Microsoft best practices for ransomware protection
1) Prepare your recovery plan
This first phase is planning your recovery in the event of a ransomware attack. It helps the organization limit the damage, handle the situation efficiently and reduce the monetary loss. Ensure procedures are in place that make accessing and disrupting your systems harder.
Identify and categorize your business-critical systems and apply best practices to them. Ensure that you have a working backup; for this, make use of the Azure Backup services, which also provide built-in monitoring and alerting capabilities to view and configure actions for events related to Azure Backup. Implement steps to protect the integrity of the backup: apply the principle of least privilege and add an extra layer of authentication for critical operations, so that you are prompted to enter a security PIN before modifying online backups.
2) Limit the scope of the damage
Assume a breach scenario. In the event of a successful attack, implement measures to limit the scope of the damage. The principle of least privilege ensures that accessing storage or systems requires elevation of privilege or additional privileged roles (Azure RBAC), which also limits the scope of access. The more limitations are in place, the more noise an attacker generates. This also helps in detecting attacker activity through anomalies and enables you to trigger your organization's incident management procedure.
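As an added example (not from the MS Learn page), this Azure PowerShell script audits a Recovery Services vault for two of the controls described in Phases 1 and 2: that soft delete protects backup integrity, and which principals hold roles able to manage or delete backups. The resource group and vault names are placeholders; it assumes the Az.RecoveryServices and Az.Resources modules and an existing Connect-AzAccount session.

```powershell
# Added example, not Microsoft's own code. Audits one Recovery Services vault for
# backup integrity (soft delete) and least privilege (who can manage backups).
# Assumes Az.RecoveryServices + Az.Resources are installed and Connect-AzAccount has run.
param(
    [string]$ResourceGroupName = "rg-backup-placeholder",   # placeholder
    [string]$VaultName         = "rsv-placeholder"          # placeholder
)

$vault = Get-AzRecoveryServicesVault -ResourceGroupName $ResourceGroupName -Name $VaultName

# 1. Backup integrity: soft delete keeps deleted backup data recoverable for 14 days,
#    so a compromised account cannot destroy backups outright. Enable it if it is off.
$props = Get-AzRecoveryServicesVaultProperty -VaultId $vault.ID
if ($props.SoftDeleteFeatureState -eq 'Disabled') {
    Write-Warning "Soft delete is disabled on $VaultName; enabling it."
    Set-AzRecoveryServicesVaultProperty -VaultId $vault.ID -SoftDeleteFeatureState Enable
} else {
    Write-Output "Soft delete state on ${VaultName}: $($props.SoftDeleteFeatureState)"
}

# 2. Least privilege: list every principal whose role lets it change or delete backups
#    at the vault scope. Assignments inherited from the resource group or
#    subscription are returned as well, which is where over-broad grants usually hide.
$privileged = 'Owner', 'Contributor', 'Backup Contributor', 'Backup Operator'
Get-AzRoleAssignment -Scope $vault.ID |
    Where-Object { $privileged -contains $_.RoleDefinitionName } |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
    Sort-Object RoleDefinitionName, DisplayName |
    Format-Table -AutoSize
```

Review the table for Owner or Contributor assignments at subscription scope: those principals can modify the vault without holding any backup-specific role.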
3) Make it hard to get in
The goal of this phase is to make the attackers' work much harder as they try to obtain access to your infrastructure at the various common points of entry. If you have confirmed an attack, prioritize your backup and restore strategy. Verify the integrity of the last known good backup, perform the prioritized procedures you planned in Phase 1, and trigger your incident response team.
After the attack:
1) Identify lessons learned: what worked and what didn't, and what to improve and where. Document everything.
2) Perform root cause analysis.
3) Investigate and remediate the original breach and engage the Microsoft Detection and Response Team (DART) to help.
4) Update your backup and restore strategy based on the lessons learned and the improvement opportunities identified, and document it.
This is just an overview of the best practices. Implement the necessary tools and services to protect against, detect and mitigate attacks.
Reference: MS Learn