Ransomware attacks surged 45% in 2025, with the average ransom demand exceeding $2 million. This guide covers a layered defense strategy spanning prevention, detection, and recovery.

Modern Ransomware Threat Landscape

Modern ransomware operations are run by organized groups using a Ransomware-as-a-Service (RaaS) model. Affiliates purchase or rent ransomware toolkits from developers and split ransom payments. Most attacks now involve double extortion, where attackers encrypt data and threaten to publish it. Some groups have adopted triple extortion, adding DDoS attacks or contacting victims’ customers directly.

Common Initial Access Vectors

Phishing emails with malicious attachments or links remain a top entry point. Attackers also exploit public-facing applications like VPN appliances, web servers, and remote access tools. Compromised credentials from infostealers or credential stuffing provide another avenue, as does supply chain compromise through software updates or managed service providers. Remote Desktop Protocol (RDP) exposed to the internet with weak credentials continues to be exploited.

Prevention Controls

Email Security

Deploy an email security gateway with attachment sandboxing and URL rewriting. Block macro-enabled Office documents (.docm, .xlsm) at the email gateway. Implement DMARC, DKIM, and SPF to reduce spoofing. Train users to recognize phishing, but do not rely on training as a primary control.

Patch Management

Prioritize patching of internet-facing systems including VPNs, firewalls, and web applications. Track CISA’s Known Exploited Vulnerabilities (KEV) catalog and remediate entries within the mandated timeframes. Automate patching for endpoints and standard server configurations. Maintain an inventory of end-of-life software and plan replacements.

Identity and Access Controls

Enforce multi-factor authentication (MFA) on all remote access, email, VPN, and administrative accounts. Use phishing-resistant MFA (FIDO2/WebAuthn hardware keys) for privileged accounts. Implement privileged access management (PAM) with just-in-time access and session recording. Disable or heavily restrict RDP; if required, gate it behind a VPN with MFA. Review and remove dormant accounts quarterly.

Network Segmentation

Segment networks to limit lateral movement by separating IT, OT, user, and server segments. Restrict SMB (port 445), RDP (port 3389), and WMI/WinRM traffic between segments. Deploy internal firewalls or microsegmentation solutions like VMware NSX, Illumio, or Zscaler. Isolate backup infrastructure on a separate network segment with restricted access.

Endpoint Hardening

Deploy EDR (Endpoint Detection and Response) on all endpoints and servers. Enable attack surface reduction (ASR) rules on Windows systems. Disable PowerShell for users who do not need it and enable constrained language mode where possible. Block execution from user-writable directories (AppData, Temp, Downloads) via application control policies. Disable Windows Script Host for non-administrative users.

Detection and Monitoring

Indicators to Monitor

Indicator                             | Detection Method
Mass file renames or encryption       | EDR behavioral detection, file integrity monitoring
Volume Shadow Copy deletion           | SIEM rules for "vssadmin delete shadows" or "wmic shadowcopy delete"
Lateral movement (PsExec, WMI, RDP)   | Network traffic analysis, authentication logs
Credential dumping (LSASS access)     | EDR process monitoring, Windows Event ID 4688
Data exfiltration                     | DLP, network flow analysis, unusual outbound transfer volumes
Ransomware notes or wallpaper changes | EDR file creation monitoring
Disabling of security tools           | Tamper protection alerts, service stop monitoring

SIEM Detection Rules

Key detection rules for ransomware activity include:

  • Multiple failed logins followed by a successful login from the same source
  • New service installation on multiple hosts within a short window
  • Execution of living-off-the-land binaries (LOLBins) in unusual contexts
  • Large outbound data transfers to new external destinations
  • Group policy modifications from non-standard accounts
  • Backup deletion commands or service stops
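The following Python is an added example (not from the guide) that runs four of these rules over constructed, normalised Windows event records of the kind a SIEM stores: shadow copy deletion via the vssadmin and wmic commands named in the table above, a burst of failed logons (Event ID 4625) followed by success (4624) from the same source, the same new service (System Event ID 7045) appearing on several hosts in a short window, and a protected security or backup service being stopped (7036). Field names, thresholds and the protected-service list are assumptions to adapt to your own schema.

```python
"""Ransomware precursor rules over normalised Windows events.

Added example, not the guide's tooling. SAMPLE_EVENTS are constructed
records; field names (ts, host, event_id, user, src_ip, cmdline,
service, state) are assumed and should match your SIEM's schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
# Assumed list of services whose stop should alert (Defender, EDR, backup agents).
PROTECTED_SERVICES = {"WinDefend", "Sense", "VeeamBackupSvc"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def detect_shadow_deletion(events):
    """4688 process creation whose command line deletes shadow copies."""
    return [f"{e['host']}: shadow copy deletion by {e['user']}: {e['cmdline']}"
            for e in events
            if e["event_id"] == 4688 and SHADOW_DELETE.search(e.get("cmdline", ""))]


def detect_bruteforce_success(events, threshold=5, window=timedelta(minutes=10)):
    """>= threshold 4625 failures from one source, then a 4624 success within window."""
    alerts, failures = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event_id"] == 4625:
            failures[e["src_ip"]].append(parse_ts(e["ts"]))
        elif e["event_id"] == 4624 and e.get("src_ip") in failures:
            t = parse_ts(e["ts"])
            recent = [f for f in failures[e["src_ip"]] if t - f <= window]
            if len(recent) >= threshold:
                alerts.append(f"{e['src_ip']}: {len(recent)} failed logons then "
                              f"success as {e['user']} on {e['host']}")
    return alerts


def detect_service_spread(events, min_hosts=3, window=timedelta(minutes=15)):
    """Same new service (7045) installed on min_hosts distinct hosts within window."""
    alerts, installs = [], defaultdict(list)
    for e in events:
        if e["event_id"] == 7045:
            installs[e["service"]].append((parse_ts(e["ts"]), e["host"]))
    for name, items in installs.items():
        items.sort()
        for t0, _ in items:  # slide the window from each install
            hosts = {h for t, h in items if t0 <= t <= t0 + window}
            if len(hosts) >= min_hosts:
                alerts.append(f"service {name} installed on {len(hosts)} hosts within {window}")
                break
    return alerts


def detect_security_service_stop(events):
    """7036 'entered the stopped state' for a protected service."""
    return [f"{e['host']}: protected service {e['service']} stopped"
            for e in events
            if e["event_id"] == 7036 and e.get("state") == "stopped"
            and e["service"] in PROTECTED_SERVICES]


def run_all(events):
    return (detect_shadow_deletion(events) + detect_bruteforce_success(events)
            + detect_service_spread(events) + detect_security_service_stop(events))


def _ev(ts, host, event_id, **fields):
    return dict(ts=ts, host=host, event_id=event_id, **fields)


# Constructed sample: one incident's worth of precursors plus benign noise.
SAMPLE_EVENTS = [
    *[_ev(f"2025-06-01T09:0{i}:00", "FS01", 4625, src_ip="198.51.100.7", user="svc_backup")
      for i in range(6)],
    _ev("2025-06-01T09:06:00", "FS01", 4624, src_ip="198.51.100.7", user="svc_backup"),
    _ev("2025-06-01T09:10:00", "WS01", 7045, service="PSEXESVC"),
    _ev("2025-06-01T09:12:00", "WS02", 7045, service="PSEXESVC"),
    _ev("2025-06-01T09:14:00", "WS03", 7045, service="PSEXESVC"),
    _ev("2025-06-01T09:15:00", "WS02", 7036, service="WinDefend", state="stopped"),
    _ev("2025-06-01T09:16:00", "WS02", 4688, user="svc_backup",
        cmdline="vssadmin.exe delete shadows /all"),
    # Benign noise that must not alert.
    _ev("2025-06-01T08:00:00", "WS09", 4688, user="helpdesk", cmdline="vssadmin list shadows"),
    _ev("2025-06-01T08:05:00", "WS09", 7045, service="GoogleUpdater"),
    _ev("2025-06-01T08:10:00", "WS09", 7036, service="Spooler", state="stopped"),
]

if __name__ == "__main__":
    for alert in run_all(SAMPLE_EVENTS):
        print("ALERT", alert)
```

Each rule is independent, so the sequence matters less than the combination: a brute-forced account, a service fanning out over hosts and a shadow copy deletion within minutes of each other is the pattern worth paging on, while any single rule firing alone is a triage item.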

Threat Intelligence Integration

Subscribe to ransomware-focused threat intelligence feeds. Monitor dark web leak sites for your organization’s name and data. Track IOCs (hashes, IPs, domains) associated with active ransomware groups. Share indicators with ISACs and trusted peer organizations.

Backup and Recovery Strategy

Backups are the primary defense against ransomware’s encryption payload. A compromised backup strategy means the only recovery option is paying the ransom.

The 3-2-1-1-0 Rule

Keep 3 copies of data on 2 different storage media types with 1 copy offsite and 1 copy offline or immutable. Verify 0 errors through regular restoration testing.

Immutable Backups

Use write-once-read-many (WORM) storage for backup repositories. Cloud providers offer immutability features: AWS S3 Object Lock, Azure Immutable Blob Storage, and GCP Bucket Lock. Set retention locks that cannot be shortened even by administrators. Isolate backup administrative credentials from the primary Active Directory.

Backup Testing

Perform monthly restoration tests of critical systems. Conduct quarterly full disaster recovery exercises. Measure and document Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for each critical system. Test restoration to isolated environments to verify data integrity without risking production.
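The "0 errors" part of 3-2-1-1-0 and the restoration tests described here only mean something if the restore is compared against what was backed up. The following Python is an added example (not the guide's tooling) that records a SHA-256 manifest at backup time, restores into an isolated directory, and reports missing, altered and unexpected files, plus whether the backup's age still meets the RPO. The sample files, directory names and the 24-hour RPO are constructed for the demo.

```python
"""Restore verification for the "0 errors" part of 3-2-1-1-0.

Added example, not the guide's tooling. Builds a SHA-256 manifest of a
backup set, restores into an isolated directory and compares every file
against the manifest. The sample files are constructed in a temporary
directory so the demo runs offline.
"""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timedelta, timezone


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, taken_at=None):
    """Hash every file under root; paths are stored relative to root with '/' separators."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            files[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return {"taken_at": (taken_at or datetime.now(timezone.utc)).isoformat(), "files": files}


def verify_restore(manifest, restore_root):
    """Compare a restored tree against the manifest; ok means zero errors."""
    expected, errors = manifest["files"], []
    for rel, digest in expected.items():
        full = os.path.join(restore_root, *rel.split("/"))
        if not os.path.isfile(full):
            errors.append(f"missing: {rel}")
        elif sha256_file(full) != digest:
            errors.append(f"altered: {rel}")
    present = build_manifest(restore_root)["files"]
    errors += [f"unexpected: {rel}" for rel in present if rel not in expected]
    return {"checked": len(expected), "errors": errors, "ok": not errors}


def rpo_met(manifest, rpo, now=None):
    """True if the backup is no older than the Recovery Point Objective."""
    taken = datetime.fromisoformat(manifest["taken_at"])
    return (now or datetime.now(timezone.utc)) - taken <= rpo


def demo():
    """Constructed backup set: a clean restore and a tampered one, both verified."""
    work = tempfile.mkdtemp(prefix="restore-test-")
    try:
        src = os.path.join(work, "source")
        os.makedirs(os.path.join(src, "db"))
        os.makedirs(os.path.join(src, "config"))
        with open(os.path.join(src, "db", "orders.sql"), "w") as f:
            f.write("INSERT INTO orders VALUES (1, 'widget');\n")  # constructed content
        with open(os.path.join(src, "config", "app.yaml"), "w") as f:
            f.write("db_host: db01.internal\n")  # constructed content
        taken = datetime(2025, 6, 1, 2, 0, tzinfo=timezone.utc)
        manifest = build_manifest(src, taken_at=taken)

        clean = os.path.join(work, "restore-clean")
        shutil.copytree(src, clean)  # stands in for the restore job

        tampered = os.path.join(work, "restore-tampered")
        shutil.copytree(src, tampered)
        with open(os.path.join(tampered, "db", "orders.sql"), "a") as f:
            f.write("-- altered after backup\n")
        os.remove(os.path.join(tampered, "config", "app.yaml"))
        with open(os.path.join(tampered, "README.locked"), "w") as f:
            f.write("constructed stray file\n")

        rpo = timedelta(hours=24)  # assumed RPO for the demo
        return {
            "clean": verify_restore(manifest, clean),
            "tampered": verify_restore(manifest, tampered),
            "rpo_ok": rpo_met(manifest, rpo, now=taken + timedelta(hours=18)),
            "rpo_missed": rpo_met(manifest, rpo, now=taken + timedelta(hours=48)),
        }
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    result = demo()
    print("clean restore:", result["clean"])
    print("tampered restore:", result["tampered"])
    print("RPO met:", result["rpo_ok"], "| RPO missed:", result["rpo_missed"])
```

Store the manifest with the backup but verify it against a copy kept outside the backup repository, since an attacker who can alter backup contents can usually alter a manifest stored beside them; the immutable copy of the backup is the right place for the reference hashes.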

What to Back Up

Beyond file data, ensure you can restore Active Directory and identity infrastructure, DNS and DHCP configurations, application configurations and secrets, database systems with transaction-consistent snapshots, network device configurations, and hypervisor and container orchestration state.

Incident Response for Ransomware

Immediate Actions (First 60 Minutes)

  1. Isolate affected systems by disconnecting them from the network, but do not power them off (this preserves forensic evidence in memory)
  2. Activate incident response team and notify leadership
  3. Determine scope: which systems are encrypted? Is encryption still spreading?
  4. Preserve evidence by capturing memory dumps, ransom notes, and encrypted file samples
  5. Engage external counsel since attorney-client privilege may protect investigation communications

Investigation Phase

Identify the initial access vector to understand how the attackers got in. Determine dwell time to understand how long the attackers were in the environment before deploying ransomware. Assess data exfiltration to determine whether data was stolen before encryption by checking the group’s leak site. Identify persistence mechanisms including backdoors, new accounts, and scheduled tasks. Determine the ransomware variant using ID Ransomware or threat intelligence consultation.

Recovery Phase

Rebuild affected systems from known-good images rather than decrypting and reusing compromised systems. Restore data from verified immutable backups. Reset all credentials, not just those known to be compromised. Implement additional monitoring for re-compromise indicators. Address the initial access vector before reconnecting restored systems.

Ransom Payment Considerations

Law enforcement agencies (FBI, CISA, NCA) advise against paying ransoms. Payment does not guarantee data recovery or deletion of stolen data. Paying may violate OFAC sanctions if the group is on the sanctions list. If considering payment, engage specialized ransomware negotiation firms through legal counsel. Report the incident to law enforcement regardless of payment decision.

Regulatory Reporting Obligations

Ransomware incidents may trigger mandatory reporting:

Public companies must file SEC material incident disclosure on Form 8-K within 4 business days. HIPAA requires breach notification within 60 days if PHI is involved. GDPR requires data protection authority notification within 72 hours if EU personal data is affected. Under CIRCIA (rules expected 2026), critical infrastructure entities will be required to report within 72 hours. State breach notification laws vary by jurisdiction, with many requiring notification within 30-60 days.

Program Maturity Checklist

  • MFA enforced on all remote access and privileged accounts
  • EDR deployed on all endpoints and servers with tamper protection
  • Network segmented with restricted lateral movement
  • Immutable, offline backups with regular restoration testing
  • Email security gateway with attachment sandboxing
  • Incident response plan documented, tested, and updated annually
  • Patch management process with KEV-aligned SLAs
  • Cyber insurance policy reviewed and current
  • Third-party incident response retainer in place
  • Tabletop exercises conducted at least annually