Ransomware Infection Vector: Phishing
■ Implement a cybersecurity user awareness and training program that
includes guidance on how to identify and report suspicious activity (e.g.,
phishing) or incidents. Conduct organization-wide phishing tests to gauge
user awareness and reinforce the importance of identifying potentially
malicious emails.
■ Implement filters at the email gateway to filter out emails with known
malicious indicators, such as known malicious subject lines, and block
suspicious Internet Protocol (IP) addresses at the firewall.
■ To lower the chance of spoofed or modified emails from valid domains,
implement Domain-based Message Authentication, Reporting and
Conformance (DMARC) policy and verification. DMARC builds on the
widely deployed Sender Policy Framework and DomainKeys Identified Mail
protocols, adding a reporting function that allows senders and receivers
to improve and monitor protection of the domain from fraudulent email.
■ Consider disabling macro scripts for Microsoft Office files transmitted via
email. These macros can be used to deliver ransomware.
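The DMARC recommendation above only helps if the published policy actually instructs receivers to act. The following is an added example, not part of the guide, that parses a DMARC DNS TXT record (the tag=value format defined in RFC 7489) and reports the settings an assessor would flag as weak: a p=none or p=quarantine policy, a subdomain policy weaker than the main policy, partial pct= enforcement, and a missing rua= aggregate-reporting address. The record strings in the usage section are constructed sample values.

```python
"""Assess a DMARC TXT record for weak settings (added example; not CISA/MS-ISAC code)."""
from typing import Dict, List

POLICY_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict. Tag names are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> List[str]:
    """Return findings for a DMARC record; an empty list means p=reject with reporting."""
    findings: List[str] = []
    tags = parse_dmarc(record)

    # RFC 7489 requires v=DMARC1 as the first tag; receivers ignore anything else.
    if not record.strip().lower().startswith("v=dmarc1"):
        return ["missing or misplaced v=DMARC1 tag (receivers will ignore this record)"]

    policy = tags.get("p")
    if policy is None:
        return ["missing required p= tag"]
    if policy not in POLICY_STRENGTH:
        return [f"unknown policy value p={policy}"]
    if policy == "none":
        findings.append("p=none: receivers only report; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail is sent to spam rather than rejected")

    # Subdomain policy defaults to p=; an explicit weaker sp= leaves subdomains spoofable.
    sub_policy = tags.get("sp", policy)
    if POLICY_STRENGTH.get(sub_policy, -1) < POLICY_STRENGTH[policy]:
        findings.append(f"sp={sub_policy} is weaker than p={policy}: subdomains are not protected")

    # pct= defaults to 100; anything lower applies the policy to only part of the mail stream.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of failing mail")

    # Without rua= the domain owner receives no aggregate reports and cannot monitor abuse.
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")

    return findings


if __name__ == "__main__":
    # Constructed sample records, not real domains' published policies.
    for sample in (
        "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
        "v=DMARC1; p=none",
        "v=DMARC1; p=reject; sp=none; pct=50; rua=mailto:dmarc@example.com",
    ):
        print(sample, "->", assess_dmarc(sample) or ["OK"])
```

A domain typically moves from p=none (monitoring only) to p=quarantine and then p=reject once the rua= reports show that all legitimate mail sources pass SPF or DKIM alignment; the checker above treats anything short of p=reject as a finding so that the monitoring phase is not mistaken for enforcement.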
Ransomware Infection Vector: Precursor Malware Infection
■ Ensure antivirus and anti-malware software and signatures are up to
date. Additionally, turn on automatic updates for both solutions. CISA
recommends using a centrally managed antivirus solution. This enables
detection of both “precursor” malware and ransomware.
□ A ransomware infection may be evidence of a previous, unresolved
network compromise. For example, many ransomware infections are the
result of existing malware infections, such as TrickBot, Dridex, or Emotet.
□ In some cases, ransomware deployment is just the last step in a
network compromise and is dropped as a way to obfuscate previous
post-compromise activities.
■ Use application directory allowlisting on all assets to ensure that only
authorized software can run, and all unauthorized software is blocked
from executing.
□ Enable application directory allowlisting through Microsoft Software
Restriction Policy or AppLocker.
□ Use directory allowlisting rather than attempting to list every
possible permutation of applications in a network environment.
Safe defaults allow applications to run from PROGRAMFILES,
PROGRAMFILES(X86), and SYSTEM32. Disallow all other locations
unless an exception is granted.
■ Consider implementing an intrusion detection system (IDS) to detect
command and control activity and other potentially malicious network
activity that occurs prior to ransomware deployment.
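The directory allowlisting bullets above describe a policy (allow PROGRAMFILES, PROGRAMFILES(X86) and SYSTEM32, block everything else) but not the path handling that makes such a rule hold up. The following is an added example, not part of the guide and not the logic of Software Restriction Policy or AppLocker, that evaluates executable paths against those three default directories and handles the cases a naive string-prefix check gets wrong: `..` traversal out of an allowed directory, mixed case and forward slashes, and sibling directories whose names merely begin with an allowed name. The paths in the usage section are constructed sample values.

```python
"""Directory-allowlist decision for executable paths (added example; not CISA/MS-ISAC code)."""
import ntpath
from typing import Iterable, List, Tuple

# The safe defaults named in the guide, spelled out as absolute paths (assumed system drive C:).
DEFAULT_ALLOWED_DIRS: Tuple[str, ...] = (
    r"C:\Program Files",
    r"C:\Program Files (x86)",
    r"C:\Windows\System32",
)


def _normalize(path: str) -> str:
    """Collapse '..' and '.' segments, unify separators, and lowercase for comparison."""
    return ntpath.normcase(ntpath.normpath(path))


def is_allowed(exe_path: str, allowed_dirs: Iterable[str] = DEFAULT_ALLOWED_DIRS) -> bool:
    """True only if exe_path resolves to a file strictly beneath one of allowed_dirs."""
    norm = _normalize(exe_path)
    if not ntpath.isabs(norm):
        return False  # relative paths depend on the working directory; never trust them
    for directory in allowed_dirs:
        base = _normalize(directory)
        # Require the directory separator so 'C:\Program Files Evil' does not match 'C:\Program Files'.
        if norm.startswith(base + "\\"):
            return True
    return False


def classify(exe_paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (path, 'allow'|'block') decisions for a batch of observed executable paths."""
    return [(p, "allow" if is_allowed(p) else "block") for p in exe_paths]


if __name__ == "__main__":
    # Constructed sample paths illustrating the edge cases.
    for path, decision in classify([
        r"C:\Program Files\Vendor\app.exe",
        r"c:/program files (x86)/vendor/app.exe",
        r"C:\Program Files\..\Users\alice\AppData\Local\Temp\update.exe",
        r"C:\Program Files Evil\app.exe",
        r"C:\Windows\System32\..\Temp\svc.exe",
        r"tools\helper.exe",
    ]):
        print(f"{decision:5s} {path}")
```

The decision is only as strong as the ACLs on the allowed directories: if standard users can write into any of them, the allowlist can be satisfied by copying a file there, so the exception process the guide mentions should pair a new allowed directory with a check that it is writable only by administrators.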
CISA offers a no-cost Phishing Campaign Assessment and other no-cost assessments: https://www.cisa.gov/cyber-resource-hub.
For more information on DMARC, see: https://www.cisecurity.org/blog/how-dmarc-advances-email-security/ and https://www.cisa.gov/sites/default/files/publications/CISAInsights-Cyber-EnhanceEmailandWebSecurity_S508C.pdf.
Funded by CISA, the MS-ISAC and EI-ISAC provide the Malicious Domain Blocking and Reporting (MDBR) service at no cost to members. MDBR is a fully managed proactive security service that prevents IT systems from connecting to harmful web domains, which helps limit infections related to known malware, ransomware, phishing, and other cyber threats. To sign up for MDBR, visit: https://www.cisecurity.org/ms-isac/services/mdbr/.
CISA and MS-ISAC encourage SLTT organizations to consider the Albert IDS to enhance a defense-in-depth strategy. CISA funds Albert sensors deployed by the MS-ISAC, and we encourage SLTT governments to make use of them. Albert serves as an early warning capability for the Nation’s SLTT governments and supports the nationwide cybersecurity situational awareness of CISA and the Federal Government. For more information regarding Albert, see: https://www.cisecurity.org/services/albert-network-monitoring/.