Halt Ransomware Propagation

Phase: Containment | Priority: P1 | Estimated time: 30 min

Implement immediate technical controls to stop the ransomware from encrypting additional systems. Focus on blocking lateral movement protocols (SMB, RDP, WMI) and killing the encryption process on active hosts.

Actions

  1. Block SMB laterally across all VLANs immediately: apply `deny tcp any any eq 445` on all inter-VLAN ACLs (add `eq 139` where legacy NetBIOS-over-TCP SMB is still in use). SMB is the primary propagation vector for most ransomware families. WMI/DCOM uses tcp/135 plus dynamic RPC ports and is not cleanly blocked by a single port ACL; rely on EDR network containment (Action 3) for hosts spreading that way.
  2. Block RDP between endpoints: `deny tcp any any eq 3389` on inter-VLAN ACLs. Permit RDP only from the designated IR jump servers if it is needed for response operations.
  3. Deploy EDR network containment on every host showing active encryption: in CrowdStrike Falcon, Network Contain the host from the console or the hosts API; in Microsoft Defender for Endpoint, use the Isolate device action. Both keep the sensor channel open, so you can still run commands on the contained host. Record the image path and command line of the encryption process for the forensic timeline, then kill it: `Stop-Process -Name <ransomware_proc> -Force`.
  4. Disable the compromised service accounts and the distribution mechanism. If Group Policy was used for deployment, unlink the GPO immediately: `Set-GPLink -Guid <gpo_guid> -Target "OU=Workstations,DC=<domain>,DC=<tld>" -LinkEnabled No` (Target must be the full distinguished name of the OU). Unlinking stops new applications of the policy; hosts that already received the scheduled task or startup script still need to be cleaned.
  5. Deploy a ransomware kill switch only if one is confirmed for the variant in hand: some families check for a specific mutex or file before encrypting. Push the file to all systems via SCCM/Intune using the exact name from malware analysis or vendor reporting. A mutex exists only while the process that created it is running, so a mutex-based kill switch needs a resident process, not a one-shot script.
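The five actions above applied at the host layer as one PowerShell script. This is an added example, not part of the original playbook: the process name, jump-host address, GPO GUID, OU distinguished name and kill-switch path are placeholders to be replaced per incident, and the Windows Firewall rules are a host-level complement to the inter-VLAN ACLs, not a replacement for them. The script also captures the encryption process's image path and command line before killing it, since that evidence is lost once the process is gone.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original playbook): host-level containment mirroring
# Actions 1-5. Every value below is a placeholder and must be set per incident.
$RansomwareProc = 'encryptor'                              # process name without .exe (placeholder)
$JumpHosts      = @('10.10.0.5')                           # IR jump servers allowed to RDP in (placeholder)
$GpoGuid        = '00000000-0000-0000-0000-000000000000'  # GUID of the abused GPO (placeholder)
$TargetOU       = 'OU=Workstations,DC=corp,DC=example'     # OU the GPO is linked to (placeholder)
$KillSwitchFile = 'C:\Windows\ksw.flag'                    # file this variant checks for (placeholder)
$EvidenceLog    = "C:\IR\containment-$env:COMPUTERNAME.log"

New-Item -ItemType Directory -Path (Split-Path $EvidenceLog) -Force | Out-Null

# Action 3: record image path and command line for the timeline, then kill the process.
Get-CimInstance Win32_Process -Filter "Name = '$RansomwareProc.exe'" | ForEach-Object {
    "$(Get-Date -Format o) PID=$($_.ProcessId) Path=$($_.ExecutablePath) Cmd=$($_.CommandLine)" |
        Add-Content $EvidenceLog
}
Stop-Process -Name $RansomwareProc -Force -ErrorAction SilentlyContinue

# Actions 1-2 at the host layer. Windows Firewall evaluates block rules before allow
# rules, so RDP cannot be "blocked except from jump hosts" with a single block rule:
# instead the built-in Remote Desktop allow group is disabled, a scoped allow is added,
# and the profile default for inbound traffic is set to Block.
Set-NetFirewallProfile -All -DefaultInboundAction Block
New-NetFirewallRule -DisplayName 'IR-Block-SMB-In' -Direction Inbound -Protocol TCP `
    -LocalPort 445 -Action Block -Profile Any | Out-Null
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled False -ErrorAction SilentlyContinue
New-NetFirewallRule -DisplayName 'IR-Allow-RDP-JumpHosts' -Direction Inbound -Protocol TCP `
    -LocalPort 3389 -Action Allow -RemoteAddress $JumpHosts -Profile Any | Out-Null

# Action 4: unlink the GPO used for deployment. Needs the GroupPolicy RSAT module and
# domain admin rights, so this branch only runs on the IR admin host.
if (Get-Module -ListAvailable GroupPolicy) {
    Import-Module GroupPolicy
    Set-GPLink -Guid $GpoGuid -Target $TargetOU -LinkEnabled No
}

# Action 5: drop the kill-switch file. A mutex kill switch is not created here because a
# mutex is released as soon as this script exits; it needs a resident holder process.
New-Item -Path $KillSwitchFile -ItemType File -Force | Out-Null
Set-ItemProperty -Path $KillSwitchFile -Name IsReadOnly -Value $true

"$(Get-Date -Format o) containment applied" | Add-Content $EvidenceLog
```

Push the script through EDR remote shell or SCCM rather than an interactive RDP session: the RDP scoping disconnects any session that did not originate from a listed jump host. The block rule for 445 also cuts this host's own file-share access, which is the trade-off the Notes section accepts.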

Queries

DeviceFileEvents | where Timestamp > ago(1h) | where ActionType == "FileRenamed" | summarize RenameCount=count() by DeviceName, bin(Timestamp, 5m) | where RenameCount > 100 | order by Timestamp desc
DeviceNetworkEvents | where Timestamp > ago(1h) | where RemotePort == 445 | where ActionType == "ConnectionSuccess" | summarize SMBConnections=count(), TargetHosts=dcount(RemoteIP) by DeviceName | where TargetHosts > 5 | order by TargetHosts desc
index=firewall dest_port=445 action=allowed | bin _time span=5m | stats count by _time, src_ip | where count > 50 | sort - count

Notes

  • Blocking SMB will disrupt file share access, print services, and some applications. This is an acceptable trade-off during active ransomware containment -- business disruption from containment is far less than from encryption.
  • Some ransomware variants use scheduled tasks or GPO for propagation. Check for tasks registered since the incident start: `Get-ScheduledTask | Where-Object { $_.Date -and [datetime]$_.Date -gt $T_START }`, where `$T_START` is the incident start time. `Date` is the task's RegistrationInfo creation time and is empty for many built-in tasks, hence the null check before the comparison.
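A hunt for the two propagation mechanisms named in this note, added here as an example and not part of the original playbook. It lists scheduled tasks registered since the incident start together with the executable each one runs, and GPOs modified since then, flagging those whose XML report contains sections commonly used to push code. `$T_START`, the abuse pattern and the requirement for the GroupPolicy RSAT module are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original playbook): hunt for scheduled tasks registered
# and GPOs modified since the incident started. $T_START is a placeholder; set it from
# the incident timeline.
$T_START = Get-Date '2024-01-01T00:00:00Z'

# Scheduled tasks. Date comes from RegistrationInfo in the task XML and is empty for
# many built-in tasks, so nulls are excluded before the comparison. One row per action
# so the executable and arguments behind each task are visible.
$recentTasks = Get-ScheduledTask | Where-Object { $_.Date -and ([datetime]$_.Date) -gt $T_START }
$taskRows = $recentTasks | ForEach-Object {
    $task = $_
    $task.Actions | ForEach-Object {
        [pscustomobject]@{
            Task      = "$($task.TaskPath)$($task.TaskName)"
            Created   = $task.Date
            Author    = $task.Author
            RunAs     = $task.Principal.UserId
            Execute   = $_.Execute        # null for COM-handler actions
            Arguments = $_.Arguments
        }
    }
}
$taskRows | Sort-Object Created -Descending | Format-Table -AutoSize

# GPOs. Needs the GroupPolicy RSAT module on a domain-joined admin host. For each GPO
# changed after $T_START the XML report is pulled and matched against sections commonly
# abused for deployment (Preferences scheduled tasks, immediate tasks, scripts, software
# installation). The pattern is a heuristic chosen for this example.
$abusePattern = 'ScheduledTasks|ImmediateTask|SoftwareInstallation|Scripts'
if (Get-Module -ListAvailable GroupPolicy) {
    Import-Module GroupPolicy
    Get-GPO -All | Where-Object { $_.ModificationTime -gt $T_START } | ForEach-Object {
        $report = Get-GPOReport -Guid $_.Id -ReportType Xml
        [pscustomobject]@{
            GPO         = $_.DisplayName
            Id          = $_.Id
            Modified    = $_.ModificationTime
            Status      = $_.GpoStatus
            DeploysCode = [bool]($report -match $abusePattern)
        }
    } | Sort-Object Modified -Descending | Format-Table -AutoSize
}
```

The task section runs against the local host; wrap it in `Invoke-Command -ComputerName` to sweep a fleet, or run it through the EDR remote shell on contained hosts, since WinRM to those hosts is cut by containment. Treat `DeploysCode = True` as a prompt to read the GPO report, not as a verdict: legitimate software-deployment GPOs match the same pattern.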