CISA updates ransomware guidance

The Cybersecurity and Infrastructure Security Agency (CISA) has updated its #StopRansomware guide to account for the fact that ransomware actors have accelerated their tactics and techniques since the original guide was released in September of 2020.

The #StopRansomware guide is set up as a one-stop resource to help organizations reduce the risk of ransomware incidents through best practices to detect, prevent, respond, and recover from them, including step-by-step approaches to address potential attacks.

Specifically, the agency added:

  • Recommendations for preventing common initial infection vectors
  • Updated recommendations to address cloud backups and zero trust architecture (ZTA).
  • Threat hunting tips for detection and analysis of ransomware actors

Since the CISA list of recommendations is huge we will focus on the new points, with links to further Malwarebytes resources, and add our own set of recommendations at the end.

Updated CISA guidance

  • Limit the use of RDP and other remote desktop services. If RDP is necessary, apply best practices. Threat actors often gain initial access to a network through exposed and poorly secured remote services, and later traverse the network using the native Windows RDP client. Threat actors also often gain access by exploiting virtual private networks (VPNs) or using compromised credentials.
  • Implement phishing-resistant multi-factor authentication (MFA) for all services, particularly for email, VPNs, and accounts that access critical systems. Escalate to senior management upon discovery of systems that do not allow MFA, systems that do not enforce MFA, and any users who are not enrolled with MFA.
  • Consider employing password-less MFA that replace passwords with two or more verification factors (e.g., a fingerprint, facial recognition, device pin, or a cryptographic key).
  • Consider subscribing to services that monitor the dark web for compromised credentials.
  • Create policies to include cybersecurity awareness training about advanced forms of social engineering for personnel that have access to your network. Training should include tips on being able to recognize illegitimate websites and search results. It is also important to repeat security awareness training regularly to keep your staff informed and vigilant.
  • Consider using a multi-cloud solution to avoid vendor lock-in for cloud-to-cloud backups in case all accounts under the same vendor are impacted.
  • Implement a zero trust architecture (ZTA) to prevent unauthorized access to data and services. Make access control enforcement as granular as possible. ZTA assumes a network is compromised and provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per request access decisions in information systems and services.
  • Employ logical or physical means of network segmentation by implementing ZTA and separating various business units or departmental IT resources within your organization and maintain separation between IT and operational technology.

CISA consider the following to be advanced forms of social engineering:

For organizations that have their own threat hunters and do not use an external Managed Detection and Response (MDR) service, CISA added the following points for enterprise and cloud environments.

For enterprise environments

  • Newly created Active Directory accounts or accounts with escalated privileges, and recent activity related to privileged accounts such as Domain Admins.
  • Anomalous VPN device logins or other suspicious logins.
  • Endpoint modifications that may impair backups, shadow copy, disk journaling, or boot configurations. Look for anomalous usage of built-in Windows tools such as bcdedit.exe, fsutil.exe (deletejournal), vssadmin.exe, wbadmin.exe, and wmic.exe (shadowcopy or shadowstorage). Misuse of these tools is a common ransomware technique to inhibit system recovery.
  • Signs of the presence of Cobalt Strike beacon/client. Cobalt Strike is a commercial penetration testing software suite. Malicious actors often name Cobalt Strike Windows processes with the same names as legitimate Windows processes to obfuscate their presence and complicate investigations.
  • Signs of any unexpected usage of remote monitoring and management (RMM) software (including portable executables that are not installed). RMM software is commonly used by malicious actors to maintain persistence.
  • Any unexpected PowerShell execution or use of PsTools suite.
  • Signs of enumeration of AD and/or LSASS credentials being dumped (e.g., Mimikatz or NTDSutil.exe).
  • Signs of unexpected endpoint-to-endpoint (including servers) communications.
  • Potential signs of data being exfiltrated from the network. Common tools for data exfiltration include Rclone, Rsync, various web-based file storage services (also used by threat actors to implant malware/tools on the affected network), and FTP/SFTP.
  • Newly created services, unexpected scheduled tasks, unexpected software installed, etc.

For cloud environments

  • Enable tools to detect and prevent modifications to IAM, network security, and data protection resources.
  • Use automation to detect common issues (e.g., disabling features, introduction of new firewall rules) and take automated actions as soon as they occur. For example, if a new firewall rule is created that allows open traffic (, an automated action can be taken to disable or delete this rule and send notifications to the user that created it as well as the security team for awareness. This will help avoid alert fatigue and allow security personnel to focus on critical issues.

Malwarebytes’ tips to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.