Azure, Cloud Computing, Cloud security, Cyber Security


How To Manage Ransomware Attacks with Microsoft Azure


Overview

Ransomware is a type of malware that targets your computer or organizational network and locks you out of your data, your computer network, or both. It will often try to spread itself across the network and infect as many PCs, file services, and database services as possible. In this class of attack the attacker encrypts the victim's data so that it can no longer be read, then demands a ransom payment to restore it. Law enforcement agencies across the world discourage victims from paying ransom demands, as paying only fuels the appetite of the criminals involved. There are, however, several steps that you can take to prepare for such events. In this blog, we explore how to mitigate ransomware attacks using Microsoft Azure tools.


Implementing Best Backup Practices

The best way to handle this situation is to have a good backup of the content. Organizational data should be backed up at regular intervals, and the backup copies should be kept in a safe, isolated location, because ransomware frequently targets the backups as well. If the backups themselves are compromised, recovering the content becomes very difficult. Azure Backup Center can be used to manage these backups, as shown in figure 1.

Figure 1: Screenshot of Azure Backup Center (Source: portal.azure.com)
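The same backup set-up can be done from Azure PowerShell rather than the portal. The script below is an added example and is not code from the original article: it creates a Recovery Services vault, switches on soft delete so that a backup deleted by an attacker stays recoverable for 14 days, selects geo-redundant storage so a copy lives in a paired region, and then protects one virtual machine with the vault's default daily policy. The resource group, vault, VM names and region are placeholders.

```powershell
# Added example (not from the original article).
# Requires the Az.Accounts and Az.RecoveryServices modules and a signed-in session.
# All names and the region below are placeholders; replace them with your own.
Connect-AzAccount

$rg        = 'rg-backup-demo'        # placeholder: resource group for the vault
$location  = 'eastus'                # placeholder: region
$vaultName = 'rsv-ransomware-demo'   # placeholder: vault name
$vmName    = 'vm-app01'              # placeholder: VM to protect
$vmRg      = 'rg-app-demo'           # placeholder: resource group of the VM

# Create the Recovery Services vault (returns the existing one if it already exists)
$vault = New-AzRecoveryServicesVault -Name $vaultName -ResourceGroupName $rg -Location $location

# Soft delete keeps a deleted backup item recoverable for 14 days, which blunts
# an attacker who deletes backups before triggering the encryption payload
Set-AzRecoveryServicesVaultProperty -VaultId $vault.ID -SoftDeleteFeatureState Enable

# Geo-redundant storage keeps a second copy in the paired region.
# Redundancy must be chosen before the first item is protected.
Set-AzRecoveryServicesBackupProperty -Vault $vault -BackupStorageRedundancy GeoRedundant

# Protect the VM with the vault's built-in daily policy
Set-AzRecoveryServicesVaultContext -Vault $vault
$policy = Get-AzRecoveryServicesBackupProtectionPolicy -Name 'DefaultPolicy'
Enable-AzRecoveryServicesBackupProtection -Policy $policy -Name $vmName -ResourceGroupName $vmRg

# Verify: soft delete state and the list of protected VMs
Get-AzRecoveryServicesVaultProperty -VaultId $vault.ID
Get-AzRecoveryServicesBackupItem -BackupManagementType AzureVM -WorkloadType AzureVM -VaultId $vault.ID
```

Keeping the vault in a resource group that application administrators cannot write to is what turns "a safe location" into a concrete control: an account that is compromised on the application side then has no path to delete the vault or its contents.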

Often hackers will target an organization over a prolonged period of time, which means that backups might also be infected with malware, so it is important to scan your backups for any potential malware. It is also advisable to stop malware from entering your network in the first place. Certain types of files are riskier to send and receive via email because of the likelihood that they contain malware (for example, executable files). To make sure these file types don't get through, enable the common attachment filter. You can use the default list of file types or customize it. The default file types are: .ace, .ani, .app, .docm, .exe, .jar, .reg, .scr, .vbe, .vbs. Messages with the specified attachment types are treated as malware and are automatically quarantined. This can be done by turning on the common attachments filter setting in the anti-malware policies of the Microsoft 365 Defender portal, as shown in figure 2.

Figure 2: Screenshot of Microsoft 365 Defender portal (Source: admin.microsoft.com)

Granting Least Privileged Access

Using least privileged access also helps limit how far malware can spread across the network. Administrative roles are used for granting access to privileged actions in Azure AD. It is recommended to use these built-in roles to delegate broad application configuration permissions without granting access to manage other parts of Azure AD that are unrelated to application configuration. This is done by assigning Azure Active Directory (AD) roles at different scopes. The available roles and their descriptions can be viewed in Azure AD and chosen for assignment, as shown in figure 3 below.

Figure 3: Screenshot of All roles in Azure AD (Source: portal.azure.com)

Permissions should be reviewed on a regular basis and revoked when they are no longer needed. Keeping devices and software regularly patched and updated also helps to stop known vulnerabilities from being exploited by hackers, and antivirus or anti-malware products should be installed across all endpoint devices where possible.
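The two steps described in this section, scoped delegation of a built-in role and a periodic review of who holds privileged roles, look like this in Microsoft Graph PowerShell. This is an added example and not code from the original article. It assumes the Microsoft.Graph module is installed and that the caller can manage directory roles; the user principal name is a placeholder.

```powershell
# Added example (not from the original article).
# Requires the Microsoft.Graph module. The UPN below is a placeholder.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'Directory.Read.All', 'User.Read.All'

# 1. Delegate application configuration only: assign the built-in
#    Application Administrator role instead of Global Administrator.
$upn  = 'appadmin@contoso.example'   # placeholder account
$user = Get-MgUser -UserId $upn

# Look the role definition up by display name rather than hard-coding its template ID
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Application Administrator'"

# DirectoryScopeId '/' is the whole tenant; an administrative unit
# ('/administrativeUnits/<id>') narrows the assignment further
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id `
    -RoleDefinitionId $roleDef.Id -DirectoryScopeId '/'

# 2. Periodic review: who currently holds the most privileged directory roles?
$rolesToReview = 'Global Administrator', 'Privileged Role Administrator', 'Application Administrator'
foreach ($name in $rolesToReview) {
    # Get-MgDirectoryRole only returns roles that have been activated in the tenant
    $role = Get-MgDirectoryRole -Filter "displayName eq '$name'"
    if (-not $role) { continue }
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id | ForEach-Object {
        [pscustomobject]@{
            Role   = $name
            Member = $_.AdditionalProperties.userPrincipalName
            Id     = $_.Id
        }
    }
}
```

Running the review step on a schedule and comparing its output with the previous run is a cheap way to catch an assignment that nobody approved, which is often the first visible sign that an account has been taken over.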

Put Microsoft Defender for Endpoint into Action

Endpoint device management is needed for handling ransomware, because attacks of this category frequently propagate through endpoint devices. Microsoft Defender for Endpoint can be used to manage and monitor the various endpoint devices. Microsoft Defender for Endpoint supports Windows 7, Windows 8.1, Windows 10, Windows 11, macOS, Android, Linux, and iOS devices, as well as servers. The Microsoft Defender for Endpoint home page is shown in figure 4.

Figure 4: Screenshot of Microsoft Endpoint Manager admin center (Source: https://endpoint.microsoft.com/)

Microsoft Azure Firewall at Work

Another service that can be used to help prevent ransomware attacks is Azure Firewall. It is a managed, cloud-based network security service that protects your Azure Virtual Network resources. Azure Firewall uses a static public IP address for your virtual network resources, allowing outside firewalls to identify traffic originating from your virtual network. Its rules restrict access to particular IP address ranges and ports. Figure 5 shows the Azure Firewall creation page in the Azure portal.

Figure 5: Screenshot of Azure Firewall in Azure portal (Source: portal.azure.com)
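The restriction to particular IP address ranges mentioned above is expressed as rule collections. The script below is an added example, not code from the original article or from Microsoft: it deploys an Azure Firewall with a static public IP and a single network rule collection that allows HTTPS only from one trusted address range into an application subnet; anything the rules do not allow is denied by the firewall's default behaviour. The resource group, names, address ranges and region are placeholders, and the script assumes a virtual network that already contains the required AzureFirewallSubnet.

```powershell
# Added example (not from the original article).
# Requires the Az.Network module and a signed-in session. Names, ranges and the
# region are placeholders; 'vnet-hub' must already have an 'AzureFirewallSubnet'.
$rg       = 'rg-net-demo'   # placeholder resource group
$location = 'eastus'        # placeholder region
$vnet     = Get-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg

# Static Standard-SKU public IP: the fixed address outside firewalls will see
$pip = New-AzPublicIpAddress -Name 'pip-azfw' -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard

# Allow TCP/443 only from the trusted range (placeholder, RFC 5737 test range)
# to the application subnet (placeholder). No other network rule exists, so all
# other traffic through the firewall is denied.
$allowHttps = New-AzFirewallNetworkRule -Name 'allow-https-from-trusted' -Protocol TCP `
    -SourceAddress '203.0.113.0/24' -DestinationAddress '10.0.1.0/24' -DestinationPort 443

$collection = New-AzFirewallNetworkRuleCollection -Name 'net-allow' -Priority 100 `
    -Rule $allowHttps -ActionType Allow

# Deploy the firewall into the hub VNet with that single collection
$fw = New-AzFirewall -Name 'azfw-hub' -ResourceGroupName $rg -Location $location `
    -VirtualNetwork $vnet -PublicIpAddress $pip -NetworkRuleCollection $collection

# Verify the rules that are actually in force
$fw.NetworkRuleCollections |
    Select-Object Name, Priority, @{ n = 'Rules'; e = { $_.Rules.Name -join ',' } }
```

For the firewall to see the traffic at all, the application subnet's route table must send its default route to the firewall's private IP; deploying the firewall without that route leaves the rules unused.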

Investigate Threats with Microsoft 365 Defender Portal

Running attack simulations is another important way to prepare for a ransomware attack, because it lets you test and revise your incident management plan. Attack simulation training in the Microsoft 365 Defender portal creates realistic attack scenarios that you can use to investigate how threats unfold, which is very useful when preparing a response to attacks of this category. Figure 6 below shows the Attack simulation training page in Microsoft 365 Defender.

Figure 6: Screenshot of Attack simulation training in Microsoft 365 Defender portal (Source: https://security.microsoft.com/attacksimulator)

Conclusion

You will also need to check that your backups have not been infected during the attack. All endpoints that are known to be infected should be wiped and reinstalled as needed. It's important to identify the strain of ransomware that has infected your computer network so that you have the appropriate tools to remove the malware. There might be other endpoint devices with dormant malware waiting to execute, so it's best to assume that all connected devices could have been exposed. Where possible, it's best to reinstall software and operating systems from scratch rather than restoring them from backups.

There are websites that can help with removing ransomware, such as STOP RANSOMWARE. Figure 7 shows the home page of STOP RANSOMWARE. Victims of a cyberattack can turn to resources of this kind for help.

Figure 7: STOP RANSOMWARE Website Home Page Screenshot (Source: https://www.cisa.gov/stopransomware)


About CloudThat

CloudThat is an award-winning company and the first in India to offer cloud training and consulting services worldwide. As a Microsoft Solutions Partner, AWS Advanced Tier Training Partner, and Google Cloud Platform Partner, CloudThat has empowered over 850,000 professionals through 600+ cloud certifications winning global recognition for its training excellence including 20 MCT Trainers in Microsoft’s Global Top 100 and an impressive 12 awards in the last 8 years. CloudThat specializes in Cloud Migration, Data Platforms, DevOps, IoT, and cutting-edge technologies like Gen AI & AI/ML. It has delivered over 500 consulting projects for 250+ organizations in 30+ countries as it continues to empower professionals and enterprises to thrive in the digital-first world.

FAQs

1. What is ransomware and how do malicious cyber actors use ransomware to attack their victims?

ANS: – Ransomware is an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption.

2. What are other best practices against ransomware?

ANS: – Some of the best practices against ransomware attacks are implementing awareness and training programs, categorizing data based on its organizational value, and patching operating systems, software, and firmware on devices.

References

  1. https://portal.azure.com

  2. https://admin.microsoft.com

  3. https://endpoint.microsoft.com/

  4. https://security.microsoft.com/attacksimulator

  5. https://www.cisa.gov/stopransomware

WRITTEN BY Rajesh KVN
