The measures listed below are examples of how to better defend, mitigate, respond to, and recover from ransomware, and they are as context-specific as possible. This list is neither exhaustive nor applicable to every environment. Before implementation, proper testing is encouraged.
Proactive
Implement multi-factor authentication for:
Publicly facing assets and critical services
Virtual Private Network (VPN) and other remote access solutions
Cloud services such Office 365 or G Suite
User accounts
Create, maintain, and test the validity and restoration process of backups, and ensure they're working correctly in case you have to restore from a backup using the 3-2-1 rule. For more information, see The 3-2-1 Backup Rule - An Efficient Data Protection Process on the Nakivo blog.
Use Application Control and allow-listing, such as AppLocker
Disable SMBv1 (really important!!)
If you have Carbon Black Response, use this utility: CB Response smb1 utility
Disable Office macros
If macros are required in your environment, block macros from documents downloaded from the internet
Alternative source: Macro security for Microsoft Office
Use principle of least privilege with local admin accounts.
Lock down user shares to only those who need it
Perform regular audits to ensure share access is maintained appropriately
Perform regular audits of highly sensitive Active Directory groups for unexpected accounts. For example:
Domain admins
Enterprise admins
Backup operators
Administrators
Schema admins
Remove administrative privileges from standard user accounts
If local admin accounts are required use unique passwords per device
Restrict accounts that have the ability to remotely access systems
Remote Desktop Protocol (RDP)
Server Message Block (SMB)/File shares
Maintain up-to-date patches to ensure endpoints don’t have older vulnerabilities
Obtain and maintain cyber-insurance. Ensure it includes an incident response services retainer.
Implement a secure email gateway.
Block .zip files and other extensions
Limit or highlight emails from external senders
Ensure firewalls are up to date and working as expected
Implement strong ingress filtering
Implement strong egressing filtering
Does Active Directory need to communicate with the internet?
Routinely audit ingress firewall rules
Set script files to open using notepad: Controlling JavaScript Malware Before it Runs
Examples can be found on GitHub.
Implement hardened images for operating systems and services
Implement web or domain filtering
Block newly registered domains
Block sites and domains that are categorized as “Malware” or “Suspicious”
Ensure Anti-virus (AV) and Endpoint Detection and Response (EDR) is deployed across all corporate assets and properly functioning and updated
Routinely validate proper functionality
Implement a security awareness program, at least as it applies to email security as an exceedingly large portion of ransomware campaigns begin via email
Training about legitimate communication channels and document sharing platforms
A web page with visual examples can be very helpful
What does “suspicious” and/or “malicious” look like?
Emails
Websites
Software
Training on how to report suspicious activity/emails
Red Canary Specific
Set up Automate trigger/playbook to alert on and contain malicious high severity detections. This contains precursors to ransomware
Reactive
Isolate the affected endpoint/s through Red Canary/EDR platform
Remove ransomware artifacts, restore from known-good backups, or re-image the system
Determine root cause to prevent future occurrence
If needed, engage your cyber-insurance and get IR services allocated
Red Canary specific
Setup Automate trigger/playbook to key off of the subcategory Ransomware. This will contain active ransomware activity
Additionally the CIS top 18 contain steps to a strong foundation and include a lot of what is listed above.
Additional resources: Prevent mitigate ransomware and Detecting and mitigating ransomware