Protect your organization from ransomware

Learn how to prevent, detect, and remediate ransomware.

The growing threat of ransomware

Ransomware is a financially motivated type of cyberattack that destroys or blocks access to critical organizational data, networks, or even physical infrastructure. Adversaries use this tactic to hold systems for ransom, threatening to destroy data or release sensitive information to the public.

How to combat ransomware

Bolster security and stop ransomware with a combination of the right tools and processes.

Build a security culture

Assume breach and adopt Zero Trust frameworks. Build resiliency with consistent training and processes that empower people to make secure decisions.

Prepare a recovery plan

Know what to do if an attack occurs. A recovery plan helps you quickly get business processes back to normal.

Stop ransomware in its tracks

Invest in comprehensive solutions that block ransomware before it harms your business.

The anatomy of a ransomware attack

Learn more about the different types of ransomware and what motivates these attacks. Explore how to respond in a step-by-step demo.


Ransomware defined

A threat with global impact

Ransomware is a type of extortion that can have a crippling impact on individuals, organizations, and national security. Attackers often use ransomware to target sectors like public health and critical infrastructure, but every industry is vulnerable.

Technology designed for extortion

Ransomware is a type of malware that encrypts files, folders, or infrastructure, preventing access to critical data or assets. It can target any endpoint, such as home computers, mobile devices, enterprise PCs, or servers.

A payoff that’s difficult to trace

Criminals use ransomware to demand money in exchange for releasing encrypted files. They may also threaten to leak sensitive data to the public. Because attackers usually insist on payment in cryptocurrency, tracing the funds back to the criminals is difficult.

Everyone’s a target

The three most frequently targeted sectors are consumer, financial, and manufacturing. Together, however, they account for only 37 percent of ransomware attacks, which shows that no industry is immune. Healthcare, for example, continued to be attacked throughout the pandemic.

Global costs continue to rise

In the last year, there was a 130 percent increase in the number of organizations hit with ransomware. The impact has been felt globally with ransom demands running into the many millions of dollars and few legal options available to victims.

Organizational compromise from a single device

Attackers use a variety of techniques to gain access, including malicious emails and documents and vulnerable devices, identities, and software. Then, they seek out administrator credentials or other accounts with privileged access, so they can compromise the entire organization.

Encryption, exfiltration, and extortion

Some ransomware attacks will encrypt a victim’s files or assets, demanding a ransom for the decryption key. Others will also exfiltrate data, which carries extensive reputational risk because the stolen data may be released to the public.

The stakes have changed

The growth trajectory for ransomware and extortion is enormous, and a successful attack can be expensive for those who fall victim. Mitigating these attacks is now an urgent priority for organizations around the globe.

Low effort, high profit

Commodity ransomware is a highly automated tactic designed to spread indiscriminately, exploiting devices with relative weaknesses. A single attack may target millions of users in the hope that a small percentage fall victim.

Email is the entryway

Phishing emails are a common entry point. They often appear to be from a trusted sender or source and use social engineering and malicious content to trick unsuspecting people into unintentionally compromising their security.

Spear phishing targets high-value employees

Spear phishing is a phishing technique characterized by customized content tailored to certain recipients. Attackers use public information to identify individuals and research their backgrounds. They use this information to write emails that will motivate the target to act.

It starts with one compromised identity

For a ransomware attack to spread beyond the first machine, attackers usually need to steal credentials and compromise an identity. This can take many forms. For example, some people inadvertently provide their username and password by entering them into a site that appears legitimate.

Broader identity theft

Once attackers have compromised someone’s device, they may immediately begin encrypting data. However, more ambitious attackers will use this access to download more malware and look for opportunities to extract additional usernames and passwords.

Worms facilitate further compromise

Worms, another type of malware, enable ransomware to move throughout a network using techniques such as stealing credentials and sessions, accessing file shares, exploiting vulnerabilities, or abusing legitimate administrative functions.

Data is now at risk

In many cases, simply connecting the infected endpoint to an organizational network is enough to see widespread compromise and significant business disruption.

Automate your defenses

Commodity ransomware relies on well-known techniques and common vulnerabilities to replicate at scale. To stay ahead, organizations need to automate their defenses through education and a multilayered threat detection and response strategy.

A hands-on attack against an organization

As security solutions have gotten better at blocking techniques like phishing, attackers are starting to move away from commodity ransomware. Human-operated ransomware is spread by an attacker moving inside the compromised network of the target organization.

Vulnerable targets provide a foothold

Human-operated ransomware uses many of the same techniques as commodity ransomware to establish an initial foothold in a network, such as malicious emails and documents, vulnerable endpoints, compromised identities, and software weaknesses.

Additional accounts are compromised

From their initial access point, attackers deploy malware to steal additional credentials that facilitate moving through the network. If antivirus protection is entirely missing from server-class endpoints, this step is trivial for the attacker.

The goal is administrative access

Rather than an automated, opportunistic approach like commodity ransomware, human-operated attacks typically move laterally through the network, compromising endpoints and identities, and using malware to obtain complete organizational compromise.

The attack is escalated

By compromising an administrative account, attackers can move with impunity within the network, accessing any resource and disabling any security control. Critical data centers and cloud resources essential to business operations are vulnerable.

Maximum pressure

Attackers increase the pressure to pay by exfiltrating sensitive data. This puts an organization in legal jeopardy if personally identifiable information is leaked, and competitive disadvantage through the loss of trade secrets.

Complete compromise

By carefully navigating the network, attackers ensure their compromise of the organization is complete. No endpoints or backups are left untouched, leaving organizations crippled and without access to the very tools needed to effectively recover.

Defend with comprehensive protection

To defend against the sophisticated adversaries behind human-operated ransomware, organizations need a comprehensive strategy, including a ransomware response plan, best-in-class detection and prevention, and holistic breach remediation.

Detect and respond to a sophisticated attack

With recent moves to the cloud, demand for remote working, and an aging application portfolio, Tim and his SecOps team at an online retailer are busier than ever. Microsoft threat protection helps them detect, respond to, and mitigate new threats.

Achieve enterprise-wide insight into attacks

Tim uses Microsoft Sentinel to see a high priority incident needing investigation. The active human-operated ransomware attack has been identified through detections from Microsoft 365 Defender and Microsoft Defender for Cloud.

Visualize the attack

From the investigation graph, Tim sees the data collected from various enterprise systems, the users and infrastructure under threat, the attack techniques in use, and the connections between each.

Understand which resources are impacted

By bringing together information from multiple data sources, Tim understands more about the target and the actions leading up to the breach.

Get actionable recommendations

From the Microsoft 365 Defender incident screen, Tim gains deeper insight into the attack through 22 automatically correlated alerts and expert threat advice.

Trace and remediate across systems

Through the graph view, Tim sees how the spear phishing email led an employee to click on a link and download a malicious document. From there, the attacker moved laterally. Automated remediation fixed affected endpoints and mailboxes.

Delve into attack details

By drilling into the initial alert, Tim learns how the attacker used their access from the malicious document and Mimikatz to gather credentials and move laterally.
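The credential-theft step described under "Additional accounts are compromised" and the Mimikatz step above both come down to one observable event: a process opening a read handle to lsass.exe, the Windows process that holds logon secrets. The Python below is an added example, not code from this page or from Microsoft Defender. It runs a simple detection over constructed Sysmon Event ID 10 (ProcessAccess) records; the key=value layout, the allowlist of legitimate LSASS readers, and the path-based risk rule are assumptions made for illustration and would be tuned per environment.

```python
"""Flag handle opens against lsass.exe that look like credential dumping.

Added illustration: the log lines below are constructed, and the allowlist
and risk rule are assumptions, not a Microsoft Defender detection.
"""
import re

PROCESS_VM_READ = 0x0010  # right to read another process's memory; required to dump LSASS

# Processes that routinely open lsass.exe on a Windows host (assumed baseline; tune per estate).
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}

# Path fragments indicating user-writable locations, where dropped tooling such as Mimikatz usually lands.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\")

# Constructed Sysmon Event ID 10 records (plus one unrelated Event ID 1), flattened to key=value.
SAMPLE_LOG = r"""
EventID=10 SourceImage=C:\Windows\system32\csrss.exe TargetImage=C:\Windows\system32\lsass.exe GrantedAccess=0x1FFFFF SourceUser=NT AUTHORITY\SYSTEM
EventID=10 SourceImage=C:\Users\jdoe\AppData\Local\Temp\mimikatz.exe TargetImage=C:\Windows\system32\lsass.exe GrantedAccess=0x1010 SourceUser=CORP\jdoe
EventID=10 SourceImage=C:\Windows\system32\svchost.exe TargetImage=C:\Windows\system32\lsass.exe GrantedAccess=0x1000 SourceUser=NT AUTHORITY\SYSTEM
EventID=1 Image=C:\Windows\system32\notepad.exe CommandLine=notepad.exe report.txt
EventID=10 SourceImage=C:\Program Files\BackupAgent\agent.exe TargetImage=C:\Windows\system32\lsass.exe GrantedAccess=0x1FFFFF SourceUser=CORP\svc-backup
"""

# A value runs until the next "<space>Key=" or end of line, so values may contain spaces.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> dict:
    """Split one flattened key=value record into a dict."""
    return dict(FIELD_RE.findall(line))


def rate_source(source_lower: str) -> str:
    """Unknown binaries in user-writable paths are rated higher than unknown binaries elsewhere."""
    return "high" if any(frag in source_lower for frag in USER_WRITABLE) else "medium"


def find_lsass_dumps(log_text: str) -> list:
    """Return one record per ProcessAccess event that reads lsass.exe memory from a non-allowlisted process."""
    hits = []
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "10":
            continue
        if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            continue
        source = ev.get("SourceImage", "").lower()
        mask = int(ev.get("GrantedAccess", "0x0"), 16)
        # Only memory reads matter for dumping; 0x1000 (query limited info) is benign on its own.
        if source in ALLOWED_SOURCES or not mask & PROCESS_VM_READ:
            continue
        hits.append({
            "source": ev["SourceImage"],
            "user": ev.get("SourceUser", "?"),
            "granted_access": hex(mask),
            "risk": rate_source(source),
        })
    return hits


if __name__ == "__main__":
    for h in find_lsass_dumps(SAMPLE_LOG):
        print(f"[{h['risk']}] {h['source']} ({h['user']}) opened lsass.exe with {h['granted_access']}")
```

On the constructed log this flags the Mimikatz binary in the user's Temp directory as high risk and the unknown backup agent as medium risk, while csrss.exe (allowlisted) and svchost.exe (no memory-read right) are ignored. The check is deliberately on the access right rather than on a list of known bad masks such as 0x1010 or 0x1438, so renamed or repacked tooling that still has to read LSASS memory is caught.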

Resolve the complex attack

With fully automated and policy-driven manual remediation, Tim is able to stop this attack in its tracks. The incident has been quickly resolved, leaving Tim and his team with time to focus on more proactive defense.

Proactively deploy preventative mitigations

By learning more from Microsoft Threat Experts about the class of attack and how it works, Tim quickly identifies a number of vulnerable devices.

Understand organizational vulnerabilities

Using a Zero Trust security strategy, Tim enforces granular access control and implements multifactor authentication. This helps him protect his Microsoft 365 estate against attacks like this in the future.

Improve defenses with expert recommendations

Microsoft 365 Defender helps Tim deploy a ransomware-specific mitigation that uses client and cloud heuristics to determine whether a file resembles ransomware. This protects endpoints from even the most recent variations.
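The "client heuristics" mentioned above judge activity by behaviour rather than by signature, which is what lets them catch a variant nobody has seen before. The Python below is an added example of one such heuristic and is not the page's or Microsoft's implementation: it scores each process over a sliding time window on how many distinct files it wrote with encryption-like entropy, how many files it renamed to a new extension, and whether it dropped a ransom-note-like file. The event log, the thresholds and the note-name pattern are constructed assumptions for illustration.

```python
"""Behavioural heuristic for ransomware-like file activity.

Added illustration: the event log, thresholds and ransom-note pattern are
constructed assumptions, not Microsoft Defender's implementation.
"""
import math
import random
import re
from collections import Counter, defaultdict, deque

HIGH_ENTROPY = 7.0      # bits per byte; encrypted (and compressed) data sits close to 8
WINDOW_SECONDS = 60     # how much recent activity per process is scored together
MIN_FILES = 5           # distinct high-entropy files needed before a process is suspicious
# File names ransomware commonly drops beside encrypted data (assumed pattern for the example).
RANSOM_NOTE_RE = re.compile(r"(readme|recover|decrypt|restore|how_to)[^\\/]*\.(txt|html|hta)$", re.I)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or single-valued input, 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def extension(path: str) -> str:
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def classify(events):
    """Score file events per process.

    Each event is a dict with t (seconds), proc, op ('write' or 'rename'), path,
    and data (bytes) for writes or new_path for renames. Returns a dict keyed by
    process name with verdict, high_entropy_files, ext_changes and ransom_note.
    """
    by_proc = defaultdict(list)
    for ev in events:
        # Entropy is computed once per write so the sliding window stays cheap.
        ev["_entropy"] = shannon_entropy(ev["data"]) if ev["op"] == "write" else 0.0
        by_proc[ev["proc"]].append(ev)

    results = {}
    for proc, evs in by_proc.items():
        evs.sort(key=lambda e: e["t"])
        window = deque()
        best = {"high_entropy_files": 0, "ext_changes": 0, "ransom_note": False}
        verdict = "benign"
        for ev in evs:
            window.append(ev)
            while ev["t"] - window[0]["t"] > WINDOW_SECONDS:
                window.popleft()
            enc_files = {e["path"] for e in window if e["op"] == "write" and e["_entropy"] >= HIGH_ENTROPY}
            ext_changes = sum(1 for e in window
                              if e["op"] == "rename" and extension(e["new_path"]) != extension(e["path"]))
            note = any(e["op"] == "write" and RANSOM_NOTE_RE.search(e["path"]) for e in window)
            stats = {"high_entropy_files": len(enc_files), "ext_changes": ext_changes, "ransom_note": note}
            if stats["high_entropy_files"] > best["high_entropy_files"]:
                best = stats
            # Many newly encrypted files plus either mass extension changes or a dropped note.
            if len(enc_files) >= MIN_FILES and (ext_changes >= MIN_FILES or note):
                verdict, best = "ransomware-like", stats
                break
        results[proc] = {"verdict": verdict, **best}
    return results


def _pseudo_random_bytes(seed: int, n: int = 2048) -> bytes:
    """Deterministic stand-in for ciphertext (constructed test data)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def sample_events():
    """Constructed log: a ransomware-like process, a word processor, and an archiver."""
    evs, t = [], 0.0
    for i in range(6):  # encrypt-in-place then rename, the classic pattern
        doc = rf"C:\Users\jdoe\Documents\report{i}.docx"
        evs.append({"t": t, "proc": "invoice.exe", "op": "write", "path": doc, "data": _pseudo_random_bytes(i)})
        evs.append({"t": t + 0.5, "proc": "invoice.exe", "op": "rename", "path": doc, "new_path": doc + ".locked"})
        t += 1.0
    evs.append({"t": t, "proc": "invoice.exe", "op": "write",
                "path": r"C:\Users\jdoe\Documents\README_RECOVER.txt", "data": b"Your files are encrypted..."})
    for i in range(6):  # ordinary document saves: low entropy, no renames
        evs.append({"t": 100.0 + i, "proc": "winword.exe", "op": "write",
                    "path": rf"C:\Users\jdoe\Documents\notes{i}.docx", "data": b"Meeting notes, action items. " * 50})
    # An archiver writes one high-entropy file: few files, no renames, so it stays benign.
    evs.append({"t": 200.0, "proc": "7z.exe", "op": "write", "path": r"C:\Users\jdoe\backup.7z",
                "data": _pseudo_random_bytes(99, 8192)})
    return evs


if __name__ == "__main__":
    for proc, r in classify(sample_events()).items():
        print(proc, r)
```

Entropy alone is not enough: compressing or archiving also produces near-random bytes, which is why the heuristic requires volume over time and a second signal (extension churn or a ransom note) before calling a process ransomware-like. Real products combine this with cloud reputation for the binary and roll back or block the process; the block above only scores.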

Protect cloud resources and workloads

Tim now turns his focus to fortifying his security perimeter. Microsoft Defender for Cloud accelerates this process by analyzing his infrastructure environment to provide a set of actionable recommendations.

Automatically detect and fix vulnerabilities

Microsoft Defender for Cloud identifies a series of servers without endpoint protection. Tim deploys the same automated remediation and cloud-based protection offered by Microsoft Defender for Endpoint across every device.

Improve security without impacting operations

With just one click, Tim deploys endpoint protection across at-risk machines. And with the continuous monitoring by Microsoft Defender for Cloud, he’ll be ready to maintain compliance throughout his IT estate over time.

Comprehensive threat detection and response

Microsoft solutions helped Tim detect and respond to a sophisticated ransomware attack. Microsoft Sentinel provided an overview, Microsoft 365 Defender correlated alerts, and Microsoft Defender for Cloud helped him secure his infrastructure.

Microsoft Sentinel provided an overview, Microsoft 365 Defender correlated alerts, and Microsoft Defender for Cloud helped him secure his infrastructure.</p>","isLogo2x":false,"links":null,"logoHref":"","logoAlt":"","logoHeight":0,"logoWidth":0,"title":"Comprehensive threat detection and response"}],"tiles":[],"arialabel":null,"id":"microsoft-defender-for-cloud-protect","isImage2x":false,"imageHref":"http://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4VejY?ver=a38a","imageAlt":"An overview in Microsoft Defender for Cloud showing secure score, regulatory compliance measurements and more.","imageHeight":658,"imageWidth":1096,"itemIndex":36,"name":"Microsoft Defender for Cloud","videoHref":"","content":"<p>Tim now turns his focus to fortifying his security perimeter. Microsoft Defender for Cloud accelerates this process by analyzing his infrastructure environment to provide a set of actionable recommendations.</p>","isLogo2x":false,"links":null,"logoHref":"","logoAlt":"","logoHeight":0,"logoWidth":0,"title":"Protect cloud resources and workloads"}],"arialabel":null,"id":"demo","isImage2x":false,"imageHref":"http://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4VpaQ?ver=2460","imageAlt":"An infographic showing a malicious email as a place an attacker exploits vulnerability.","imageHeight":658,"imageWidth":1096,"itemIndex":25,"name":"Ransomware demo ","videoHref":"","content":"<p>With recent moves to the cloud, demand for remote working, and an aging application portfolio, Tim and his SecOps team at an online retailer are busier than ever. Microsoft threat protection helps them detect, respond, and mitigate new threats.</p>","isLogo2x":false,"links":null,"logoHref":"","logoAlt":"","logoHeight":0,"logoWidth":0,"title":"Detect and respond to a sophisticated attack"}],"itemsCount":39}

Protect your business from ransomware with SIEM and XDR products

Microsoft empowers your organization’s defenders by putting the right tools and intelligence in the hands of the right people. Combine security information and event management (SIEM) and extended detection and response (XDR) to increase efficiency and effectiveness while securing your digital estate against ransomware.

Get a bird’s-eye view across the enterprise with a cloud-native SIEM tool. Aggregate security data from virtually any source and apply AI to separate noise from legitimate ransomware events, correlate alerts across complex attack chains, and speed up threat response with built-in orchestration and automation. Eliminate security infrastructure setup and maintenance, elastically scale to meet your security needs, and reduce costs with the flexibility of the cloud.

An investigation in Microsoft Sentinel showing a high severity active threat.

Additional resources

Stop breaches across your entire organization

Defend against modern attacks with a cloud-native SIEM (Security information and event management) and XDR (Extended detection and response) solution.