|TABLE OF CONTENT|
Ransomware is a type of malware that can target your computer or organizational network and subsequently lock you out of either your data or your computer network, or potentially both. Ransomware will often try to spread itself across the network and infect as many PCs, file services, and database services as possible. The information in the system of the victim will be converted to an unknown form by the attacker in this category of attack. The attacker will ask for a ransom amount from the victim to bring the content to its original form. Law enforcement agencies across the world discourage people from paying ransom demands as it only continues to fuel the appetite of criminals involved in these activities. There are, however, several steps that you can take to prepare for such events. In this blog, we have explored how to mitigate Ransomware attacks using Microsoft Azure tools.
Implementing Best Backup Practices
The best way to handle this situation is to have a good backup of the content. The backup of the organizational data is to be taken at regular intervals. The backup content should be kept in a safe location as there is every chance of a ransomware attack to happen on the same. If the backup content becomes the victim of the target then it will be very difficult to recover the content. Azure Backup Centre can be used to take the backup of the content as shown in figure 1.
Figure 1: Screenshot of Azure Backup Center (Source:-portal.azure.com)
Often hackers will target organizations over a prolonged period of time, which means that backups might also be infected with malware. It is important that you scan your backups for any potential malware. It is advisable to stop malware from entering your network. There are certain types of files that are risker to send and receive via email due to the likelihood that they contain malware (for example, executable files). To make sure these file types don’t get through, enable the common attachment filter. You can use the default list of file types or customize it. The default file types are: .ace, .ani, .app, .docm, .exe, .jar, .reg, .scr, .vbe, .vbs. Messages with the specified attachment types are treated as malware and are automatically quarantined. This can be done by turning on the common attachments filter setting for anti-malware policies in Microsoft 365 Defender portal as shown in figure 2.
Figure:-2 Screenshot of Microsoft 365 Defender portal (Source:-admin.microsoft.com)
Granting Least Privileged Access
The usage of least privileged access will also help reduce the impact the ability of malware has to spread across the network. Administrative roles are used for granting access to privileged actions in Azure AD. It is recommended to use these built-in roles for delegating access to manage broad application configuration permissions without granting access to manage other parts of Azure AD not related to application configuration. This can be done by assigning Azure Active Directory (AD) roles at different scopes. We can get the various roles-related information in Azure AD and choose them for the assignment purpose as shown in below figure 3.
Figure 3: Screenshot of All roles in Azure AD (Source:- portal.azure.com)
Permissions should be reviewed on a regular basis and revoked when necessary. Keeping devices and software regularly patched and updated also helps to stop known vulnerabilities from being exploited by hackers, ensuring you have antivirus or anti-malware products installed across all endpoint devices where possible.
Put Microsoft Defender Endpoint to Action
There is a need for endpoint device management for the handling of ransomware. As there is every chance for these categories of attack to propagate using the endpoint devices. Microsoft Defender for Endpoint can be used as a solution to handle the various endpoint devices. Microsoft Defender for endpoint monitors windows 7, windows 8.1, Windows 10, Windows 11, Mach OS, Android, Linux, iOS devices, and server devices. The Microsoft Defender for Endpoint home page is shown in figure 4.
Figure 4: Screenshot of Microsoft Endpoint Manager admin center (Source:- https://endpoint.microsoft.com/)
Microsoft Azure Firewall at Work
Another service that can be used to prevent ransomware attacks is Azure Firewall. It is a managed cloud-based network security service that protects your Azure Virtual Network resources. Azure Firewall uses a static public IP address for your virtual network resources allowing outside firewalls to identify traffic originating from your virtual network. It ensures that access is restricted to particular IP address ranges. Figure 5 represents the Azure Firewall creation page in the Azure portal.
Figure 5: Screenshot of Azure Firewall in Azure portal (Source:-portal.azure.com)
Investigate Threats with Microsoft 365 Defender Portal
Running attack simulations is another important way to deal with a ransomware attack. It can allow you to revise your incident management plan accordingly. The realistic attack scenario can be created by attack simulations in Microsoft 365 Defender portal to investigate the threats. This will be very useful to provide a response in case of attacks of this category. Below figure 6 shows the Attack simulation training page in Microsoft 365 Defender.
Figure 6: Screenshot of Attack simulation training in Microsoft 365 Defender portal (Source:- https://security.microsoft.com/attacksimulator)
You will also need to check that your backups have not been infected during the attack. All the endpoints that are known to be infected should be wiped and reinstalled as needed. It’s important to identify the strain of ransomware which has infected your computer network to ensure you have the appropriate tools needed to remove the malware. There might be a number of other endpoint devices that have dormant malware waiting to execute, so it’s best to assume that all connected devices could have been exposed to the malware. Where possible, it’s best to reinstall software and operating systems from fresh rather than restoring from backups.
There are websites that can potentially help to remove ransomware, such as STOP RANSOMWARE. Figure 7 shows the home page of STOP RANSOMWARE. The cyberattack victims can try to use the help of this category of resources.
Figure 7: STOP RANSOMWARE Website Home Page Screenshot (Source:- https://www.cisa.gov/stopransomware)
CloudThat is a pioneer in the cloud-computing sphere in India with expertise in training and consulting services since 2012. The hallmark of our quality is evident with the strategic partnerships we have with major public cloud providers like AWS, Azure, GCP (Google Cloud Platform), and VMware.
We are a Microsoft Gold Partner, AWS Advanced Tier Partner, AWS DevOps Services Competency Partner, Authorized AWS Training Partner, Google Cloud Partner, and Authorized VMware Training Reseller. We are accoladed with Microsoft Partner of the Year Finalist-2022, Microsoft Learning Partner of the Year Finalist-2020, Winner of Microsoft Learning Partner of the Year Award-2017 a rare accomplishment for any organization.
Renowned as the first Cloud training & consulting organization from India, in our 10+ years of illustrative journey, we have delivered 200+ projects by serving clients from across the globe spanning 28+ countries and trained 5 Lakh professionals.
Q) What is ransomware and how do malicious cyber actors use ransomware to attack their victims?
A) Ransomware is an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption.
Q) What are other best practices against ransomware?
A) Some of the best practices against ransomware attacks are the implementation of awareness and training programs, Categorizing data based on organizational value, and Patch operating systems, software, and firmware on devices.