With the recent increase in activity from the Conti and PYSA ransomware families, here are a few recommendations and reminders to help your organization minimize its chances of a harmful breach.
Tips for Protecting Against Conti and PYSA Ransomware
- Ensure VPNs are configured to log the IP address and username of the person who is using a connection.
- Ensure you have a strict, controlled process for new account creation, with alerts whenever an account is created outside that process, including creations performed over VPN or from another remote session.
- Enable script-control blocking on your endpoint security solution, and grant exceptions only to the scripts that are required for operations.
- Ensure that MFA is in place on all admin accounts, including any account with domain admin or other elevated privileges.
- We recommend MFA on all user accounts, but if that is not possible, enable it on the admin accounts at a minimum.
- Give admin users separate accounts for admin activity, distinct from the standard user accounts they use for everyday work such as email and web browsing.
- Lock down PowerShell so that ONLY scripts you know and have validated as known good can run.
- All other PowerShell scripts must be denied until you have verified whether they are benign or malicious.
- Backups: You must have known-good backups of Domain Controllers and of all critical servers, systems, and data. Also keep a second set of backups off-site, not connected to the local area network. That second set must be 100% remote from the original backup source and must not be reachable through a VPN.
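As an added example of the account-creation alerting described in the list above (this is not code from the original advisory), the following script reads Security event 4720 ("A user account was created") on a domain controller, flags any creation not performed by the sanctioned provisioning account, and correlates the creator's logon session (event 4624) to show whether it came from a remote address. The account name `svc-provisioning` and the 24-hour lookback are placeholders you would replace with your own values.

```powershell
# Added example (not from the original advisory): alert on account creations
# performed outside the approved provisioning process and show where the
# creator's session originated. Assumes it runs on a domain controller with
# read access to the Security log. The provisioning account name is a placeholder.

$SanctionedCreators = @('svc-provisioning')   # placeholder: your IAM/provisioning account(s)
$LookbackHours      = 24                      # placeholder: how far back to scan

# Pull a named EventData field out of an event's XML payload
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$since = (Get-Date).AddHours(-$LookbackHours)

# 4720 = "A user account was created"
$created = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $since } -ErrorAction SilentlyContinue

# 4624 = successful logon; indexed by TargetLogonId so each creator session can be looked up
$sessionById = @{}
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { $sessionById[(Get-EventField $_ 'TargetLogonId')] = $_ }

foreach ($e in $created) {
    $creator = Get-EventField $e 'SubjectUserName'
    $newUser = Get-EventField $e 'TargetUserName'
    $logonId = Get-EventField $e 'SubjectLogonId'

    if ($SanctionedCreators -contains $creator) { continue }   # created through the approved process

    # The 4720 SubjectLogonId matches the TargetLogonId of the creator's 4624 logon event
    $session = $sessionById[$logonId]
    $source  = if ($session) {
        # LogonType 10 = RDP, 3 = network; IpAddress is the client address for remote sessions
        'LogonType {0} from {1}' -f (Get-EventField $session 'LogonType'), (Get-EventField $session 'IpAddress')
    } else { 'creator session not found in lookback window' }

    # Replace Write-Warning with your alerting channel (SIEM forwarder, email, ticket)
    Write-Warning ("{0}: account '{1}' created by '{2}' outside the provisioning process ({3})" -f `
        $e.TimeCreated, $newUser, $creator, $source)
}
```

Run it on a schedule or, better, forward 4720 and 4624 to your SIEM and implement the same comparison there, so the alert does not depend on the domain controller itself being intact. A creation whose creator session has LogonType 10 and a non-local IpAddress is exactly the "created remotely" case the recommendation wants surfaced.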
The steps outlined above help you minimize the risk of an attack by fast-moving malware or ransomware that executes quickly through PowerShell scripts and other methods that are difficult to detect or stop.
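As an added example of the PowerShell lockdown recommended above (not code from the original advisory), the following script builds an AppLocker policy that allows only scripts whose hashes match a reviewed set, enforces the Script rule collection so every other script is denied, and turns on script block logging so that the content of scripts that do run is recorded for later validation. The folder `C:\KnownGoodScripts` is a placeholder for wherever your reviewed scripts live; the script assumes an elevated session on a Windows host where the Application Identity service (AppIDSvc) can run.

```powershell
# Added example (not from the original advisory): allow-list validated scripts
# with AppLocker hash rules, deny everything else, and log script blocks.
# Placeholder: C:\KnownGoodScripts holds the scripts you have reviewed.

$KnownGoodDir = 'C:\KnownGoodScripts'             # placeholder path
$PolicyXml    = "$env:TEMP\KnownGoodScripts.xml"

# 1. Hash every reviewed script. A hash rule stops matching the moment the file
#    is modified, so a tampered or rewritten script falls back to the deny default.
$files = Get-AppLockerFileInformation -Directory $KnownGoodDir -Recurse -FileType Script

# 2. Build a policy containing only allow rules for those hashes. No default rules
#    are generated, so once the Script collection is enforced nothing else runs.
New-AppLockerPolicy -FileInformation $files -RuleType Hash -User Everyone `
    -RuleNamePrefix 'KnownGood' -Xml | Out-File -Encoding utf8 $PolicyXml

# 3. Switch the Script collection from NotConfigured to enforced.
[xml]$policy = Get-Content -Raw $PolicyXml
foreach ($coll in $policy.AppLockerPolicy.RuleCollection) {
    if ($coll.Type -eq 'Script') { $coll.EnforcementMode = 'Enabled' }
}
$policy.Save($PolicyXml)

# 4. Apply locally. For a domain, import the same XML into a GPO instead.
#    AppLocker is not enforced unless the Application Identity service is running.
Set-AppLockerPolicy -XmlPolicy $PolicyXml
Start-Service AppIDSvc

# 5. Script block logging: event 4104 in Microsoft-Windows-PowerShell/Operational
#    records the content of each script block that runs, which is the evidence you
#    need to decide whether an unknown script is benign or malicious.
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

# With AppLocker script rules enforced, PowerShell 5.1 and later runs sessions that are
# not covered by an allow rule in Constrained Language Mode; verify in a new session with:
$ExecutionContext.SessionState.LanguageMode
```

Because the policy deliberately omits AppLocker's default Script rules, scripts shipped under the Windows and Program Files directories (.ps1, .bat, .cmd, .vbs, .js) are blocked as well; test in AuditOnly mode first (set `EnforcementMode` to `AuditOnly` and review event 8007 in the AppLocker log) and add explicit rules for anything operations depends on, which is the exception process the recommendation describes. Hash rules also mean every approved change to a script requires regenerating the policy, which is the point: the review step cannot be skipped.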