A few years ago, after reading a spate of unhelpful articles on preventing ransomware infections, I wrote this very narrow guide: https://infosec.engineering/actually-preventing-ransomware/
While all the recommendations in the link above are still relevant, that guide is incomplete, given how many of the ransomware attacks targeting organizations are carried out lately. Conceptually, the focus of adversaries has shifted from workstations to infrastructure, at least with respect to initial entry points.
Recently, many organizations – particularly local governments – have fallen victim to ransomware attacks. It is this trend that prompted me to update and expand this post.
Much of this guidance is highly focused on Windows environments. Ransomware certainly affects other environments, such as Linux; however, the ability of a single ransomware campaign to inflict widespread damage outside a Windows environment is limited, because of the tight trust binding that Active Directory creates across Windows environments.
I recently posted a long Twitter thread about common problems with the implementation and operation of Active Directory, which was included in a BankInfoSecurity post about Active Directory security. The summary is that Active Directory is easy to get wrong, and in many respects, doing it “right” is so challenging that few actually have the ability to manage a secure Active Directory environment. As with most complex business concepts, many organizations, either intentionally or out of ignorance, opt to collect the benefits of Active Directory while disregarding the burdensome security guidance. Right out of the gate, I will direct you to the Active Directory Security blog, and Microsoft’s post on securely designing and administering privileges in Active Directory.
What follows is a long list of controls. Note that not one of them will be fully effective at preventing ransomware in isolation – they are intended to complement and overlap each other. Also note that these controls help avoid and mitigate attacks far beyond simple ransomware: many types of attack use similar intrusion, lateral movement, and propagation techniques.
To keep the posts somewhat readable, I am breaking this up into sections:
Part 1: Introduction
Part 2: Preventing the initial intrusion
Part 3: Preventing lateral movement and propagation
Part 4: Mitigating the damage caused by ransomware and cleaning up the mess
Part 5: Recap and summary of recommendations