Defending against ransomware
Defense strategies
Effective ransomware defense is layered. No single control stops every attack. The goal is to make each phase of the attack chain harder and more likely to be detected, so that even if an attacker gains initial access, they fail to reach their objective before being discovered and contained.
Immutable backups
The most fundamental defense. Backups must be:
- Immutable: impossible to modify or delete for a defined retention period (WORM storage)
- Offline: at least one copy disconnected from the network (air gap)
- Tested: restoration tested regularly, not just the backup process itself
- 3-2-1 rule: 3 copies, 2 different media types, 1 offsite
The most common backup failure in ransomware incidents is not the absence of backups — it is backups that cannot be restored at the required speed or that were also encrypted by the attacker. Organizations frequently discover that their backup solution was accessible from the same Active Directory domain as production systems, allowing attackers to encrypt or delete backups alongside primary data.
Restoration testing is non-negotiable. A backup that has never been tested is a backup that may not work. Test full system restoration, not just file recovery. Measure restoration times for critical systems and ensure they align with your Recovery Time Objectives (RTO). Organizations that test restoration quarterly are significantly better positioned than those that have never run a full recovery exercise.
Immutable storage means the backup data cannot be altered or deleted during the retention window, even by an administrator. Cloud providers offer object lock features (AWS S3 Object Lock, Azure Immutable Blob Storage) that satisfy this requirement without requiring on-premises WORM hardware.
Network segmentation
Limiting lateral movement is critical to containing a ransomware outbreak:
- Separate networks by function (users, servers, management, OT/ICS)
- Micro-segmentation for critical assets
- Block lateral communications between workstations
- Isolate backup infrastructure on a dedicated segment
Network segmentation requires both technical controls (VLANs, firewalls, software-defined networking) and administrative controls (policies governing what can connect to what). Many organizations have theoretical segmentation that collapses in practice because of legacy flat network configurations, emergency exceptions that became permanent, or undocumented trust relationships between systems.
Auditing network flows to understand what actually communicates with what — rather than what should communicate — reveals gaps between intended and actual segmentation. Tools like network traffic analysis can identify workstation-to-workstation communication that enables ransomware lateral movement.
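One way to run the flow audit just described, as an added example that is not part of the original page: the segment map, the allowed-pair policy and the flow records are all constructed for illustration, and intra-workstation traffic is deliberately left out of the allowed set so that it surfaces as a violation.

```python
import ipaddress

# Constructed segment map (assumed addressing for this example, not a real network).
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "servers":      ipaddress.ip_network("10.20.0.0/16"),
    "management":   ipaddress.ip_network("10.30.0.0/24"),
    "backup":       ipaddress.ip_network("10.40.0.0/24"),
}
# Allowed (source segment, destination segment) pairs; anything else is a gap.
# Note that ("workstations", "workstations") is absent on purpose.
ALLOWED = {
    ("workstations", "servers"),
    ("servers", "servers"),
    ("management", "servers"), ("management", "workstations"), ("management", "backup"),
    ("servers", "backup"),          # backup agents on servers push to the backup segment
}

# Constructed flow records (src, dst, dst_port, bytes), as exported from NetFlow or firewall logs.
FLOWS = [
    ("10.10.1.5", "10.20.0.10", 443, 12000),     # workstation -> server: allowed
    ("10.10.1.5", "10.10.1.9", 445, 8000),       # workstation -> workstation SMB: violation
    ("10.10.1.7", "10.10.1.9", 3389, 1500),      # workstation -> workstation RDP: violation
    ("10.10.2.3", "10.40.0.2", 445, 5000),       # workstation -> backup segment: violation
    ("10.20.0.10", "10.40.0.2", 9000, 900000),   # server -> backup: allowed
    ("192.168.99.1", "10.20.0.10", 22, 300),     # source not in any known segment: violation
]


def segment_of(ip):
    """Map an address to its segment name, or 'unknown' if it is not in the map."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def audit(flows):
    """Return the flows whose (source segment, destination segment) pair is not permitted,
    which includes intra-workstation traffic and anything from an unmapped address."""
    violations = []
    for src, dst, port, nbytes in flows:
        pair = (segment_of(src), segment_of(dst))
        if pair not in ALLOWED:
            violations.append({"src": src, "dst": dst, "port": port, "segments": pair})
    return violations
```

Running `audit(FLOWS)` over real flow exports shows the difference between the segmentation on paper and the one actually in place.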
EDR and monitoring
Endpoint Detection and Response (EDR) tools are essential for detecting suspicious behavior before encryption begins:
- Unusual process execution chains
- Mass file access patterns
- Shadow copy deletion attempts
- Communications to known command-and-control (C2) infrastructure
Modern EDR platforms use behavioral analysis rather than signature matching. A new piece of ransomware with no known signature is still detectable if it exhibits characteristic behaviors: spawning unusual child processes, accessing large numbers of files in sequence, calling the Volume Shadow Copy service to delete snapshots, or communicating with newly-registered domains.
EDR is most effective when alerts are acted upon promptly. Security teams that ignore medium-severity EDR alerts because of alert fatigue miss the early indicators that could stop an attack before encryption occurs. Tuning alert thresholds and ensuring 24/7 coverage — either through an internal SOC or a managed detection and response (MDR) provider — is essential.
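A minimal behavioral detector over the three indicator classes named above (shadow copy deletion, an unusual parent-child chain, and mass file access), added here as an example and not taken from any EDR product. The telemetry is constructed, the Office-spawns-shell pairing and the 30-files-per-minute threshold are assumptions to tune for your environment, and the shadow-copy command patterns are the widely documented indicator strings.

```python
import re

# Constructed sample telemetry (not real EDR data). Process events carry parent, image
# and command line; file events are (timestamp, host, image, path) write records.
PROCESS_EVENTS = [
    {"host": "ws-01", "parent": "explorer.exe", "image": "winword.exe",
     "cmdline": "winword.exe Q3-invoice.docx"},
    {"host": "ws-01", "parent": "winword.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c %TEMP%\\update.exe"},
    {"host": "ws-01", "parent": "update.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "srv-02", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]
FILE_EVENTS = [(1200 + i, "ws-01", "update.exe", f"C:\\Users\\alice\\Documents\\file{i}.xlsx")
               for i in range(40)]
FILE_EVENTS += [(1200, "srv-02", "excel.exe", "C:\\Data\\report.xlsx")]

# Behavioral rules: no file hashes or signatures, only what the process does.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|win32_shadowcopy.*delete",
    re.IGNORECASE)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
MASS_WRITE_THRESHOLD = 30   # distinct files written by one process per window (assumed)
WINDOW_SECONDS = 60


def detect(process_events, file_events):
    """Return (severity, host, rule, detail) tuples, one per matched behavior."""
    alerts = []
    for ev in process_events:
        if SHADOW_DELETE.search(ev["cmdline"]):
            alerts.append(("high", ev["host"], "shadow_copy_deletion", ev["cmdline"]))
        if ev["parent"].lower() in OFFICE_APPS and ev["image"].lower() in SCRIPT_HOSTS:
            alerts.append(("medium", ev["host"], "office_spawns_shell",
                           f'{ev["parent"]} -> {ev["image"]}'))
    # Mass file access: bucket writes per (host, image, time window), count distinct paths.
    buckets = {}
    for ts, host, image, path in file_events:
        buckets.setdefault((host, image, ts // WINDOW_SECONDS), set()).add(path)
    for (host, image, _), paths in buckets.items():
        if len(paths) >= MASS_WRITE_THRESHOLD:
            alerts.append(("high", host, "mass_file_write", f"{image} wrote {len(paths)} files"))
    return alerts

if __name__ == "__main__":
    for alert in detect(PROCESS_EVENTS, FILE_EVENTS):
        print(alert)
```

The medium-severity office_spawns_shell alert fires first in this sample; that is precisely the early indicator that alert fatigue tends to bury.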
User training
Phishing remains the primary entry vector. Training must be:
- Regular: at minimum quarterly
- Practical: phishing simulations, not just slide presentations
- Measured: track click rates and improvement over time
Security awareness training that consists of annual slide decks produces minimal behavioral change. Realistic phishing simulations that test employees under normal working conditions, followed by immediate educational feedback when someone clicks a link, are significantly more effective.
Train users specifically on the modern tactics they will encounter: Teams and Zoom vishing, QR code phishing, callback phishing that establishes trust through a phone call before sending a malicious link, and AI-generated impersonation of colleagues or executives. The attack surface has shifted substantially toward voice and collaboration platforms.
Privileged access management
Ransomware that reaches a domain administrator account can encrypt an entire Active Directory environment in minutes. Protecting privileged accounts requires:
- Dedicated admin accounts used exclusively for administrative tasks
- Multi-factor authentication on all privileged accounts, using phishing-resistant methods (FIDO2)
- Privileged Access Workstations (PAWs) for sensitive operations
- Just-in-time access: temporary privilege elevation rather than permanent membership in privileged groups
- Regular review and removal of stale privileged accounts
Active Directory hardening is particularly important because so many ransomware attacks involve AD compromise. Disabling legacy protocols and hash formats (NTLM, LM hashing), enforcing SMB signing, monitoring for DCSync attacks and Kerberoasting, and implementing tiered administration models all reduce the blast radius of credential compromise.
Incident response plan
Document and test your response BEFORE an incident occurs:
- Who has authority to isolate the network?
- Who contacts authorities (CISA, FBI, relevant national CERT)?
- Who manages internal and external communications?
- What is the restoration sequence and priority?
- Do you have a relationship with a specialized incident response firm and legal counsel?
A plan that has never been exercised will fail under the pressure of a real attack. Tabletop exercises and full simulations are not optional.
The incident response plan should also address the ransom payment decision process: who has authority to authorize payment, what legal counsel must be consulted (particularly regarding sanctions compliance), and what criteria would lead to payment versus not paying. Making this decision for the first time under the pressure of an active attack, with systems down and executives demanding immediate answers, produces poor outcomes.
Relationships with an incident response firm and a ransomware-specialized legal counsel should be established before an incident. Incident response retainer agreements provide guaranteed response time and priority access to resources when you need them most.