
Top 10 Ransomware measures

Ransomware Killchain

Figure: Killchain path of a ransomware attack (Ransomware Killchain). Source: Bundesamt für Sicherheit in der Informationstechnik

Measures against a ransomware attack

1. Patches and Updates

Exploiting a vulnerability in a software product (in most cases one the manufacturer has already fixed) is one of the three most common entry vectors for ransomware groups.

To protect against infections caused by exploitation of vulnerabilities that have already been fixed, updates should be applied to IT systems immediately after they are made available by the respective software manufacturer. Ideally, updates are distributed via a central distribution system. Updates that close highly critical vulnerabilities and/or relate to particularly exposed software (e.g. firewall products, web servers) should be prioritized.

Effect in Phase: 1

2. Remote Access

Attackers often try to install ransomware on systems via compromised remote access accounts. Remote access must therefore be secured as well: as a general rule, it should only be possible via a VPN in conjunction with two-factor authentication.

Effect in Phase: 1

3. Emails and macros

Email should be rendered as plain text only (often referred to as "text-only" or "plain text", as opposed to "HTML email"). A further security advantage of this representation is that web addresses can no longer be hidden behind link text (in an HTML email, for example, a link labeled "www.bsi.de" could actually point to the address "www.malicioussoftwaredownload.de"). If this is not possible, at least the execution of active content should be disabled when HTML email is used, so that malicious scripts contained in the email can no longer run. Employees should receive practical training on the risks of handling email as part of awareness-raising measures. This applies in particular to employees from corporate divisions that deal with a high volume of external email communication (e.g., staff recruitment).
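The link deception described above (visible text shows one address, the href points to another) can be checked for automatically before a message reaches a user. The following PowerShell function is an added example, not code from the BSI page; the HTML sample it scans is constructed here, and the function name is an assumption.

```powershell
# Added example, not part of the BSI page: report links in an HTML mail body whose
# visible text names one address while the href points to a different host.
function Find-DeceptiveLinks {
    param([Parameter(Mandatory)][string]$HtmlBody)

    # <a ... href="..." ...>visible text</a>; a heuristic regex, not a full HTML
    # parser, so treat the result as a triage aid rather than a verdict.
    $anchor = '<a\b[^>]*?href\s*=\s*["'']?([^"''\s>]+)["'']?[^>]*>(.*?)</a>'
    $looksLikeAddress = '^(https?://)?(www\.)?[a-z0-9-]+(\.[a-z0-9-]+)+(/\S*)?$'

    foreach ($m in [regex]::Matches($HtmlBody, $anchor, 'IgnoreCase, Singleline')) {
        $href = $m.Groups[1].Value
        # strip nested tags (<b>, <span>) from the link text and trim whitespace
        $text = [regex]::Replace($m.Groups[2].Value, '<[^>]+>', '').Trim()

        # Only link text that itself looks like a web address can mislead the reader
        # about the destination; "click here" links are out of scope for this check.
        if ($text -notmatch $looksLikeAddress) { continue }

        $hrefUri = $null
        $textUri = $null
        $textAsUrl = if ($text -match '^https?://') { $text } else { "http://$text" }
        if (-not [System.Uri]::TryCreate($href, [System.UriKind]::Absolute, [ref]$hrefUri) -or
            -not [System.Uri]::TryCreate($textAsUrl, [System.UriKind]::Absolute, [ref]$textUri)) {
            continue   # relative or malformed href: nothing to compare against
        }

        if ($hrefUri.Host -ne $textUri.Host) {
            [pscustomobject]@{ ShownAs = $text; PointsTo = $href }
        }
    }
}

# Constructed sample body: the first link reproduces the deception described in the text.
$sample = @'
<p>Please read the notice at <a href="http://www.malicioussoftwaredownload.de/update">www.bsi.de</a>.</p>
<p>Official site: <a href="https://www.bsi.de/">www.bsi.de</a> or <a href="https://www.bsi.de/contact">click here</a></p>
'@

Find-DeceptiveLinks -HtmlBody $sample
```

Only the first link is reported: its text and href resolve to different hosts. The second link is consistent, and the third is ignored because its text makes no claim about the destination. Such a check belongs on the mail gateway, where it complements rather than replaces plain-text rendering on the client.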

The following settings should be configured on the client for handling MS Office document macros (consider MIME/HTML encoding):

  • JS/VBS: prevent automatic execution on double-click
  • disable macros in the client (via group policy)
  • configure trusted locations for macros in AD
  • use signed macros
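Whether the macro settings above have actually reached a client can be verified by reading the registry values that the Office group policy writes. The script below is an added example, not code from the BSI page; it assumes Office 2016/2019/365 (registry version key "16.0") and uses the documented values of the "VBA Macro Notification Settings" and "Block macros from running in Office files from the Internet" policies.

```powershell
# Added example, not part of the BSI page: read the Office macro settings that a
# group policy would deploy and report whether each application meets the
# baseline (macros disabled or signed-only, Internet-sourced macros blocked).
function Test-OfficeMacroPolicy {
    param(
        [string[]]$Applications = @('Word', 'Excel', 'PowerPoint'),
        [string]$OfficeVersion = '16.0'   # assumption: Office 2016/2019/365
    )

    # VBAWarnings values as documented for the "VBA Macro Notification Settings" policy.
    $vbaMeaning = @{
        1 = 'Enable all macros'
        2 = 'Disable all with notification'
        3 = 'Disable all except digitally signed'
        4 = 'Disable all without notification'
    }

    foreach ($app in $Applications) {
        # Group Policy writes under ...\Policies\... and overrides the user preference
        # stored under HKCU:\Software\Microsoft\Office\...; read both in that order.
        $keys = @(
            "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security",
            "HKCU:\Software\Microsoft\Office\$OfficeVersion\$app\Security"
        )

        $vba = $null
        $blockInternet = $null
        foreach ($key in $keys) {
            if (-not (Test-Path $key)) { continue }
            $p = Get-ItemProperty -Path $key
            if ($null -eq $vba -and $null -ne $p.VBAWarnings) { $vba = [int]$p.VBAWarnings }
            if ($null -eq $blockInternet -and $null -ne $p.blockcontentexecutionfrominternet) {
                $blockInternet = [int]$p.blockcontentexecutionfrominternet
            }
        }

        $macroText = 'not configured (Office default: disable all with notification)'
        if ($null -ne $vba -and $vbaMeaning.ContainsKey($vba)) { $macroText = $vbaMeaning[$vba] }
        $macrosOk = ($vba -eq 3 -or $vba -eq 4)   # signed-only or fully disabled
        $motwOk   = ($blockInternet -eq 1)        # mark-of-the-web files blocked outright

        [pscustomobject]@{
            Application       = $app
            MacroSetting      = $macroText
            BlockFromInternet = $motwOk
            MeetsBaseline     = ($macrosOk -and $motwOk)
        }
    }
}

Test-OfficeMacroPolicy | Format-Table -AutoSize
```

Value 3 is the setting that matches the "use signed macros" item: unsigned macros never run, signed ones from trusted publishers still do. Running the check as the logged-on user is deliberate, because the policy keys live in HKCU and a missing key there means the GPO has not applied for that user.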

Effect in Phase: 1

4. Execution of Software

The majority of ransomware infections could be prevented if the execution of unwanted software is forbidden. A whole range of measures exist for this purpose. The most important of these is so-called "application whitelisting". This allows only approved programs to be executed. The administration of such whitelists is very time-consuming, so that as a first step only "application directory whitelisting" could be activated instead.

At the very least, it should only be possible (enforced via group policy) to execute programs from directories to which the user has no write access (execution directory whitelisting); this is an effective measure against the initial infection.
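One way to implement execution directory whitelisting on Windows is an AppLocker path rule set. The script below is an added example, not code from the BSI page; it assumes a Windows edition that supports AppLocker with the Application Identity service running, and the file names used for the dry run are constructed on the test machine.

```powershell
# Added example, not part of the BSI page: an AppLocker rule set that allows
# executables only from the two standard directories a normal user cannot write to
# and lets local Administrators run anything. It starts in audit mode so that the
# "AppLocker/EXE and DLL" event log can be reviewed before enforcement is enabled.
Import-Module AppLocker

$rules = @(
    @{ Name = 'Allow Program Files'; Sid = 'S-1-1-0';      Path = '%PROGRAMFILES%\*' }  # Everyone
    @{ Name = 'Allow Windows';       Sid = 'S-1-1-0';      Path = '%WINDIR%\*' }
    @{ Name = 'Administrators';      Sid = 'S-1-5-32-544'; Path = '*' }                 # local Administrators
)
$ruleXml = foreach ($r in $rules) {
    ('<FilePathRule Id="{0}" Name="{1}" Description="" UserOrGroupSid="{2}" Action="Allow">' +
     '<Conditions><FilePathCondition Path="{3}" /></Conditions></FilePathRule>') -f
        [guid]::NewGuid(), $r.Name, $r.Sid, $r.Path
}
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    $($ruleXml -join "`n    ")
  </RuleCollection>
</AppLockerPolicy>
"@
$policyFile = Join-Path $env:TEMP 'exe-directory-allowlist.xml'
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8

# Dry run. Test-AppLockerPolicy needs files that exist, so a copy of notepad.exe in a
# user-writable folder stands in for a downloaded installer (constructed sample).
$downloaded = Join-Path $env:PUBLIC 'Downloads\sample-download.exe'
Copy-Item -Path "$env:WINDIR\notepad.exe" -Destination $downloaded -Force
$programFilesExe = (Get-ChildItem -Path $env:ProgramFiles -Filter *.exe -Recurse `
                        -ErrorAction SilentlyContinue | Select-Object -First 1).FullName
Test-AppLockerPolicy -XmlPolicy $policyFile -User Everyone `
    -Path @("$env:WINDIR\notepad.exe", $programFilesExe, $downloaded) |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item -Path $downloaded

# Merge into the local policy. In a domain, import the XML into the GPO's AppLocker
# node instead, and raise EnforcementMode to "Enabled" once the audit log is clean.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
```

The dry run shows the file in the Downloads folder as denied by default while the two system locations are allowed. Two caveats follow from the text's condition "no write access": any subfolder below Program Files or Windows that standard users can write to must be covered by a deny rule or have its ACL corrected, and the Exe collection alone says nothing about scripts, installers and DLLs, which AppLocker handles in separate rule collections.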

5. Antivirus solutions

New malware variants are rarely detected immediately by local antivirus (AV) signatures. Most infections with new ransomware variants are detected by the intrusion prevention (IPS) modules and cloud services of AV software. Antivirus software should therefore make use of these modules.

Effect in Phase: 1

6. Administrator accounts

In principle, only administrator activities should be performed with privileged accounts. These accounts should not be used to read email or surf the Internet. Administrators must have normal user accounts for this purpose. This should be enforced technically. Privileged accounts should always be protected by two-factor authentication. Domain administration accounts should not be used for client administration.

Effect in Phase: 2

7. Network segmentation

Strong network segmentation helps limit the damage, as it allows the ransomware to reach only the systems in the immediate vicinity. In particular, the secure use of administrator accounts (see previous measure) is of key importance, as otherwise a central component of the security concept would be undermined.

Effect in Phase: 3

8. Backups

Backups are the most important protective measure that can be used to ensure data availability in the event of a ransomware incident. The data must be backed up in an offline backup. The backups must be technically separated from other systems within the network after the backup process. This protects the backups from attacks and encryption.

A backup always includes planning and preparation for restarting and restoring the data. This planning should also be subjected to a practical test in order to identify complications and challenges in the restore process before an emergency occurs.

Effect in Phase: 5

9. Network drives

Users should always store important data on network drives that are integrated into a centralized data backup. Important documents should never be stored just locally.

Network drives have the advantage of enabling assignment of access rights based on a need-to-know principle. It is also possible to change them at a later date. For example, users can be denied write access to archived old project data. This means that the data is still accessible, but encryption by a ransomware Trojan with user rights would no longer be possible.
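The read-only archive described above can be set up with an explicit Deny entry on the NTFS folder behind the share. The functions below are an added example, not code from the BSI page; the share path and the group name are assumed placeholders.

```powershell
# Added example, not part of the BSI page: deny write access for a project group on
# a folder holding archived project data while the group's read access stays intact.
function Deny-WriteOnArchive {
    param(
        [Parameter(Mandatory)][string]$Path,    # placeholder, e.g. \\fileserver\projects\2019-alpha
        [Parameter(Mandatory)][string]$Group    # placeholder, e.g. 'EXAMPLE\Project-Alpha-Users'
    )

    $acl = Get-Acl -Path $Path

    # An explicit Deny entry wins over the Modify/Write allow the group inherits from
    # the share root, so inheritance can stay as it is. The rights denied here cover
    # creating, changing and deleting files; ReadAndExecute is left untouched.
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group,
        'Write, Delete, DeleteSubdirectoriesAndFiles',
        'ContainerInherit, ObjectInherit',   # apply to subfolders and files
        'None',
        'Deny')
    $acl.AddAccessRule($deny)
    Set-Acl -Path $Path -AclObject $acl
}

# Verification: is there a Deny entry for the group that covers the Write right?
function Test-ArchiveWriteDenied {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Group
    )
    $writeBit = [System.Security.AccessControl.FileSystemRights]::Write
    $denies = (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Group -and
        $_.AccessControlType -eq 'Deny' -and
        (($_.FileSystemRights -band $writeBit) -ne 0)
    }
    [bool]$denies
}

Deny-WriteOnArchive      -Path '\\fileserver\projects\2019-alpha' -Group 'EXAMPLE\Project-Alpha-Users'
Test-ArchiveWriteDenied  -Path '\\fileserver\projects\2019-alpha' -Group 'EXAMPLE\Project-Alpha-Users'
```

Because the Deny entry is scoped to the project group, the backup account and the file server administrators keep their rights, and a ransomware process running with a project member's token can still read the archive but can no longer overwrite or delete it. The same pattern can be applied to any closed project or completed fiscal year on the share.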

Effect in Phase: 5

10. Emergency planning

For the worst-case scenario (all systems in the network are encrypted and an extortion letter is present), contingency planning should exist and the processes for responding to and recovering business-critical systems should be practiced at regular intervals. In particular, business-critical systems have to be identified in advance and alternative communications (outside the compromised network) must be prepared. Important phone numbers and contacts should be kept offline (paper).

Effect in Phase: 6