Over the past few months we’ve had a number of questions from Enterprise and Public Sector customers on how best to protect yourself and your organisation and mitigate the threat of ransomware.
The National Cyber Security Centre (NCSC) has some great guidance. We thought we would provide some clarification and explain how best to approach that guidance with the tools we have available. We’ve put this together in one place so you can keep it as an easy reference.
The key action to take to mitigate the damage of ransomware is to ensure that you have up-to-date backups of important files. If so, you will be able to recover your data without having to pay a ransom.
Ensure your backups are kept separate from your network or in a cloud service designed for this purpose. Also, don’t rely on just one backup.
The NCSC suggests sticking to the 3-2-1 rule for backups – at least three copies, on two devices, and one offsite. This allows you to scale effectively, while giving you confidence your data is safe from localised incidents.
To help interpret its guidance, the NCSC has suggested a few extra options if you already have data in the cloud:
Software as a Service (SaaS) apps: Some fully-managed services include the ability to retain historic versions of files and recover recently deleted files. Built-in record retention can also give you access to archived data. It’s important to remember these protections may not stop a Global or Super Administrator account from being compromised. You should only use those accounts when absolutely necessary and from trusted devices.
Cloud storage: Data associated with Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) is normally stored in the provider’s ‘blob storage’. Configure an automated backup task to copy data into long-term ‘blob’ storage and configure that data to be undeletable for a set period. This also allows you to maintain data immutability and set policies for deleting or modifying data.
Third party software: Workloads and data hosted in IaaS in the cloud usually work well with on-premise backup solutions. To defend against ransomware effectively, your strategy will need the ability to copy the backup and set policies for modifying or deleting the data, including removing the ability to modify the data for a period of time. Third-party vendors also offer services and software that back up data stored in SaaS apps and your cloud storage – something you should consider if you don’t have the built-in capabilities of your cloud service.
Infrastructure as code: Recovering from a ransomware incident usually requires a combination of restoring data and rebuilding underlying services. The NCSC recommends building and configuring services in the cloud using Infrastructure as Code. This will help you rebuild new and clean versions more quickly if you find yourself in a disaster recovery scenario.
No matter what method you use, both we and the NCSC recommend regularly testing that your backups are working as normal. This includes checking that backups can’t be changed or deleted and making sure you can recover data successfully.
How we can help
We build with security in mind to make it easy for you to store, back up, and access your data securely and quickly.
Azure has built-in, one-click offsite backup of cloud workloads and hybrid data. It uses write-once-read-many (WORM) blob storage across all tiers, which allows you to store data in the most cost-optimised tier. You can create your own policies while maintaining data immutability.
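As an added example (not code from the original post or from Microsoft’s own documentation), the following Az PowerShell script applies and locks a time-based immutability policy on the container holding backup copies, which is the “undeletable for a set period” configuration the cloud storage option above describes. It assumes the Az.Storage module is installed, that you have already run Connect-AzAccount, and that the resource names are placeholders; the cmdlet and property names are as I recall them from Az.Storage, so check them against your installed module version.

```powershell
# Added example: lock a WORM (time-based retention) policy on a backup container.
# Resource names are placeholders for your own environment.
$rg        = 'rg-backups'          # placeholder resource group
$account   = 'stbackupsexample'    # placeholder storage account
$container = 'vm-backups'          # placeholder container holding backup copies
$days      = 30                    # retention period: blobs cannot be modified
                                   # or deleted for this long after being written

# 1. Create (or update) the immutability policy on the container.
$policy = Set-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg `
    -StorageAccountName $account -ContainerName $container `
    -ImmutabilityPeriod $days

# 2. Lock the policy. Once locked, the retention period can only be extended,
#    never shortened or removed, so a compromised administrator account cannot
#    quietly switch the protection off before encrypting or deleting backups.
Lock-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg `
    -StorageAccountName $account -ContainerName $container `
    -Etag $policy.Etag -Force

# 3. Verify: the policy should now be locked with the intended period. This is
#    the "check that backups can’t be changed or deleted" test the NCSC asks for.
$check = Get-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg `
    -StorageAccountName $account -ContainerName $container
if ($check.State -ne 'Locked' -or
    $check.ImmutabilityPeriodSinceCreationInDays -ne $days) {
    throw "Immutability policy not applied as expected (state: $($check.State))"
}
"Container '$container' locked: $($check.ImmutabilityPeriodSinceCreationInDays) day retention"
```

Test a locked policy with a non-production container first, because a locked policy cannot be removed until the last blob has aged out of the retention period.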
OneDrive for Business is included in SharePoint Online on Microsoft 365. To prevent the loss of SharePoint data, backups are performed every 12 hours and retained for 14 days.
You can store documents in OneDrive for Business and gain version control. By default, OneDrive for Business stores 10 copies of previous versions of a document. This means if ransomware overwrites your document you can recover a previously saved version. You can also restore the entire OneDrive for Business to a previous point in time within the last 30 days.
OneDrive Known Folder Protection automatically backs up workstation desktops and document folders and keeps 1,000 revisions of files offsite in Azure. OneDrive Personal Vault also adds a second layer of authentication to further protect your most sensitive files.
Microsoft 365 customers have multiple copies of data automatically backed up in two off-premises data centres as part of the default configuration.
In Windows 10, the Ransomware Protection feature controls access to data held in commonly used folders such as documents, pictures, videos, music, and favourites. You can enable Ransomware Data Recovery in the Update and Security section of your Windows Security app to automatically synchronise with your OneDrive for Business account and back up your data.
If you have implemented File History in Windows and have stored documents on an external offline drive, you can restore a previous version easily with File History Backup and Restore.
Ransomware infections usually start with email, through a malicious URL or attachment. You can reduce this with network services by:
- Mail and spam filtering to block malicious emails and remove executable attachments.
- Intercepting proxies and safe browsing lists within browsers to block known malicious websites.
- Internet security gateways, which can inspect content in certain protocols (including some encrypted protocols) for known malware.
Some ransomware attacks gain access to networks through remote access software like Remote Desktop Protocol. By using multi-factor authentication and ensuring users have first connected via a secure VPN, you can prevent these brute-force attacks.
How we can help
Microsoft 365 can perform real-time scans of files as they are downloaded, opened, or executed, and can be configured to periodically scan the file system as frequently as required.
If you’re a Microsoft 365 customer with mailboxes in Exchange Online or a standalone Exchange Online Protection (EOP) customer without Exchange Online mailboxes, your email messages are automatically protected against spam and malware with Exchange Online Protection.
You can further protect your organisation by implementing Office 365 ATP. This enables protections against unsafe attachments and links and extends the capability to real-time detections and automated response.
Depending on your tenancy, you need to configure your anti-spam policies appropriately. We’d recommend government customers follow the NCSC guidance on SPF, DMARC, and DKIM in their anti-spoofing post on email security.
SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files on Windows 10 and Edge.
The NCSC guidance for Windows 10 shows how you can configure the native VPN to meet the needs of the government.
You can also prevent untrusted apps from making changes to folders in Windows 10 or Server 2019 by implementing Controlled Folder Access. It also alerts you when such activity is taking place, so you can respond quickly.
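As an added example (not part of the original post), this PowerShell script rolls Controlled Folder Access out the way a practitioner normally would: audit first, review what would have been blocked, add your own folders and a trusted application, then enforce. It assumes an elevated session on Windows 10 or Server 2019 with Microsoft Defender Antivirus active; the folder and application paths are placeholders.

```powershell
# Added example: stage Controlled Folder Access from audit to enforcement.
# Folder and application paths are placeholders for your own environment.

# 1. Audit mode logs what would be blocked without actually blocking it, so
#    legitimate line-of-business apps can be identified before enforcement.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Review the Defender operational log. Event ID 1124 = audited write to a
#    protected folder, 1123 = blocked write (once enforcement is on). Either
#    event from an unexpected process is an early ransomware indicator.
Get-WinEvent -ErrorAction SilentlyContinue -MaxEvents 20 -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} | Select-Object TimeCreated, Id, Message

# 3. Protect folders beyond the defaults (Documents, Pictures, Videos, etc.).
Add-MpPreference -ControlledFolderAccessProtectedFolders `
    'D:\Finance', '\\fileserver\shared'          # placeholders

# 4. Allow an application that legitimately rewrites protected files. Keep this
#    list short: every allowed binary is a path ransomware could try to abuse.
Add-MpPreference -ControlledFolderAccessAllowedApplications `
    'C:\Program Files\BackupTool\agent.exe'      # placeholder

# 5. Switch to enforcement once the audit period shows no false positives.
Set-MpPreference -EnableControlledFolderAccess Enabled

# 6. Verify the effective configuration.
$pref = Get-MpPreference
[pscustomobject]@{
    Mode    = $pref.EnableControlledFolderAccess   # 0 Disabled, 1 Enabled, 2 AuditMode
    Folders = $pref.ControlledFolderAccessProtectedFolders -join '; '
    Apps    = $pref.ControlledFolderAccessAllowedApplications -join '; '
}
```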
In addition, we would recommend that you stay current with your security updates.
Take a zero trust approach. This is where you assume that malware will reach your organisation’s devices. The NCSC suggests you take steps to prevent malware from running at device level by implementing security features. Centrally managing enterprise devices ensures you only permit apps your organisation trusts, or only allow apps from trusted app stores or locations.
If you think enterprise antivirus or anti-malware products are necessary, ensure the software (and its definition files) is kept up to date.
Attackers often use malicious macros to obfuscate ransomware. You can help stop this by disabling or constraining macros in productivity suites (e.g. scripting environments), disabling autorun for mounted media, and protecting your systems from malicious Office macros.
In addition, attackers can force their code to execute by exploiting device vulnerabilities. Prevent this by keeping devices well-configured and up to date. The NCSC suggests you:
- Install security updates as soon as they become available in order to fix exploitable bugs in your products. The NCSC has produced guidance on how to manage vulnerabilities within your organisation.
- Enable automatic updates for operating systems, applications, and firmware.
- Use the latest versions of operating systems and applications.
- Configure host-based and network firewalls, disallowing inbound connections by default.
Provide security education and awareness training to your people, for example NCSC’s top tips for staff.
How we can help
Moving to a modern OS and applications will improve the overall security posture of your organisation and will lessen your attack surface. Both Windows 10 (Defender, Secure Boot) and Microsoft 365, including client software, have several protection mechanisms that mitigate common malware threats. Staying current, patched, and up to date will reduce your vulnerability to malware. Tools like Microsoft Windows AppLocker and Defender ATP leverage the cloud to protect your enterprise from ransomware attacks.
Strongly consider whether you need macros across your estate. If not, disable them for those users who do not need to run them. You can also allow only digitally signed macros to run. This, as well as moving to the Open XML document formats, will significantly improve your security posture.
Updates for Windows 10, as part of Windows as a service, and Microsoft Pro Plus are automatic if left on their default settings. This significantly improves your security posture by ensuring the latest security features and updates are protecting your users.
Microsoft Azure Sentinel automates responses to threats in your environment on-premise and in the cloud. This enables you to take mitigation action more rapidly than a human-led response.
The quicker you can prevent ransomware spreading through your network, the easier it is to recover. The NCSC advises you to never pay a ransom, as there’s no guarantee you’ll get access to your device or your data back. However, if you put mitigations in place, your incident responders can help your organisation to recover quickly.
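As an added example (not part of the original post), this PowerShell script enforces the “only digitally signed macros” setting described above, together with the block on macros in files downloaded from the Internet, for Word, Excel and PowerPoint, and then audits the result. It writes the same Office 16.0 (2016/2019/Microsoft 365 Apps) policy registry values that Group Policy or Intune would deliver; the key and value names are assumed from the Office 2016 ADMX templates, and it changes only the current user’s policy hive.

```powershell
# Added example: restrict Office macros to digitally signed ones and block
# macros in Internet-sourced (Mark-of-the-Web) files, then audit compliance.
# Key/value names assumed from the Office 2016 administrative templates.
$apps = 'Word', 'Excel', 'PowerPoint'

# VBAWarnings: 1 = enable all, 2 = disable with notification,
#              3 = disable all except digitally signed, 4 = disable without notification
$signedOnly = 3

foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value $signedOnly -Type DWord
    # Block macros in documents that carry the Internet zone identifier,
    # regardless of the user's prompt settings.
    Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
}

# Audit: report the effective policy for each application. Run this part on
# its own to check an estate for drift from the intended configuration.
foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        App         = $app
        VBAWarnings = $p.VBAWarnings
        BlockMotW   = $p.blockcontentexecutionfrominternet
        Compliant   = ($p.VBAWarnings -eq $signedOnly -and
                       $p.blockcontentexecutionfrominternet -eq 1)
    }
}
```

Signed-only macros are only as strong as the publishers you trust, so pair this with a short, reviewed list of trusted certificates rather than a broad Trusted Publishers store.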
- Follow the NCSC guidance on preventing lateral movement. Once in your network, attackers aim to move across machines. This might include targeting authentication credentials or perhaps abusing built-in tools.
- Use two-factor or multi-factor authentication so that if malware steals credentials they can’t be reused.
- Ensure obsolete platforms (OS and apps) are properly segregated from the rest of the network (refer to NCSC guidance on obsolete platforms for further details).
- Regularly review and remove user permissions that are no longer required, to limit malware’s ability to spread.
- System administrators should avoid using their administrator accounts for email and web browsing, to avoid malware being able to run with their high levels of system privilege.
- Architect your network so that management interfaces are minimally exposed. The NCSC blog post on protecting management interfaces may help.
- Practise good asset management, including keeping track of which versions of software are installed on your devices so that you can target security updates quickly if you need to.
- Keep your infrastructure patched, just as you keep your devices patched, and prioritise devices performing a security-related function on your network (such as firewalls), and anything on your network boundary.
- Develop an incident response plan and exercise it.
How we can help
Multi-factor authentication stops 99.9 percent of attacks, so it’s important to enable that for all users. Additionally, a Windows Hello gesture will help maximise protection, as it minimises the ability for malware to steal credentials as it doesn’t utilise a password for verification.
For the best protection against all malware, make sure you’re using the latest available version of an operating system or application. Utilise tools like Intune to ensure all users are up to date.
Use least privilege for all operations on-premises or in the cloud with Azure PIM. Tools like Conditional Access can also be used to evaluate user and machine health at the point of access to services.
Defence in depth
These are a few things you can do to have a healthy security plan. Remember to check, test, and update your security plan regularly as well as keeping employees educated and aware. You can use Azure Advanced Threat Protection and its Intelligent Security Graph to help detect and prevent malware running on devices and entering into your organisation.
For more in-depth resources, take a look at:
Finally, Microsoft Azure Sentinel will help improve your organisation’s situational awareness. This enables you to collect data and detect, investigate, and respond rapidly to threats.
About the authors
Stuart has been with Microsoft in the UK since 1998 and is the National Security Officer for Microsoft in the UK. Prior to that, he worked as a strategy consultant to a variety of UK Government customers, mostly within the defence arena, and ran a number of Government Programs with the UK including the Government Security Program, the Security Co-Operation Program, and the Welsh Language Program. He continues to run the UK GSP program today. Prior to joining Microsoft, Stuart worked as a consultant for ICL in their Power of 4 Consultancy, mostly focused on the defence and government spaces. Before ICL, he worked for Barclays Bank in a number of application development and IT infrastructure roles. He has been actively involved in computer security-related activities since the early 1980s.
Lesley is an experienced security incident responder with a demonstrated history of working on investigations into cases of hacking, compromise, and breach. She is skilled in Security Incident Response, Computer Security, Forensic Investigations, Crisis and Program Management. She is a strong information technology professional with a Master of Science (MSc) focused on Forensic Computing from Cranfield University. She is passionate about sharing her knowledge by speaking at events and training industry and law enforcement.