoors (ransomware operators frequently have several backdoors into target environments), interacting and negotiating with threat actors, or recovering data once a decryptor has been delivered are not covered.