Ransomware Defense: Prevention & Recovery Guide

Ransomware Threat Landscape
Prevention Strategies
Backup Best Practices
Detection & Response
Recovery Procedures
Should You Pay?

Current Threat Level: HIGH

Ransomware attacks increased 150% in 2023. Average ransom: $1.5M. Average downtime: 21 days.

Ransomware Threat Landscape

Top Ransomware Groups (2024)

LockBit 3.0	Most active, RaaS model, double extortion
BlackCat/ALPHV	Rust-based, cross-platform
Cl0p	Known for MOVEit exploit
Play	Targets VMware ESXi
Royal	Targets healthcare, education

Attack Vectors

Phishing emails (most common)
RDP exposure (exposed port 3389)
Vulnerable VPNs (unpatched Fortinet, Pulse)
Supply chain (compromised software updates)
Malvertising (drive-by downloads)

Prevention Strategies

1. Email Security

# Block dangerous attachments
Block: .exe, .js, .vbs, .ps1, .bat, .cmd, .scr, .hta

# Enable email authentication
SPF: v=spf1 include:_spf.google.com ~all
DKIM: Enable signing for all outbound mail
DMARC: v=DMARC1; p=reject; rua=mailto:[email protected]

2. Endpoint Hardening

# Disable macros by default (GPO)
User Configuration > Administrative Templates > 
Microsoft Office > Security Settings >
"Block macros from running in Office files from the Internet" = Enabled

# Enable ASR rules (Attack Surface Reduction)
Set-MpPreference -AttackSurfaceReductionRules_Ids `
    BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 `
    -AttackSurfaceReductionRules_Actions Enabled

3. Network Segmentation

Isolate critical systems from general network
Limit lateral movement with firewall rules
Separate backup network from production
Implement Zero Trust architecture

Backup Best Practices

3-2-1 Backup Rule

3 copies of your data
2 different storage types
1 offsite (air-gapped or immutable cloud)

Immutable Backups

# AWS S3 Object Lock (immutable)
aws s3api put-object-lock-configuration \
    --bucket my-backup-bucket \
    --object-lock-configuration '{
        "ObjectLockEnabled": "Enabled",
        "Rule": {
            "DefaultRetention": {
                "Mode": "COMPLIANCE",
                "Days": 30
            }
        }
    }'

Backup Testing

Test restoration monthly
Document recovery time
Verify data integrity
Store recovery procedures offline

Detection & Response

Early Warning Signs

Unusual file encryption activity
Mass file renaming (.locked, .encrypted extensions)
Deletion of shadow copies
Unusual outbound traffic (data exfil)
Disabled security tools

Detection Rules

# Sigma Rule - Ransomware File Extension
title: Ransomware File Rename
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 11  # FileCreate
    TargetFilename|endswith:
      - '.locked'
      - '.encrypted'
      - '.cry'
      - '.crypt'
  condition: selection

Recovery Procedures

Isolate: Disconnect affected systems immediately
Assess: Determine scope of encryption
Report: Notify leadership, legal, law enforcement
Restore: Recover from clean backups
Rebuild: If no backups, rebuild from scratch
Harden: Fix the initial access vector

Should You Pay the Ransom?

FBI recommends: DO NOT PAY.

No guarantee you'll get data back (20% don't)
Funds criminal operations
Makes you a target for repeat attacks
May violate OFAC sanctions (legal liability)

If considering payment, consult with legal counsel and law enforcement first.

Updated: December 2024

Ransomware Defense

Table of Contents