Immediate Steps for Ransomware Protection, Mitigation and Prevention

1. Require Multifactor Authentication (MFA) to Access External Services, Especially Email and VPN.

Multifactor authentication (MFA) should be required for all users to access all services available outside of the organization. Valid forms of MFA in addition to having a strong username and password include SMS, hardware tokens, software tokens, or (ideally) mobile application authorization.

Multifactor authentication prevents stolen credentials from being used to access your organization. Users should also be encouraged to enable multifactor authentication in their personal lives for platforms such as social media and financial services.

2. Add an “External” Warning to All Emails Originating From Outside Your Organization.

Provide a simple, clear warning to all users letting them know that an email originated from outside the organization. You may also include a brief note about the danger of clicking links or opening attachments from external sources. This reminder will cause users to pay more attention to the content of the email message.

This can be done by adding warning banner text using transport rules in both Microsoft Exchange on-prem and Microsoft 365 (formerly Office 365). (Note: interfaces and workflows change frequently, so admins may need to reach out to support and/or their peers to get the most up-to-date tutorials.)

3. Patch All Systems: Apply All Operating System and Application Updates.

Make sure every Windows (or OSX, Linux, Red Hat, etc.) update is in place on every server, desktop, and laptop within at least a month of release. This feels like common knowledge that wouldn’t be included as a specialized security insight. But out of all the clients we begin working with, over 90% are behind on patching by 90 days or more. If our client base is any indication, many enterprises are not successfully patching within that 30-day mark. Some are not patching at all.

Among all our new clients, over 90% are behind on patching by 90 days or more.

Patching is absolutely critical, and not just for Windows. Linux, enterprise software applications, security appliances, etc. all need to be updated routinely. In addition, they must be a current release so that they can receive updates. (For example, Windows 7 and Windows 2008 R2 — and earlier versions — are no longer supported. Any server running them is, by default, not being patched.)

Lastly, organizations often place too much trust in their patching tool or process. A patching tool or process should never be trusted. Patching needs to be closely monitored and frequently audited both internally and externally.

4. Ensure Critical Domain Security Settings Are in Place.

A number of security settings should be in place in your environment to secure your environment. Many of them will be platform- and application-specific. However, we have found several core security settings for Active Directory domains that are set insecurely at nearly every client impacted by a critical malware infection.

You should absolutely have a comprehensive security compliance program. And you should work through all the compliance violations in your environment. But we recommend that these come first on the list. If they’re not correct, it is only a manner of time before a compromise. For specifics, see additional details below.

5. Ensure a Phishing Email Policy Is in Place, Test It and Give It Teeth.

Phishing is a major entry point for ransomware. To help prevent this, your security policies should include language and procedures related to phishing emails. We recommend including the following components:

An Education Program

Require yearly training for all employees to educate them about how to recognize and handle phishing emails so they will be more prepared.

Periodic Testing

Use a phishing test service that can spam all your employees with an email that looks legitimate and asks them to click a link and sign in. This will give your organization a performance benchmark. It will also give leadership and management the data they need to develop or refine a training strategy.

Accountability

Include accountability in your phishing-related policies and communicate that via training, periodic reminders, and onboarding. For example, many companies require additional individual training for failed phishing tests and manager-supervised training for subsequent offenses. Some make a game out of phishing test results where the losing department needs to buy lunch for the winning department.

Other companies revoke network access after multiple phishing test failures and trainings. Recently, a financial institution we were working with removed access to email and the internet for a problem user and reverted to physical memos for that individual.

Some organizations have even gone so far as to make submitting your credentials during a phishing test three times in a row a fire-able offense. Unfortunately, these more draconian measures tend to discourage employees from reporting when they see something suspicious.

With these five steps taken care of, you will be significantly closer to preventing a successful ransomware attack. But where should you focus your attention next?

Where to Focus Next for Ransomware Prevention

To improve your organization’s security against ransomware attacks, we recommend prioritizing these twelve ransomware mitigation steps next.

1. Review the List of Domain Administrators and Ensure Only Required Accounts Have Group Membership.

There should be a limited number of end users with heightened access to your organization’s environment. The list should be reviewed at least annually to ensure rogue accounts have not been added to the group.

2. Port Scan External Networks for Common Microsoft Ports.

This advice is especially applicable for smaller environments. If you have an external network range used to expose internal systems externally, conduct an external port scan that targets common Microsoft ports such as Remote Desktop and File Sharing. In general, these should never be available over the internet. If they are, it’s typically a sign that a firewall ruleset was accidentally left open.

We have seen this impact several organizations. A web server for an application gets set up and a firewall rule is put in with open access by accident. Then, that server is suddenly exposed to attacks on SMB file sharing. With one missing patch or one domain security setting fault, an organization suddenly has an infection point for the entire network.

