Kurt Baker - July 6, 2021

What is Ransomware?

Ransomware is a type of malware attack that encrypts a victim’s important files and demands a ransom to restore access. If the ransom is not paid, the malicious actor publishes the data on the dark web or blocks access to the files in perpetuity.

A ransomware infection usually begins with social engineering, such as a phishing attack, that convinces the victim to open a malicious attachment in an email.

Ransomware Protection – Tips to Prevent Ransomware Attacks

CrowdStrike has written about a number of very effective security controls and practices that you can put in place in your organization to drastically reduce your risk of a ransomware outbreak.

The following tips are supported by what CrowdStrike has found to successfully prevent and combat ransomware:

  1. Practice Good IT Hygiene
  2. Improve Resiliency of Internet Facing Applications
  3. Implement and Enhance Email Security
  4. Harden Endpoints
  5. Ransomware-Proof Data with Offline Backups
  6. Restrict Access to Virtualization Management Infrastructure
  7. Implement an Identity and Access Management (IAM) Program
  8. Develop and Pressure-Test an Incident Response Plan
  9. Know When to Ask for Help

Tip #1. Practice Good IT Hygiene

Minimizing the attack surface is critical for every organization — it’s crucial that you gain visibility into every endpoint and workload running in your environment and then keep any vulnerable attack surfaces updated and protected.

IT hygiene’s primary benefit is to give you complete network transparency. This perspective provides a bird’s eye view, as well as the power to drill down and proactively clean out your environment. Once you achieve this level of transparency, the understanding of “who, what and where” that IT hygiene provides has tremendous benefits for your organization. You’re able to:

  • Identify gaps in your security architecture. The clarity that IT hygiene provides allows you to see what hosts are running on your environment and whether they are protected. Having complete visibility enables you to effectively deploy your security architecture and ensure no rogue systems are operating behind your walls. The larger and more distributed your environment becomes — such as with workforces going increasingly remote — the harder it is to have visibility across all of your endpoints and identities (including both human and service accounts). Identifying the unmanaged assets in your environment allows you to target vulnerabilities and protect your valuable assets before attackers can reach them.
  • See what is running in your environment. By proactively identifying outdated and unpatched applications and operating systems, you can manage your application inventory and solve security and cost problems simultaneously. Unpatched operating systems and applications have serious security and cost implications — make sure to identify which applications are running on your network and pinpoint unpatched apps to get ahead of attackers.
  • See who is running in your environment. Account monitoring allows you to see who is working in your environment and ensure they’re not violating their credential permissions (including detection of tools or behavior trying to subvert those policies). System administrators remain highly targeted, and combined with poor password renewal policies, credential theft is a harsh reality. With insight into password updates, you can prevent credential creep by removing old administrative accounts or making sure users update their passwords regularly. Taking this a step further, visibility into unusual admin behavior or privilege elevation can prevent silent failure by tipping off your security team as soon as something suspicious occurs.
  • Ensure user compliance. Making sure your users abide by your most up-to-date password policies keeps administrators and users compliant with your security requirements. Consistent and ongoing user education can ensure that password best practices are followed, and ridding your network of old accounts (including service accounts) can mitigate the risk of “credential creep” by former employees.
  • Add defense-in-depth. Implement real-time detection policies to monitor for anomalous credential use, including detection of lateral movement even on workstations that may not have a Falcon agent installed. In addition, enable risk-based conditional access to trigger MFA for human and service accounts without adding burden to users, ensuring higher compliance.

Once you have full visibility and understanding of your environment, your organization can identify hygiene-related security deficiencies and resolve them immediately. From there, security teams can quickly pivot to address the critical elements of comprehensive endpoint protection: prevention, detection, hunting and threat intelligence. These capabilities are key to a complete solution that can protect your organization from the most motivated, sophisticated attackers. With a “hygiene-first” approach, and the right security solution in place, you can protect your organization from ransomware attacks and stop breaches.

Tip #2. Improve Resiliency of Internet-facing Applications

CrowdStrike has observed eCrime threat actors exploiting single-factor authentication and unpatched internet-facing applications. BOSS SPIDER, one of the initial big game hunting (BGH) ransomware threat actors, routinely targeted systems with Remote Desktop Protocol (RDP) accessible from the internet. Less sophisticated threat actors operating ransomware variants such as Dharma, Phobos and GlobeImposter frequently gain access through RDP brute-force attacks.

Tip #3. Implement and Enhance Email Security

Gaining an initial foothold into a victim organization through a phishing email is the most common tactic for BGH ransomware groups. Typically, these emails contain a malicious link that delivers the ransomware payload to the recipient’s workstation.

CrowdStrike recommends implementing an email security solution that conducts URL filtering and attachment sandboxing. To streamline these efforts, an automated response capability can be used to allow for retroactive quarantining of delivered emails before the user interacts with them. In addition, organizations may want to restrict users from receiving password-protected zip files, executables, JavaScript files or Windows installer package files unless there is a legitimate business need. Adding an “[External]” tag to emails originating from outside of the organization and a warning message on top of the email’s body can help remind users to use discretion when handling such emails.
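The attachment restrictions and “[External]” tagging described above, as an added Python illustration that is not CrowdStrike’s code: it parses a constructed inbound message with the standard library, quarantines it if it carries a blocked file type or a password-protected zip (detected from the ZIP “encrypted” flag), and prefixes the subject when the sender is outside the organization. The blocked-extension list, the internal domain and the sample message are assumptions.

```python
"""Added example (not CrowdStrike code) of the Tip #3 attachment policy:
quarantine executables, JavaScript, Windows installer packages and
password-protected zips, and tag external mail. Lists below are assumed."""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".jse", ".msi", ".msp"}  # assumed
INTERNAL_DOMAINS = {"example.com"}  # assumed: the organization's own domains

def zip_is_password_protected(data: bytes) -> bool:
    # True if any entry carries the ZIP 'encrypted' general-purpose flag (bit 0)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False  # not a real zip; the extension check still applies

def attachment_findings(msg: EmailMessage) -> list:
    # List the policy violations among the message's attachments
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            findings.append(f"blocked file type: {name}")
        elif ext == ".zip" and zip_is_password_protected(part.get_payload(decode=True) or b""):
            findings.append(f"password-protected zip: {name}")
    return findings

def apply_policy(raw: bytes) -> dict:
    # Decide deliver/quarantine and prefix the subject of external mail
    msg = message_from_bytes(raw, policy=policy.default)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    subject = msg.get("Subject", "")
    if domain not in INTERNAL_DOMAINS and not subject.startswith("[External]"):
        subject = "[External] " + subject
    findings = attachment_findings(msg)
    return {"action": "quarantine" if findings else "deliver",
            "subject": subject, "findings": findings}

def build_sample_message(sender: str, filename: str, data: bytes) -> bytes:
    m = EmailMessage()  # constructed inbound message with one attachment
    m["From"], m["To"], m["Subject"] = sender, "user@example.com", "Invoice attached"
    m.set_content("Please see the attached invoice.")
    m.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()

def build_sample_zip(password_protected: bool) -> bytes:
    buf = io.BytesIO()  # constructed zip; zipfile cannot write encrypted archives
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.js", "// constructed sample")
    data = bytearray(buf.getvalue())
    if password_protected:  # set the 'encrypted' bit in the central directory entry
        data[data.find(b"PK\x01\x02") + 8] |= 0x01
    return bytes(data)
```

Run `apply_policy(build_sample_message("billing@vendor.test", "invoice.zip", build_sample_zip(True)))` to see an external message with a password-protected zip quarantined and tagged.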

Tip #4. Harden Endpoints

Throughout an attack lifecycle that ultimately culminates in a ransomware deployment, threat actors will often leverage a number of endpoint exploitation techniques. These techniques vary from exploiting poor Active Directory (AD) configurations to leveraging publicly available exploits against unpatched systems or applications.

The list below includes some key system-hardening actions for defenders to implement. It is important to note this is not an exhaustive list, and system hardening should be an iterative process.

  • Ensure full coverage across all endpoints on your network for endpoint security products, and for the endpoint detection and response (EDR) platform. Each endpoint security platform should have strict anti-tampering protections and alerting in place if and when a sensor goes offline or gets uninstalled.
  • Develop a vulnerability and patch management program. Doing so will ensure that all endpoint applications and operating systems are kept up-to-date. Ransomware actors leverage endpoint vulnerabilities for many purposes, including but not limited to privilege escalation and lateral movement. Existing Falcon customers can leverage CrowdStrike Falcon Spotlight™ vulnerability management for a near real-time way to understand exposure to a particular vulnerability across the environment, without the need to deploy additional agents and security tools.
  • Follow Active Directory security best practices. Based on some of the most common AD downfalls observed by CrowdStrike Services during ransomware engagements, we recommend these steps:
    • Avoid easy-to-guess passwords with weak authentication methods.
    • Avoid having regular domain users with local administrator privileges, and local administrator accounts with the same passwords across the entire enterprise or large portions of the enterprise.
    • Limit workstation-to-workstation communication. While this can be achieved using group policy objects (GPOs), it can be also achieved through a number of micro-segmentation software options.
    • Avoid sharing privileged credentials. Poor security practices include shared administrative accounts and using administrator accounts for personal or day-to-day business activity that does not require administrator privileges.
    • Note that the first two points above can be accomplished using AD with little to no additional costs. At an additional cost, a privileged access management (PAM) solution can provide a much more scalable and robust solution to the same problem and is discussed more later in this blog post.

Tip #5. Ransomware-proof Data with Offline Backups

In recent years, and since the emergence of ransomware as a top method of monetizing attacks, the developers behind malicious code have become very effective at ensuring victims and security researchers cannot decrypt affected data without paying the ransom for the decryption key. Further, when developing a ransomware-proof backup infrastructure, the most important idea to consider is that threat actors have targeted online backups before deploying ransomware to the environment.

For these reasons, the only sure way of salvaging data during a ransomware attack is through ransomware-proof backups. For example, maintaining offline backups of your data allows for a quicker recovery in emergencies. The following points should be considered when developing a ransomware-proof offline backup infrastructure:

  • Offline backups, as well as the indexes (describing which volumes contain which data) should be completely separate from the rest of the infrastructure.
  • Access to such networks should be controlled via strict access control lists (ACLs), and all authentications should be performed using multifactor authentication (MFA).
  • Administrators with access to both offline and online infrastructures should avoid reusing account passwords and use a jump box when accessing the offline backup infrastructure.
  • Cloud storage services, with strict ACLs and rules, can also serve as offline backup infrastructure.
  • Emergency situations such as a ransomware attack should be the only time the offline infrastructure is allowed a connection to the live network.

Tip #6. Restrict Access to Virtualization Management Infrastructure

As mentioned earlier, threat actors engaged in big game hunting ransomware campaigns are continuously innovating to increase the effectiveness of their attacks. The most recent such development is the ability to attack virtualized infrastructure directly. This approach targets the hypervisors that run the virtual machines and store their disk files (VMDKs). As a result, the endpoint security products installed inside the virtual machines are blind to malicious actions taken on the hypervisor.

To further understand how this attack unfolds, we will use some of VMware’s naming conventions, as it is the most common virtualization product found in today’s enterprise environments.

Many ESXi systems (VMware hypervisors) do not have the Secure Shell (SSH) service enabled by default and are usually managed via vCenter. If SSH is disabled, previously stolen administrative credentials are used to enable SSH on all ESXi systems. Once that is complete, a valid account is used to SSH into each targeted ESXi system. Before the threat actor deploys the Linux-based ransomware, the virtual machines hosted on the ESXi system are stopped so that the ransomware binary can access their VMDK files for encryption. Systems impacted through this deployment method will be completely offline and inaccessible to users.

Tip #7. Implement a Robust Identity Protection Program

Organizations can improve their security posture by implementing a robust identity protection program to understand on-premises and cloud identity store hygiene (for example, Active Directory, Azure AD). Ascertain gaps, and analyze behavior and deviations for every workforce account (human users, privileged accounts, service accounts), detect lateral movement, and implement risk-based conditional access to detect and stop ransomware threats.

Tip #8. Develop and Pressure-test an Incident Response Plan

Organizations sometimes become aware of threat actor activity within their environment, but they lack the visibility to address the problem or the right intelligence to understand the nature of the threat. Recognizing the threat and responding quickly and effectively can be the difference between a major incident and a near miss.

Incident response plans and playbooks help facilitate that speedy decision making. Plans should cover all parts of the response effort, across the organization. For the security team, they should provide aids to decision-making so that front-line responders don’t overlook important details while triaging alerts. They should also outline the extent of the security team’s authority to take decisive actions — such as shutting down business-essential services — if a ransomware attack appears imminent.

For the crisis management team, plans should identify who will be involved and what their roles and responsibilities are. It should also tee up important decisions, like when to activate an incident response retainer, whether to notify insurance carriers, when and how to involve in-house or outside counsel, and how to discuss ransom demands with executives.

Consider conducting regular tabletop exercises to test the incident response plan and processes. Some organizations may benefit from simulated exercises such as “purple team” engagements, where red teamers mimic ransomware operators’ actions on objectives, including data exfiltration and ultimately ransomware deployment. CrowdStrike also recommends regular exercising of your incident response plan, both planned and unplanned, such as utilizing a red team to conduct a mock attack operation.

Tip #9. Know When to Ask for Help

In the event that you believe your organization may be impacted by ransomware, calling in experts to help investigate, understand and improve the situation can make the difference between a minor incident and a major breach. In some instances, organizations become aware of threat actor activity within their environment but may lack the visibility to address the problem or the right intelligence to understand the nature of the threat. Getting educated about the latest threats and seeking help by activating an incident response team or retainer, such as those offered by CrowdStrike Services, may allow for detection and remediation before the threat actor is able to deploy ransomware or exfiltrate data from the environment.

It’s better yet to seek out expert assistance before you truly need it. A technical assessment can help you to proactively identify and understand factors about your organization’s network that could make future ransomware incidents more or less likely. It may take different forms, depending on your current needs and security maturity. For instance, if you experience an intrusion that was confined to a specific network segment or specific business unit, an enterprise-wide compromise assessment can give confidence that the attacker did not move into parts of the environment that were beyond the scope of the initial investigation. Alternatively, an IT hygiene assessment can identify weak passwords, Active Directory configurations or missed patches that could open the door to the next attacker.

CrowdStrike’s Ransomware Solutions

CrowdStrike offers a suite of cybersecurity solutions that help organizations prevent ransomware:


Falcon Complete

Backed by the industry’s strongest Breach Prevention Warranty*

Falcon Complete MDR builds on the cloud-native Falcon platform, and augments your team with CrowdStrike’s elite cyber security experts, bringing laser focus to our shared mission, 24/7: Stop Breaches.


CrowdStrike Endpoint Recovery Service


Have you experienced a breach?

Within hours of a breach, we can get you back to business faster, with zero impact to your environment or users, and with the confidence of knowing your attackers will not reappear.


CrowdStrike Zero Trust


Go frictionless for your hybrid enterprise.

Secure your modern enterprise with the industry’s only real-time, cloud-native solution to stop breaches on any endpoint, workload or identity — wherever they are.


CrowdStrike Falcon X Recon


Know your Adversary.

Monitor ransomware and adversary activity with unrivaled coverage of the open, deep and dark web to better protect your brand, employees and sensitive data.


CrowdStrike Cloud Security


Think it. Build it. Secure it.

Go beyond ad-hoc approaches by unifying your cloud security posture management with breach protection for cloud workloads and containers for any cloud, in a single platform.


*The Breach Prevention Warranty is not available in all regions.

Get to Know the Author

Kurt Baker is the senior director of product marketing for Falcon Intelligence at CrowdStrike. He has over 25 years of experience in senior leadership positions, specializing in emerging software companies. He has expertise in cyber threat intelligence, security analytics, security management and advanced threat protection. Prior to joining CrowdStrike, Baker worked in technical roles at Tripwire and co-founded startups in markets ranging from enterprise security solutions to mobile devices. He holds a bachelor of arts degree from the University of Washington and is now based in Boston, Massachusetts.