eBook

Azure Defenses for Ransomware Attack
June 2023

@2023, Microsoft Corporation. All rights reserved.


Acknowledgements
Author
Charles Iheagwara, Principal Program Manager

Contributors
Mark Simos, Lead Cybersecurity Architect

Yuri Diogenes, Principal PM Manager

Utsav Raghuvanshi, Program Manager II

Amrita Satapathy, Principal Program Manager

Terry Lanfear, Principal Content Developer

Mohit Kumar, Senior PM Manager

Jack Richins, Principal Program Manager

Scott Gorlick, Principal Security Architect


Table of Contents
Executive Summary

Ransomware: A significant threat

Ransomware Evolution: Current model vastly expands extortion scope

Azure Provides Native Ransomware Protections

Preparing for Ransomware Attacks: Stay ahead of attackers

Preparing for Quick Recovery: Restore business operations fast

Detecting Ransomware Attacks: Accelerate detection with the right tools

Responding to Ransomware Attacks: Increase effectiveness with practiced incident response teams

Road to Recovery: Microsoft experts provide insights

Conclusion

Executive Summary
Ransomware and extortion attacks are a high-profit, low-cost attacker
business model that has a debilitating impact on targeted organizations,
national security, economic security, and public health and safety. What
started as simple single-PC ransomware has grown to include a variety of
extortion techniques directed at all types of organizations and platforms.

To ensure customers running on Azure are protected against ransomware
attacks, Microsoft has invested heavily in the security of our cloud
platforms and provides security controls to help you protect your Azure
cloud workloads.

By leveraging Azure native ransomware protections and implementing the
best practices recommended in this eBook, you are taking measures that
ensure your organization is optimally positioned to prevent, detect, and
respond to ransomware and extortion attacks on your Azure assets.

This eBook guides you through the Azure native capabilities and defenses
against ransomware attacks that you can proactively leverage to protect your
assets in the Azure cloud.


Introduction


Ransomware: A significant threat

Who can be targeted by ransomware bad actors?

Ransomware explained

Figure 1: Percentage Distribution of Key Sectors Targeted in Recent Ransomware Attacks


How can my assets in the cloud be targeted?

When attacking cloud infrastructure, adversaries often attack multiple
resources to try to obtain access to customer data or company secrets.
The cloud kill chain model (Figure 2) explains how attackers attempt to
gain access to any of your resources running in the public cloud through
a four-step process: exposure, access, lateral movement, and actions.

Figure 2: The Cloud Kill Chain Model

1. Exposure is where attackers look for opportunities to gain access to your
infrastructure. For example, attackers know customer-facing applications must
be open for legitimate users to access them. Those applications are exposed to
the Internet and therefore susceptible to attacks. Microsoft Defender External
Attack Surface Management discovers and maps your externally-facing attack
surface to provide insight about your 1st & 3rd party online infrastructure that
is accessible to the open Internet.

2. Attackers will try to exploit an exposure to gain access to your public cloud
infrastructure. This can be done through compromised user credentials,
compromised instances, or misconfigured resources.

3. During the lateral movement stage, attackers discover what resources they
have access to and what the scope of that access is. Successful attacks on
instances give attackers access to storage, databases and other sensitive
information. The attacker then searches for additional credentials. Our
Microsoft Defender for Cloud data shows that without a security tool to quickly
notify you of the attack, it takes organizations on average 101 days to discover
a breach. Meanwhile, in just 24-48 hours after a breach, the attacker will
usually have complete control of the network.

4. The actions an attacker takes after lateral movement are largely dependent
on the resources they were able to gain access to during the lateral movement
phase. Attackers can take actions that cause data exfiltration, data loss or
launch other attacks. For enterprises, the average financial impact of data loss
is now reaching $1.23 million.


Why do ransomware attacks succeed?

There are several reasons why ransomware attacks succeed, and many organizations are
susceptible to these factors. The top factors include:

• The attack surface has increased as more and more businesses offer more services
through digital outlets
• The considerable ease of obtaining off-the-shelf malware and Ransomware-as-a-Service (RaaS)
• With the above, the option to use cryptocurrency for blackmail payments has
opened new avenues for exploitation
• Expansion of computers and their usage in different workplaces (local school
districts, police departments, police squad cars, etc.), each of which is a potential
access point for malware and adds to the attack surface
• Prevalence of old, outdated, and antiquated infrastructure systems and software
• Poor patch management regimen
• Outdated or very old operating systems that are close to or have gone beyond
end-of-support dates
• Lack of resources to modernize the IT footprint
• Knowledge gap
• Lack of skilled staff and overdependency on key personnel
• Poor security architecture

As illustrated in Figure 3, attackers use different techniques, such as RDP brute
force attacks, to exploit vulnerabilities.

Figure 3: Ransomware Compromise Techniques


Should you pay ransom if attacked?

There are varying opinions on what the best option is when confronted with this vexing demand. The
Federal Bureau of Investigation (FBI) advises victims not to pay ransom but to instead be vigilant
and take proactive measures to secure their data before an attack. They contend that paying
doesn’t guarantee that locked systems and encrypted data will be released again. The FBI
says another reason not to pay is that payments to cyber criminals incentivize them to continue to
attack organizations.

While you may ultimately be forced into a difficult position where paying seems to be the best option,
you should never plan to pay the ransom ahead of time. Paying the ransom doesn't immediately
restore services; it often requires tools that are prone to failure and require manual restore steps on
each device. It also marks your organization as “willing to pay” to the criminal underground, provides
attack groups with funding to buy more advanced tools, and carries the risk of funding criminal
and/or terrorist activity (which is explicitly outlawed in some jurisdictions).

You may find yourself a victim of an intentional destruction attack where there is no recovery key
available (such as in the case of NotPetya and some recent attacks related to Ukraine).

In the end, the best way to avoid paying ransom is not to fall victim in the first place: implement
preventive measures and deploy enough tooling to protect your organization at every step an
attacker takes, wholly or incrementally, to break into your systems. In addition, having the ability to
recover impacted assets will ensure restoration of business operations in a timely fashion. Azure Cloud
has a robust set of tools to guide you all the way.


What is the typical cost to a business?

Impact to business

Ransomware risks

The impact of a ransomware attack on any organization is difficult to quantify
accurately. However, depending on the scope and type, the impact is multi-
dimensional (see Figure 4) and is broadly expressed in:

• Loss of data access
• Business operation disruption
• Financial loss
• Intellectual property theft
• Compromised customer trust/tarnished reputation

Figure 4: Impact of Ransomware Attack to Business

Colonial Pipeline paid about $4.4 Million in ransom to have their data
released. This does not include the cost of downtime, lost productivity, lost
sales and the cost of restoring services. More broadly, a significant impact is
the “knock-on effect” of impacting high numbers of businesses and
organizations of all kinds including towns and cities in their local areas. The
financial impact is also staggering. According to Microsoft, the global cost
associated with ransomware recovery was projected to exceed $20 billion in
2021 and is expected to grow year to year as both the number and scope of
attacks continue to increase.


Ransomware: Current model vastly expands extortion scope

How did ransomware evolve as a business?

Since the first known ransomware attack was disclosed in 1989, much of the
industry has significantly changed, not just in the number of attacks
occurring every year and the sophistication of those attacks, but in the
emergence and evolution of new ransomware business models. The two
common types are “Commodity Ransomware” and “Human Operated
Ransomware.” Each has its distinctive attributes.

Commodity ransomware attacks target individuals, are pre-programmed,
opportunistic and are unlikely to cause business disruption. Human-
operated ransomware is sometimes referred to as “big game ransomware,”
a term that implies cybercriminals select specific networks for their value
proposition and then hunt for entry vectors. This approach has been the
exception, not the rule, in most major ransomware attacks in the past year.
Cybercriminals perform massive wide-ranging sweeps of the internet,
searching for vulnerable entry points. Or they enter networks via
“commodity” trojans and then “bank” this access for a time and purpose
that’s advantageous to them.

Figure 5: Evolution of Ransomware Models

While ransomware existed in small pockets before, the business model didn’t
take off at scale until the introduction of Cryptolocker in 2013, which kicked off
a surge in this opportunistic, single device way of monetizing cybercrime.


How did ransomware evolve as a business? (cont.)

The most recent phase in ransomware evolution, as illustrated
in Figure 5, can be traced to WannaCry and (Not)Petya, which
fused large scale compromise techniques with an encryption
payload that demanded a ransom payment in exchange for the
decryption key.

This fusion inspired the new generation of human operated
ransomware that started popping up around June 2019, and
vastly expanded the ransomware business model into an
enterprise scale operation blending targeted attack techniques
and the extortion business model (threatening disclosure of
data and/or encryption in exchange for payment).


Azure Provides Native Ransomware Protections

Microsoft has invested in Azure native security capabilities that organizations
can leverage to defeat ransomware attack techniques found in both high
volume everyday/commodity and sophisticated targeted attacks.

Key capabilities for Native Security Controls:

Native Threat Detection

Microsoft Defender for Cloud provides high quality threat detection and response
capabilities, also called Extended Detection and Response (XDR). This helps you:

• Avoid wasting time and talent of scarce security resources to build custom alerts
using raw activity logs
• Ensure effective security monitoring, which often enables security teams to rapidly
approve use of Azure services

Passwordless and Multi-factor Authentication

Azure MFA, Azure AD Authenticator App, and Windows Hello provide these capabilities.
This helps protect accounts against commonly seen password attacks (which account for
99.9% of the volume of identity attacks we see in Azure AD). While no security is perfect,
eliminating password-only attack vectors dramatically lowers the ransomware attack risk
to Azure resources.

Native Firewall and Network Security

Microsoft built native DDoS attack mitigations, Azure Firewall, Web Application Firewall
(WAF), and many other controls into Azure. These security 'as a service' offerings help
simplify the configuration and implementation of security controls. They give
organizations the choice of using native services or virtual appliance versions of
familiar vendor capabilities to simplify their Azure security.


Native Network based Threat Detection and Prevention

Microsoft built cloud native DDoS attack mitigations, Firewall, Web
Application Firewall, and many other controls into Azure.

These security 'as a service' products help simplify implementation
and configuration of security controls. These security controls allow
organizations to detect and prevent network and application-based
attacks while simplifying their Azure security.

Azure Firewall Premium TI and IDPS signatures can identify and block
command-and-control activity and other operations used by
ransomware at the network layer to enable early detection,
comprehensive attack prevention or lower their impact to resources.

Azure Firewall integration with Microsoft Sentinel provides automated
detection and response capabilities in the form of an easy-to-deploy
and use solution.

Figure 6: Detecting and Preventing Ransomware with Azure Firewall


Microsoft Defender for Cloud

Microsoft Defender for Cloud is a cloud-native application protection platform
(CNAPP) with a set of security measures and practices designed to protect
cloud-based applications from various cyber threats and vulnerabilities.

Defender for Cloud has different plans to help protect your hybrid workloads, cloud
native services, and servers from ransomware and other threats; it integrates with
your existing security workflows like your SIEM solution and Microsoft’s vast threat
intelligence to streamline threat mitigation.

Defender for Cloud has a built-in Ransomware workbook that maps security
recommendations to the MITRE ATT&CK framework, facilitating the prioritization of
remediations to help prevent successful attacks.

Defender for Cloud helps you to incorporate good security practices early during the
software development process, or DevSecOps. You can protect your code
management environments and your code pipelines and get insights into your
development environment security posture from a single location. In addition,
Defender for Cloud extends protection to on-premises and multi-cloud workloads,
including Containers and SQL databases, using Azure Arc.

Figure 7: Defender for Cloud


Microsoft Sentinel helps to create a complete view of a kill chain

With Sentinel you can connect to any of your security sources using built-in
connectors and industry standards and then take advantage of artificial
intelligence to correlate multiple low fidelity signals spanning multiple sources
to create a complete view of a ransomware kill chain and prioritized alerts so
that defenders can accelerate their time to evict adversaries.

Microsoft Sentinel is your birds-eye view across the enterprise, alleviating the
stress of increasingly sophisticated attacks, increasing volumes of alerts, and
long resolution time frames.

Figure 8: Microsoft Sentinel SIEM Tool

Microsoft Sentinel: Optimize security operations with cloud-native SIEM powered by AI and automation

• Harness the scale of the cloud, eliminating infrastructure setup and
maintenance and collecting data across your entire organization.
• Detect evolving threats using Microsoft's ML-based analytics
and unparalleled threat intelligence from Microsoft’s expert security team.
• Expedite incident response and easily understand the scope of an attack
with incidents that automatically map related entities, and integrate
automation into your day-to-day operations workflow.
• Get ahead of attackers: rapidly hunt for threats with the built-in robust threat
hunting tool and get advanced insights into entities fueled by built-in User
and Entity Behavior Analytics (UEBA).


Microsoft Defender for Cloud has capabilities to detect and prevent ransomware,
malware, and threats against your workloads in Azure

Keeping your resources safe is a joint effort between your cloud provider,
Azure, and you, the customer. You have to make sure your workloads are
secure as you move to the cloud, and at the same time, when you move to
IaaS (infrastructure as a service) there is more customer responsibility than
there was in PaaS (platform as a service) and SaaS (software as a service).
Microsoft Defender for Cloud provides you the tools needed to harden
your network, secure your services and make sure you're on top of your
security posture.

Microsoft Defender for Cloud is a cloud-native application protection
platform (CNAPP) with a set of security measures and practices designed to
protect cloud-based applications from various cyber threats and
vulnerabilities. Defender for Cloud combines the capabilities of a cloud
security posture management (CSPM) solution that surfaces actions that
you can take to prevent breaches and a cloud workload protection platform
(CWPP).

Microsoft Defender for Cloud's threat protection enables you to detect and
prevent threats at the IaaS and PaaS layers in Azure, as well as in non-Azure
servers.

Microsoft Defender for Cloud has different plans that offer tailored threat
detection and alert correlation with fusion. This capability automatically
correlates alerts in your environment based on cyber kill-chain analysis, to
help you better understand the full story of an attack campaign, where it
started and what kind of impact it had on your resources.
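The cloud kill chain described earlier (exposure, access, lateral movement, actions) and the kill-chain correlation that Sentinel and Defender for Cloud fusion perform can be illustrated with a small correlator. The following is an added example, not Microsoft's code and not how Sentinel or fusion are implemented: it takes low-fidelity signals from several constructed sources, groups them per affected resource inside a time window, maps each signal type to a kill-chain stage, and only raises an incident when more than one stage is evidenced. The signal types, source names, resource names and timestamps are all constructed for illustration.

```python
"""Correlate low-fidelity signals from several sources into one kill-chain view.

Added example, not Microsoft's code. The signal types, source names and
timeline below are constructed; the stage mapping follows the four-step
cloud kill chain (exposure, access, lateral movement, actions).
"""
from collections import defaultdict
from datetime import datetime, timedelta

STAGE_ORDER = ["exposure", "access", "lateral_movement", "actions"]
# Severity grows with the deepest stage reached; reaching "actions" is critical.
SEVERITY_BY_DEPTH = ["low", "medium", "high", "critical"]

# Constructed mapping from a signal type to the kill-chain stage it evidences.
STAGE_OF = {
    "exposed_rdp_endpoint": "exposure",
    "rdp_bruteforce": "access",
    "signin_from_new_ip": "access",
    "storage_keys_listed": "lateral_movement",
    "new_role_assignment": "lateral_movement",
    "shadow_copies_deleted": "actions",
    "mass_file_rename": "actions",
}

T0 = datetime(2023, 6, 1, 8, 0)
# Constructed signals: (time, source, affected resource, signal type).
SIGNALS = [
    (T0 - timedelta(days=5), "azure_firewall", "vm-web01", "rdp_bruteforce"),   # old, isolated
    (T0, "defender_easm", "vm-web01", "exposed_rdp_endpoint"),
    (T0 + timedelta(minutes=40), "azure_firewall", "vm-web01", "rdp_bruteforce"),
    (T0 + timedelta(hours=1), "azure_ad_signin", "vm-web01", "signin_from_new_ip"),
    (T0 + timedelta(hours=2), "azure_ad_signin", "vm-db02", "signin_from_new_ip"),  # lone signal
    (T0 + timedelta(hours=5), "activity_log", "vm-web01", "storage_keys_listed"),
    (T0 + timedelta(hours=9), "defender_endpoint", "vm-web01", "shadow_copies_deleted"),
    (T0 + timedelta(hours=9, minutes=5), "defender_endpoint", "vm-web01", "mass_file_rename"),
]


def _close_cluster(entity, cluster):
    """Turn a time-bounded cluster of signals into an incident, or None."""
    if not cluster:
        return None
    stages = {STAGE_OF[kind] for _, _, kind in cluster}
    if len(stages) < 2:
        return None  # a single stage stays a low-fidelity alert, not an incident
    depth = max(STAGE_ORDER.index(s) for s in stages)
    first, last = cluster[0][0], cluster[-1][0]
    return {
        "entity": entity,
        "stages": [s for s in STAGE_ORDER if s in stages],
        "sources": sorted({src for _, src, _ in cluster}),
        "severity": SEVERITY_BY_DEPTH[depth],
        "first_seen": first,
        "dwell_hours": (last - first).total_seconds() / 3600,
    }


def correlate(signals, window=timedelta(hours=48)):
    """Group signals per affected resource into clusters no wider than `window`
    and return the resulting incidents, most severe first."""
    by_entity = defaultdict(list)
    for ts, source, entity, kind in sorted(signals, key=lambda s: s[0]):
        by_entity[entity].append((ts, source, kind))

    incidents = []
    for entity, events in by_entity.items():
        cluster = []
        for event in events:
            # A gap wider than the window closes the current cluster.
            if cluster and event[0] - cluster[0][0] > window:
                inc = _close_cluster(entity, cluster)
                if inc:
                    incidents.append(inc)
                cluster = []
            cluster.append(event)
        inc = _close_cluster(entity, cluster)
        if inc:
            incidents.append(inc)

    incidents.sort(key=lambda i: (-SEVERITY_BY_DEPTH.index(i["severity"]), i["entity"]))
    return incidents


if __name__ == "__main__":
    for inc in correlate(SIGNALS):
        print(f"{inc['severity'].upper():8} {inc['entity']}: {' -> '.join(inc['stages'])} "
              f"(sources: {', '.join(inc['sources'])}, dwell {inc['dwell_hours']:.1f}h)")
```

On the constructed data only vm-web01 becomes an incident: its signals span all four stages within the window, so it is ranked critical, while the isolated sign-in on vm-db02 and the stale brute-force attempt from five days earlier stay as individual alerts. The dwell-time figure is the kind of number the text's 101-day breach-discovery statistic refers to.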


Microsoft Defender for Cloud Key Capabilities

• Continuous security assessment: Identify Windows and Linux machines with
missing security updates or insecure OS settings and vulnerable Azure
configurations. Add optional watchlists or events you want to monitor.
• Cloud Security Explorer: Provides you with the ability to perform proactive
exploration, enabling you to search for security risks within your organization.
• Centralized policy management: Ensure compliance with company or
regulatory security requirements by centrally managing security policies across
all your hybrid cloud workloads.
• Industry’s most extensive threat intelligence: Tap into the Microsoft
Intelligent Security Graph, which uses trillions of signals from Microsoft services
and systems around the globe to identify new and evolving threats.
• Advanced analytics and machine learning: Use built-in behavioural analytics
and machine learning to identify known attack patterns and post-breach activity.
• Attack Path Analysis: Graph-based algorithm that scans the cloud security graph to
find exploitable paths that attackers may use to breach your environment. Attack path
analysis exposes attack paths and suggests recommendations as to how best to
remediate issues that will break the attack path and prevent successful breach.
• Prioritized alerts and attack timelines: Focus on the most critical threats first with
prioritized alerts and incidents that are mapped into a single attack campaign.
• Streamlined investigation: Quickly investigate the scope and impact of an attack
with a visual, interactive experience. Use ad hoc queries for deeper exploration of
security data.
• Automation and orchestration: Automate common security workflows to address
threats quickly using built-in integration with Azure Logic Apps. Create security
playbooks that can route alerts to an existing ticketing system or trigger incident
response actions.
• Drive governance at scale: Assign owners and set remediation due dates.
Configure governance rules at scale for your entire organization. Automatic email
reminders to owners and manager escalation.


Security Posture Management in Defender for Cloud

Microsoft Defender for Cloud continually assesses your security posture so
you can track new security opportunities and precisely report on the progress
of your security efforts.

Defender for Cloud provides hardening recommendations based on any
identified security misconfigurations and weaknesses. This helps to reduce the
attack surface in your environment, decreasing the likelihood of successful
ransomware attacks.

Native Threat Detection with Microsoft Defender for Cloud

Microsoft Defender for Cloud offers different plans to protect a variety of
workloads in Azure, Amazon Web Services (AWS) and Google Cloud Platform
(GCP). When a threat or suspicious activity is identified in the protected
workload, a security alert is generated and presented in the dashboard.
These alerts describe details of the affected resources, suggested remediation
steps, and in some cases an option to trigger a logic app in response.

The alert below is an example of a detected Petya ransomware alert:


Azure Native Backup Solution Protects Your Data

One important way that organizations can help protect against losses in a ransomware attack is to
have a backup of business-critical information in case other defenses fail. Since ransomware attackers
have invested heavily into neutralizing backup applications and operating system features like volume
shadow copy, it is critical to have backups that are inaccessible to a malicious attacker. With a flexible
business continuity and disaster recovery solution, industry-leading data protection and security
tools, Azure cloud offers secure services to protect your data:

Azure Backup

Azure Backup, part of Azure Business Continuity and Disaster Recovery (BCDR) services, provides a
simple, secure, and cost-effective solution to back up your Azure VMs, on-prem servers, databases
running in Azure VMs, and other Azure resources. Additionally, several Azure resources also provide
their own built-in backup solutions. Azure Backup also provides several enhanced protection features
like immutability, MUA and soft delete to help protect better against threats like ransomware.

Azure Site Recovery

With disaster recovery from on-prem to the cloud, or from one location to another, you can avoid
downtime and keep your applications up and running. Azure Site Recovery, also part of Azure BCDR,
can help accomplish this.

Built-in Security and Management in Azure

To be successful in the Cloud era, enterprises must have visibility/metrics and controls on every
component to pinpoint issues efficiently, optimize and scale effectively, while having the assurance
that the security, compliance and policies are in place to ensure the velocity.


Guaranteed and Protected Access to Your Data

Azure has a lengthy period of experience managing global data centers, which are backed by
Microsoft’s $15 billion infrastructure investment and are under continuous evaluation and
improvement.

Key Features:

• Azure comes with Locally Redundant Storage (LRS), where data is stored locally, as well as Geo
Redundant Storage (GRS) in a second region
• All data stored on Azure is protected by an advanced encryption process, and all Microsoft’s data
centers have two-tier authentication, proxy card access readers, and biometric scanners
• Azure has more certifications than any other public cloud provider on the market, including ISO
27001, HIPAA, FedRAMP, SOC 1, SOC 2, and many international specifications

Guaranteed: Microsoft offers 99.5-99.9% uptime on its services. Read the full SLA for more details.

All of the above are some very good reasons to trust Microsoft—and Azure—with your data.


Preparing for Ransomware Attacks: Stay ahead of attackers

Adopt a Cybersecurity framework

A good place to start is to adopt the Microsoft Cloud Security Benchmark to secure the Azure
environment. Microsoft Cloud Security Benchmark is Azure’s own security control framework
based on industry security control frameworks such as NIST SP800-53 and CIS Controls v8. It
provides organizations guidance on how to configure Azure and Azure Services and implement
the security controls. Organizations can use Microsoft Defender for Cloud to monitor their live
Azure environment status against all the Microsoft Cloud Security Benchmark controls.

Ultimately, the Framework is aimed at reducing and better managing cybersecurity risks.

Microsoft Cloud Security Benchmark control domains:

• Network security (NS)
• Identity Management (IM)
• Privileged Access (PA)
• Data Protection (DP)
• Asset Management (AM)
• Logging and Threat Detection (LT)
• Incident Response (IR)
• Posture and Vulnerability Management (PV)
• Endpoint Security (ES)
• Backup and Recovery (BR)
• Governance and Strategy (GS)

[Example: Azure Security Benchmark control framework mapping]


1. Prepare your recovery plan: Recover without paying
2. Limit the scope of damage: Protect privileged roles
3. Make it hard to get in: Incrementally remove risks

Based on our experience with ransomware attacks, we’ve found that prioritization should focus on:

1. Prepare your recovery plan first, then
2. Limit the scope of damage, and finally
3. Prevent – make it hard for attackers to get in

This may seem counterintuitive, since most people want to simply prevent attacks first. But the
unfortunate truth is that we must assume breach (a key Zero Trust principle) and focus on reliably
mitigating the most damage first. This prioritization is critical because of the high likelihood of a
worst-case scenario with ransomware/extortion attacks.

While it’s not a pleasant truth to accept, we face creative and motivated human attackers who are
skilled at finding ways to control the complex environments we operate. Against that reality, it’s
important to prepare for the worst and establish frameworks to contain and prevent attackers’ ability
to get what they’re after.

While these priorities should govern what to do first, we encourage organizations to run as many
steps in parallel as possible (including pulling quick wins forward from steps 2 and 3 whenever you
can).


Step 1 - Prepare your recovery plan: recover without paying

Plan for the worst-case scenario and expect that it will happen (at all levels of the organization).
This will help both your organization and others in the world you depend on:

a) Limit damage for the worst-case scenario – While restoring all systems from backups can be
disruptive to business, this is more effective and efficient than trying to recover using (low quality)
attacker-provided decryption tools after paying to get the key. Note: Paying is an uncertain path – You
have no formal or legal guarantee that the key works on all files, the tools will work effectively, or
that the attacker (who may be an amateur affiliate using a professional’s toolkit) will act in good faith.

b) Limit the financial return for attackers – If an organization can restore business operations
without paying the attackers, the attack has effectively failed and resulted in zero return on
investment (ROI) for the attackers. This makes it less likely that they will target the organization in
the future (and deprives them of additional funding to attack others).

Note: The attackers may still attempt to extort the organization through data disclosure or
abusing/selling the stolen data, but this gives them less leverage than if they have the only
access path to your data and systems.


Step 1 - Prepare your recovery plan: recover without paying (cont.)

To realize this, organizations should ensure they:

1. Register Risk – Add ransomware to the risk register as a high likelihood and high impact scenario.
Track mitigation status via the Enterprise Risk Management (ERM) assessment cycle.

2. Define and Backup Critical Business Assets – Define systems required for critical business
operations and automatically back them up on a regular schedule (including correct backup of
critical dependencies like Active Directory).

3. Protect backups and supporting documents/systems (CMDB, network diagrams, etc.) against
deliberate erasure and encryption. This could use immutable backups, traditional offline/isolated
backups, soft delete, and/or out of band steps (MFA, MUA or PIN) before modifying/erasing online
backups.

4. Test ‘Recover from Zero’ Scenario – test to ensure your business continuity / disaster recovery
(BC/DR) can rapidly bring critical business operations online from zero functionality (all systems
down). Conduct practice exercise(s) to validate cross-team processes and technical procedures,
including out-of-band employee and customer communications (assume all email/chat/etc. is down).

IMPORTANT: Protect (or print) supporting documents and systems required for recovery including
restoration procedure documents, CMDBs, network diagrams, SolarWinds instances, etc. Attackers
destroy these regularly.

5. Reduce on-premises exposure – by moving data to cloud services with automatic backup &
self-service rollback.
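Items 3 and 4 above state what a backup must satisfy before an attacker who has neutralized the live environment can be assumed unable to reach it: soft delete, immutability that is locked rather than merely switched on, a second approver (MUA) for destructive operations, and a recent recover-from-zero drill. The following is an added example, not Microsoft's code and not the Azure Backup API: it evaluates a constructed inventory of vault settings against those goals and reports what is still mutable. The record fields (soft_delete, immutability, multi_user_auth, last_restore_test) are assumed names chosen to mirror the text, not Azure property names.

```python
"""Evaluate backup vaults against the backup-protection goals of Step 1 (items 3 and 4).

Added example, not Microsoft's code. The vault records are constructed and the
field names are assumptions that mirror the concepts in the text (immutability,
soft delete, MUA, restore testing), not Azure API property names.
"""
from datetime import date

VAULTS = [  # constructed inventory
    {"name": "vault-prod", "soft_delete": "enabled", "soft_delete_retention_days": 14,
     "immutability": "locked", "multi_user_auth": True, "last_restore_test": date(2023, 5, 20)},
    {"name": "vault-staging", "soft_delete": "enabled", "soft_delete_retention_days": 14,
     "immutability": "unlocked", "multi_user_auth": True, "last_restore_test": date(2023, 1, 15)},
    {"name": "vault-legacy", "soft_delete": "disabled", "soft_delete_retention_days": 0,
     "immutability": "disabled", "multi_user_auth": False, "last_restore_test": None},
]


def evaluate_vault(vault, today=date(2023, 6, 1), max_test_age_days=90, min_retention_days=14):
    """Return a list of findings; an empty list means the vault meets all goals."""
    findings = []

    # Soft delete keeps deleted backup data for a retention period, so a deletion
    # by a compromised admin account can be reversed.
    if vault["soft_delete"] != "enabled":
        findings.append({"control": "soft_delete", "severity": "high",
                         "detail": "deleted backups are purged immediately; enable soft delete"})
    elif vault["soft_delete_retention_days"] < min_retention_days:
        findings.append({"control": "soft_delete", "severity": "medium",
                         "detail": f"retention {vault['soft_delete_retention_days']}d is below "
                                   f"{min_retention_days}d"})

    # Immutability prevents retention rules from being shortened or removed; an
    # unlocked setting can simply be switched off again by the same attacker.
    if vault["immutability"] == "disabled":
        findings.append({"control": "immutability", "severity": "high",
                         "detail": "retention rules can be shortened or removed by anyone with "
                                   "vault write access"})
    elif vault["immutability"] == "unlocked":
        findings.append({"control": "immutability", "severity": "medium",
                         "detail": "immutability is on but unlocked and can be turned off; lock it"})

    # MUA: destructive operations need an out-of-band second approver.
    if not vault["multi_user_auth"]:
        findings.append({"control": "multi_user_auth", "severity": "high",
                         "detail": "destructive operations need no second approver (MUA)"})

    # A backup that has never been restored from zero is an untested assumption.
    last = vault["last_restore_test"]
    if last is None or (today - last).days > max_test_age_days:
        age = "never" if last is None else f"{(today - last).days} days ago"
        findings.append({"control": "restore_test", "severity": "medium",
                         "detail": f"recover-from-zero drill last run: {age}"})
    return findings


def vaults_needing_action(vaults, **kwargs):
    """Map vault name -> findings, for vaults with at least one finding."""
    report = {}
    for vault in vaults:
        findings = evaluate_vault(vault, **kwargs)
        if findings:
            report[vault["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in vaults_needing_action(VAULTS).items():
        for f in findings:
            print(f"{name}: [{f['severity']}] {f['control']}: {f['detail']}")
```

On the constructed inventory vault-prod passes, vault-staging is flagged only for its unlocked immutability and stale drill, and vault-legacy is flagged on every control; the high-severity findings are the ones that leave backups reachable by an attacker who already holds an admin credential.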


Step 2 – Limit Scope of Damage: Protect Privileged Roles (starting with IT Admins)

Ensure you have strong controls (prevent, detect, respond) for
privileged accounts like IT Admins and other roles with
control of business-critical systems. This slows and/or blocks
attackers from gaining complete access to your resources to
steal and encrypt them. Taking away the attackers’ ability to
use IT Admin accounts as a shortcut to resources will
drastically lower the chances they are successful at attacking
you and demanding payment / profiting.

Organizations should have elevated security for privileged
accounts (tightly protect, closely monitor, and rapidly respond
to incidents related to these roles).

Figure 9: Complete End-to-end Approach

See Microsoft’s recommended roadmap at aka.ms/spa that describes how to establish:

• End to End Session Security (including multifactor authentication (MFA) for admins)
• Protection and Monitoring of Identity Systems
• Mitigating Lateral Traversal attacks
• Establishing Rapid Threat Response


Step 3 – Make it harder to get in: incrementally remove risks

Prevent a ransomware attacker from entering your environment and rapidly respond to incidents to remove attacker access before they can steal and encrypt data. This will cause attackers to fail earlier and more often, undermining the profit of their attacks. While prevention is the preferred outcome, it is a continuous journey and may not be possible to achieve 100% prevention and rapid response across a real-world organization’s complex multi-platform and multi-cloud estate with distributed IT responsibilities.

To achieve this, organizations should identify and execute quick wins to strengthen security controls to prevent entry and rapidly detect/evict attackers while implementing a sustained program that helps them stay secure.

Microsoft recommends organizations follow the principles outlined in the Zero Trust strategy here. Specifically, against Ransomware, organizations should prioritize:

a. Ransomware-specific features of detection and prevention tools. While these won’t block all attacks, these will quickly mitigate risks specific to attack techniques currently popular with these attackers.

b. Improving security hygiene by focusing efforts on attack surface reduction and threat and vulnerability management for assets in their estate.

c. Implementing Protection, Detection and Response controls for their digital assets that can protect against commodity and advanced threats, provide visibility and alerting on attacker activity, and respond to active threats.


Promote awareness and ensure there is no knowledge gap

There are a number of activities that may be undertaken to prepare for potential ransomware incidents.

Educate end-users on the dangers of ransomware

As most ransomware variants rely on end-users to install the ransomware or connect to compromised Web sites, all end-users should be educated about the dangers. This would typically be part of annual security awareness training as well as ad hoc training available through the company’s learning management systems. The awareness training should also extend to the company’s customers via the company’s portals or other appropriate channels.

Educate security operations center (SOC) analysts and others on how to respond to ransomware incidents

SOC analysts and others involved in ransomware incidents should know the fundamentals of malicious software and ransomware specifically. They should be aware of major variants/families of ransomware, along with some of their typical characteristics. Customer call center staff should also be aware of how to handle ransomware reports from the company’s end-users and customers.


Ensure that you have appropriate technical controls in place

There are a wide variety of technical controls that should be in place to protect, detect and respond to ransomware incidents with a strong emphasis on prevention. At a minimum, SOC analysts should have access to the telemetry generated by antimalware systems in the company, understand what preventive measures are in place, understand the infrastructure targeted by ransomware, and be able to assist the company teams to take appropriate action.

This should include some or all of the following essential tools:

Detective and preventive tools

• Enterprise server antimalware product suites (such as Microsoft Defender for Cloud)

• Network antimalware solutions (such as Microsoft Antimalware)

• Security data analytics platforms (such as Azure Monitor, Microsoft Sentinel)

• Next generation intrusion detection and prevention systems

• Next generation firewall (NGFW)


Malware analysis and response toolkits

• Automated malware analysis systems with support for most major end-user and server operating systems in the organization

• Static and dynamic malware analysis tools

• Digital forensics software and hardware

• Non-organizational Internet access (e.g. 4G dongle)

Enrichment and intelligence sources

• Online and offline threat and malware intelligence sources (such as Microsoft Sentinel, Azure Network Watcher)

• Active Directory and other authentication systems (and related logs)

• Internal Configuration Management Databases (CMDBs) containing endpoint device information

For maximum effectiveness SOC analysts should have extensive access to almost all antimalware platforms through their native interfaces in addition to unified telemetry within the security data analysis platforms. The platform for Azure native Antimalware for Azure Cloud Services and Virtual Machines provides step-by-step guides on how to accomplish this.


Data protection

Implement data protection to ensure rapid and reliable recovery from a ransomware attack and to block some attacker techniques.

• Designate Protected Folders – to make it more difficult for unauthorized applications to modify the data in these folders.

• Review Permissions – to reduce risk from broad access enabling ransomware:

  • Discover broad write/delete permissions on fileshares, SharePoint, and other solutions

  • Reduce broad permissions while meeting business collaboration requirements

  • Audit and monitor to ensure broad permissions don’t reappear

Secure backups

Ensure critical systems are backed up and backups are protected against deliberate attacker erasure/encryption.

• Backup all critical systems automatically on a regular schedule.

• Ensure Rapid Recovery of business operations by regularly exercising the business continuity / disaster recovery (BC/DR) plan.

• Protect backups against deliberate erasure and encryption:

  • Strong Protection – Require out of band steps (MFA or PIN) before allowing access to online backups, such as Azure Backup security features and the Azure Role Based Access (RBAC) model

  • Strongest Protection – Store backups in online immutable storage (Azure Blob info) and/or fully offline/off-site

• Protect supporting documents required for recovery such as restoration procedure documents, CMDB, and network diagrams.
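The "Discover broad write/delete permissions on fileshares" step above names a goal without a method. As an added example (not code from the eBook), the following parses captured `icacls` output, which is the usual way to dump NTFS ACLs on a Windows file server, and reports every grant that gives an effectively-everyone principal the ability to change or delete data. The sample output, the share paths and the `CORP` domain are constructed for the demo; the parser assumes share paths without spaces, which is how the sample is built.

```python
"""Added example, not from the Microsoft eBook: find broad write/delete
grants on file shares by parsing captured `icacls` output.  The sample
capture, paths and domain below are constructed for the demo."""
import re
from dataclasses import dataclass
from typing import List

# Principals that are effectively "everyone on the domain"
BROAD_PRINCIPALS = {"everyone", "nt authority\\authenticated users", "builtin\\users"}
BROAD_SUFFIXES = ("\\domain users", "\\domain computers")

# icacls simple and specific rights that allow changing or deleting data
WRITE_RIGHTS = {"F", "M", "W", "D", "DE", "WD", "AD", "DC", "WDAC", "WO", "WA", "WEA"}
INHERITANCE = {"OI", "CI", "IO", "NP", "I"}

# "<principal>:(flag)(flag)..." as printed by icacls
ACE_RE = re.compile(r"^(?P<principal>[^:]+?):(?P<flags>(?:\([A-Za-z,]*\))+)$")

# Constructed capture of `icacls C:\Shares\* /t` style output (two folders)
SAMPLE_ICACLS = """\
C:\\Shares\\Finance BUILTIN\\Administrators:(I)(OI)(CI)(F)
                   CORP\\Finance-RW:(I)(OI)(CI)(M)
                   NT AUTHORITY\\Authenticated Users:(I)(OI)(CI)(M)
                   Everyone:(OI)(CI)(RX)
C:\\Shares\\HR NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(F)
              CORP\\Domain Users:(OI)(CI)(DE,WD,AD)
              Everyone:(DENY)(OI)(CI)(WD)

Successfully processed 2 files; Failed processing 0 files
"""


@dataclass
class Finding:
    path: str
    principal: str
    rights: str


def _is_broad(principal):
    p = principal.lower()
    return p in BROAD_PRINCIPALS or p.endswith(BROAD_SUFFIXES)


def parse_icacls(text):
    """Yield (path, principal, flag groups) for every ACE in the capture.
    A non-indented line starts a new path; indented lines continue it."""
    path = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("Successfully processed"):
            continue
        if raw[0] != " ":                  # "<path> <first ACE>" (path has no spaces)
            path, ace = raw.split(" ", 1)
        else:
            ace = raw.strip()
        m = ACE_RE.match(ace.strip())
        if not m:
            continue
        groups = m["flags"].strip("()").split(")(")
        yield path, m["principal"], groups


def broad_write_grants(text) -> List[Finding]:
    """Allow ACEs whose rights include any write/delete right for a broad principal."""
    findings = []
    for path, principal, groups in parse_icacls(text):
        if "DENY" in groups:               # deny ACEs do not grant anything
            continue
        rights = {r for g in groups for r in g.split(",") if r not in INHERITANCE}
        granted = rights & WRITE_RIGHTS
        if granted and _is_broad(principal):
            findings.append(Finding(path, principal, ",".join(sorted(granted))))
    return findings


if __name__ == "__main__":
    for f in broad_write_grants(SAMPLE_ICACLS):
        print(f"{f.path}: {f.principal} -> {f.rights}")
```

On the sample the read-only `Everyone:(RX)` entry and the deny entry are ignored, while `Authenticated Users` with Modify and `Domain Users` with delete/write specific rights are reported; the same output can be saved from a real server and fed to `broad_write_grants` for the "audit and monitor" step.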

Establish an incident handling process

Ensure your organization undertakes a number of activities roughly following the incident response steps and guidance described in the US National Institute of Standards and Technology (NIST) Computer Security Incident Handling Guide (Special Publication 800-61r2) to prepare for potential ransomware incidents.

As illustrated in Figure 10, these steps include:

1. Preparation: This stage describes the various measures that should be put into place prior to an incident. This may include both technical preparations (such as the implementation of suitable security controls and other technologies) and non-technical preparations (such as the preparation of processes and procedures).

2. Triggers / Detection: This stage describes how this type of incident may be detected and what triggers may be available that should be used to initiate either further investigation or the declaration of an incident. These are generally separated into high-confidence and low-confidence triggers.

3. Investigation / Analysis: This stage describes the activities that should be undertaken to investigate and analyze available data when it is not clear that an incident has occurred, with the goal of either confirming that an incident should be declared or concluding that an incident has not occurred.

4. Incident Declaration: This stage covers the steps that must be taken to declare an incident, typically with the raising of a ticket within the enterprise incident management (ticketing) system and directing the ticket to the appropriate personnel for further evaluation and action.

5. Containment / Mitigation: This stage covers the steps that may be taken either by the Security Operations Center (SOC), or by others, to contain or mitigate (stop) the incident from continuing to occur or to limit the effect of the incident using available tools, techniques and procedures.

6. Remediation / Recovery: This stage covers the steps that may be taken to remediate or recover from damage that was caused by the incident before it was contained and mitigated.

7. Post-Incident Activity: This stage covers the activities that should be performed once the incident has been closed. This can include capturing the final narrative associated with the incident as well as identifying lessons learned.

Figure 10: NIST SP 800-61r2 Incident Response Lifecycle


Preparing for Quick Recovery: Restore business operations fast​​

Ensure that you have appropriate processes and procedures in place

Almost all ransomware incidents result in the need to restore compromised systems. So appropriate and tested backup and restore processes and procedures should be in place for most systems. There should also be suitable containment strategies in place with suitable procedures to stop ransomware from spreading and to recover from ransomware attacks.

Ensure that you have well-documented procedures for engaging any third-party support, particularly support from threat intelligence providers, antimalware solution providers and from the malware analysis provider. These contacts may be useful if the ransomware variant has known weaknesses or decryption tools are available.

The Azure platform provides backup and recovery options through Azure Backup as well as built-in data services and workloads.

Isolated backups with Azure Backup

• Azure Virtual Machines

• Databases in Azure VMs: SQL, SAP HANA

• Azure Database for PostgreSQL

• On-premises Windows Servers (back up to cloud using MARS agent)

Local (operational) backups with Azure Backup

• Azure Files

• Azure Blobs

• Azure Disks

• Azure Kubernetes Services

Built-in backups from Azure services

• Data services like Azure Databases (SQL, MySQL, MariaDB, PostgreSQL), Cosmos DB, and ANF offer built-in backup capabilities


Detecting Ransomware Attacks: Accelerate detection with the right tools​

Potential triggers

There are several potential triggers that may indicate a ransomware incident. Unlike many other types of malware, most will be higher-confidence triggers (where little additional investigation or analysis should be required prior to the declaration of an incident) rather than lower-confidence triggers (where more investigation or analysis would likely be required before an incident should be declared).

In general, such infections are obvious from basic system behavior manifested in the absence of key system or user files, and the demand for ransom. In this case, the analyst should consider whether to immediately declare and escalate the incident, including taking any automated actions to mitigate the attack.

Microsoft Security Product Portfolio

Microsoft Security solutions are notably designed to help you eliminate inefficient silos and patchwork fixes, closing the gaps with simplified, comprehensive protection. We integrate more than 50 categories into six product lines which form one Microsoft Security cloud.

Figure 11: Microsoft Security Product Portfolio


Ensure rapid detection and remediation of common attacks on VMs, storage, containers, SQL servers, web applications, and identity.

• Integrated XDR - Use integrated Extended Detection and Response (XDR) tools like Defender for Cloud to provide high quality alerts and minimize friction and manual steps during response.

• Brute Force - Monitor for brute-force attempts like password spray.

Figure 12: Integrated XDR

Prioritize Common Entry Points

Ransomware (and other) operators favor Endpoint/Email/Identity + RDP.

Don’t Ignore Commodity Malware

Ransomware attackers regularly purchase access to target organizations from dark markets.

Integrate outside experts into processes to supplement expertise, such as Microsoft Detection and Response Team (DART).

Rapidly isolate compromised computers using Defender for Endpoint in on-premises deployment.

Monitor for Adversary Disabling Security

As this is often part of the Human Operated Ransomware (HumOR) attack chain:

• Event Logs Clearing – especially the Security event log and PowerShell operational logs.

• Disabling of security tools/controls (associated with some groups).
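The "Potential triggers" discussion earlier in this chapter separates high-confidence triggers from low-confidence ones, and the list above names concrete signals for each class: log clearing and disabled security tooling on one side, brute-force/password spray on the other. The following is an added example, not code from the eBook or any Microsoft product, that turns those signals into detection logic and runs it over constructed Windows event records. The record shape (TimeCreated / Channel / EventID / Computer / Data) is a hypothetical normalized form such as a SIEM export might give; the event IDs are the documented Windows ones (Security 1102 audit log cleared, System 104 log cleared with the channel name in its data, Defender Operational 5001 real-time protection disabled, Security 4625 failed logon). The spray threshold, window, host names and addresses are constructed.

```python
"""Added example, not from the Microsoft eBook: the detection triggers above
as rules over constructed, normalized Windows event records.  Thresholds,
host names and addresses are constructed for the demo."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

SPRAY_WINDOW = timedelta(minutes=10)      # constructed thresholds
SPRAY_DISTINCT_ACCOUNTS = 5


@dataclass
class Trigger:
    confidence: str      # "high" or "low", the eBook's two trigger classes
    rule: str
    computer: str
    detail: str


def _high_confidence(ev):
    """Single-event rules; each is a strong indicator of an operator disabling defenses."""
    ch, eid, d = ev["Channel"], ev["EventID"], ev.get("Data", {})
    if ch == "Security" and eid == 1102:
        return Trigger("high", "security-log-cleared", ev["Computer"],
                       f"by {d.get('SubjectUserName', '?')}")
    if ch == "System" and eid == 104 and "PowerShell" in d.get("Channel", ""):
        return Trigger("high", "powershell-log-cleared", ev["Computer"], d["Channel"])
    if ch == "Microsoft-Windows-Windows Defender/Operational" and eid == 5001:
        return Trigger("high", "defender-realtime-disabled", ev["Computer"], "")
    return None


def _password_spray(events):
    """Low-confidence rule: one source failing logons against many distinct
    accounts inside a sliding window (one trigger per source address)."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["Channel"] == "Security" and ev["EventID"] == 4625:
            d = ev["Data"]
            by_ip[d["IpAddress"]].append((ev["TimeCreated"], d["TargetUserName"], ev["Computer"]))
    found = []
    for ip, attempts in by_ip.items():
        attempts.sort()
        j = 0
        for i in range(len(attempts)):
            while j < len(attempts) and attempts[j][0] - attempts[i][0] <= SPRAY_WINDOW:
                j += 1
            accounts = {acct for _, acct, _ in attempts[i:j]}
            if len(accounts) >= SPRAY_DISTINCT_ACCOUNTS:
                found.append(Trigger("low", "password-spray", attempts[i][2],
                                     f"{ip} -> {len(accounts)} accounts within {SPRAY_WINDOW}"))
                break
    return found


def evaluate(events):
    """Return every trigger raised over the records, high-confidence ones first."""
    triggers = [t for t in (_high_confidence(ev) for ev in events) if t]
    triggers.extend(_password_spray(events))
    return triggers


# Constructed sample: a 10-account spray from one address, then log clearing
# and Defender being switched off on a file server, plus one benign failure.
T0 = datetime(2023, 6, 1, 2, 0, 0)
SAMPLE_EVENTS = [
    {"TimeCreated": T0 + timedelta(seconds=s), "Channel": "Security", "EventID": 4625,
     "Computer": "DC01", "Data": {"IpAddress": "10.0.0.77", "TargetUserName": f"user{n:02d}"}}
    for s, n in zip(range(0, 300, 30), range(10))
] + [
    {"TimeCreated": T0 + timedelta(minutes=30), "Channel": "Security", "EventID": 1102,
     "Computer": "FS01", "Data": {"SubjectUserName": "svc-backup"}},
    {"TimeCreated": T0 + timedelta(minutes=31), "Channel": "System", "EventID": 104,
     "Computer": "FS01", "Data": {"Channel": "Microsoft-Windows-PowerShell/Operational"}},
    {"TimeCreated": T0 + timedelta(minutes=32), "EventID": 5001, "Computer": "FS01",
     "Channel": "Microsoft-Windows-Windows Defender/Operational", "Data": {}},
    {"TimeCreated": T0 + timedelta(minutes=40), "Channel": "Security", "EventID": 4625,
     "Computer": "DC01", "Data": {"IpAddress": "10.0.0.12", "TargetUserName": "alice"}},
]

if __name__ == "__main__":
    for t in evaluate(SAMPLE_EVENTS):
        print(f"[{t.confidence}] {t.rule} on {t.computer} {t.detail}")
```

The confidence label is what drives the workflow described under "Incident Declaration": the three high-confidence triggers justify declaring an incident straight away, while the spray finding routes to investigation first, and the single failed logon from the second address produces nothing.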


Responding to Ransomware Attacks: Increase effectiveness with practiced IR teams​

Incident declaration

Once a successful ransomware infection has been confirmed, the analyst should verify that this represents a new incident or that it is related to an existing incident. Look for currently-open tickets that indicate similar incidents. If so, update the current incident ticket with new information in the ticketing system. If this is a new incident, an incident should be declared in the relevant ticketing system and escalated to the appropriate teams or providers to contain and mitigate the incident. Be mindful that managing ransomware incidents may require actions taken by multiple IT and security teams. Where possible, ensure that the ticket is clearly identified as a ransomware incident to guide workflow.

Containment/Mitigation

In general, various server/endpoint antimalware, email antimalware, and network protection solutions should be configured to automatically contain and mitigate known ransomware. However, there may be cases where the specific ransomware variant is able to bypass such protections and successfully infect target systems.

The following are recommended actions to contain or mitigate a declared incident involving ransomware where automated actions taken by antimalware systems have been unsuccessful:

1. Engage antimalware vendors through standard support processes

2. Manually add hashes and other information associated with malware to antimalware systems

3. Apply antimalware vendor updates

4. Contain affected systems until they can be remediated

5. Disable compromised accounts

6. Perform root cause analysis

7. Apply relevant patches and configuration changes on affected systems

8. Block ransomware communications using internal and external controls

9. Purge cached content

Microsoft provides extensive resources to help update your incident response processes on the Top Azure Security Best Practices.


Road to Recovery: Microsoft experts provide insights​

Microsoft’s Detection and Response Team will help protect you from attacks

Understanding and fixing the fundamental security issues that led to the compromise in the first place should be a priority for ransomware victims.

Integrate outside experts into processes to supplement expertise, such as Microsoft Incident Response (MIR). MIR engages with customers around the world, helping to protect and harden against attacks before they occur, as well as investigating and remediating when an attack has occurred.

Customers can engage our security experts directly from within Microsoft Defender Security Center for timely and accurate response. Experts provide insights needed to better understand the complex threats affecting your organization, from alert inquiries, potentially compromised devices, root cause of a suspicious network connection, to additional threat intelligence regarding ongoing advanced persistent threat campaigns.


Microsoft is ready to assist your company in returning to safe operations.

Microsoft performs hundreds of compromise recoveries and has a tried-and-true methodology. Not only will this methodology get you to a more secure position, but it will also afford you the opportunity to consider your long-term strategy rather than reacting to the situation.

Microsoft provides Rapid Ransomware Recovery services. Under these services, assistance is provided in all areas such as restoration of identity services, remediation and hardening, and with monitoring deployment to help victims of ransomware attacks to return to normal business in the shortest possible timeframe.

Our Rapid Ransomware Recovery services are treated as "Confidential" for the duration of the engagement. Rapid Ransomware Recovery engagements are exclusively delivered by the Microsoft Compromise Recovery Security Practice (CRSP), part of the Azure Cloud & AI Domain. For more information you can contact CRSP at Request contact about Azure security.


Conclusion
Microsoft focuses heavily on both security of our cloud and providing
you the security controls you need to protect your cloud workloads. As
a leader in cybersecurity, we embrace our responsibility to make the
world a safer place. This is reflected in our comprehensive approach to
ransomware prevention and detection in our security framework,
designs, products, legal efforts, industry partnerships, and services.

We look forward to partnering with you in addressing ransomware protection, detection, and prevention in a holistic manner.


Additional Resources
• Microsoft Cloud Adoption Framework for Azure

• Build great solutions with the Microsoft Azure Well-Architected Framework

• Microsoft Azure Top Security Best Practices

• Microsoft Security Baselines

• Resource Center | Microsoft Azure

• Azure Migration Guide

• Security Compliance Management

• Azure Security Control – Incident Response

• Zero Trust Guidance Center

• Azure Web Application Firewall

• Azure VPN gateway

• Azure Multi-Factor Authentication (MFA)

• Azure AD Password Protection

• Azure AD Conditional Access

• Microsoft Defender for Cloud documentation

• Microsoft Sentinel documentation

To report a ransomware breach, contact the FBI at: IC3 Complaint Referral Form


Connect with us!

• AskAzureSecurity@microsoft.com

• www.microsoft.com/services

For detailed information on how Microsoft secures our cloud, visit the service trust portal https://servicetrust.microsoft.com/


We embrace our responsibility to create a safer world that enables organizations to digitally transform. We Have Your Back!

Thank you!