3. Require Additional Training for VIPs in Your Organization.

High level and executives are frequently targeted as VIPs by specialized hacking groups for phishing. The process, known as spear phishing, is a common method to infiltrate important user accounts. These users should be given further training to recognize malicious emails and attacks in progress.

4. Enable Centralized Logging for Egress Traffic From All Edge Firewalls.

Ransomware and other malware communicate outside of an organization to a command-and-control (C&C) infrastructure to report in and get further instructions. All egress (outgoing) traffic should be logged into a centralized collection and analysis system to identify anomalous traffic and notify relevant admins via automation. This can act as a “canary in a coal mine” early warning system that indicates a possible breach and beachhead.

5. Enable Detailed Audit Logs for Services Such as Email and Remote Access.

All externally accessible services (email, VPN, remote access, etc.) should have detailed audit logs that can be reviewed from a central location. At a minimum, attributes to log include usernames, source internet addresses, timestamps, and status (success or failure).

6. Require Complex Account Passwords.

One trick still used in attacks is to compromise insecure passwords. Requiring all users to have complex passwords of at least 8 characters is a must because only one weak link can give attackers access to data. This can be accomplished by ensuring the policy “Password must meet complexity requirements” is enabled in the Microsoft Active Directory Domain User Password Policy, and similar settings can be applied to other environments.

However, we also recommend getting rid of “change your password every 90 days” rules that many organizations still use. Forcing periodic password changes every 90 days has been proven to have no mathematically meaningful effect on password efficacy and is no longer part of the NIST security recommendations. By allowing end users to keep their password for a longer time (or even indefinitely), they will be less likely to perform insecure actions like writing it down or intentionally making it weaker. Balanced with communications, training, and guidance for creating complex, memorable passwords, you can ensure secure handling of passwords and complexity that can prevent brute force harvesting.

7. Block Direct Internet Access and Route Everything Through a Proxy

On an internal network, there should generally not be a route directly to the internet. All internet access should run through some form of internet proxy that can filter, check against known attack sites, and detect and block certain traffic. Your proxy should also provide monitoring and reporting capabilities so that you can view visited sites. In our increasingly work-from-home world, cloud-based options can allow you to specify end-user devices you own and that are outside of your network, to be proxied the same way.

8. Conduct a Vulnerability Scan and Assessment and Implement High Priority Recommendations.

An annual (or more frequent) vulnerability scan and assessment from a reputable organization can identify known vulnerabilities within your environment and provide necessary information to address and eliminate them. Even if you have your own internal scanning function, it is important to have an external party conduct these assessments, since it removes any bias and helps audit results that the tools you’re relying on may be providing. You should then implement the highest priority recommendations resulting from that assessment and develop a plan to work through any remaining action items.

9. Implement an Effective Anti-Malware Toolset and Process.

Install an enterprise-class antivirus and anti-malware tool on every server and every desktop in your environment. Ensure that all those systems check in for updates at least daily. Then, develop a continual improvement process to evaluate the total number of devices on your network and in your endpoint inventory against the list of healthy, updated endpoints. As part of that process, have remaining devices chased down and corrected or taken off the network.

10. Establish a Robust, Audited, Highly Monitored Backup Solution.

At some point, you will be impacted by ransomware or other disasters, even if you do the right things. Implementing robust backup systems will ensure all critical data is saved. But you need to take this one step further.

Backups should be monitored. All key systems should be manually audited on a regular schedule. Backup management systems should also be disconnected from the domain that houses the systems they are backing up. (Our best practice is that Windows or other backup infrastructure should be standalone, not a member of a domain, and locked down.)

11. Ensure High-Level Administrators Have Separate User Accounts.

Any person that has authority to administer a system (i.e., alter the credential or authentication of a system, such as a server administrator, domain administrator, etc.) should have two accounts. One account will function as their everyday account with the access they need to perform the duties of their job outside of system administration. For example, this everyday account can be used to access applications and email systems.

A second account should contain their administrative access and should only be used when accessing those systems. Ideally, their account with administrative access is not used on the same workstation as their everyday account. Why? If they log into an infected workstation with administrator privileges, then ransomware infecting that workstation can spread through the rest of the organization via that administrator account. This is known as “privilege escalation.” Additionally, hackers can steal cached credentials of the elevated user account and then use them to infect the rest of the organization.

By taking these eleven additional actions, your organization will be in a stronger place to prevent ransomware attacks from significantly affecting your day-to-day operations. Unfortunately, nefarious actors are continually developing new approaches to cripple your infrastructure and demand exorbitant amounts to restore it (if they’re even able to). To stay ahead of the curve, your business needs to reach the next level of ransomware mitigation.

