Full Report
Written by: Matthew McWhirt, Omar ElAhdan, Glenn Staniforth, Brian Meyer

Multi-faceted extortion via ransomware and/or data theft is a popular end goal for attackers, representing a global threat targeting organizations in all industries. The impact of a successful ransomware event can be material to an organization, including the loss of access to data and systems and prolonged operational outages. The potential downtime, coupled with unforeseen expenses for restoration, recovery, and implementation of new security processes and controls, can be overwhelming.

Since the initial launch of our report in 2019, data theft and ransomware deployment tactics have continued to evolve and escalate. This evolution marks a shift from manual or script-based ransomware deployment to sophisticated, large-scale operations, including:

- Weaponizing Trusted Service Infrastructure (TSI): Adversaries are increasingly abusing legitimate infrastructure and security tools (TSI) to rapidly propagate malware or ransomware across entire networks.
- Targeting Virtualization Platforms: Attackers are actively focusing on the virtualization layer, aiming to mass-encrypt virtual machines (VMs) and other critical systems at scale.
- Targeting Backup Data / Platforms: Threat actors are exploiting misconfigurations or security gaps in backup systems to either erase or corrupt data backups, severely hindering recovery efforts.

Based upon these newer techniques, it is critical that organizations identify the span of the attack surface and align proper security controls and visibility that include coverage for protecting:

- Identities
- Endpoints
- Network Architectures
- Remote Access Platforms
- Trusted Service Infrastructure (TSI)

Cascading weaknesses across these layers create opportunities for attackers to breach an organization's perimeter, gain initial access, and maintain a persistent foothold within the compromised network.

In our updated report, Ransomware Protection and Containment Strategies, we have expanded the strategies organizations can proactively take to identify gaps and harden their environment(s) to prevent the downstream impact of a ransomware event. The strategies represent practical and scalable methods of protecting organizations, and are the same strategies that Mandiant leverages when working with clients across the globe. The report covers several areas to help organizations mitigate the risk of and contain ransomware events, including:

- Attack Surface Identification and Reduction
- Endpoint Hardening
- Credential Protections
- Domain Controller Protections
- Group Policy Objects (GPOs)
- Virtualization Infrastructure Protections
- Backup Infrastructure Protections

If you are reading this report to aid your organization's response to an existing ransomware event, it is important to understand how the ransomware was deployed through the environment and design your ransomware response appropriately. This guide should help organizations in that process.

Download the report today.

*Note: The recommendations in this report can help organizations mitigate the risk of and contain ransomware events. However, this report does not cover all aspects of a ransomware incident response. We do not discuss investigative techniques to identify and remove backdoors (ransomware operators often have multiple backdoors into victim environments), communicating and negotiating with threat actors, or recovering data once a decryptor is provided.
Analysis Summary
# Best Practices: Ransomware Protection and Containment
## Overview
These practices address the evolution of modern ransomware attacks, specifically the shift from manual, script-based deployment to large-scale operations. They focus on neutralizing threat actor tactics such as weaponizing Trusted Service Infrastructure (TSI), compromising the virtualization layer, and sabotaging backup systems to prevent recovery.
## Key Recommendations
### Immediate Actions
1. **Secure Backup Access:** Change administrative passwords for backup consoles and implement Multi-Factor Authentication (MFA) on all backup platform access points immediately.
2. **Audit Highly Privileged Accounts:** Review and reduce membership of Domain Admins and Enterprise Admins, expanding nested groups so that indirect members are not missed. Ensure no service accounts (accounts with a Service Principal Name or a non-expiring password) hold these privileges.
3. **Disable Unnecessary Remote Access:** Shut down unused VPN tunnels and decommission legacy remote access platforms that do not support modern MFA.
4. **Harden TSI:** Identify "Trusted Service Infrastructure" (e.g., SCCM, PDQ Deploy, RMM tools) and restrict who can push scripts or software to the entire fleet.
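The privileged-account audit in item 2, as an added example (this script is not from the Mandiant report): it expands the built-in Tier 0 groups recursively and flags members that look like service accounts (an SPN set, password never expires) or stale admins. The 90-day staleness threshold and the output file name are assumptions; it needs the ActiveDirectory RSAT module and read access to the domain.

```powershell
# Added example, not from the report: enumerate Tier 0 group membership and flag
# accounts that look like service accounts or unused admin accounts.
# Requires the ActiveDirectory RSAT module; read-only against the domain.
Import-Module ActiveDirectory

# Built-in groups whose members are effectively domain-wide administrators.
$tier0Groups = @('Enterprise Admins', 'Domain Admins', 'Schema Admins', 'Administrators')
$staleDays   = 90   # assumption: an admin account with no logon for 90 days is a removal candidate

$findings = foreach ($group in $tier0Groups) {
    # -Recursive expands nested groups, so rights granted via nesting are not missed.
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.distinguishedName -Properties `
            ServicePrincipalName, PasswordNeverExpires, PasswordLastSet, LastLogonDate, Enabled, Description

        [pscustomobject]@{
            Group                = $group
            SamAccountName       = $u.SamAccountName
            Enabled              = $u.Enabled
            # An SPN on a privileged user means a Kerberoastable service account holds Tier 0 rights.
            HasSPN               = ($u.ServicePrincipalName.Count -gt 0)
            PasswordNeverExpires = $u.PasswordNeverExpires
            PasswordAgeDays      = if ($u.PasswordLastSet) { (New-TimeSpan -Start $u.PasswordLastSet).Days } else { $null }
            LastLogonDate        = $u.LastLogonDate
            Stale                = (-not $u.LastLogonDate) -or ($u.LastLogonDate -lt (Get-Date).AddDays(-$staleDays))
            Description          = $u.Description
        }
    }
}

# Review first: anything with an SPN, a non-expiring password, or no recent logon.
$findings |
    Sort-Object Group, SamAccountName -Unique |
    Where-Object { $_.HasSPN -or $_.PasswordNeverExpires -or $_.Stale } |
    Format-Table -AutoSize

# Full membership snapshot for the change ticket (path is an assumption).
$findings | Export-Csv -Path .\tier0-members.csv -NoTypeInformation
```

Run it from a management host before and after the clean-up so the CSV documents what was removed. The `Administrators` group is included because its members can log on to Domain Controllers even when they are not Domain Admins.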
### Short-term Improvements (1-3 months)
1. **Endpoint Hardening:** Deploy Attack Surface Reduction (ASR) rules and ensure EDR tools are in "Enforcement/Prevention" mode rather than "Audit" mode.
2. **Credential Protection:** Enable Credential Guard on Windows so that NTLM hashes and Kerberos tickets are isolated from LSASS, and stop credentials from being stored in recoverable form on endpoints: disable WDigest cleartext caching (`UseLogonCredential = 0`) and move service accounts out of LSA Secrets onto group Managed Service Accounts where the service supports them.
3. **Virtualization Security:** Segment the Management Network for hypervisors (ESXi, Hyper-V). Ensure the management interface is not accessible from the general workstation network.
4. **GPO Audit:** Review Group Policy Objects for settings that grant local admin rights broadly (Restricted Groups, Group Policy Preferences Local Users and Groups) and for scheduled-task or startup-script settings, and review who can edit the GPOs linked at the domain root and the Domain Controllers OU. An attacker who can edit a domain-linked GPO can push a payload to every machine in one step, so edit rights on those GPOs are Tier 0.
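The GPO audit in item 4, as an added example (not from the Mandiant report): it lists who holds edit rights on every GPO linked at the domain root or the Domain Controllers OU, then scans the XML report of all GPOs for the extensions that change local group membership or create tasks. The `$expectedEditors` list and the substring patterns are assumptions (the pattern match is a heuristic on element names in the report XML, not a full parse); it needs the GroupPolicy and ActiveDirectory RSAT modules.

```powershell
# Added example, not from the report: audit Group Policy for two ransomware-relevant conditions.
# (1) GPOs linked at the domain root or Domain Controllers OU reach every machine or every DC:
#     who can edit them?
# (2) Which GPOs change local group membership or create tasks, the usual vehicles for
#     pushing local admin rights or a payload fleet-wide?
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$highImpact = @($domain.DistinguishedName, $domain.DomainControllersContainer)

# Assumption: these are the only trustees expected to hold edit rights; anyone else is a finding.
$expectedEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM', 'ENTERPRISE DOMAIN CONTROLLERS')

# 1. Edit rights on the GPOs that reach every machine / every DC.
$linked = foreach ($target in $highImpact) {
    (Get-GPInheritance -Target $target).GpoLinks | ForEach-Object {
        $link    = $_
        $gpo     = Get-GPO -Guid $link.GpoId
        $editors = Get-GPPermission -Guid $link.GpoId -All |
            Where-Object { "$($_.Permission)" -in 'GpoEdit', 'GpoEditDeleteModifySecurity' } |
            ForEach-Object { $_.Trustee.Name }
        [pscustomobject]@{
            LinkedTo   = $target
            Gpo        = $gpo.DisplayName
            Enabled    = $link.Enabled
            Unexpected = ($editors | Where-Object { $_ -notin $expectedEditors }) -join ', '
        }
    }
}
$linked | Format-Table -AutoSize

# 2. GPOs that touch local groups or tasks. Heuristic: substring match on the
#    client-side-extension element names that appear in the XML report.
$patterns = @{
    'RestrictedGroups'    = 'Restricted Groups (local group membership)'
    'LocalUsersAndGroups' = 'GPP Local Users and Groups'
    'ScheduledTasks'      = 'GPP Scheduled / Immediate Tasks'
}
$riskyGpos = foreach ($gpo in Get-GPO -All) {
    $xml  = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $hits = $patterns.Keys | Where-Object { $xml -match $_ } | ForEach-Object { $patterns[$_] }
    if ($hits) {
        [pscustomobject]@{
            Gpo      = $gpo.DisplayName
            Modified = $gpo.ModificationTime
            Touches  = ($hits -join '; ')
        }
    }
}
# Most recently modified first: a fresh edit to a GPO that creates tasks is worth a look.
$riskyGpos | Sort-Object Modified -Descending | Format-Table -AutoSize
```

Treat any non-empty `Unexpected` value on a domain- or DC-linked GPO as a Tier 0 finding, and pair the second table with change history: a GPO that suddenly gains a scheduled task is the same thing a ransomware deployment looks like.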
### Long-term Strategy (3+ months)
1. **Immutable Backups:** Transition to backup solutions that offer "Write-Once-Read-Many" (WORM) or immutable storage to prevent attackers from deleting or encrypting backup data.
2. **Tiered Administrative Model:** Implement a tiered access model (Tier 0, 1, 2) where Domain Admin credentials never touch lower-security workstations or servers.
3. **Zero Trust Architecture:** Pivot network architecture toward micro-segmentation to prevent lateral movement after an initial breach.
## Implementation Guidance
### For Small Organizations
- **Focus on MFA:** Prioritize MFA for every external-facing service.
- **Cloud-First Backups:** Use managed cloud backup providers with built-in versioning and immutability.
- **SaaS Security:** Audit permissions for Office 365/Google Workspace administrators.
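The MFA priority above, and the Conditional Access policy described under Configuration Examples later on the page, as an added example (not from the Mandiant report): it creates a policy requiring MFA and a compliant device for the VPN's Entra ID application, starting in report-only mode. The VPN application ID and the break-glass group ID are placeholders, and the policy assumes the VPN authenticates through an enterprise application in the tenant; it needs the Microsoft.Graph.Identity.SignIns module.

```powershell
# Added example, not from the report: Conditional Access policy for VPN sign-ins that
# requires MFA AND a compliant device, created in report-only mode first.
# Assumptions: the VPN is registered as an enterprise app (placeholder ID below) and a
# break-glass group exists so an MFA or Intune outage cannot lock every admin out.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

$vpnAppId      = '00000000-0000-0000-0000-000000000000'   # placeholder: VPN app's Application (client) ID
$breakGlassGrp = '11111111-1111-1111-1111-111111111111'   # placeholder: object ID of the break-glass group

$policy = @{
    displayName = 'VPN: require MFA and compliant device'
    # Report-only first; switch to 'enabled' after the sign-in logs show no unintended blocks.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @($vpnAppId) }
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGrp) }
    }
    grantControls = @{
        # AND: both controls must be satisfied, not either one.
        operator        = 'AND'
        builtInControls = @('mfa', 'compliantDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Leave the policy in report-only for at least one business cycle and review the "Report-only" tab of the sign-in logs before enforcing it; a device that is not Intune-enrolled will otherwise be cut off from the VPN on the first sign-in after the switch.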
### For Medium Organizations
- **TSI Control:** Centralize software deployment and strictly audit the service accounts used by these tools.
- **Identity Focus:** Deploy a local administrator password solution (e.g., Windows LAPS) so that every endpoint has a unique, rotated local administrator password; a single local admin hash harvested from one host then cannot be replayed across the fleet.
### For Large Enterprises
- **Virtualization Perimeter:** Air-gap or strictly firewall virtualization management consoles (vCenter, Prism).
- **Active Directory Hardening:** Perform deep-dive audits of Domain Controllers and restrict which hosts and accounts can log on to or administer them (dedicated admin workstations, logon restrictions via GPO, no general-purpose software or agents on DCs).
- **Red Teaming:** Regularly test the containment capabilities of the SOC by simulating ransomware lateral movement.
## Configuration Examples
- **Remote Access:** Configure Conditional Access policies to require "Compliant Devices" and MFA for all VPN connections.
- **Endpoint:** Enable LSA protection (`RunAsPPL` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`) so that LSASS runs as a Protected Process Light and unsigned user-mode tools cannot open it to dump credentials. PPL takes effect after a reboot and does not stop an attacker who loads a kernel driver, so pair it with Credential Guard and HVCI.
- **Backups:** Configure an "Air-Gapped" or offline copy of critical data that is updated at least weekly.
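The LSASS protection in the Endpoint item above and the Credential Guard / WDigest settings from the Short-term Improvements section, as an added example (not from the Mandiant report): one function writes the registry values, the other verifies after a reboot that the protections are actually running rather than just configured. The registry paths and values are Microsoft's documented ones; the interpretation of an absent `UseLogonCredential` value as "off" assumes Windows 8.1 / Server 2012 R2 or later. Run elevated.

```powershell
# Added example, not from the report: apply and verify LSA protection (PPL), WDigest
# cleartext caching off, and Credential Guard. All three need a reboot to take effect;
# Credential Guard additionally needs VBS-capable hardware. Run elevated.
$lsa     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$dg      = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'

function Set-LsassHardening {
    # RunAsPPL: 1 = LSA protection with UEFI lock; 2 = without UEFI lock (Windows 11 22H2+).
    Set-ItemProperty -Path $lsa -Name RunAsPPL -Type DWord -Value 1
    # UseLogonCredential = 0: WDigest must not keep cleartext passwords in LSASS memory.
    # Off by default on modern Windows, but attackers set it to 1 and wait for the next logon.
    New-Item -Path $wdigest -Force | Out-Null
    Set-ItemProperty -Path $wdigest -Name UseLogonCredential -Type DWord -Value 0
    # Credential Guard: turn on VBS, then LsaCfgFlags 1 = with UEFI lock, 2 = without.
    New-Item -Path $dg -Force | Out-Null
    Set-ItemProperty -Path $dg -Name EnableVirtualizationBasedSecurity -Type DWord -Value 1
    Set-ItemProperty -Path $lsa -Name LsaCfgFlags -Type DWord -Value 1
}

function Test-LsassHardening {
    # The registry only says "configured"; the event log and WMI say "running" after reboot.
    $runAsPpl = (Get-ItemProperty -Path $lsa -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    $wd       = (Get-ItemProperty -Path $wdigest -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    # Wininit logs System event 12 at boot: "LSASS.exe was started as a protected process with level: 4".
    $pplEvent = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12 } `
                    -MaxEvents 1 -ErrorAction SilentlyContinue
    # Win32_DeviceGuard.SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
    $dgState  = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard

    [pscustomobject]@{
        RunAsPPL_Configured     = ($runAsPpl -in 1, 2)
        LSASS_Protected_AtBoot  = [bool]$pplEvent
        WDigest_CleartextOff    = (($wd -eq 0) -or ($null -eq $wd))   # absent = off on Win 8.1+ (assumption stated above)
        CredentialGuard_Running = (1 -in $dgState.SecurityServicesRunning)
        HVCI_Running            = (2 -in $dgState.SecurityServicesRunning)
    }
}

Set-LsassHardening
Test-LsassHardening   # re-run after the reboot; until then the *_Running and *_AtBoot fields stay False
```

Deploy the `Set-` half via GPO or Intune rather than by hand, and feed the `Test-` output into whatever fleet inventory you already collect: the interesting hosts are those where `RunAsPPL_Configured` is true but `LSASS_Protected_AtBoot` is false (never rebooted, or PPL stripped by a kernel-level tool), and those where Credential Guard is configured but not running because the hardware cannot support VBS.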
## Compliance Alignment
- **NIST Cybersecurity Framework (CSF):** Aligns with "Protect" (Identity Management) and "Recover" (Backup Integrity) functions.
- **CIS Critical Security Controls (v8):** Direct alignment with Control 11 (Data Recovery) and Control 4 (Secure Configuration).
- **ISO/IEC 27001:** Supports Annex A controls regarding access control and information security incident management.
## Common Pitfalls to Avoid
- **"The Backup Illusion":** Assuming backups are safe while they are connected to the main domain with the same admin credentials.
- **TSI Over-Trust:** Leaving security tools (EDRs/Deployment suites) wide open, allowing attackers to use your own security software to deploy ransomware.
- **Audit-Only Mode:** Collecting alerts while EDR and ASR rules remain in audit mode, so nothing blocks execution or isolates the host when a known ransomware behaviour fires.
## Resources
- **Google Cloud/Mandiant Report:** `services.google[.]com/fh/files/misc/ransomware-protection-and-containment-strategies-report-en.pdf`
- **CISA Ransomware Guide:** `cisa[.]gov/stopransomware`
- **NIST Ransomware Resource Center:** `nist[.]gov/ransomware`