Ransomware Protection and Containment Strategies: Practical Guidance for Hardening and Protecting Infrastructure, Identities and Endpoints
Mandiant
Written by: Matthew McWhirt, Omar ElAhdan, Glenn Staniforth, Brian Meyer
Multi-faceted extortion via ransomware and/or data theft is a popular end goal for attackers, representing a global threat targeting organizations in all industries. The impact of a successful ransomware event can be material to an organization, including the loss of access to data, systems, and prolonged operational outages. The potential downtime, coupled with unforeseen expenses for restoration, recovery, and implementation of new security processes and controls can be overwhelming.
Since the initial launch of our report in 2019, data theft and ransomware deployment tactics have continued to evolve and escalate. This evolution marks a shift from manual or script-based ransomware deployment to sophisticated, large-scale operations, including:
-
Weaponizing Trusted Service Infrastructure (TSI): Adversaries are increasingly abusing legitimate infrastructure and security tools (TSI) to rapidly propagate malware or ransomware across entire networks.
-
Targeting Virtualization Platforms: Attackers are actively focusing on the virtualization layer, aiming to mass-encrypt virtual machines (VMs) and other critical systems at scale.
-
Targeting Backup Data / Platforms: Threat actors are exploiting misconfigurations or security gaps in backup systems to either erase or corrupt data backups, severely hindering recovery efforts.
Based upon these newer techniques, it is critical that organizations identify the span of the attack surface, and align proper security controls and visibility that includes coverage for protecting:
-
Identities
-
Endpoints
-
Network Architectures
-
Remote Access Platforms
-
Trusted Service Infrastructure (TSI)
Cascading weaknesses across these layers create opportunities for attackers to breach an organization's perimeter, gain initial access, and maintain a persistent foothold within the compromised network.
In our updated report, Ransomware Protection and Containment Strategies, we have expanded the strategies organizations can proactively take to identify gaps and harden their environment(s)to prevent the downstream impact of a ransomware event. The strategies represent practical and scalable methods to protecting organizations, and are the same strategies that are leveraged by Mandiant when working with clients across the globe.
The report covers several areas to help organizations mitigate the risk of and contain ransomware events including:
-
Attack Surface Identification and Reduction
-
Endpoint Hardening
-
Credential Protections
-
Domain Controller Protections
-
Group Policy Objects (GPOs)
-
Virtualization Infrastructure Protections
-
Backup Infrastructure Protections
If you are reading this report to aid your organization’s response to an existing ransomware event, it is important to understand how the ransomware was deployed through the environment and design your ransomware response appropriately. This guide should help organizations in that process.
*Note: The recommendations in this report can help organizations mitigate the risk of and contain ransomware events. However, this report does not cover all aspects of a ransomware incident response. We do not discuss investigative techniques to identify and remove backdoors (ransomware operators often have multiple backdoors into victim environments), communicating and negotiating with threat actors, or recovering data once a decryptor is provided.