{
	"id": "2042ba00-3085-47cb-97ff-f4bedbe4a748",
	"created_at": "2026-04-06T00:17:58.894916Z",
	"updated_at": "2026-04-10T13:11:34.266114Z",
	"deleted_at": null,
	"sha1_hash": "f7f1c16bf2b5c0f70f4acec1ecfb7d7ed13dd8ff",
	"title": "How to Defend Against Conti, DarkSide, REvil and Other Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 78332,
	"plain_text": "How to Defend Against Conti, DarkSide, REvil and Other Ransomware\r\nBy Josh Dalman - Heather Smith\r\nArchived: 2026-04-05 15:16:04 UTC\r\nCrowdStrike predicted in 2020 that the ransomware threat would only worsen, and news reports since have borne this out. Stories of ransomware attacks since the start of May 2021 alone include:\r\nDarkSide ransomware being used to disrupt a major U.S. pipeline that transports almost half of all fuel consumed on the East Coast of the United States\r\nThe claimed theft of 3 terabytes of sensitive data from part of the Asian operations of a global insurance subsidiary in attacks using Avaddon ransomware\r\nThe shutting down of the IT systems of Ireland’s Health Service Executive in a Conti ransomware attack, disrupting patient care throughout the country\r\nThe U.S. Federal Bureau of Investigation (FBI) alerting of a spate of Conti ransomware attacks targeting American healthcare organizations and first responder agencies\r\nThe world’s largest meatpacking company finding its North America and Australia operations disrupted by a REvil ransomware attack thought to have originated in Russia\r\nIn addition, not all ransomware attacks make the news, as reflected in CrowdStrike-sponsored research: in a 2020 survey, 56% of respondents admitted that their organization had suffered a ransomware attack in the previous 12 months. Ransomware attacks may go unreported for a variety of reasons, including a desire for confidentiality or a fear of negative business effects for the company. Ransomware attacks can and do occur in every industry and are increasingly pernicious. The potential financial impact can be staggering. For example, the City of Atlanta estimated that a single ransomware incident in March 2018 cost taxpayers up to $17 million in response and recovery, an estimate that did not quantify the cost to the community of lost services.\r\nThis blog aims to help any organization better prepare its defenses against ransomware attacks and explains how to properly configure your CrowdStrike Falcon® deployment for optimal protection.\r\nProtecting Against Ransomware\r\nThe CrowdStrike Services team has written about a number of very effective security controls and practices that you can put in place in your organization to drastically reduce your risk of a ransomware outbreak. Another great source of recommended security controls is the CIS Critical Security Controls version 8, published by the Center for Internet Security. These recommendations can dramatically reduce the risk to your operating environment.\r\nThe following recommendations are supported by what the CrowdStrike Falcon® Complete™ team has found to successfully prevent and combat ransomware. Additionally, we have included details to assist CrowdStrike customers in making the best decisions for your prevention policies.\r\nhttps://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/\r\nPage 1 of 5\n\nPractice Good IT Hygiene\r\nFundamentally, you can’t secure what you can’t see. Blind spots, in the form of rogue assets, applications and users, become high-risk attack vectors (and Conti ransomware is particularly good at exploiting these weaknesses). Minimizing the attack surface is critical for every organization: you must gain visibility into every endpoint and workload running in your environment and then keep any vulnerable attack surfaces updated and protected.\r\nIT hygiene’s primary benefit is complete visibility into your network. This perspective provides a bird’s-eye view, as well as the power to drill down and proactively clean out your environment. Once you achieve this level of transparency, the understanding of \"who, what and where\" that IT hygiene provides has tremendous benefits for your organization. You’re able to:\r\nIdentify gaps in your security architecture. The clarity that IT hygiene provides allows you to see what hosts are running in your environment and whether they are protected. Having complete visibility enables you to effectively deploy your security architecture and ensure no rogue systems are operating behind your walls. The larger and more distributed your environment becomes, as with workforces going increasingly remote, the harder it is to have visibility across all of your endpoints and identities (including both human and service accounts). Identifying the unmanaged assets in your environment allows you to target vulnerabilities and protect your valuable assets before attackers can reach them.\r\nSee what is running in your environment. By proactively identifying outdated and unpatched applications and operating systems, you can manage your application inventory and solve security and cost problems simultaneously. Unpatched operating systems and applications have serious security and cost implications, so identify which applications are running on your network and pinpoint unpatched apps to get ahead of attackers.\r\nSee who is running in your environment. Account monitoring allows you to see who is working in your environment and ensure they are not exceeding their granted permissions (including detection of tools or behavior trying to subvert those policies). System administrators remain highly targeted, and combined with poor password renewal policies, credential theft is a harsh reality. With insight into password updates, you can prevent credential creep by removing old administrative accounts or making sure users update their passwords regularly. Taking this a step further, visibility into unusual admin behavior or privilege elevation can prevent silent failure by tipping off your security team as soon as something suspicious occurs.\r\nEnsure user compliance. Making sure your users abide by your most up-to-date password policies keeps administrators and users compliant with your security requirements. Consistent and ongoing user education can ensure that password best practices are followed, and ridding your network of old accounts (including service accounts) can mitigate the risk of \"credential creep\" by former employees.\r\nAdd defense-in-depth. Implement real-time detection policies to monitor for anomalous credential use, including detection of lateral movement even on workstations that may not have a Falcon agent installed. In addition, enable risk-based conditional access to trigger MFA for human and service accounts without adding burden to users, ensuring higher compliance.\r\nOnce you have full visibility and understanding of your environment, your organization can identify hygiene-related security deficiencies and resolve them immediately. From there, security teams can quickly pivot to address the critical elements of comprehensive endpoint protection: prevention, detection, hunting and threat intelligence. These capabilities are key to a complete solution that can protect your organization from the most motivated, sophisticated attackers. With a \"hygiene-first\" approach, and the right security solution in place, you can protect your organization from ransomware attacks and stop breaches. In addition to the general best practices outlined above, the following are specific IT hygiene steps to take to protect against ransomware in particular:\r\nDo not allow hosts on the internet with exposed RDP port 3389. If you must have RDP internet-facing for business productivity purposes, there are many compensating controls you will want to consider (see the 2FA/MFA recommendation below).\r\nDisable host-to-host communications as strictly as possible. Lateral movement commonly occurs over authenticated SMB connections. With remote service creation, an attacker creates a service on a remote host whose binary path points at a location they control, drops their binary into that path, and lets the service start it. This is a very common malware lateral movement technique that has also been highly associated with ransomware of late. Enable behavioral detection controls to flag anomalous activity such as service account usage from workstation to workstation (and block service account usage for any interactive login, such as RDP). In addition, enable detection of key adversary tools (like Mimikatz) through identity-centric protocol analysis.\r\nRequire all administrative activity to go through a jump host (and enable an identity policy that forces administrative use via the jump host only). Your host-based firewall (or Falcon Firewall Management™) can be configured to allow SMB, remote PowerShell, etc., only from your jump host IP address. This jump host should be the source of all your administrative activity and changes. Adversaries know this and may target that host, so we point you back to the CIS Controls and recommend that you apply every control to the jump host itself.\r\nApply two-factor authentication (2FA)/multifactor authentication (MFA). 2FA and MFA are typically at the top of recommended security controls, but we regularly see adversaries accessing networks via single-factor VPN authentication as well as single-factor internet-exposed RDP. Prioritizing MFA everywhere is critical to this conversation. 
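The behavioral checks called for in the host-to-host and jump host steps above, as an added example that is not code from the original post or from CrowdStrike: a small Python detector run over constructed Windows Security/System events. It flags a service account logging on interactively (logon type 2 or 10), an admin network logon that does not originate from the jump host, and a service installed on that host shortly after such a logon, which is the remote service creation pattern. The svc_ naming prefix, the admin account names, the jump host address 10.0.0.5, the 120-second window and the sample events are all assumptions made for this example.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Minimal shape of a Windows Security/System log entry for this example.
# event_id 4624 = successful logon, 7045 = a service was installed on the host.
Event = namedtuple('Event', 'ts host event_id account logon_type source_ip detail')

# Assumptions for this example (not from the original post): service accounts
# carry an svc_ prefix, these are the admin accounts, and 10.0.0.5 is the jump host.
SERVICE_PREFIX = 'svc_'
ADMIN_ACCOUNTS = {'corp-admin', 'backupadm'}
JUMP_HOSTS = {'10.0.0.5'}
INTERACTIVE_LOGON_TYPES = {2, 10}   # 2 = console, 10 = RemoteInteractive (RDP)
NETWORK_LOGON = 3                   # SMB, remote service creation, WinRM
SERVICE_WINDOW = timedelta(seconds=120)


def is_service_account(account):
    return account.lower().startswith(SERVICE_PREFIX)


def detect(events):
    '''Return (rule, host, account) tuples, in time order, for the three patterns
    the hygiene steps call out: service accounts logging on interactively,
    admin logons that do not come from the jump host, and a service installed
    shortly after such a logon (remote service creation lateral movement).'''
    alerts = []
    pending = {}   # host -> [(ts, account)] admin network logons not from a jump host
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event_id == 4624:
            if is_service_account(ev.account) and ev.logon_type in INTERACTIVE_LOGON_TYPES:
                alerts.append(('service-account-interactive-logon', ev.host, ev.account))
            if ev.account in ADMIN_ACCOUNTS and ev.logon_type == NETWORK_LOGON:
                if ev.source_ip not in JUMP_HOSTS:
                    alerts.append(('admin-logon-not-from-jump-host', ev.host, ev.account))
                    pending.setdefault(ev.host, []).append((ev.ts, ev.account))
        elif ev.event_id == 7045:
            # A service installed by an account that arrived over the network from a
            # non-jump-host source inside the window is the lateral movement pattern.
            for ts, account in pending.get(ev.host, []):
                if account == ev.account and ev.ts - ts <= SERVICE_WINDOW:
                    alerts.append(('remote-service-creation', ev.host, ev.account))
                    break
    return alerts


# Constructed sample events; not real log data.
T0 = datetime(2021, 6, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, 'WS01', 4624, 'svc_backup', 10, '10.0.1.22', 'RDP logon by a service account'),
    Event(T0 + timedelta(seconds=60), 'WS02', 4624, 'corp-admin', 3, '10.0.1.22', 'admin SMB logon from a workstation'),
    Event(T0 + timedelta(seconds=90), 'WS02', 7045, 'corp-admin', None, None, 'service installed: updater'),
    Event(T0 + timedelta(seconds=300), 'SRV01', 4624, 'corp-admin', 3, '10.0.0.5', 'admin SMB logon from the jump host'),
    Event(T0 + timedelta(seconds=330), 'SRV01', 7045, 'corp-admin', None, None, 'service installed from the jump host: allowed'),
    Event(T0 + timedelta(seconds=600), 'WS03', 4624, 'jdoe', 10, '10.0.1.30', 'ordinary user RDP logon'),
]


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == '__main__':
    for rule, host, account in run_sample():
        print(rule, host, account)
```

On the sample, the service install on SRV01 raises nothing because the preceding admin logon came from the jump host, while the identical sequence on WS02 from a workstation address raises both the jump host and the remote service creation alerts. The JUMP_HOSTS set is the same allow-list a host firewall rule restricting SMB and remote PowerShell to the jump host would be built from, so the two controls can share one source of truth.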
To ensure use of MFA everywhere, also consider enabling conditional access policies that trigger based on key conditions and risk factors, to reduce the burden of MFA and thus drive wider adoption.\r\nConfigure the Falcon Platform Properly\r\nUse Proper Prevention Policy Settings.\r\nIn many organizations, security personnel must balance the needs and productivity tolerances of the business with the implementation of security controls. The Falcon Complete team recommends enabling most, if not all, of the configurations within the Falcon platform’s Prevention Policy Settings, yet we realize this won’t happen for every asset at every organization. For example, some organizations have assets where any disruption whatsoever could lead to thousands of dollars of revenue loss every second. It’s common for the demands of productivity to require prevention policy settings to be dialed back. It’s also common for attackers to find the dark corners of the network and conduct their attacks on, or from, these types of systems. (CrowdStrike customers who would like additional information about the specific prevention policy settings recommended by the Falcon Complete team can log in here.)\r\nKeep Up With Sensor Updates.\r\nOne common miscalculation the Falcon Complete team observes organizations make is to continue to do sensor updates manually through their existing solution such as SCCM. If you have a top-notch patching program and can achieve sensor updates when they’re made available to the Falcon platform, by all means, continue achieving success in this area. The cloud-delivered Falcon platform lets you quickly toggle sensor versions for various host groups. Falcon Complete recommends using the N-1 methodology to update all systems aside from a test group, where you test the latest sensor when it becomes available within the platform. This configuration updates the sensor to the version released immediately prior to the latest release, which gives the broader CrowdStrike customer base time to surface bugs in the latest release while you test it on a sampling of systems within your network. CrowdStrike is consistently updating detections, machine-learning models and functionality in our sensor. Going months without an update can leave your environment unprotected from the latest techniques for which detection engineers are building coverage.\r\nDeploy the Falcon Agent 100%.\r\nThe number one reason Falcon Complete customers become compromised is not having the agent deployed to all compatible assets. We see lateral movement alerts nearly every day that originate from that dark corner of customer networks: endpoints on which no agent has been installed. The Falcon Discover™ module has a dashboard that can help identify “Unmanaged Assets.” Again, this piece is fundamentally critical to the ransomware conversation. Spend the time to dig into the appropriate reports and track down assets that do not have the Falcon agent on them. When it is not possible to place an agent on all assets, a CrowdStrike Falcon® Identity Protection solution that detects and enforces policy can stop lateral movement, detect anomalous use of service accounts (e.g., interactive logins as seen with RDP), and detect the use of certain tools such as Mimikatz that are commonly used in ransomware attacks.\r\nKnow When to Ask for Help\r\nIn the event that you believe your organization may be impacted by ransomware, calling in experts to help investigate, understand and improve the situation can make the difference between a minor incident and a major breach. In some instances, organizations become aware of threat actor activity within their environment but lack the visibility to address the problem or the intelligence to understand the nature of the threat. Getting educated about the latest threats and seeking help by activating an incident response team or retainer, such as those offered by CrowdStrike Services, may allow for detection and remediation before the threat actor is able to deploy ransomware or exfiltrate data from the environment. Better yet, seek out expert assistance before you truly need it. A technical assessment can help you proactively identify and understand factors about your organization’s network that could make future ransomware incidents more or less likely. It may take different forms, depending on your current needs and security maturity. For instance, if you experienced an intrusion that was confined to a specific network segment or business unit, an enterprise-wide compromise assessment can give confidence that the attacker did not move into parts of the environment beyond the scope of the initial investigation. Alternatively, an IT hygiene assessment can identify weak passwords, Active Directory configurations or missed patches that could open the door to the next attacker.\r\nAdditional Resources\r\nRead about recent intrusion trends, adversary tactics and highlights of notable intrusions in the CrowdStrike 2021 Global Threat Report.\r\nUnderstand the trends and themes that we observed while responding to and remediating incidents around the globe in 2020: download the latest CrowdStrike Services Cyber Front Lines Report.\r\nLearn more about Falcon Complete by visiting the product webpage.\r\nFind out more about the CrowdStrike Falcon® platform by visiting the product webpage.\r\nTest CrowdStrike next-gen AV for yourself. Start your free trial of Falcon Prevent™ today.\r\nSource: https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/"
	],
	"report_names": [
		"how-to-defend-against-conti-darkside-revil-and-other-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434678,
	"ts_updated_at": 1775826694,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f7f1c16bf2b5c0f70f4acec1ecfb7d7ed13dd8ff.pdf",
		"text": "https://archive.orkl.eu/f7f1c16bf2b5c0f70f4acec1ecfb7d7ed13dd8ff.txt",
		"img": "https://archive.orkl.eu/f7f1c16bf2b5c0f70f4acec1ecfb7d7ed13dd8ff.jpg"
	}
}