Ransomware Defense: What Actually Works
The security controls that prevent ransomware from spreading and the backup strategies that enable recovery without paying.
Ransomware is a business problem, not just a technical one. Modern attackers both encrypt your data and threaten to publish it, so whether you pay the ransom or absorb the leak, you're paying.
I've seen organizations recover in hours with good preparation, and I've seen others down for weeks without it.
Patch Faster
Most ransomware exploits known vulnerabilities. Patches exist. Organizations just don't apply them fast enough.
- Enable automatic updates everywhere possible
- Critical patches deployed within 48 hours
- Track what's installed and what needs updates
Every day between patch release and deployment is exposure. Attackers are scanning for exactly these gaps.
Backup for Recovery
Backups are your ransomware insurance. Without them, your choices are pay or lose the data.
Make backups immutable. Attackers specifically target backup systems. If your backups can be deleted or encrypted, they will be. Use cloud storage with object lock, or keep air-gapped offline copies.
Follow 3-2-1. Three copies, two media types, one offsite. Ransomware that hits your network shouldn't touch all copies.
Test restoration. I've seen backup systems that hadn't actually worked in months. Verify you can restore from backups before you need to.
Disconnect backup drives. External drives connected to your network are just more targets. Connect, back up, disconnect.
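A concrete check for the immutability point above, written as an added example (not the author's own code): a pure function that audits an S3 backup bucket's settings, taking dicts shaped like boto3's get_bucket_versioning response and the ObjectLockConfiguration part of get_object_lock_configuration (None when that API reports no lock configuration). The 30-day minimum retention and the constructed sample configurations are assumptions; run it offline on the samples or feed it real API responses.

```python
"""Audit whether an S3 backup bucket is actually immutable.

Input shapes follow boto3's responses for get_bucket_versioning and
get_object_lock_configuration()["ObjectLockConfiguration"].
"""
from typing import Optional

MIN_RETENTION_DAYS = 30  # assumed policy value; set it to your recovery window


def assess_backup_bucket(versioning: dict, lock: Optional[dict],
                         min_days: int = MIN_RETENTION_DAYS) -> list:
    """Return findings; an empty list means the bucket resists deletion and overwrite."""
    findings = []
    # Object Lock needs versioning: without it an overwrite replaces the only copy.
    if versioning.get("Status") != "Enabled":
        findings.append("versioning not enabled: overwrites destroy the only copy")
    if not lock or lock.get("ObjectLockEnabled") != "Enabled":
        findings.append("object lock not enabled: any principal with delete rights can purge backups")
        return findings
    rule = lock.get("Rule", {}).get("DefaultRetention")
    if not rule:
        findings.append("no default retention: new backup objects are written unlocked")
        return findings
    # GOVERNANCE can be bypassed by principals holding s3:BypassGovernanceRetention,
    # so stolen admin credentials defeat it; COMPLIANCE cannot be shortened by anyone.
    if rule.get("Mode") != "COMPLIANCE":
        findings.append("retention mode is GOVERNANCE: bypassable by privileged principals")
    days = rule.get("Days") or rule.get("Years", 0) * 365
    if days < min_days:
        findings.append(f"default retention {days}d is shorter than the {min_days}d recovery window")
    return findings


# Constructed sample configurations (not real buckets).
WEAK_VERSIONING, WEAK_LOCK = {"Status": "Suspended"}, None
GOV_VERSIONING = {"Status": "Enabled"}
GOV_LOCK = {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}
HARDENED_VERSIONING = {"Status": "Enabled"}
HARDENED_LOCK = {"ObjectLockEnabled": "Enabled",
                 "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 1}}}

if __name__ == "__main__":
    for name, v, l in [("weak", WEAK_VERSIONING, WEAK_LOCK),
                       ("governance", GOV_VERSIONING, GOV_LOCK),
                       ("hardened", HARDENED_VERSIONING, HARDENED_LOCK)]:
        print(name, assess_backup_bucket(v, l) or "OK")
```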
Segment Your Network
Ransomware spreads through lateral movement. Flat networks let it encrypt everything.
Segment by function. Workstations in one segment, servers in another, backups isolated completely.
Control inter-segment traffic. Firewalls between segments, with explicit allow rules. Default deny.
Isolate backup infrastructure. Backup systems should only be accessible from dedicated management interfaces.
Good segmentation turns "enterprise-wide incident" into "contained compromise in one segment."
Block the Entry Points
Most ransomware arrives through phishing or exposed services.
Email filtering. Block executable attachments. Quarantine documents with macros. These are primary delivery mechanisms.
MFA everywhere. Attackers can't use stolen credentials if they don't have the second factor.
Don't expose management ports. RDP on the internet is an invitation. VPN first, then RDP.
EDR/Antivirus
Modern endpoint detection tools catch ransomware behavior patterns - mass file modification, known encryption routines.
- Deploy EDR across all systems
- Keep signatures current
- Enable real-time protection
- Alert on detections, don't just log
Have a Plan
When ransomware hits, you don't have time to figure out what to do.
Document response steps. Who to call, how to contain, where backups are, how to restore.
Practice before it happens. Tabletop exercises reveal gaps. Better to find them in simulation than during an actual incident.
Know your communication plan. Internal, external, legal, PR. Everyone needs to know their role.
Key Takeaways
- Patch quickly - most ransomware exploits known vulnerabilities
- Immutable, tested backups are your recovery path
- Network segmentation contains the blast radius
- MFA and email filtering stop most initial access
- EDR detects ransomware behavior patterns
- Have a documented, practiced response plan
Written by Bar Tsveker
Senior CloudOps Engineer specializing in AWS, Terraform, and infrastructure automation.