The ransomware protection checklist


The Cybersecurity and Infrastructure Security Agency (CISA) recently released a detailed report about the ransomware-du-jour, BlackMatter. Similar to other Ransomware-as-a-Service threat vectors (which we’ve written about before), it’s cheap and easy to deploy, utterly devastating to infected systems, and cause for real concern in the IT community. I wish this wasn’t such a tired story, but this is life in 21st century technology environments. Ransomware is everywhere, it’s cheap to create and deploy, and very expensive to clean up after if you’re infected. But, CISA also included a pretty exhaustive list of how to mitigate the risk of ransomware that I thought was worth sharing/excerpting. Some strategies are pretty obvious (use passwords, but make them strong), whereas others were less obvious but equally useful tips.

I give you the ransomware protection checklist:

Use Strong Passwords

  • Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts.) to have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access.
  • Note: devices with local administrative accounts should implement a password policy that requires strong, unique passwords for each individual administrative account.

Implement Multi-Factor Authentication

  • Require multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
    • Yes, MFA can be a pain for users who just want things to be convenient, but that’s where you have to be disciplined as an organization and instill a culture of security awareness. You have to model this behavior throughout your org, and insist on it for every one of your employees.

Patch and Update Systems

  • Keep all operating systems and software up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. The vast majority of ransomware attacks exploit outdated software with security vulnerabilities to gain access to system-wide resources. If you keep your software up to date, those vulnerabilities are far less likely to present themselves to attackers.

Limit Access to Resources over the Network

  • Remove unnecessary access to administrative shares, especially ADMIN$ and C$. If ADMIN$ and C$ are deemed operationally necessary, restrict privileges to only the necessary service or user accounts and perform continuous monitoring for anomalous activity.
    • The more you can limit the total number of accounts with admin privileges, the better for your operational security. If an employee does expose your IT stack through a phishing link, etc., if they’re not admin, they have much less access to critical systems. As such… the fewer admin accounts, the less likely your entire system is compromised during a breach.
  • Use a host-based firewall to only allow connections to administrative shares via SMB from a limited set of administrator machines.

Implement Network Segmentation and Traversal Monitoring

Adversaries use system and network discovery techniques for network and system visibility and mapping. To limit an adversary from learning the organization’s enterprise environment, limit common system and network discovery techniques by taking the following actions:

  • Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.
  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.

These strategies are pretty advanced if you’re a small or medium-sized business without a dedicated CTO. That’s where a managed service provider like Leverage comes in — we can set these things up for you to ensure your system safety without cramping your operations or workflows.

Use Admin Disabling Tools to Support Identity and Privileged Access Management

There has been an observed increase in ransomware attacks during non-business hours, especially holidays and weekends. CISA, the FBI, and NSA recommend organizations do the following:

  • Implement time-based access for accounts set at the admin-level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the AD level when the account is not in direct need. When the account is needed, individual users submit their requests through an automated process that enables access to a system, but only for a set timeframe to support task completion.
  • Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities that run from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.

Again — this is super important at a system-wide level, but can be relatively complex to set up and execute. Consider working with a managed service provider to help you set up, monitor and police these implementations.

Implement and Enforce Backup and Restoration Policies and Procedures

  • Maintain offline backups of data, and regularly maintain backup and restoration. This ensures you won’t be severely interrupted, have irretrievable data, or be held up by a ransom demand.
  • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted) and covers the entire organization’s data infrastructure.

If you take away one thing, it should be this — impeccable backup protocols will quite literally save your bacon. If you have encrypted, immutable backup data that executes frequently, you can’t really be held up by a ransom demand… you just refuse to pay, wipe all your machines, and restore from a backup.

We cannot stress this enough — your backup infrastructure is paramount to operational stability.

In closing

CISA has a lot of great literature on how to prepare for and mitigate the risks of ransomware attacks. If you want to get more into the weeds, this white paper is pretty great. But, if you’re like most small or medium-sized businesses, you want to focus on running your business — not spending all your waking time thinking about, preparing for and worrying about cyberattacks. Managed service providers like Leverage can help ease that mental burden — we make sure everything we’ve outlined above is taken care of on your behalf, without slowing down your workflows. Drop us a line today, and let us show you how we can help protect your business from what’s out there.