Best Practices Against Ransomware Attacks and Hardening Guidelines

Ransomware is malware that encrypts data on a computer system by one of several methods and then demands payment to regain access. It is commonly used in attacks that can disable enterprises. You can follow the best practices and hardening steps outlined below to protect against ransomware attacks and to help you recover your data should an attack occur.

See Also: What Are the Ransomware Infection Vectors

First of all, you can take the following measures to prepare for ransomware attacks:

Make sure you regularly back up your company’s data; cloud storage is a standard tool used for backups. If your employees save important business information on their computers, your organization should also give them clear instructions on how to regularly back up their data.

These best practices can help your organization manage the risk posed by ransomware and respond to a ransomware outbreak in a coordinated and effective manner. It would be helpful if you implement these practices to the fullest extent possible, subject to the availability of corporate resources.

  • Prioritize and back up the data most critical to your organization. Make sure you can restore from your backups, which are usually kept in the cloud, and test the backups frequently.
    • Keep encrypted backups offline and test them regularly. Backups should be taken on a fixed schedule. It is critical to keep backups offline, as many types of ransomware try to find and delete any backups they can reach.
  • Maintain regularly updated images of critical systems when they need to be rebuilt. Images can consist of templates containing related software applications that can be quickly deployed to rebuild a system, such as a preconfigured operating system, virtual machine, or server.
  • Retain redundant hardware so that systems can be rebuilt when rebuilding on the primary hardware is not an option.
  • In addition to system images, backups of current source code or executables are also required. Some images may not be installed correctly on different hardware or platforms, so having separate access to the software needed will be helpful in these cases.
  • A phishing policy is essential, as malicious people often use phishing to infect a system with ransomware. Perform routine social engineering and phishing tests and, whenever possible, use an anti-phishing software program so that employees can detect a phishing email before clicking on any dangerous link or attachment.
  • Update your software with the latest security patches. This critical preventative step will make it harder for malicious people to compromise your system.
  • Develop an organization-wide policy regarding ransomware attacks.
  • Create and implement a basic cyber incident response plan and associated communication plan that includes response and notification procedures for a ransomware incident.
    • Early detection is essential, so make sure your workforce knows how to report a potential ransomware event or unusual network behavior.

Ransomware Attacks Best Practices and Hardening Guide

  • Whenever possible, use multi-factor authentication for all services, especially webmail, virtual private networks, and accounts accessing critical systems.
    • If you use passwords, use strong passwords.
    • Do not reuse passwords for multiple accounts.
    • Change default passwords.
    • Account lockouts can be enforced after a particular number of failed login attempts.
    • Strong passwords can be created and managed with the help of password managers.
  • Apply the least privilege principle to all systems and services so that users only have access to the resources they require to complete their tasks. Threat actors frequently seek privileged accounts to use ransomware to take over networks.
    • User access to install and run software applications should be limited.
    • Limit a local administrator account’s ability to log in via a local interactive session.
    • Remove any accounts or groups that are no longer needed, and limit root access.
    • Local administrator accounts should be controlled and limited.
    • Use the Protected Users Active Directory group on Windows domains to secure privileged user accounts from pass-the-hash attacks.
    • Regularly audit user accounts, especially Remote Monitoring and Management accounts that are publicly accessible; this includes controls for third-party access to managed service providers.
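The account controls above, as an added example that is not part of the original article: it sets a domain lockout and password policy and then reports the account conditions the audit bullet asks you to look for. It assumes the ActiveDirectory module on a domain-joined management host and the threshold values shown, which are illustrative.

```powershell
# Added example: enforce lockout/password settings and audit privileged accounts.
# Assumes the ActiveDirectory RSAT module and rights to change domain policy.
Import-Module ActiveDirectory
$domain = Get-ADDomain

# Lockout after a set number of failures; the numbers are example values, tune them.
Set-ADDefaultDomainPasswordPolicy -Identity $domain.DistinguishedName `
    -LockoutThreshold 10 -LockoutDuration 00:15:00 -LockoutObservationWindow 00:15:00 `
    -MinPasswordLength 14 -PasswordHistoryCount 24 -ComplexityEnabled $true

function Get-PrivilegedAccountFindings {
    # Privileged users who are not in Protected Users lose the pass-the-hash
    # protections the article recommends; report them.
    $protected = @(Get-ADGroupMember 'Protected Users' -Recursive).DistinguishedName
    $privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
    $notProtected = foreach ($g in $privGroups) {
        Get-ADGroupMember $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' -and $_.DistinguishedName -notin $protected } |
            ForEach-Object { [pscustomobject]@{ Group = $g; Account = $_.SamAccountName } }
    }
    # Accounts unused for 90 days are candidates for removal (see "remove accounts
    # that are no longer needed"); passwords that never expire defeat rotation.
    $stale = Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -UsersOnly
    $neverExpires = Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true'
    [pscustomobject]@{
        PrivilegedNotInProtectedUsers = $notProtected
        InactiveOver90Days            = $stale.SamAccountName
        PasswordNeverExpires          = $neverExpires.SamAccountName
    }
}
Get-PrivilegedAccountFindings | Format-List
```

Run the report on a schedule and treat any non-empty list as a ticket, not as information.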
  • In cloud environments, follow the provider's security best practices and enable the security settings it offers.
  • Create, and regularly update, a thorough network diagram that describes the systems and data flows within your organization’s network.
    • The network diagram should include the main networks, specific IP addressing schemes, and overall topology.
  • Use logical or physical network partitioning tools to separate the IT resources of your organization’s various business units or departments and maintain the separation between IT and operational technology.
    • Network segmentation will help contain the impact of any intrusion affecting your organization and prevent or limit the lateral movement of malicious actors.
  • Make sure your organization has a comprehensive asset management approach.
    • Understand and inventory your company’s logical (e.g., data, software) and physical IT assets (e.g., hardware).
    • Understand which data or systems are most important for security, income production, or other vital functions, as well as the interdependencies between them.
    • Establishing inventory and determining the criticality of systems will help your organization assess restoration priorities should an incident occur.
    • Apply more comprehensive security controls or protections to critical assets.
  • Limit PowerShell usage to specific users on a case-by-case basis using Group Policy.
    • Generally, only users or administrators who manage the network or Windows operating systems should use PowerShell.
    • Update PowerShell and enable advanced logging.
    • Remove all earlier PowerShell versions and update PowerShell instances to version 5.0 or later. PowerShell logs before version 5.0 are either absent or do not record sufficient detail to assist enterprise monitoring and incident response activities.
    • Ensure module, script block, and transcription logging of PowerShell instances are enabled (advanced logging).
    • The Windows PowerShell event log and the PowerShell Operational log are the two logs that record PowerShell activity. Enable both, with a retention period of 180 days.
    • Logs should be checked regularly to verify whether log data has been deleted or logging has been turned off.
    • Set the allowed storage size for both logs as large as possible.
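The PowerShell logging settings above, as an added example that is not from the original article: it writes the same policy registry values Group Policy would set, grows both logs, and provides a drift check that also looks for cleared logs. It assumes an elevated Windows PowerShell 5.1 session and a placeholder transcript share.

```powershell
# Added example: enable PowerShell advanced logging on one host and verify it.
# Group Policy writes these same keys; set them by GPO for the whole domain.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    param([string]$SubKey, [string]$Name, $Value, [string]$Type = 'DWord')
    $path = Join-Path $base $SubKey
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# Module logging for every module ("*" under ModuleNames).
Set-PolicyValue 'ModuleLogging' 'EnableModuleLogging' 1
Set-PolicyValue 'ModuleLogging\ModuleNames' '*' '*' 'String'
# Script block logging records the de-obfuscated code that actually ran (event ID 4104).
Set-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging' 1
# Transcription: send transcripts to a write-only share (placeholder path) so an
# intruder on the host cannot simply delete them.
Set-PolicyValue 'Transcription' 'EnableTranscripting' 1
Set-PolicyValue 'Transcription' 'EnableInvocationHeader' 1
Set-PolicyValue 'Transcription' 'OutputDirectory' '\\LOGSERVER\PSTranscripts$' 'String'

# Grow both logs. The classic log supports day-based retention; the Operational log
# is size-bounded, so make it large and forward it to the SIEM for long-term storage.
Limit-EventLog -LogName 'Windows PowerShell' -MaximumSize 1GB -OverflowAction OverwriteOlder -RetentionDays 180
wevtutil sl Microsoft-Windows-PowerShell/Operational /ms:1073741824

function Test-PowerShellLogging {
    # Drift check: schedule this and alert on any $false or a non-zero cleared count.
    $checks = [ordered]@{
        ModuleLogging      = (Get-ItemProperty "$base\ModuleLogging" -ErrorAction SilentlyContinue).EnableModuleLogging -eq 1
        ScriptBlockLogging = (Get-ItemProperty "$base\ScriptBlockLogging" -ErrorAction SilentlyContinue).EnableScriptBlockLogging -eq 1
        Transcription      = (Get-ItemProperty "$base\Transcription" -ErrorAction SilentlyContinue).EnableTranscripting -eq 1
        OperationalLogOn   = (Get-WinEvent -ListLog 'Microsoft-Windows-PowerShell/Operational').IsEnabled
    }
    # System log event ID 104 is "The <name> log file was cleared": a log wiped in the
    # last 24 hours is exactly the tampering the article says to watch for.
    $cleared = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 104; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue
    $checks['LogsClearedLast24h'] = @($cleared).Count
    [pscustomobject]$checks
}
Test-PowerShellLogging
```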
  • Secure domain controllers (DCs). Threat actors often target DCs and use them as a staging point to spread ransomware across the network.
    • Ensure DCs are patched regularly and have critical patches applied as soon as possible.
    • Make sure the DCs are using the most up-to-date version of Windows server operating systems. Security features are better integrated into newer versions of Windows Server operating systems.
    • Make sure no additional software or agents are installed on the DCs, as they can be used to execute arbitrary code.
    • Only the Administrators group should have access to DCs. Users in this group should be restricted and have separate accounts with non-administrative access for daily operations.
    • DC host firewalls must be configured to block internet access. Generally, these systems do not have a valid need for direct internet access. Instead of allowing internet access for DCs, internet-connected update servers can be used to pull required updates.
    • Although Kerberos, the default protocol, is recommended for authentication, enable NTLM auditing to verify that only NTLMv2 responses are sent over the network where Kerberos is not used.
    • Configure systems to reject LM and NTLM (v1) responses where possible.
    • To prevent code injection that can harvest credentials from the system, enable additional protection for the Local Security Authority (LSA). Before enforcing this protection, run it in audit mode against lsass.exe so that any programs that will be affected by enabling it are known in advance.
    • Require SMB signing between hosts and DCs to prevent replay attacks on the network. SMB signing should be applied across the domain as an added layer of defense against these attacks elsewhere in the environment.
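The DC authentication hardening above, as an added example that is not from the original article: it puts LSA protection into audit mode first, restricts NTLM to NTLMv2 with auditing on, requires SMB signing on both sides, and reports the resulting state. It assumes an elevated Windows PowerShell 5.1 session on the DC; the registry values are Microsoft's documented policy settings, and the seven-day review window is an assumption.

```powershell
# Added example: DC authentication hardening with a state report.
# Push the same values by GPO so every DC stays consistent.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# 1. LSA protection, audit mode first. AuditLevel=8 makes lsass.exe log event IDs
#    3065/3066 (Microsoft-Windows-CodeIntegrity/Operational) for each plug-in that
#    would be blocked, without blocking it. Enforce with RunAsPPL=1 only once clean.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe'
if (-not (Test-Path $ifeo)) { New-Item -Path $ifeo -Force | Out-Null }
Set-ItemProperty -Path $ifeo -Name AuditLevel -Value 8 -Type DWord
$enforceLsa = $false   # set to $true after the audit events have been reviewed; reboot applies it
if ($enforceLsa) { Set-ItemProperty -Path $lsa -Name RunAsPPL -Value 1 -Type DWord }

# 2. NTLM. LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLMv1.
#    AuditReceivingNTLMTraffic 2 = audit all incoming NTLM, so remaining NTLM users
#    show up in Microsoft-Windows-NTLM/Operational before anything is blocked.
Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
Set-ItemProperty -Path "$lsa\MSV1_0" -Name AuditReceivingNTLMTraffic -Value 2 -Type DWord

# 3. SMB signing required for both the server and client roles of the DC.
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

function Get-DcAuthHardeningState {
    $l = Get-ItemProperty -Path $lsa
    $audit = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3065, 3066
        StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LsaProtectionEnforced    = ($l.RunAsPPL -eq 1)
        LsaAuditHitsLast7Days    = @($audit).Count      # expect 0 before enforcing
        NtlmV2OnlyRefuseLmNtlm   = ($l.LmCompatibilityLevel -eq 5)
        SmbServerSigningRequired = (Get-SmbServerConfiguration).RequireSecuritySignature
        SmbClientSigningRequired = (Get-SmbClientConfiguration).RequireSecuritySignature
    }
}
Get-DcAuthHardeningState
```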
  • Collect and securely store logs from both network devices and local hosts. Analyzing logs lets you determine whether an event has occurred and what its impact was.
    • Set up centralized log management using a security information and event management (SIEM) tool so that you can correlate logs from both network and host security devices. By examining logs from multiple sources, an organization can better prioritize a single event and determine its impact on the organization as a whole.
    • Preserve and back up logs for critical systems for at least one year if possible.
  • Baseline and analyze network activity to identify normal behavior patterns so that regular, legitimate activity can be more easily distinguished from abnormal network activity.

See Also: System Hardening Standards for Complying with PCI DSS

For detailed information on ransomware and countermeasures, you can review the CISA and NIST ransomware resources.

Surkay Baykara, https://www.pcidssguide.com
A passionate Senior Information Security Consultant working at Cyberwise. Over the past 15+ years my professional career has included several positions beginning as a developer and IT administrator, working my way up to a senior Technical Performance Consultant before joining Biznet back in 2015. I had several different roles at Cyberwise, including Penetration Tester and PCI DSS QSA. In my job as a QSA, I found my passion and worked closely with the Audit and Compliance team. I've been working inside InfoSec for over 15 years, coming from a highly technical background. I have earned several certifications during my professional career including CEH, CISA, CISSP, and PCI QSA.
