Deutsch Intern
  • 50-jähriges Jubiläum des Rechenzentrums
Information Technology Centre

Tips from the BSI on the subject of ransomware

Mandatory measures (must be observed for secure IT use):

- Regular information and sensitisation of users to the dangers of email attachments or links

The IT Service Center passes on information to users promptly via all possible channels (mailing lists, newsletters, homepage, etc.) in the event of an acute need. Passing on this security-critical information to all users via the network managers of the departments is useful in order to avoid or minimise incidents.

- Prompt installation of security updates for operating systems and application programmes provided by the manufacturers

Centralised software distribution is just as suitable for this as regular vulnerability scans to identify potentially vulnerable systems.

- Use of centrally administered AV software

  • Utilisation of all functionalities of the Sophos Enterprise Console, in particular checking whether updates are installed and protection is active.
  • Regular implementation of multi-level data backups (backups)
  • Backup also to tape / offline; testing the backups

- Monitoring of log data (manually on an ad hoc basis in the event of possible incidents and suspicious cases)

- Network segmentation

The layout of the subnets, some of which have been divided up historically, should be reviewed at regular intervals and adapted to new requirements or security challenges.

- Reduction of user authorisations

In addition, admin rights should be dispensed with where they are not necessary or not absolutely required (e.g. centrally managed PCs).

Other important (target) measures:

  • Disabling of macros and OLE objects in Microsoft Office, use of signed macros
  • Restriction or disabling of the Windows Script Host (WSH)
  • Use of application whitelisting, e.g. using Microsoft AppLocker
  • Avoidance of static local administrator passwords, e.g. using Microsoft Local Administrator Password Solution (LAPS).
  • Deactivation of administrative authorisations (Admin$, IPC$)
  • Use two-factor authorisation to log on to systems
  • File extensions should be displayed by default
  • Use of plain text instead of HTML for e-mails
  • Visibility of the sender's email address in the email applications
  • Email servers should reject emails with sender addresses from your own organisation that are sent from external sources
  • Emails with executable files (.exe, .scr, .chm, .bat, .com, .msi, .jar, .cmd, .hta, .pif, .scf, etc.) attached, even in archives such as .zip, should be blocked or moved to quarantine.
  • Encrypt emails using PGP or S/MIME to prevent potentially confidential email content from being spied on.
  • Direct connections between clients in a network should be prevented using a firewall (especially SMB connections, PowerShell, PsExec and RDP).