Getting Specific with Ransomware Preparedness

by Michael Polise | Oct 1, 2020


Most industry ransomware guidance is focused on SMB protections for commodity malware that exploits low-hanging fruit via worming and trashing share drives and document folders. “Have good backups” is still good advice, but there is much more we can do and with more specificity.

Major industry ransomware attacks resulting in catastrophic operational impacts are often due to privileged accounts being compromised and abused to issue broad network instructions that deploy encryption tools throughout the environment. Many technologies can limit what privileged accounts may do, but those privileges are frequently highly consolidated in a few accounts, so the organization remains at risk. Attackers are increasingly destroying systems and/or exfiltrating sensitive data to further extort payments.

The escalation path of a ransomware attack across the kill chain.

The CL0P group is known for several ransomware attacks in the past year, most notably their attack against ExecuPharm where they stole and destroyed data. The attack against Cognizant is a prominent example of how crippling a ransomware attack can be on an organization. This incident resulted in significant financial impacts with estimated losses between $50m-$70m along with difficult-to-quantify reputation damage.

Organizations need more specific action to help prevent these types of losses. This post aims to outline specific technology and process controls to improve our detection, prevention, and preparedness for ransomware attacks.


Backup and Storage Teams

  1. Use vendor-provided hardening guides for backup systems.
    1. An example of a guide can be found here.
  2. Guides include access controls for the backup system.
    1. Some platforms can generate SIEM alerts when backup routines have changed or are deleted.
  3. Settings can affect MFA capabilities.
    1. Some backup systems can also generate MFA challenges within the application when key settings are changed.
  4. Use snapshots and immutable snap lock solutions.
    1. In production servers, set snapshot volumes to a high frequency to capture changes on a frequent basis. Publishing snapshot directories for your organization ahead of time can enable self-service rollbacks at scale when safely using snap lock settings. Educate your organization ahead of time on how to use snapshots and restoration procedures.
  5. Domain-joined backup systems can fall in a ransomware attack.
    1. Consider having backup systems and their storage unit controllers not joined to the domain to insulate them.
  6. Use offline backups as a secondary backup mechanism.
    1. Since online backups can become infected, creating offline backups provides an additional layer by effectively segmenting backups of critical systems and data to avoid corruption during a ransomware event.
  7. Data management tools can aid resilience against ransomware.
    1. Tools such as Varonis can be effective in assisting with resilience against ransomware attacks. Their ransomware modules detect changes and keep file versioning in place for rollback.
  8. Exercise recovery procedures and have a plan.
    1. Maintain a list of the priority of systems and test restore speed from backup. Have a plan to rebuild workstations at scale and increase IT Operations support.
  9. Inform staff how to safely restore their files at scale.
    1. Socialize self-service features such as viewable snapshots or Microsoft OneDrive. Prepare your helpdesk and support teams to work alongside cybersecurity during recovery.


Applications Management and Change Management

MFA…enough said, right? MFA must be used consistently and more effectively. Do not forget to disable basic authentication, which can be used to bypass MFA. Consider implementing conditional access to restrict access further on Office 365.

  1. Privileged access management is a must-have.
    • Passwords need to be one-time, have a short lifespan, and domain admins should never hold passwords on their computers or their clipboards.
    • Require HashiCorp Vault for secrets management and fully segment use of privileged accounts within applications and containers. Never hard-code secrets into source code or store them in a non-secure shared manner. Do not use or share accounts across different tasks (e.g., TSGOps). Create a new account for each task with least-privilege roles.
    • Require MFA prior to accessing Domain Admin, DBO, or Enterprise Admin accounts. Enforce it vigorously on all cloud service provider (CSP) privileged accounts and restrict those privileges to accountable platform teams rather than developers. Beware of DA-like privileges and use account discovery tools to look for non-DA accounts that may have widespread local admin rights. Privileged access management tools have discovery capabilities to help identify privileged Windows credentials.
    • Microsoft’s segmentation of administrative rights with the PAW (privileged access workstation) model can be effective against ransomware: administrators and special accounts operate only from dedicated privileged access workstations. These PAW kiosk workstations should not be allowed to use the Internet, receive email, or be pingable from any other devices on the network. Your PAM tool should not be accessible except from this PAW network (the clean source principle), and likewise, your servers and systems management interfaces should not be accessible except from your PAM platform.
    • Use advanced PAM features to examine and manage application context privileges (running as admin) as well as system to system accounts and interfaces.
    • In addition to tightly managing DA privileges, vault and rotate local admin credentials including built-in admin accounts. This can be accomplished through CyberArk. Microsoft also provides a free solution (LAPS).
  2. Review UNIX reliance on NFS and consider how quickly immutable snapshots can restore those shares.
    1. Maintaining backups is a fundamental strategy intended to support operational continuity. However, without the proper considerations a ransomware event can render your backups useless.
  3. Review your change management strategy.
    1. Change management based on the clean source strategy and a Red Forest/ESAE-style architecture with well-thought-out trust levels makes ransomware compromise significantly more challenging for an attacker while increasing your operational resilience. The ESAE Active Directory architecture introduces segmentation to isolate privileged credentials. Additional details around this architecture and enhanced change management strategy can be found here.


Finance, Legal, and Compliance Teams

  1. Include ransomware as a scenario in your next incident response tabletop exercise.
    1. We recommend that you have your cyber insurance, retained forensics, and retained legal counsel vendors defined and rehearsed with a tabletop. Make sure your scenario also includes corporate communications to test your communications plan.
  2. Cybersecurity and Senior management with key control functions (legal, finance, technology, security) must establish a defined payment procedure ahead of time.
    1. This process should prepare for financial payment approvals and decisions on how to involve law enforcement. Engaging a third-party vendor capable of making the payment, if payment is determined appropriate, brings experience that can help negotiate or de-risk the situation. Verify their crypto wallets with your finance and AML/KYC process.


SOC Team

  1. Create and tune alerts in your SIEM to monitor the following:
    • Privileged account use
    • File creation with ransomware extensions, including but not limited to, .crypto, .kratos, .ecc, .exx, .encrypted, .locked, .locky, .wcry, or an extension with random characters
    • Detection of a single process writing to many files
    • Use of PsExec, Mimikatz, Cobalt Strike, and Bloodhound
    • Use of encoded PowerShell commands
    • Ransomware IOCs from threat intel sources
  2. Perform attack simulations to model attacker TTPs.
    1. Regularly perform attack simulations, including Purple Teams, to model attacker TTPs and evaluate the effectiveness of your controls in detecting activities that could lead to a compromise of admin credentials – Pass the Hash, Kerberoasting, retrieving an Active Directory database, etc.
  3. Data Access Monitoring tools can help detect ransomware attacks.
    1. When correctly configured, these tools can apply an aggressive response process to anomalous file browsing, which is where attackers try to exfiltrate data to create greater leverage. Detection can be based on file classification for targeted monitoring of sensitive data, or applied more broadly.
  4. Monitor for less common IOCs and terminate processes.
    1. Monitor for common IOCs associated with known ransomware campaigns but also for specific IOCs such as ransom notes that might include Bitcoin addresses, TOR URLs, etc. Use EDR automation to terminate processes that try to create these items.
  5. Turn on prevention mode in EDR.
    1. An effective EDR toolset is invaluable when it comes to protecting against ransomware attacks. Work with IT Ops to identify legitimate needs for encoded PowerShell within the environment and allow it only on an exception basis.
  6. Automate PsKill to neutralize PsExec threats.
    1. The use of PsExec to deploy ransomware across a network is the most commonly used mechanism for distributing ransomware. Automate the opposite command, PsKill, as a scripted way to neutralize PsExec threats. Many response teams have not learned to do this yet.
      • Consider disabling remote execution through PsExec where possible and only allow it explicitly. Regardless, make sure your EDR is configured to detect PsExec usage.
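As an added illustration of the SIEM alert list above (not code from the original post), the following Python runs four of those rules over constructed sample endpoint events: known ransomware extensions or random-looking extensions, a single process writing to many files in a short window, use of PsExec-style tooling, and encoded PowerShell command lines (which it decodes for the analyst). The event tuple layout, tool name list and thresholds are assumptions for the example.

```python
import base64
import re
from collections import defaultdict

# Constructed sample events, not real telemetry: (time_s, host, process, action, detail).
# action is "file_write" (detail = path) or "proc_create" (detail = command line).
ENC_PAYLOAD = base64.b64encode("Get-Process".encode("utf-16le")).decode()
EVENTS = [
    (100, "ws01", "winword.exe", "file_write", r"C:\Users\a\Documents\q1.docx"),
    (105, "ws01", "svchost.exe", "file_write", r"C:\Users\a\Documents\q1.docx.locky"),
    (120, "srv02", "psexesvc.exe", "proc_create", "psexesvc.exe"),
    (121, "srv02", "powershell.exe", "proc_create", f"powershell.exe -nop -w hidden -enc {ENC_PAYLOAD}"),
] + [(200 + i, "ws03", "update.exe", "file_write", rf"C:\Share\doc{i}.xlsx.a7f3k9q") for i in range(30)]

RANSOM_EXTS = {".crypto", ".kratos", ".ecc", ".exx", ".encrypted", ".locked", ".locky", ".wcry"}
TOOL_NAMES = {"psexec.exe", "psexesvc.exe", "mimikatz.exe", "sharphound.exe"}  # assumed watch list
ENC_FLAG = re.compile(r"\s-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

def suspicious_extension(path):
    """True for a known ransomware extension, or a long alphanumeric one that contains digits."""
    ext = re.search(r"(\.[^.\\/]+)$", path)
    if not ext:
        return False
    e = ext.group(1).lower()
    return e in RANSOM_EXTS or bool(re.fullmatch(r"\.[a-z0-9]{6,}", e) and re.search(r"\d", e))

def decode_encoded_powershell(cmdline):
    """Return the decoded -EncodedCommand script (UTF-16LE base64), or None if there is none."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"

def detect(events, window_s=60, max_files=20):
    """Return (rule, host, process, detail) alerts for the rules described above."""
    alerts, writes = [], defaultdict(list)
    for t, host, proc, action, detail in events:
        if action == "file_write":
            writes[(host, proc)].append((t, detail))
            if suspicious_extension(detail):
                alerts.append(("ransom_extension", host, proc, detail))
        elif action == "proc_create":
            if proc.lower() in TOOL_NAMES:
                alerts.append(("attack_tool", host, proc, detail))
            decoded = decode_encoded_powershell(detail)
            if decoded is not None:
                alerts.append(("encoded_powershell", host, proc, decoded))
    # Burst rule: one process touching >= max_files distinct paths inside a sliding time window.
    for (host, proc), items in writes.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            paths = {p for t, p in items[i:] if t <= t0 + window_s}
            if len(paths) >= max_files:
                alerts.append(("mass_file_write", host, proc, f"{len(paths)} files in {window_s}s"))
                break
    return alerts
```

In a real deployment the burst threshold and window should be tuned per host role, since backup agents and build servers legitimately write many files quickly.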
Michael Polise
Director, MSIA

Mike specializes in program strategy and execution for Blue Team controls. He has a broad focus across capabilities such as logging and monitoring, data protection, endpoint, perimeter, cloud, and data security with an emphasis on architecture and engineering.

Mike has extensive experience encompassing a wide range of technical and procedural controls, including program development. His experience allows him to focus on long-term strategic goals by identifying cross-platform synergies and developing comprehensive, effective approaches for defending against today’s security threats.