Sharing how Microsoft protects against ransomware

Nov 13, 2023

Anyone can fall victim to ransomware.

As cybercriminals shift from wide-net approaches to focus on precision attacks against high-dollar targets, there is extra pressure for companies and governments to evaluate and defend themselves against ransomware attacks.

This is why Microsoft is driving new priorities to protect our company, our people, and our customers. We launched our Ransomware Elimination Program (REP)—a multi-stakeholder effort built upon Zero Trust—to better understand our risk profile and deploy additional controls, processes, and practices to improve resiliency against intrusion.

This allowed us to weave our many different ransomware systems and processes into a single agile framework that we use to holistically guard against attacks.

It’s made a big difference for us—we’re now better able to analyze our systems, understand capabilities, and innovate on some of the solutions we rely on to stay safe.

Related posts in this series:

  • Read blog two in our ransomware series: Why Microsoft uses a playbook to guard against ransomware.
  • Read blog three in our ransomware series: Building an anti-ransomware program at Microsoft focused on an Optimal Ransomware Resiliency State.
  • Learn more about human-operated ransomware.
  • Discover how Microsoft’s Zero Trust effort keeps the company secure.

A new threat emerges

Ransomware today is a large and profitable business where technically skilled human operators work in unison to exploit high-value targets. Healthcare, government, utilities, businesses, and universities have all been victimized by gangs of hackers. It wasn’t always this way, though.

Historically, ransomware was a commodity effort, meaning attacks were automated and spread like a virus. Phishers spammed as many accounts as possible in the hope of infecting a device with malware. Once inside the device, the ransomware encrypts files and folders, holding them hostage. Cybercriminals then extort the victim, selling restored access to the device.

By contrast, today’s human-operated ransomware attacks are a well-researched and coordinated effort to gain access to cloud and on-premises infrastructures. Cybercriminals work with intention, adapting and exploiting the environment as they move laterally in search of high-value business resources. And unlike commodity efforts, which can be cleaned up with malware remediation, human-operated ransomware poses a continuous threat. Left unchecked, the threat and costs associated will continue to grow.

The elimination of ransomware presents several challenges, with some of the most effective methods being out of our control. We can’t limit or remove motive; bad actors will always try to exploit others for gain. We can’t lock down the means either, as hackers rely on the same tools and skills that developers use to bring good into this world.

What we can do is limit the opportunity and make it harder for ransomware to disrupt our lives.

Addressing the challenge with simple questions

Carmichael Patton is a principal program manager on Microsoft’s internal enterprise security team.

Faced with increasingly common attacks, we, the company’s internal enterprise security team, asked ourselves some basic questions, including, “How protected and resilient would we be if we were attacked?” and “How do we evolve past protecting against ransomware and aspire to a bigger goal of eliminating ransomware threats?”

Our foundation of Zero Trust provides a solid base to build upon. It ensures devices are registered, users are who they say they are, and verifies that devices are healthy and current. However, when it comes to ransomware, we realized there were opportunities to add additional controls and gain more stability across our systems.

We started investigating ourselves, looking for areas to improve, gaps to close, and ways to reduce risk.

We looked at everything. We looked at the tools, policies, and processes we have and made sure they were up and running. We checked configurations and adjusted settings to get the best outcomes. If we found a gap, we set out to fix it.

Put another way, we asked simple questions like, “What can we do, what should we do, and what can’t we do?”

Eliminating ransomware from the inside out

All that questioning led us to the conclusion that we needed to centralize our efforts.

Instead of each engineering or service group managing the threat on their own, we’d use a holistic, cohesive approach spanning devices and services. We developed a playbook, a way to test ransomware scenarios and build out a set of best practices for response, recovery, and remediation. We shifted our focus to catching human-operated ransomware in earlier stages, where it is less likely to cause real damage.

And, because human-operated ransomware is always changing, we knew this would need to be an ongoing effort. That’s why we created the Ransomware Elimination Program (REP).

The REP team drives the effort to boost resiliency across our company and for our customers. Within REP, we work towards creating an optimal ransomware resiliency state where Zero Trust is employed, Windows 11 is deployed, and tools like Microsoft Defender for Endpoint are configured with network and tamper protection in place.
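The resiliency state described above names concrete device-level items: Windows 11 deployed, and Defender for Endpoint running with network protection and tamper protection in place. The following is an added example, not Microsoft’s REP tooling, that audits one Windows device against those items using the built-in Defender PowerShell module (`Get-MpComputerStatus` and `Get-MpPreference`); it assumes an elevated PowerShell session on a Windows device and reports gaps rather than changing any setting.

```powershell
# Added example (not part of Microsoft's REP tooling): audit a single Windows
# device against the resiliency items named in the text. Assumes the built-in
# Defender PowerShell module is available; run from an elevated session.

function Test-RansomwareResiliencyState {
    [CmdletBinding()]
    param()

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    $build  = [System.Environment]::OSVersion.Version.Build

    # Windows 11 builds start at 22000; anything lower is Windows 10 or older.
    $results = [ordered]@{
        'Windows 11 deployed'              = ($build -ge 22000)
        'Real-time protection enabled'     = [bool]$status.RealTimeProtectionEnabled
        # Tamper protection blocks local and remote changes to Defender settings,
        # which is why a human-operated intrusion usually tries to switch it off.
        'Tamper protection enabled'        = [bool]$status.IsTamperProtected
        # EnableNetworkProtection: 0 = disabled, 1 = block mode, 2 = audit mode.
        'Network protection in block mode' = ($pref.EnableNetworkProtection -eq 1)
    }

    foreach ($check in $results.Keys) {
        $state = if ($results[$check]) { 'PASS' } else { 'GAP ' }
        Write-Output ("[{0}] {1}" -f $state, $check)
    }

    # Return the number of gaps so the caller can feed reporting or alerting.
    return @($results.Values | Where-Object { -not $_ }).Count
}

$gaps = Test-RansomwareResiliencyState
if ($gaps -gt 0) {
    Write-Warning "$gaps resiliency gap(s) found on $env:COMPUTERNAME"
}
```

A value of 2 for `EnableNetworkProtection` means audit mode, which logs but does not block, so the script deliberately counts it as a gap.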

Simplified, REP is about defining a requirement and building out implementations of core protections, pervasive backups, and comprehensive alerts across all our enterprise assets including identities, devices, services, and data stores.

It’s a perpetual alignment exercise in getting security information and event management (SIEM) up for the security operations center (SOC), enabling protections in Office 365, controlling standard and conditional access, and always asking, “What can we do, what should we do, and what can’t we do?”

Because Microsoft products are so pervasive across the planet, they’re also a main target for ransomware attacks. We want to make attacks against Windows, Microsoft Azure, and our other products as insurmountable as possible.

Making ransomware a top priority

REP’s most important impact is that it makes it harder for cybercriminals to commit ransomware attacks. We do this by incorporating industry trends and feedback from customers and continuing to build out our own security research and threat intelligence. At the same time, our increased resiliency—the ability to respond, recover, and remediate—diminishes the likelihood of attackers receiving any kind of reward.

Because we have centralized the response through the program, we’re also able to prioritize our efforts. Having the core practice of Zero Trust in place goes a long way toward making this possible. Evaluating our weaknesses and gaps is a constant project, but we’re also able to take the learnings we’ve gathered from these exercises and share them with our product and service teams to create better protections for the enterprise and the customer.

Ransomware is constantly evolving, and its elimination requires a holistic and cohesive approach. REP is an essential part of the front-line defense that protects devices against attacks.

Key Takeaways

  • To be successful and robust, a centralized ransomware team should continuously evaluate gaps and adjust the framework.
  • A framework for an optimal ransomware resiliency state builds on Zero Trust, with a clear prioritization of which controls to put in place first.
  • Give your teams a playbook to run tabletop exercises and regularly test your readiness for a human-operated ransomware attack.

Stay tuned for the next blog post in our series where we’ll share our playbook for responding to ransomware.
