Microsoft addresses the rising threat of ransomware
- Date: 11 October, 2021
Microsoft has announced a new technical solution and valuable guidance, both aimed at helping organisations protect themselves against the growing threats posed by ransomware.
At the technology level, Fusion detection for ransomware, a feature of Azure Sentinel, is now publicly available.
The feature uses machine learning to spot potential attacks and alerts security teams when it observes actions potentially associated with ransomware activity.
Each alert explains what was observed and identifies the devices or hosts on which the actions were seen. To produce it, Fusion correlates alerts from the data sources connected to Azure Sentinel, such as Azure Defender, Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Cloud App Security and Azure Sentinel scheduled analytics rules.
Speed is key to the Fusion system, since the sooner security teams can be alerted to the threats, the faster the ransomware attacks can be contained and remediated, thus preventing more machines or the entire network from being compromised.
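To make the correlation idea concrete, the following is an added example, not Microsoft's code and not how Fusion itself works (Fusion applies machine learning; this is a deliberately simple rule). It groups constructed sample alerts from several of the products named above by host and raises an incident only when alerts from at least two distinct sources land on the same host within a short window, so that a single noisy product, or two unrelated alerts days apart, does not produce an incident. The alert titles, host names, timestamps, the two-hour window and the two-source threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    """One alert from a connected data source (constructed, not real telemetry)."""
    time: datetime
    source: str   # product or rule set that raised the alert
    host: str     # device the activity was observed on
    title: str


# Constructed sample alerts. The product names are those listed in the article;
# titles, hosts and timestamps are made up for this example.
SAMPLE_ALERTS = [
    Alert(datetime(2021, 10, 11, 9, 2), "Microsoft Defender for Endpoint",
          "ws-finance-07", "Volume shadow copies deleted"),
    Alert(datetime(2021, 10, 11, 9, 5), "Microsoft Defender for Identity",
          "ws-finance-07", "Suspected credential theft"),
    Alert(datetime(2021, 10, 11, 9, 40), "Azure Sentinel scheduled analytics rule",
          "ws-finance-07", "Mass file rename to unusual extension"),
    # Two sources on one host, but two days apart: should not be joined.
    Alert(datetime(2021, 10, 9, 3, 0), "Microsoft Defender for Endpoint",
          "vm-web-01", "Unusual process launched"),
    Alert(datetime(2021, 10, 11, 10, 15), "Azure Defender",
          "vm-web-01", "Antimalware protection disabled"),
    # Two alerts close together, but from a single source: should not be joined.
    Alert(datetime(2021, 10, 11, 11, 0), "Microsoft Defender for Endpoint",
          "ws-hr-02", "Volume shadow copies deleted"),
    Alert(datetime(2021, 10, 11, 11, 3), "Microsoft Defender for Endpoint",
          "ws-hr-02", "Backup catalog deleted"),
]


def correlate(alerts, window=timedelta(hours=2), min_sources=2):
    """Return one incident per host where alerts from at least `min_sources`
    distinct sources fall within `window` of each other.

    The window and threshold are assumptions for this example, not Fusion's.
    """
    by_host = defaultdict(list)
    for alert in alerts:
        by_host[alert.host].append(alert)

    incidents = []
    for host in sorted(by_host):
        host_alerts = sorted(by_host[host], key=lambda a: a.time)
        best = None
        # Slide a window starting at each alert; keep the largest qualifying group.
        for i, anchor in enumerate(host_alerts):
            group = [a for a in host_alerts[i:] if a.time - anchor.time <= window]
            if len({a.source for a in group}) >= min_sources and (
                best is None or len(group) > len(best)
            ):
                best = group
        if best is not None:
            incidents.append({
                "host": host,
                "first_seen": best[0].time,
                "last_seen": best[-1].time,
                "sources": sorted({a.source for a in best}),
                "alerts": [a.title for a in best],
            })
    return incidents


if __name__ == "__main__":
    for incident in correlate(SAMPLE_ALERTS):
        print(f"{incident['host']}: {len(incident['alerts'])} alerts from "
              f"{len(incident['sources'])} sources between "
              f"{incident['first_seen']:%H:%M} and {incident['last_seen']:%H:%M}")
        for title in incident["alerts"]:
            print("  -", title)
```

Run as written, the script reports a single incident on ws-finance-07 built from three products, and stays silent on the other two hosts; lowering `min_sources` to 1 turns every host into an incident, which is the alert-fatigue problem that cross-source correlation is meant to avoid.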
And the need for such speed is becoming ever-more critical, with Microsoft citing a recent report from PurpleSec that revealed the downtime associated with ransomware attacks has increased by over 200% since 2019, with the cost being 23x higher over the same period.
On a more general level, Microsoft has also published an advisory note intended to help organisations of all sizes to improve their defences against ransomware.
The guidance comes in the form of a three-step process, with the individual steps being:
- Prepare a recovery plan, with the aim of recovering without paying: This may mean restoring all systems from backups, so critical assets should be backed up automatically and those backups protected against deliberate erasure and encryption. Microsoft also recommends reducing on-premises exposure by moving data to cloud services that offer automatic backup and self-service rollback.
- Limit the scope of damage: The intention here is to ensure you have strong controls (prevent, detect, respond) for privileged accounts, since this will slow or block attackers from gaining complete access to steal and encrypt your resources. This can be achieved by enabling elevated security for privileged accounts.
- Make it harder to get in by incrementally removing risks: Here the aim is to prevent a ransomware attacker from entering your environment in the first place, and to rapidly detect and evict those who do (see the ‘Fusion detection for ransomware’ feature mentioned above). Microsoft recommends following the principles of a Zero Trust strategy as part of this activity.
The guidance concludes by stressing the value of obtaining buy-in from the top executives of your organisation and getting IT and security stakeholders working together to counter the threats posed by ransomware.
And the importance of these two new announcements is reinforced by this cautionary note from Mark Simos, Lead Cybersecurity Architect in the Microsoft Cybersecurity Solutions Group: “One common misconception about ransomware attacks is that they only involve ransomware – ‘pay me to get your systems and data back’ – but these attacks have actually evolved into general extortion attacks. While ransom is still the main monetisation angle, attackers are also stealing sensitive data (yours and your customers’) and threatening to disclose or sell it on the dark web or internet (often while holding onto it for later extortion attempts and future attacks)”.