Ransomware Guidance
    • 16 Aug 2024

    Article summary

    The measures listed below are examples of how to better defend against, mitigate, respond to, and recover from ransomware, and they are as context-specific as possible. This list is neither exhaustive nor applicable to every environment. Test each measure properly before implementing it.

    Proactive

    • Implement multi-factor authentication for:

      • Publicly facing assets and critical services

      • Virtual Private Network (VPN) and other remote access solutions

      • Cloud services such as Office 365 or G Suite

      • User accounts

    • Create backups following the 3-2-1 rule, maintain them, and routinely test both their validity and the restoration process so you know they work when you have to restore from them. For more information, see The 3-2-1 Backup Rule - An Efficient Data Protection Process on the Nakivo blog.

    • Use Application Control and allow-listing, such as AppLocker

    • Disable SMBv1 (really important!!)

    • Disable Office macros

    • Apply the principle of least privilege to local admin accounts.

    • Keep patches up to date so endpoints don’t carry older, known vulnerabilities

    • Obtain and maintain cyber-insurance. Ensure it includes an incident response services retainer.

    • Implement a secure email gateway. 

      • Block .zip files and other extensions

      • Limit or highlight emails from external senders

    • Ensure firewalls are up to date and working as expected

      • Implement strong ingress filtering

      • Implement strong egress filtering

        • Does Active Directory need to communicate with the internet?

      • Routinely audit ingress firewall rules

    • Set script files to open using Notepad: Controlling JavaScript Malware Before it Runs

    • Implement hardened images for operating systems and services

    • Implement web or domain filtering

      • Block newly registered domains

      • Block sites and domains that are categorized as “Malware” or “Suspicious”

    • Ensure Anti-virus (AV) and Endpoint Detection and Response (EDR) are deployed across all corporate assets, functioning properly, and kept updated

      • Routinely validate proper functionality

    • Implement a security awareness program that covers at least email security, since an exceedingly large portion of ransomware campaigns begin via email

      • Training about legitimate communication channels and document sharing platforms

        • A web page with visual examples can be very helpful

      • What does “suspicious” and/or “malicious” look like?

        • Emails

        • Websites

        • Software

      • Training on how to report suspicious activity/emails

    • Red Canary Specific

      • Set up an Automate trigger/playbook to alert on and contain malicious high-severity detections. This contains the precursors to ransomware.
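
    Several of the endpoint items above (disable SMBv1, disable Office macros, open script files in Notepad, least privilege on local admin accounts) come down to a handful of Windows settings that can be audited and enforced from PowerShell. The script below is an added example, not code from the Red Canary article: it reports each check as compliant or not, and the -Remediate switch applies the setting. It assumes an elevated session on Windows 10/11 or Server 2016+, Office 2016 or later (the 16.0 policy hive), and the registry values and ProgIDs named in its comments; the admin-count threshold of two is an assumption to tune per environment. At scale, Group Policy is the right delivery mechanism; the script shows what the resulting settings look like on a single host.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Red Canary article): audits endpoint settings from the
# Proactive list and optionally remediates them. Assumes Windows 10/11 or Server 2016+,
# Office 2016+ (16.0 policy hive) and an elevated session. Run from Group Policy at scale.

# Script ProgIDs that normally hand the file to Windows Script Host.
$ScriptProgIds  = 'JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile', 'WSHFile'
$NotepadCommand = '"%SystemRoot%\system32\notepad.exe" "%1"'

# Office applications whose macro policy is checked (per-user policy hive).
$OfficeApps = 'Word', 'Excel', 'PowerPoint'

function Get-RegistryValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-RansomwareBaseline {
    # Returns one object per check: Name, Compliant, Detail.
    param([switch]$Remediate)
    $results = @()

    # 1. SMBv1 must be off. Set-SmbServerConfiguration covers the server side; the
    #    client binary is a Windows optional feature (on Server: Remove-WindowsFeature FS-SMB1).
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    if ($smb1 -and $Remediate) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $results += [pscustomobject]@{ Name = 'SMBv1 disabled'; Compliant = (-not $smb1); Detail = "EnableSMB1Protocol=$smb1" }

    # 2. Office macros. VBAWarnings 4 = disable all macros without notification;
    #    BlockContentExecutionFromInternet 1 = block macros in files downloaded from the internet.
    foreach ($app in $OfficeApps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        if ($Remediate) {
            New-Item -Path $key -Force | Out-Null
            Set-ItemProperty -Path $key -Name VBAWarnings -Value 4 -Type DWord
            Set-ItemProperty -Path $key -Name BlockContentExecutionFromInternet -Value 1 -Type DWord
        }
        $warn  = Get-RegistryValue $key 'VBAWarnings'
        $block = Get-RegistryValue $key 'BlockContentExecutionFromInternet'
        $results += [pscustomobject]@{
            Name      = "$app macros disabled"
            Compliant = ($warn -eq 4 -and $block -eq 1)
            Detail    = "VBAWarnings=$warn BlockContentExecutionFromInternet=$block"
        }
    }

    # 3. Script files open in Notepad instead of wscript.exe/cscript.exe.
    foreach ($progId in $ScriptProgIds) {
        $key = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
        if ($Remediate -and (Test-Path $key)) {
            Set-Item -Path $key -Value $NotepadCommand   # writes the key's (default) value
        }
        $cmd = Get-RegistryValue $key '(default)'
        $results += [pscustomobject]@{
            Name      = "$progId opens in Notepad"
            Compliant = ($cmd -like '*notepad.exe*')
            Detail    = "command=$cmd"
        }
    }

    # 4. Least privilege: list every member of the local Administrators group so
    #    standing admin accounts can be reviewed and removed. Threshold is an assumption.
    $admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    $results += [pscustomobject]@{
        Name      = 'Local Administrators reviewed'
        Compliant = ($admins.Count -le 2)
        Detail    = ($admins -join ', ')
    }
    return $results
}

# Usage: report first, then remediate once the report has been reviewed.
Test-RansomwareBaseline | Format-Table -AutoSize
# Test-RansomwareBaseline -Remediate | Format-Table -AutoSize
```

    Run the report form first and review the Detail column before using -Remediate: the macro settings are written to the current user's policy hive, so on a shared host they apply only to the account running the script, and per-user file association overrides (UserChoice) can still take precedence over the ProgID command for a given user.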

    Reactive

    • Isolate the affected endpoint/s through Red Canary/EDR platform

    • Remove ransomware artifacts, restore from known-good backups, or re-image the system

    • Determine root cause to prevent future occurrence

    • If needed, engage your cyber-insurance and get IR services allocated

    • Red Canary specific

      • Set up an Automate trigger/playbook keyed off the Ransomware subcategory. This contains active ransomware activity.

    Additionally, the CIS Top 18 Controls lay out the steps to a strong foundation and include much of what is listed above.

    Additional resources: Prevent mitigate ransomware, and Detecting and mitigating ransomware.
