Defense measures against human-operated ransomware attacks
Microsoft advises security teams and admins at organizations that might be targeted in the future by this type of ransomware campaign to take defensive measures designed to block common attack techniques or at least dramatically reduce their effectiveness.
The Microsoft Defender Advanced Threat Protection (ATP) Research Team recommends implementing these mitigation measures against human-operated ransomware attacks:
– Apply latest security updates
– Use threat and vulnerability management
– Perform regular audits; remove privileged credentials
• Thoroughly investigate and remediate alerts:
– Prioritize and treat commodity malware infections as potential full compromise
• Include IT Pros in security discussions:
– Ensure collaboration among SecOps, SecAdmins, and IT admins to configure servers and other endpoints securely
• Build credential hygiene:
– Use MFA or NLA, and use strong, randomized, just-in-time local admin passwords
– Apply principle of least-privilege
• Monitor for adversarial activities:
– Hunt for brute force attempts
– Monitor for cleanup of Event logs
– Analyze logon events
• Harden infrastructure:
– Use Windows Defender Firewall
– Enable tamper protection
– Enable cloud-delivered protection
– Turn on attack surface reduction rules and AMSI for Office VBA
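
The three items under "Monitor for adversarial activities" can be combined into one hunt over Windows Security events. The following is an added example, not code from Microsoft or from the original page: it runs over constructed sample records and uses Security event IDs 4625 (failed logon), 4624 (successful logon) and 1102 (audit log cleared). The record layout, the function name `hunt`, and the five-failures-in-five-minutes threshold are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry):
# (time, Security event ID, source address, account, logon type)
EVENTS = [
    ("2020-03-05T02:10:00", 4625, "203.0.113.7", "administrator", 10),
    ("2020-03-05T02:10:10", 4625, "203.0.113.7", "administrator", 10),
    ("2020-03-05T02:10:20", 4625, "203.0.113.7", "administrator", 10),
    ("2020-03-05T02:10:30", 4625, "203.0.113.7", "administrator", 10),
    ("2020-03-05T02:10:40", 4625, "203.0.113.7", "administrator", 10),
    ("2020-03-05T02:11:30", 4624, "203.0.113.7", "administrator", 10),
    ("2020-03-05T02:15:00", 1102, "-", "administrator", 0),
    ("2020-03-05T09:00:00", 4625, "198.51.100.20", "alice", 3),
    ("2020-03-05T09:00:30", 4624, "198.51.100.20", "alice", 3),
]

FAILED_LOGON, LOGON_OK, LOG_CLEARED = 4625, 4624, 1102
WINDOW = timedelta(minutes=5)  # assumed sliding window
THRESHOLD = 5                  # assumed failure count that marks brute force


def hunt(events, window=WINDOW, threshold=THRESHOLD):
    """Return findings for brute force, logon after brute force, and log clearing."""
    findings = []
    failures = defaultdict(list)  # source -> timestamps of recent failed logons
    flagged = set()               # sources that already crossed the threshold

    def report(rule, ts, src, account, logon_type):
        findings.append({"rule": rule, "time": ts, "source": src,
                         "account": account, "logon_type": logon_type})

    for ts, event_id, src, account, logon_type in sorted(events):
        now = datetime.fromisoformat(ts)
        if event_id == FAILED_LOGON:
            # Keep only failures inside the sliding window, then add this one.
            recent = [t for t in failures[src] if now - t <= window] + [now]
            failures[src] = recent
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                report("brute_force", ts, src, account, logon_type)
        elif event_id == LOGON_OK and src in flagged:
            # A success from a source that was just guessing passwords
            # should be treated as a likely compromise of that account.
            report("success_after_brute_force", ts, src, account, logon_type)
        elif event_id == LOG_CLEARED:
            report("security_log_cleared", ts, src, account, logon_type)
    return findings
```

On the sample data, `hunt(EVENTS)` reports the burst from 203.0.113.7, the successful logon that follows it with logon type 10 (RemoteInteractive, i.e. RDP), and the log clearing; the single mistyped password from 198.51.100.20 produces nothing.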