Here’s How to Reach the Next Level of Ransomware Mitigation

Depending on your organization’s size, industry, and numerous other factors, you may need to take prevention and resiliency to the next level. Below are seven additional steps that you can take to boost protection against ransomware and other malicious attacks.

1. Implement a Cyber Recovery Solution.

A cyber recovery solution is a backup that is both protected from your environment and immutable (cannot be changed). If your environment were to be a total loss due to ransomware or another disaster, your cyber recovery environment would be firewalled from production and would leverage a storage solution that would remain uncorrupted. A cyber recovery solution can simply provide a restore back to your production environment or even act as a complete recovery hosting environment.

2. Remove Administrator Rights From End-User Devices.

End users should not have or require administrator rights to their local workstations. This helps prevent the installation of malware.

3.Remove All Attachments From Emails External to Your Organization.

Email attachments are a common vector for malware infections. With the use of collaboration software such as Microsoft Teams, Slack, etc., fewer people will email documents and other attachments. Email attachments from external users can thus be removed from incoming emails and quarantined. Users who are expecting external attachments should request that senders utilize an alternative method, such as encrypted email systems, to receive those attachments.

4. Develop a Disaster Recovery Plan.

What happens if you are attacked in the worst way? Develop a plan for how you would operate in the event of a total loss and what your approach would be for recovery. The plan does not have to include every answer. Instead, it should be a general framework to guide decision making when responding to the disaster.

5. Implement a Next-Generation Anti-Malware Toolset.

Many new anti-malware tools have recently come on the market that monitor for malicious activity instead of relying purely on known malicious signatures. For example, Carbon Black and similar products are much more likely to catch malware used to compromise an environment since they rely on “zero-day” attacks (i.e., the code is compiled specifically for the attack so that it does not match any virus signature). These toolsets do require significantly more administration than standard antivirus toolsets, and most environments utilizing them will require a dedicated administrator or even a small team.

6. Implement a Security Monitoring Service.

Security event and incident management is a way to detect patterns and monitor for suspicious activity. These services leverage logging, alerting and custom agents across the environment to detect malicious activity. The rigor of this approach requires management by trained, experienced professionals as well as stringent processes.

7. Block Access to Known Malware Domains and Internet Addresses.

Utilize a combination of firewall and web filtering to block access to known domains and internet addresses that either host or communicate with malware. Web filtering should also be implemented for all users and devices to block access to certain categories (e.g., pornography, hate speech, firearms, etc.). Keeping up to date is incredibly difficult, which is why this approach is often paired with a threat management service.

Vervint: Comprehensive and Tailored IT Managed Services

With a broad range of technology and security expertise, the experts at Vervint are ready to connect, understand the specific needs your business has, and find a solution that’s right for you and your budget. All you need to do to get started is complete a simple contact form to start a conversation. We look forward to hearing from you!

Critical Domain Security Setting Details

Below are group policy settings that should be put in place and validated. The names of GPO templates may vary, but validating that these settings are effectively in place is critical.

1. Default Domain Policy (Group Policy)

• Network security: LAN Manager authentication level = Send NTLMv2 response only
• Network security: Minimum session security for NTLM SSP based (including secure RPC) clients = Require NTLMv2 session security and Require 128-bit encryption
• Network security: Minimum session security for NTLM SSP based (including secure RPC) servers = Require NTLMv2 session security and Require 128-bit encryption
• Microsoft network client: Digitally sign communications (if server agrees) = Enabled
• Microsoft network client: Digitally sign communications (always) = Enabled
• Microsoft network server: Digitally sign communications (if client agrees) = Enabled
• Microsoft network server: Digitally sign communications (always) = Enabled
• Domain member: Digitally encrypt secure channel data (when possible) = Enabled
• Domain member: Digitally sign secure channel data (when possible) = Enabled
• Domain member: Digitally encrypt or sign secure channel data (always) = Enabled

2. Default Domain Controllers Policy (Group Policy)

• Network security: LAN Manager authentication level = Send NTLMv2 response only\refuse LM & NTLM
• Network security: Minimum session security for NTLM SSP based (including secure RPC) clients = Require NTLMv2 session security and Require 128-bit encryption
• Network security: Minimum session security for NTLM SSP based (including secure RPC) servers = Require NTLMv2 session security and Require 128-bit encryption
• Microsoft network client: Digitally sign communications (if server agrees) = Enabled
• Microsoft network client: Digitally sign communications (always) = Enabled
• Microsoft network server: Digitally sign communications (if client agrees) = Enabled
• Microsoft network server: Digitally sign communications (always) = Enabled
• Domain member: Digitally encrypt secure channel data (when possible) = Enabled
• Domain member: Digitally sign secure channel data (when possible) = Enabled
• Domain member: Digitally encrypt or sign secure channel data (always) = Enabled
• Store passwords using reversible encryption = Disabled