Best practices for preventing ransomware attacks

09 April 2024

Protecting your IT systems from ransomware attacks is a challenge, as the technical platforms used to process, transmit and store sensitive data can consist of on-premises datacenters, virtual environments hosted by a cloud service provider, and SaaS services. In this article, I describe a general approach to preventing ransomware attacks, and which security controls should be used in Azure to protect your environment.

About the author: My name is Martin Dahlborg and I’ve been working as an IT security architect since 2009, and with cloud security specifically since 2017. Since then, I’ve worked as a consultant with banks, global brands, and organizations that have stringent security requirements. My main areas of expertise are information security policies, compliance, risk management, security architecture, and analysis of security postures in Azure, M365, AWS as well as GCP. Certifications: CISSP, IASA certified IT architect, SC-100, AZ-500.

Introduction to ransomware and data loss

A ransomware attack is when cybercriminals encrypt or delete data, then demand a ransom payment (usually in bitcoin) to restore it. Threat actors use techniques such as phishing to find a way into an organization’s network and systems. Their end goal is to eventually gain access to a privileged account, which could be a domain administrator in Active Directory, a global admin account in Entra ID (Azure AD), an account with the Owner role in IAM on Azure subscriptions, or the root account on Linux systems.

Here is a short list of well-known cases, and some additional figures, that put the severity of the problem and how widespread these attacks are into context:

  • CNA Financial is one of the largest insurance companies in the US, and is said to have paid $40 million in ransom following an attack in March 2021.
  • JBS Foods is the largest beef producer in the world, and was attacked in May 2021; it is said to have paid $11 million in ransom. Operations at their meat processing plants were temporarily shut down in the US, Canada, and Australia.
  • The UK’s Financial Conduct Authority (FCA) has stated that ransomware attacks against financial firms doubled during 2023.
  • Globally, an estimated $1.1 billion was paid in ransom during 2023, amid a recent surge in cloud ransomware attacks.

Risk (in the context of IT security) is the product of the probability of an incident occurring and the severity of the consequences if it does. Therefore, it’s necessary to consider what the main consequences of ransomware attacks can be. These are some examples of how organizations are affected:

  • Data loss as data becomes inaccessible
  • Exfiltration/theft of customer data
  • Theft of intellectual property
  • Business disruption causing loss of revenue during the time it takes to recover
  • Costs related to managing the security incident response, and possible ransom payments
  • Loss of customers, and partnerships, due to reputational damages

Of these, data loss is the most severe consequence, since it might force the business to cease operations. Many organizations can’t continue to function without access to the information they require, and ransomware strikes at exactly those core business processes.

Defending against ransomware attacks

Security incidents that lead to a compromise happen because some sort of vulnerability is exploited. Vulnerabilities are mainly caused by misconfigurations, and by security issues in software source code, when security best practices aren’t followed. The main approach for IT security architects is to prevent vulnerabilities by building security from the ground up in layers, with compensating controls that will still prevent an attacker from gaining a foothold in IT systems if there is a failure in one layer. Failing that, the aim is at least to ensure that a potential ransomware incident is detected immediately and can be responded to before the worst-case scenario comes true.

IT security architects work to ensure that the types of environments and services listed below have been secured, i.e. that they are managed according to governance and security best practices:

  • On-premises datacenters (physical locations)
  • Cloud environments (victim’s Azure tenant and subscriptions)
  • M365 environment and cloud storage (Exchange Online, SharePoint, Teams, OneDrive)
  • 3rd party SaaS solutions used by the organization to process information and store data

Information security frameworks define the security controls that an organization should implement, and each framework goes into detail regarding specific security requirements. These security controls (such as vulnerability management, network access control, IAM, encryption, IT security monitoring, etc.) then have to be implemented for all types of environments in order to secure the assets that attackers try to gain access to. The shared responsibility model of using cloud services then determines which security controls the cloud service provider is responsible for, and which security controls your organization still has to implement.

The main assets that require protection against ransomware threats are:

  • Identity (user, admin, and service accounts)
  • Applications and data (running on IaaS, PaaS, containers, or serverless services)
  • Compute resources (endpoints, Windows servers, Linux servers) and infrastructure endpoints (storage accounts, APIs, cloud services)
  • Network assets (physical, wireless, and virtual)
  • Source code repositories and services such as Azure DevOps and GitHub

Cyber security kill chain

To be able to protect these environments and assets, it is necessary to consider how attacks are usually carried out. The concept of a “cyber security kill chain” is often used to illustrate the different steps in an attack. A “cloud security kill chain” can also be said to involve the steps below, despite there being differences based on the type of environment or cloud service that is used.

  1. Reconnaissance
  2. Compromise
  3. Lateral Movement
  4. Domain Dominance
  5. Data Consolidation, Exfiltration, and Encryption

The idea behind this is to make it easier to understand the attacks that occur in each stage, and which countermeasures apply. This holds for different types of assets, depending on their exposure to threats and where those threats originate (external, internal, partner, or provider-based attack vectors).

Below are examples of common ways assets are attacked, and how they can be defended against, for each step in the kill chain. This is not an exhaustive list, but it explains some of the risks and threats organizations face. I’ve provided it here to give you some idea of how systems are attacked and how they can be protected. The key point is that it’s necessary to understand all the work that has to be done if a ransomware attack is to be prevented, or at least to ensure that the organization can survive by resuming normal operations if a ransomware attack does happen. You can read more about attack techniques by visiting the MITRE website (the link is provided in the references section).

Reconnaissance

The goal is to collect information about user accounts, applications, and cloud services used. Threat actors collect information from publicly available sources, including the company website. This also includes information about Azure resources since many resource types have public network access enabled by default, such as storage accounts (mainly file and blob storage), web apps, database services, or virtual machines. Many of these issues arise from using default configuration options, not following best practices specified in security benchmarks, and not following Microsoft’s recommendations.

Examples of information collection techniques: 

  • Information in the DNS service and the WHOIS registrar information
  • Finding user accounts by browsing the official website for contact emails, information on LinkedIn, or mentions in social media
  • Looking through user information leaked in previous data breaches (names, email addresses, and passwords) to find stolen Azure credentials
  • Finding and scanning the wired, wireless, and virtual network perimeters
  • Finding infrastructure resources with public network access enabled
  • Finding Internet facing applications running on servers or PaaS services

Safeguards:

  • Enable privacy protection for DNS WHOIS information
  • Investigate Attack paths in Defender for Cloud (requires the Defender CSPM plan)
  • Disable public network access on resources on Azure infrastructure and application assets (use private endpoints instead)
  • Scan your environment to detect public IP addresses and to ensure all assets have been placed behind an Azure Firewall, Front Door, WAF or a gateway
  • Block inbound management traffic to Azure environments and use a VPN gateway, a Bastion, or DNAT firewall rules
  • Implement naming and tagging conventions, based on internal guidelines, to establish control of the environment which makes it easier to detect high risk assets when it’s obvious that correct procedures haven’t been followed

Compromise

The next goal is to gain a foothold within the organization’s network or systems using different techniques. This step is based on the information collected during the reconnaissance phase.

Examples of techniques: 

  • Brute force attacks against user or admin accounts
  • Using default built-in credentials in network hardware (such as Wi-Fi equipment) if the password hasn’t been changed
  • Using default built-in credentials in line-of-business applications, or application servers/services
  • Using leaked app registration credentials to extract information from Entra ID
  • Targeting employees with spoofed emails that deceive users into believing they come from a legitimate source/sender
  • Targeting employees with malware phishing attempts by email, team chat invites, or links in QR codes that lead to malicious websites
  • Disabling the malware threat protection on endpoints
  • Planting malware on USB devices and dropping them close to the company offices
  • Targeting browsers, and browser extensions, by luring users to visit a malicious web site
  • Attacking applications that contain vulnerabilities either in the application layer, in dependencies (such as with the Log4J exploit), or in the underlying OS
  • Using social engineering to steal credentials by targeting employees who might be too trusting
  • Credential theft from the browser credential store, or from a vulnerable password manager
  • Using phishing and man-in-the-middle attacks to steal login credentials and MFA cookies
  • Installing malware or trojans that keep a foothold across restarts/reboots using autostart entries or logon scripts
  • Enumerating cached credentials and local Windows credential dumping (LSASS memory, LSA secrets)

Safeguards to implement:

  • Windows update management and patching 3rd party software
  • Malware protection
  • Removing old accounts in Azure IAM on subscriptions, and implementing Azure RBAC (Azure role-based access control) roles according to the “least privilege” principle
  • Managing endpoints with Intune and defining strict policies on what’s required for a device to be compliant
  • Security recommendations generated by Microsoft Defender for Endpoint
  • Email and web traffic filtering gateways that block spam, malicious websites, and attachments infected with malware
  • Adaptive Application Controls (AAC) to block malware and unwanted applications
  • Entra ID security (Conditional Access policies and Privileged Identity Management) combined with Windows Hello for Business for password-less authentication
  • Enable multi-factor authentication (using an authenticator app as MFA and a FIDO2 key) for staff in key positions who have access to sensitive information, and for IT staff who perform system management with privileged access
  • Using security baselines (based on security benchmarks) to ensure that hardened configurations are used in Windows, Linux, and for mobile devices
  • Using security baselines (based on security benchmarks) to ensure that M365 and Azure have been configured with secure settings
  • Domain and email protection with SPF, DMARC, DKIM

Lateral Movement

The goal here is to gather information that is available on systems and services connected to the internal network. 

Examples of techniques:

  • Scanning the network to discover domain controllers, servers, and services running on those servers
  • Targeting other Windows endpoints across the network when possible
  • Accessing IT management systems and internal network services
  • Manipulating system processes to become root or local admin, or to gain SYSTEM privileges
  • Accessing data stored on network shares that have too broad permissions
  • File and directory enumeration to search for sensitive information, such as clear text username and password information related to service accounts
  • Redirecting clear text network protocols (ARP cache poisoning, DHCP spoofing) with man-in-the-middle attacks to sniff internal network traffic in search of credentials during authentication/logins

Safeguards to implement:

  • Microsoft Defender to see recommendations for securing Azure cloud services
  • Creating security baselines (based on security benchmarks) to ensure that M365 and Azure have been configured with secure settings
  • Using security baselines (based on security benchmarks) to ensure that AD DS, AD CS, IIS, SQL, and other Microsoft services for Windows server are securely configured
  • IT security monitoring to detect anomalies in network traffic using a network tap, gathering flow data, and analyzing it using an intrusion detection system (IDS)
  • IT security monitoring to detect anomalies in system behavior using a host based IDS (HIDS), application whitelisting, configuration/change management

Domain Dominance

At this stage, the goal is to elevate the level of access to the highest trusted status possible. The attacker’s ultimate goal is to access all services and data using the most privileged credentials possible.

Examples of techniques: 

  • Manipulating remote processes such as Active Directory, including certificate authority services
  • Targeting services that use weak network protocols (SMB, SNMP, NTLM, NTLMv2, HTTP, FTP)
  • Attacks against PowerShell and scripts (argument injection, path interception)

Safeguards to implement:

  • Using security baselines (based on security benchmarks) to ensure that AD DS, AD CS, IIS, SQL, and similar services have been securely configured
  • Provide additional protection for privileged accounts, such as risky sign-in alerts
  • Emergency break glass accounts that can still be used to regain access to the environment
  • Entra ID Identity Protection 

Data Consolidation, Exfiltration and Encryption

When the attacker has full access, the goal is to package data, transfer it to a remote store, and delete or encrypt the data that remains. This can be set in motion and might have to run for a long period of time, so that the organization is left with no unaffected data or intact backups.

Examples of techniques: 

  • Gaining access to confidential information, trade secrets, pre-publication financial reports for stock market manipulation (insider trading)
  • Issuing money transfers (theft)
  • Manipulating data stored in Azure blob and file storage
  • Bitcoin mining (mainly misusing capacity)
  • AD DS credential dumping on domain controllers (NTDS.dit database)
  • Corrupting backups (destroying data integrity) so that they can’t be used to restore data
  • Deleting backups from backup storage
  • Encrypting data (transparently) using a cryptographic key that is then removed once all backups contain encrypted data
  • Making all data inaccessible as this is the last step before extorting a ransom

Safeguards to implement:

  • Perform a business impact analysis (BIA) for business critical systems
  • Create disaster recovery plans and test/verify that the plans are accurate
  • Microsoft Purview Information Protection to prevent data loss
  • Using your own Azure storage account keys for encryption, stored in an Azure Key Vault
  • A firewall should block some outbound protocols by default (LDAP, SMB, FTP/S)
  • Azure data backup services
  • Securing access to backups and restricting access to backup services
  • Use immutable vaults to protect your data with Azure backups
  • Performing restore tests each month to ensure that the backups are viable
  • Disaster and site recovery combined with geo redundant storage
  • Contain affected systems by disabling or blocking network access until they can be dealt with
  • Disable compromised user accounts and change admin account passwords
  • Perform a root cause analysis to see what caused the attack

Ransomware protection in Microsoft Azure and M365

Microsoft provides a number of security services/portals that help you protect against ransomware attacks, and the Azure portal itself contains quite a few protection capabilities. Azure offers protection with a wide range of technical security controls that should be implemented in your Entra ID tenant and for your Azure subscriptions to reduce risks in general. There is also a set of security measures that mitigate the threat of ransomware specifically.

As mentioned previously, the main idea is to build security in layers. There is also a concept of “lines of defense” which is based on a risk management model. The model ties into the different responsibilities within the organization regarding who is responsible for the different assets, for providing proof of compliance, or for performing audits (internal and external). The implementation of this model in an Azure context is:

First line of defense

First line of defense is responsible for remediating and mitigating risks. Performs security operations covering endpoints such as laptops, mobile devices, and virtual servers. Implements Azure and M365 secure configurations aligned with security benchmarks and other Microsoft recommendations. The main goals are to reduce attack surface, attack paths, and to eliminate vulnerabilities (caused by misconfigurations and software bugs). The challenge here is that some configuration settings might disrupt old systems that rely on outdated protocols to function.

Second line of defense

Second line of defense is responsible for ensuring compliance with security recommendations and information security frameworks. Performs analysis using Microsoft Defender XDR security services (Defender portal: security.microsoft.com). This includes Microsoft Defender for Cloud, Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Defender for Office 365, and Microsoft Defender for Cloud Apps. The goal here is to get insights into best practices and to provide proof to auditors that everyone is following them. The challenges when performing analysis are the size of Azure environments, the constant change that can cause new security issues which might go undetected, and performing the measurements required for reporting on security to stakeholders.

Third line of defense

Third line of defense is responsible for assurance through detection of security incidents that might indicate a security control failure. Focuses on IT security monitoring using Azure Sentinel, which is a Security Information and Event Management (SIEM) solution for ransomware detection and protection. Ensure that the necessary logs are being collected so that it can detect ransomware activities (usually large volumes of storage account reads and writes). The goal is to receive alarms when something happens so that it can be investigated. This includes eliminating false negatives, which is when an attack happens but isn’t detected because the log information isn’t being collected so that it can be analyzed. It also means investigating false positives, which are alarms that aren’t real security incidents. The latter is usually done by reconfiguring the SIEM so that the operators who do the security monitoring aren’t drowned in alarms, which causes them to become desensitized.
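The storage-activity pattern mentioned above (a burst of writes and deletes far above a caller’s normal read-dominated traffic) is the kind of rule a SIEM would run. The following is an added example, not code from the article or from Microsoft: it applies a per-caller sliding-window check to constructed log lines that mimic a simplified subset of the fields in Azure’s StorageBlobLogs table (time, operation, caller IP, object key); the field layout, the sample IP addresses and the thresholds are assumptions to be tuned against your own baseline.

```python
"""Detect ransomware-like bursts of destructive storage operations.

Added example, not from the original article. The records are constructed and
follow a simplified subset of the fields Azure's StorageBlobLogs table carries
(TimeGenerated, OperationName, CallerIpAddress, ObjectKey); the '|' layout and
the thresholds are assumptions to be tuned against your own baseline.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Operations that change or remove data. A ransomware run is dominated by
# these, while normal users mostly read.
DESTRUCTIVE_OPS = {"PutBlob", "DeleteBlob", "SetBlobMetadata", "CopyBlob"}


def parse_line(line):
    """Parse one constructed 'time|operation|caller|object' record."""
    ts, op, caller, obj = line.strip().split("|")
    return {"time": datetime.fromisoformat(ts), "op": op, "caller": caller, "object": obj}


def detect_bursts(records, window=timedelta(minutes=5), min_destructive=50, min_ratio=0.6):
    """Sliding-window detection per caller.

    A caller is flagged when, within any `window`, at least `min_destructive`
    destructive operations occurred and they make up at least `min_ratio` of
    that caller's calls. The count keeps low-volume noise out; the ratio keeps
    high-volume but read-dominated workloads out (false-positive control).
    The alert with the most objects touched is kept per caller.
    """
    per_caller = defaultdict(deque)
    alerts = {}
    for rec in sorted(records, key=lambda r: r["time"]):
        q = per_caller[rec["caller"]]
        q.append(rec)
        while rec["time"] - q[0]["time"] > window:  # evict records older than the window
            q.popleft()
        destructive = [x for x in q if x["op"] in DESTRUCTIVE_OPS]
        ratio = len(destructive) / len(q)
        if len(destructive) >= min_destructive and ratio >= min_ratio:
            touched = len({x["object"] for x in destructive})
            prev = alerts.get(rec["caller"])
            if prev is None or touched > prev["objects_touched"]:
                alerts[rec["caller"]] = {
                    "window_end": rec["time"].isoformat(),
                    "destructive_ops": len(destructive),
                    "objects_touched": touched,
                    "ratio": round(ratio, 2),
                }
    return alerts


def sample_lines():
    """Constructed log lines: a normal user plus an encrypt-and-delete burst."""
    start = datetime(2024, 4, 9, 10, 0, 0)
    lines = []
    # Normal caller (10.0.1.25): 46 calls over about an hour, one write per eight reads.
    for i in range(46):
        op = "PutBlob" if i % 8 == 7 else "GetBlob"
        t = (start + timedelta(seconds=78 * i)).isoformat()
        lines.append(f"{t}|{op}|10.0.1.25|reports/q1-{i % 12}.xlsx")
    # Burst caller (198.51.100.7): 120 documents, each read, written back as an
    # encrypted copy and the original deleted, all within two minutes.
    for i in range(120):
        t = (start + timedelta(seconds=i)).isoformat()
        lines.append(f"{t}|GetBlob|198.51.100.7|docs/file-{i}.docx")
        lines.append(f"{t}|PutBlob|198.51.100.7|docs/file-{i}.docx.locked")
        lines.append(f"{t}|DeleteBlob|198.51.100.7|docs/file-{i}.docx")
    return lines


if __name__ == "__main__":
    for caller, alert in detect_bursts([parse_line(l) for l in sample_lines()]).items():
        print(caller, alert)
```

If the storage account has no diagnostic setting sending blob logs to the Log Analytics workspace, no records reach this logic at all, which is the false-negative case described above.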

Measuring the state of security

Monitoring and measuring security issues is necessary to provide proof of compliance, and to show progress in risk remediation. This can be done by defining Key Performance Indicators (KPI) for each technical security control. A KPI related to vulnerability management in Azure is to measure each month the total number of software vulnerabilities, present in software installed on virtual machines, classified as high severity that are also possible to target over a network. A KPI related to secure configuration management (hardening) is to track the number of technical misconfigurations (non-compliant with security benchmarks) for different types of Azure resources that are running in production environments.

Defining such KPIs, measuring them consistently, and monitoring changes makes it possible to track progress. Some KPIs will go up and down from month to month depending on when the measurement is performed, but the overall trend should be an improvement over an extended period of time. For vulnerabilities, the goal is to get as close to 0 as technically possible, while Secure Score in Azure and regulatory compliance are measured in percentages with the goal of reaching 100%. A more realistic goal for Secure Score is to keep it consistently between 80% and 95%.

It’s also necessary to measure the maturity of the different security controls. Maturity is usually determined by how detailed the information security policies/guidelines are regarding the security requirements they include, how accountability and responsibility have been assigned within the organization, how clearly/formally security processes have been defined, and how security-related reporting to stakeholders is done. The quality of security reporting is always indicative of how mature each security control is.

Ransomware protection in M365

There are protection options and tools in Microsoft Office Online that should be used. It is important to note that malware can’t be executed in SharePoint Online and other Microsoft 365 apps. These services can only be used as storage for ransomware. Ransomware has to be downloaded and opened on either an endpoint or a server to infect systems and perform encryption.

SharePoint and OneDrive for Business protection:

  • Retains 500 versions of files and can be configured to retain more
  • Recycle bin retains data for 93 days and Microsoft can help recover the data for additional 14 days after that
  • Self-service recovery that allows users to restore files from the last 30 days

Exchange online:

  • Provides layered anti-virus protection against known malicious software, powered by multiple anti-malware engines
  • Performs scanning of messages in transit

Preventing ransomware attacks and protecting backups in Azure

The security and protection services available within Azure are necessary to secure Microsoft Azure cloud-based assets. Defender also offers integration with AWS and Azure DevOps, which gives you a holistic overview of your environments if you truly leverage all applicable Azure services.

Here is a list of the solutions and services to implement, which help ensure that it will be possible to resume business operations:

  • Base implementations based on Microsoft’s reference architectures, such as landing zones
  • Make sure data is secured with Azure Backups and Recovery services vault for: on-premises data (files, folders, and system state), Windows/Linux VMs running critical workloads, Azure Managed Disks (to protect data stored within data disks), Azure file shares in Azure storage accounts, and also storage blobs, SQL Server databases running on Azure SQL Virtual Machines, Azure SQL databases and transaction logs
  • Configure soft delete data protection to retain backup data for 14 additional days
  • Enable enhanced soft delete protection (14 days up to 180 days)
  • Use immutable storage for backup retention to prevent them from being deleted or modified
  • Use immutable vaults with Azure backups and make the immutability irreversible to make sure that they can’t be deleted or manipulated until the expiry date
  • Implement multi-user authorization for Azure Backup using Resource Guard
  • Perform data recovery tests by performing restores from backups to ensure that they aren’t encrypted or have been corrupted
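The settings in the list above (soft delete and its retention, locked immutability, multi-user authorization through Resource Guard, regular restore tests, redundancy) can be turned into a repeatable posture check that also produces the monthly KPI described under “Measuring the state of security”. The following is an added example, not code from the article or from Microsoft: the vault dictionaries are a constructed, simplified shape, and every field name and sample value is an assumption rather than the Azure resource schema.

```python
"""Posture check for Azure Backup vault settings and a monthly KPI over them.

Added example, not part of the original article. Field names and sample values
are assumptions (a simplified shape, not the Azure resource schema); a real
check would read the properties from the ARM/REST API instead.
"""
from datetime import date, timedelta

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def assess_vault(vault, today):
    """Return (severity, message) findings for one vault; an empty list means compliant."""
    findings = []
    sd_state = vault.get("soft_delete_state", "Disabled")  # Disabled | Enabled | AlwaysOn (assumed values)
    sd_days = vault.get("soft_delete_retention_days", 0)
    if sd_state == "Disabled":
        findings.append(("high", "soft delete is disabled; deleted backups are gone immediately"))
    else:
        if sd_days < 14:
            findings.append(("medium", f"soft delete retention is {sd_days} days, below the 14-day default"))
        if sd_state != "AlwaysOn":
            findings.append(("low", "soft delete is reversible; an account with vault rights can switch it off"))
    immutability = vault.get("immutability", "Disabled")  # Disabled | Unlocked | Locked (assumed values)
    if immutability == "Disabled":
        findings.append(("high", "immutable vault not enabled; recovery points can be deleted"))
    elif immutability == "Unlocked":
        findings.append(("medium", "immutability is not locked (irreversible), so it can be disabled again"))
    if not vault.get("resource_guard_id"):
        findings.append(("high", "no Resource Guard: critical operations lack multi-user authorization"))
    last_test = vault.get("last_restore_test")  # date or None
    if last_test is None:
        findings.append(("high", "no restore test on record; backups are unverified"))
    elif today - last_test > timedelta(days=31):
        findings.append(("medium", f"last restore test {(today - last_test).days} days ago; monthly cadence missed"))
    if vault.get("redundancy") != "GeoRedundant":
        findings.append(("low", "vault storage is not geo-redundant; a regional outage affects the backups too"))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[0]])


def backup_kpi(vaults, today):
    """KPI for the monthly report: compliant vault count and open findings per severity."""
    report = {"vaults": len(vaults), "compliant": 0, "high": 0, "medium": 0, "low": 0, "details": {}}
    for name, vault in vaults.items():
        findings = assess_vault(vault, today)
        report["details"][name] = findings
        if not findings:
            report["compliant"] += 1
        for severity, _ in findings:
            report[severity] += 1
    return report


# Constructed sample: one hardened vault and one left at weak settings.
SAMPLE_VAULTS = {
    "rsv-prod-weu": {
        "soft_delete_state": "AlwaysOn", "soft_delete_retention_days": 90,
        "immutability": "Locked", "resource_guard_id": "placeholder-resource-guard-id",
        "last_restore_test": date(2024, 3, 20), "redundancy": "GeoRedundant",
    },
    "rsv-test-weu": {
        "soft_delete_state": "Enabled", "soft_delete_retention_days": 7,
        "immutability": "Unlocked", "resource_guard_id": None,
        "last_restore_test": date(2023, 11, 2), "redundancy": "LocallyRedundant",
    },
}

if __name__ == "__main__":
    report = backup_kpi(SAMPLE_VAULTS, date(2024, 4, 9))
    print({k: v for k, v in report.items() if k != "details"})
    for name, findings in report["details"].items():
        for severity, message in findings:
            print(f"{name}: [{severity}] {message}")
```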

Conclusion on preventing ransomware attacks in Azure

Having to make tough decisions on where to focus your efforts is inevitable, but they should be based on first collecting factually correct information and then performing a risk analysis to see which assets are most likely to be attacked, and which of these are most critical to the business. However, it’s essential to start out by establishing control over the IT environment to ensure that you are aware of everything that needs to be protected. Then it’s usually necessary to prioritize securing the data, or systems, which are business critical.

The ultimate failure is having to pay the ransom demands to restore access to data, systems, and services. Organizations might have no option but to pay if they have failed to perform due diligence in ensuring that their security posture is adequate for preventing ransomware attacks. This is why you need to protect all assets, or at least the most critical ones, and make sure that they can’t be compromised. This includes defining clear and understandable guidelines on how to provide security for assets, automating security-related configurations when possible, defining KPIs for the security controls that mitigate the prioritized risks, and finally maturing your organization’s security processes to the extent that reporting can be done on a monthly or even weekly basis.

Additional Reading

Read more on the topics mentioned in this article by visiting these links: