Lessons learned at Microsoft: Five steps you can take to reduce your ransomware risk

As a part of our journey to reduce our ransomware risk internally here at Microsoft, we’ve identified five principles that we believe every enterprise should follow to make themselves more secure from these attacks. We call these our Foundational Five of Ransomware.

While we use Microsoft products to secure our systems, infrastructure, data, and identities, the Foundational Five are product agnostic and can be scaled to meet the needs and requirements of organizations of any size. This is especially important for smaller organizations, with 70 percent of encounters with human-operated ransomware happening in organizations with fewer than 500 employees, according to the Microsoft Digital Defense Report 2023.

The five principles for fighting ransomware: Modern authentication, automatic cloud back up file-syncing, threat- and risk-free environments, posture management, and least privileged access. — We’ve learned that adhering to these five principles is the key to fighting ransomware.

Our Foundational Five are:

Move to modern authentication with phishing-resistant multi-factor authentication.
Always use automatic cloud backup and file syncing.
Work towards having threat- and risk-free environments.
Upgrade your posture management to improve the health of your devices, services, and assets.
Apply least privileged access standards to your full technology stack.

Modern authentication with phishing-resistant multi-factor authentication

It’s a well-known fact that today’s threat actors don’t break in, they sign in. Whether done through illicitly acquired credentials, brute force attacks, or phishing, inadequate protective measures for authentication are like leaving the front door wide open for attackers to walk through.

Microsoft Incident Response observed that 21 percent of customers who experienced ransomware didn’t have MFA or didn’t mandate MFA for privileged accounts, while 37 percent didn’t have advanced MFA protection mechanisms enabled.

—2023 Microsoft Digital Defense Report

The growth in password-based identity attacks on Microsoft Entra is startling, with a 10-fold increase observed between 2022 and 2023. While the use of multi-factor authentication (MFA) adds an extra layer of security, threat actors are increasingly turning to techniques such as MFA bombing to catch unwitting users off guard. Earlier in 2023, we observed 6,000 MFA fatigue attempts per day on customer identities. This is why we strongly advise using phishing-resistant MFA.

Phishing-resistant MFA differs from traditional MFA by binding the token to the legitimate user’s device. Windows Hello for Business and FIDO2 services, like physical tokens and Passkey, are examples of technologies that can be used for added protection. When combined with conditional access policies and step-up authentication, this can be an effective method to protect users who have access to sensitive resources or high-risk roles.

Microsoft Incident Response observed that 21 percent of customers who experienced ransomware didn’t have MFA or didn’t mandate MFA for privileged accounts, while 37 percent didn’t have advanced MFA protection mechanisms enabled.

Phishing-resistant MFA with conditional access can help prevent:

Spear phishing: Attackers craft tailored phishing emails that are sophisticated and challenging to identify, aiming to deceive specific individuals.
Remote Desktop Protocol (RDP) brute force attacks: Unauthorized remote access to resources is attempted through the exploitation of stolen credentials.
Local password storage: Measures are in place to prevent passwords stored locally on devices from being read or downloaded.
Unencrypted credential storage: Credentials are safeguarded against being stored without encryption, which would otherwise allow easy unauthorized access.
Credential and cookie theft: Security protocols are enforced to protect against the theft of credentials or cookies directly from browsers.
Unauthorized account creation: Systems are secured to prevent the unauthorized addition of new user accounts.

What we use:

Windows Hello for Business enhances multifactor authentication by offering secure sign-in capabilities and enabling a passwordless experience.

Authenticator app is a secure and encrypted application that facilitates multifactor authentication to safeguard access to accounts and services.

Entra ID serves as a comprehensive identity and access management solution.

Secure Service Edge functions as a unified security point for protecting data and users across all network traffic.

FIDO keys offer a form of hardware-based authentication that is resistant to phishing and other forms of account compromise.

Automatic cloud backup and file-syncing for user and business-critical data

Microsoft has observed that approximately 16 percent of human-operated ransomware activity involved both encryption and exfiltration, while 13 percent used exfiltration exclusively.

—2023 Microsoft Digital Defense Report

Much of the Foundational Five is about setting up preventative measures to secure your organization. But in the event of a successful breach, it’s important that your data remains secure and accessible. For many organizations that have suffered a ransomware attack the biggest costs associated are restoring business continuity, including access to the files and resources vital to your organization.

Setting up automatic cloud backup and file-syncing is one of the simplest ways to help achieve this, and arguably delivers the biggest bang for the buck in a ransomware prevention strategy. Active automatic backups can thwart common ransomware tactics including the disabling of system recovery capabilities and the deletion of , which are essential for business continuity. In some cases, it might be effective in preventing the exfiltration of documents, which can be used for data dumping, or double and triple extortion.

“Microsoft has observed that approximately 16 percent of human-operated ransomware activity involved both encryption and exfiltration, while 13 percent used exfiltration exclusively,” states the 2023 Microsoft Digital Defense Report.

We recommend at a minimum setting up automatic cloud backup and file-syncing on all user devices for key folders such as Desktop, Documents, and other locations where user data and business-critical data are stored.

Automatic cloud backup and file-syncing protects people from:

Deletion of shadow copy files: These are built-in local backup copies in Windows that aid in device restoration in the event of a compromise.
Disabling of recovery features: It ensures that features enabling individual device recovery remain active and cannot be turned off.
Document exfiltration for double extortion: It protects against scenarios where malicious actors not only demand a ransom to decrypt files but also threaten to release sensitive documents publicly unless an additional ransom is paid.

What we use:

OneDrive for Business is used for cloud-based device backups, ensuring data recovery in case of device compromise.

Azure Backup Center (also known as Azure Cloud Backup) is used for the automated backup of Azure infrastructure and data, providing a reliable disaster recovery solution.

Threat- and risk-free environments

As there are always new and evolving cyber-risks, it’s a continual effort to create an environment that’s protected from ransomware by proactive measures. And while it might not be possible to guarantee an environment entirely free of threats and risks, it’s something worth striving towards.

Creating a threat- and risk-free environment starts with ensuring that the devices joining your network are healthy, and that controls are put in place to ensure vulnerabilities and threats are managed. We ensure this through the comprehensive use of endpoint detection and response (EDR) and our device management policy for all devices and operating systems. Our device health policy includes mandatory encryption, antimalware, tamper protection, specific mandatory hardware configurations, and minimum operating system version requirements. Devices that aren’t patched, updated, or properly configured are frequently exploited by threat actors and are vulnerable to cyberattacks. These devices aren’t allowed on our network—no exceptions permitted.

Threat- and risk-free environments protect against:

Platform and supply chain-based attacks: These are sophisticated attacks that target vulnerabilities in the hardware and software supply chain, potentially compromising the integrity of platforms and services.
Threat actor reconnaissance: This refers to the preliminary activities of threat actors to gather information about systems and networks, identifying potential vulnerabilities to exploit.
Disabling of security features or systems: Prevent unauthorized attempts to disable or circumvent security measures that are in place to protect data and systems.
Deployment of ransomware: By maintaining a secure posture, the environment is protected against the deployment of ransomware, which can encrypt data and disrupt operations, demanding a ransom for decryption.

What we use:

Microsoft Entra Privileged Identity Management is used for managing and monitoring privileged roles within our organization.

Microsoft Defender for Cloud offers comprehensive protection across cloud services to secure infrastructure and data.

Microsoft Defender for Endpoint provides advanced threat defense and post-breach detection for endpoints.

Microsoft Entra Identity Protection uses automated responses to detected identity risks, safeguarding user identities within the organization.

Posture management for compliance and the health of devices, services, and assets

The standards and policies an organization uses to protect against ransomware are only as good as the degree of adherence. This is where security posture management can help drive down the risk of a successful ransomware attack.

The monitoring of cloud-based systems and infrastructures creates visibility and improves control over policies and configurations. It highlights risks and misconfigurations, such as insecure secrets and keys, potential points of data exposure, and data flows and resources containing sensitive and shadow data to be discovered and remediated. Increasingly, remediation can be automated when triggered by security events.

Strong posture management can protect against:

Exploitation of vulnerable services: This prevents attackers from taking advantage of services that have known weaknesses or aren’t regularly updated with patches.
Unpatched vulnerabilities in applications: This ensures that applications are kept up to date with the latest security patches to mitigate the risk of exploitation.
Scheduled tasks leading to system compromise: This controls and monitors scheduled tasks to prevent them from being used as a pathway for system compromise.

What we use:

Microsoft Defender for Endpoint provides advanced protection for enterprise endpoints with threat prevention, detection, and response capabilities.

Microsoft Defender for Cloud secures cloud services by safeguarding infrastructure and data against threats.

Azure Policy enforces organizational standards and monitors compliance, providing automated remediation for policy violations.

Least privileged access applied to the entire technology stack

Least privileged access (LPA) involves limiting access to only what’s necessary to perform the intended function. This includes concepts such as removing admin from a workstation, limiting access to on-premises and cloud environments, and restricting access to critical services to only specific administrative roles. It’s a way of reducing the cyber-attack surface, stopping the spread of malicious activity. Additionally, LPA helps to prevent privilege creep, which happens when users accumulate unnecessary access to accounts over time.

LPA can help prevent ransomware attacks by limiting the access rights of users and devices to only the resources they need to perform their tasks. Should a user or device be compromised by ransomware, the impact and spread of the infection is minimized. Ransomware often relies on exploiting vulnerabilities or stealing credentials to gain access to sensitive data and systems. By applying the principle of least privilege, organizations can reduce the attack surface and the potential damage of ransomware attacks.

We recommend applying LPA over the entire technology stack as it ensures complete protection of all parts including devices, users, applications, systems, and data. Comprehensive application will require a solution that can manage and secure privileged credentials and controls.

When applied to the entire stack, LPA protects against:

Ransomware: By ensuring that users and devices have access only to the data and systems necessary for their roles, LPA prevents ransomware from encrypting or exfiltrating data.
Privilege creep: LPA combats the accumulation of unnecessary privileges by users over time, which can be exploited by ransomware and other malicious software.
Inappropriate access levels: Regular monitoring and reviews under LPA ensure that users and devices maintain appropriate access levels, reducing the risk of inappropriate access.

What we use:

Entra PIM manages roles and permissions, ensuring just-in-time access to critical resources in line with LPA.

Intune protects least privilege by enabling organizations to run users as standard while elevating privileges only when necessary.

Entra Conditional Access within Microsoft Entra secures resource access by enforcing rules based on user location, device status, and sign-in behavior.

Building an even stronger foundation

The Foundational Five are an excellent starting point to defending your enterprise against ransomware. However, it’s just the beginning of a broader, more involved strategy against cybercrime.

If your organization doesn’t already have one, consider developing a ransomware incident response playbook and pressure-test its efficacy with table-top exercises or attack simulations. Incident response preparedness has an outsized effect on business continuity and recovery.

Additionally, as phishing is a common starting point for ransomware threat actors, consider frequent phishing simulations, and education and awareness training for employees on topics including business email compromise and vendor email compromise—both of which are on the rise.

Here are some suggestions for getting started with the Foundational Five of ransomware elimination at your company:

Progressively build up and invest in your ransomware elimination strategy. The goal is to make incremental improvements to reduce your attack surface area.
While attackers commonly sign in using stolen credentials, MFA attacks are on the rise. Consider the use of phishing-resistant credentials such as FIDO2 tokens and ensure that users have the correct privileges to limit mobility.
Ensure that the technologies and systems you have in place are properly configured and fully operational. Test your systems to ensure they’re working as expected.