Don't listen to the vendors; you don't need to invest in a lot of new products to be safe from ransomware. Having conducted hundreds of successful ransomware investigations over the past years, we know that there is no magic software that would have saved you. You don’t have to blame the lack of budget anymore, as you likely already have all you need to stay safe; you just need to use it!
A few protective or low-cost enhancements can make a huge difference in preventing threat actors from deploying ransomware and in speeding up recovery, without investing in many new products and tools. In most cases, it's about using functionality you already have. What's important to remember is that cybersecurity is an ongoing battle and process: we must always keep up with the latest attack vectors and implement new mitigations against them.
In this article, we have listed five key recommendations you can implement already today. By taking these steps, you will drastically improve your cybersecurity posture and create enough "speed bumps" that will give you time to act should you discover a potential intruder in your environment.
1. Use a Separate VLAN
Put your Hyper-V and VMware hosts on a separate VLAN that's not accessible from the client, server, Wi-Fi, or any other network. Make it accessible only from one specific VLAN.
Have your PAW (Privileged Access Workstation) connected to that network. It can be a Virtual Windows Client on your laptop, which is connected to that VLAN and nothing else. Doing so will prevent a threat actor from accessing your hypervisor hosts and encrypting the environment. Furthermore, it will also speed up recovery.
On that same VLAN, put your backup server so you can access it from your virtual PAW. Your backup server(s) should be part of a workgroup and use NAT, with a specific account for EACH server it will access. Should a threat actor now manage to gain access to your servers or clients, they will never be able to access, encrypt, or delete your backups. Meanwhile, your backup server securely reaches each server itself and performs a pull backup.
By using a unique account for each server it's backing up, a threat actor won't be able to steal one high-privileged backup-server account and use it to access all other servers.
If you want to take it one level further, put your backup servers on a separate VLAN with their own PAW, so there's no direct connection between the hypervisor hosts and the backup servers or anything else; allow NAT outbound traffic only.
Ensure your virtualization hosts and management tools are not joined to the productivity Active Directory. In larger environments, connect them to a separate bastion Active Directory instead; a breach of the productivity domain then yields no credentials that work against the hosts.
Also, put the management interfaces for your SAN and other storage-related networks on the same isolated and protected VLAN.
We recommend setting up automatic snapshots every 24 hours, retaining at least five snapshots. A threat actor who manages to access your server or client networks will never be able to reach your storage admin interface and delete the snapshots. Should a ransomware attack occur, you can restore the snapshot from the day before and save considerable time compared with restoring from backups.
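The VLAN isolation above is enforced on the network, but the hypervisor host itself should not trust the network to do that job alone. The following is an added example, not code from the article, showing how the built-in Windows Defender Firewall on a Hyper-V host can be limited so that its management ports answer only to the PAW VLAN. The subnet, the port list and the rule name are assumptions; cluster, live-migration and SMB storage traffic are out of scope and need their own rules on their own VLAN.

```powershell
# Added example (not from the article): restrict a Hyper-V host's management
# ports to the PAW VLAN using Windows Defender Firewall. Run elevated on the host.
# Placeholders (assumptions): the PAW subnet, the port list and the rule name.

$PawSubnet = '10.99.0.0/24'            # the only network that may manage this host
$MgmtPorts = @(3389, 5985, 5986, 445)  # RDP, WinRM HTTP/HTTPS, SMB admin shares
$RuleName  = 'Mgmt: allow from PAW VLAN only'

# 1. Make "block" the default for inbound traffic. In Windows Firewall a block
#    rule always beats an allow rule, so a catch-all block rule would also cut
#    off the PAW; the profile default is the right knob.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Disable the broad built-in allow rules for the same services so they
#    cannot re-open the ports to every network.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object {
        $_.DisplayGroup -like '*Remote Desktop*' -or
        $_.DisplayGroup -like '*Windows Remote Management*' -or
        $_.DisplayGroup -like '*File and Printer Sharing*'
    } | Disable-NetFirewallRule

# 3. Allow the management ports from the PAW VLAN only.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $MgmtPorts -RemoteAddress $PawSubnet -Profile Any | Out-Null
}

# 4. Verify: any other enabled inbound allow rule that opens one of the
#    management ports is a gap (for example a rule added later by an installer).
$gaps = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.DisplayName -ne $RuleName } |
    Where-Object {
        $ports = ($_ | Get-NetFirewallPortFilter).LocalPort
        # Port ranges ("5985-5986") are not expanded here; review those by hand.
        ($ports | Where-Object { $_ -in $MgmtPorts }).Count -gt 0
    }

if ($gaps) {
    Write-Warning 'Management ports are still opened by rules other than the PAW rule:'
    $gaps | Select-Object DisplayName, DisplayGroup, Profile | Format-Table -AutoSize
} else {
    Write-Host "OK: management ports are reachable only from $PawSubnet"
}
```

Step 4 is the part worth scheduling: product installers and feature additions regularly add their own inbound allow rules, and re-running the check after each change is how you notice that the host has quietly become reachable from a client VLAN again.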
2. Implement Tiering of Active Directory
You should never enable the use of a Domain Admin account on a server or a client. Keep the DA account actively blocked from logging on there, both to prevent it from being used in the wrong place and to prevent a stealable token from accidentally being left behind.
- Implement multiple Server Admin groups to ensure that someone with one Server Admin account can't jump around to all servers and deploy ransomware.
- Prohibit the possibility of using a Server Admin or Domain Admin account on a client PC to protect those high privileged accounts.
- Monitor and minimize lateral movement paths for privileged accounts and service accounts.
- Use dedicated workstations, Privileged Access Workstations (PAWs), for all privileged, administrative, and developer access.
- Enforce logon restrictions for privileged/administrative accounts using authentication silos and protocols with no exposure, such as remote administration protocols using Kerberos-based SSO from dedicated PAWs.
- Implementing LAPS (Local Administrator Password Solution) will ensure you have unique local Administrator passwords for all clients and servers.
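The logon restrictions above are only as good as your ability to notice when they are bypassed or misconfigured. As an added example (not code from the article), this script reads logon events (Security event ID 4624) and flags the two tiering violations the list calls out: a Domain Admin account logging on outside Tier 0, and a Server Admin account logging on to a client. The group names, the client naming pattern and the one-day window are assumptions; run it where the Security logs are (on each host, or against a Windows Event Forwarding collector).

```powershell
# Added example (not from the article): detect tiering violations from 4624 logon
# events. Group names, the client naming pattern and the time window are assumptions.

$Tier0Accounts = (Get-ADGroupMember -Identity 'Domain Admins' -Recursive).SamAccountName
$Tier1Accounts = (Get-ADGroupMember -Identity 'Server Admins' -Recursive).SamAccountName
$Tier0Hosts    = (Get-ADDomainController -Filter *).Name   # DCs; add other Tier-0 hosts here
$ClientPattern = '^PC-'                                    # assumed client naming convention
$LogSource     = $env:COMPUTERNAME                         # or the WEF collector name

# Logon types that leave reusable credentials (a token) on the host. Pure network
# logons (type 3) are excluded: they do not cache a token in the same way.
$RiskyLogonTypes = 2, 7, 10, 11   # Interactive, Unlock, RemoteInteractive, CachedInteractive

$events = Get-WinEvent -ComputerName $LogSource -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

$violations = foreach ($e in $events) {
    $p = $e.Properties
    $user      = $p[5].Value        # TargetUserName
    $logonType = [int]$p[8].Value   # LogonType
    $machine   = $e.MachineName -replace '\..*$'   # host where the logon happened
    if ($logonType -notin $RiskyLogonTypes) { continue }

    if ($user -in $Tier0Accounts -and $machine -notin $Tier0Hosts) {
        [pscustomobject]@{ Time = $e.TimeCreated; Account = $user; Host = $machine
                           Issue = 'Domain Admin logon outside Tier 0' }
    } elseif ($user -in $Tier1Accounts -and $machine -match $ClientPattern) {
        [pscustomobject]@{ Time = $e.TimeCreated; Account = $user; Host = $machine
                           Issue = 'Server Admin logon on a client' }
    }
}

if ($violations) { $violations | Sort-Object Time | Format-Table -AutoSize }
else { Write-Host "OK: no tiering violations in the last 24 hours on $LogSource" }
```

A single hit is worth a conversation with the admin in question; a hit for an account that no human was using at that time is an incident. Once the "deny log on" rights from authentication silos or Group Policy are in place, the same script doubles as a check that the policy is actually being applied.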
Downloading LAPS from Microsoft Download Center is free and takes less than one hour to implement. It will also ensure that anyone who obtains a local administrator password won't be able to use it to access any other server or client PC. Whenever you require local administrator access on a client PC, request the latest password for that PC from LAPS, and it will generate a new one.
Should you find the built-in tool insufficient or want more functionality, we can help implement our LAPS WebAdmin interface. For example, allow the owner of the client PC or helpdesk staff to request the admin password for a specific PC.
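LAPS only protects a machine if it is actually managing that machine's local Administrator password and rotating it on schedule. The script below is an added example (not the article's or Microsoft's code) that audits LAPS coverage from Active Directory by reading each computer's password-expiration timestamp: no timestamp means the machine has never been managed, and a timestamp well in the past means the client has stopped rotating. It assumes Windows LAPS (attribute msLAPS-PasswordExpirationTime); the legacy LAPS download uses ms-Mcs-AdmPwdExpirationTime instead, and the grace period is an assumption.

```powershell
# Added example (not from the article): audit LAPS coverage from AD.
# Assumes Windows LAPS; for legacy LAPS set $attr to 'ms-Mcs-AdmPwdExpirationTime'.

$attr      = 'msLAPS-PasswordExpirationTime'
$graceDays = 7       # assumed: how long past expiry before we call it "not rotating"
$now       = Get-Date

$report = Get-ADComputer -Filter 'Enabled -eq $true' -Properties $attr |
    ForEach-Object {
        $raw = $_.$attr
        # The attribute is a Windows FILETIME (Int64); empty means never set by LAPS.
        $expires = if ($raw) { [DateTime]::FromFileTimeUtc([int64]$raw).ToLocalTime() } else { $null }
        $state = if (-not $expires) { 'NoLapsPassword' }
                 elseif ($expires -lt $now.AddDays(-$graceDays)) { 'StaleRotation' }
                 else { 'OK' }
        [pscustomobject]@{ Computer = $_.Name; Expires = $expires; State = $state }
    }

# Summary per state, then the list of machines that need attention.
$report | Group-Object State | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object State -ne 'OK' | Sort-Object Expires | Format-Table -AutoSize

# Day-to-day use: read the password for one client when it is needed and expire
# it immediately afterwards so it is single-use (Windows LAPS cmdlets; the legacy
# equivalents are Get-AdmPwdPassword and Reset-AdmPwdPassword).
#   Get-LapsADPassword -Identity PC-0042 -AsPlainText
#   Set-LapsADPasswordExpirationTime -Identity PC-0042
```

Machines that report NoLapsPassword are the ones an attacker is hoping for: whatever local Administrator password they carry is probably the same image-time password as every other unmanaged machine, which is exactly the lateral-movement path LAPS exists to close.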
3. Protect the Identity of User Accounts and Remote Access
Enable MFA for all user accounts in the cloud, and on-prem remote solutions, like VPN. Using MFA will help mitigate password spray attacks and minimize the attack surface for externally exposed services. Most VPN providers either have native support for MFA or can use radius servers for the same effect. Other services, like websites and remote access solutions, such as Citrix or remote desktop services, can also be protected with MFA to strengthen your security posture.
Make sure you synchronize only what you need: use Azure AD Sync for regular user accounts, with Password Writeback. Don't synchronize any administrative accounts, only user accounts.
A user account should never have administrative roles in Azure AD or Office 365; make sure to use separate admin accounts. Should your on-prem account get hacked, you don't want the threat actor to have full admin access in the cloud.
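The two rules above (synchronize only regular users, never give a synced account a cloud admin role) are easy to state and easy to drift from. The following is an added example, not code from the article, that audits the cloud side: it lists every member of an Azure AD (Entra ID) directory role whose account is synchronized from on-premises AD. It assumes the Microsoft Graph PowerShell SDK (the Microsoft.Graph module) is installed and that you can consent to the read-only Directory.Read.All scope.

```powershell
# Added example (not from the article): find directory-role members that are
# synced from on-prem AD. Each hit should be replaced by a cloud-only admin account.
# Assumes the Microsoft.Graph PowerShell module.

Connect-MgGraph -Scopes 'Directory.Read.All' | Out-Null

# Get-MgDirectoryRole returns the roles that have been activated in the tenant.
$findings = foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Members can be users, groups or service principals; only users are synced.
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

        $user = Get-MgUser -UserId $member.Id -Property Id, UserPrincipalName, OnPremisesSyncEnabled
        if ($user.OnPremisesSyncEnabled) {
            [pscustomobject]@{
                Role  = $role.DisplayName
                User  = $user.UserPrincipalName
                Issue = 'Synchronized on-prem account holds a cloud admin role'
            }
        }
    }
}

if ($findings) { $findings | Sort-Object Role, User | Format-Table -AutoSize }
else { Write-Host 'OK: no synchronized accounts hold directory roles' }
```

Groups that are members of a role are skipped here; if you assign roles through groups, expand those groups with Get-MgGroupMember and apply the same OnPremisesSyncEnabled check to their user members.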
4. Implement Automatic Patching of all Internet-Facing Services
It's better to fix problems arising during a bad patch than to be unprotected and get hacked. Any internet-facing server or service that doesn't support automatic patching must be handled manually and patched the same day a patch is released. To avoid human error and reduce administrative work, replace the product with one that supports automatic patching.
Ensure that no management interfaces are accidentally published externally. All admin interfaces should be accessible only from Privileged Access Workstations (PAWs) to minimize exposure, because in most cases the admin interface is where the vulnerabilities are.
When we set up patching for customers, we configure automatic patching of critical and security patches on Day 0 for internet-facing systems and 3-5 days later for the production environment. That gives the vendors enough time to fix issues before it's rolled out to most systems and minimizes risk. Deploying patches on Saturday gives you time to resolve any issues or roll back on Saturday-Sunday before it impacts users.
We never patch anything manually; Windows Server's built-in WSUS role is sufficient to manage that with some configuration and tuning.
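The Day 0 / Day 3-5 staging described above can be expressed as one small WSUS approval script run daily as a scheduled task on the WSUS server. The following is an added example, not code from the article: Critical and Security updates are approved for the internet-facing group as soon as they arrive, and for the production group once they have been on the server for a configurable number of days. The two computer-group names and the four-day delay are assumptions; the Saturday install window is set on the clients by Windows Update policy and is not part of this script.

```powershell
# Added example (not from the article): staged WSUS approvals.
# Assumes the UpdateServices module (installed with the WSUS role) and two
# existing computer groups with these placeholder names.

$EdgeGroup     = 'Internet-Facing'
$ProdGroup     = 'Production'
$ProdDelayDays = 4                  # 3-5 days after Day 0 (assumption)
$now           = Get-Date

$wsus   = Get-WsusServer
$groups = $wsus.GetComputerTargetGroups()
$edge   = $groups | Where-Object Name -eq $EdgeGroup
$prod   = $groups | Where-Object Name -eq $ProdGroup
if (-not $edge -or -not $prod) { throw "Computer groups '$EdgeGroup' and '$ProdGroup' must exist" }

# Only Critical and Security updates that at least one computer still needs.
$updates  = @(Get-WsusUpdate -Classification Critical -Approval AnyExceptDeclined -Status FailedOrNeeded)
$updates += @(Get-WsusUpdate -Classification Security -Approval AnyExceptDeclined -Status FailedOrNeeded)

foreach ($u in $updates) {
    $iu = $u.Update                                    # Microsoft.UpdateServices.Administration.IUpdate
    if ($iu.IsSuperseded) { continue }                 # let the newer update flow instead
    if ($iu.RequiresLicenseAgreementAcceptance) { $iu.AcceptLicenseAgreement() }

    $approvedFor = @($iu.GetUpdateApprovals() | ForEach-Object { $_.ComputerTargetGroupId })
    $ageDays     = ($now - $iu.ArrivalDate).TotalDays

    # Day 0: internet-facing systems get every new Critical/Security update immediately.
    if ($edge.Id -notin $approvedFor) {
        $iu.Approve('Install', $edge) | Out-Null
        Write-Host "Approved for $EdgeGroup : $($iu.Title)"
    }
    # Day 3-5: production follows once the update has aged without being pulled.
    if ($ageDays -ge $ProdDelayDays -and $prod.Id -notin $approvedFor) {
        $iu.Approve('Install', $prod) | Out-Null
        Write-Host "Approved for $ProdGroup : $($iu.Title)"
    }
}
```

Updates that a vendor withdraws within the delay window simply never reach the production group, which is the point of the staging: the internet-facing systems absorb the risk of a bad patch where the risk of not patching is highest, and the rest of the estate inherits a patch that has already survived a few days in the field.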
Keeping third-party applications up to date is also critical. There are many vulnerabilities in third-party products, including but not limited to VPN applications, productivity tools, and utilities used by end-users.
Should you rely heavily on TeamViewer or similar remote administrative tools, ensure it's always up to date as there have been many vulnerabilities in that product. Above all, make sure your products are still receiving patches and aren't out of extended support.
5. Endpoint Detection and Response
Deploy an EDR (such as Defender for Endpoint) solution to your clients and servers. If possible, monitor Active Directory events using Defender for Identity, which will help greatly against malicious threat actor activities.
Our strongest recommendation is to use a SOC that offers 24/7 monitoring of your EDR. Threat actors operate around the clock; your defense should too. It may be too late if there's an alert in the EDR and no one acts within an hour. SIEM is not enough; you also need the R – respond – in EDR to isolate and mitigate threats. Therefore, active monitoring is a must-have in today’s world to stay safe.
Summary of Steps to Avoid Ransomware
You may think all the above is NSA, NASA, or bank-level security, but we argue that it's standard IT hygiene that all companies should do to stay protected in a modern, digitalized world. Most importantly, besides EDR and MFA, there's no investment required. It's all about utilizing the functionality you already have.
There's always more that can be done, but by taking these steps to complete the above-noted recommendations for IT hygiene, you'll be much better protected than before. The threat actor may even decide to pick an easier target, or make enough noise (hence the speed bumps and restrictions) that they are easier to detect in time.
To summarize, here are the key actions to avoid ransomware (in no particular order as we recommend you do them all):
- Implement EDR and preferably also Defender for Identity.
- Implement Tiering and LAPS, plus MFA, on all external access.
- Automatic patching of all internet-facing systems on Day 0 and the remaining systems 3-5 days later.
- Isolate your Virtualization Hosts, storage, backup servers, and other management interfaces on a separate VLAN.
- Use Privileged Access Workstations (PAWs) to access your isolated systems.
Learn more about ransomware prevention and the services we provide to boost your ransomware attack resilience.