
How to Protect Your Business from Ransomware in 2025

Learn how to protect your business from ransomware attacks in 2025. Proven defenses, backup strategies, and incident response plans that actually work.


Ransomware Is Still the Biggest Threat to Businesses

Ransomware attacks cost businesses an estimated $20 billion in 2023. The average ransom payment exceeded $1.5 million, and recovery averaged 21 days, during which the affected business could not operate normally.

The mechanics are straightforward: attackers encrypt your data and demand payment for the decryption key. Most groups now also steal the data first and threaten to publish it if you do not pay (double extortion), so a good backup alone no longer ends the negotiation. Many go after backup servers and backup consoles before they trigger encryption, to remove your recovery option.

Here's how to defend against it.

How Ransomware Gets In

Understanding the attack vectors is the first step to closing them. The shares below are approximate and shift from year to year as defenses improve:

Phishing emails (40% of attacks): An employee opens a malicious link or attachment. A macro-enabled Office document, an ISO or LNK file, or a download from a lookalike site runs a loader that installs the ransomware operator's tooling.

RDP (Remote Desktop Protocol) attacks (25%): Internet-exposed RDP servers are found by mass scanning (Shodan-style search makes this trivial) and brute-forced or hit with credentials from earlier breaches. Once attackers are in, they move laterally.

VPN vulnerabilities (15%): Unpatched VPN appliances with public exploits. Pulse Secure (CVE-2019-11510), Fortinet FortiOS SSL-VPN (CVE-2018-13379) and Citrix ADC/Gateway (CVE-2019-19781) have all been exploited at scale by ransomware groups, often years after the patch shipped.

Software supply chain (10%): Legitimate software or its update channel is compromised. SolarWinds is the best-known supply-chain intrusion; the ransomware example is Kaseya VSA in 2021, where REvil exploited the remote-management product used by managed service providers to push ransomware to those providers' customers. This vector is the hardest to defend against, because the malicious code arrives through a trusted path.

Compromised credentials (10%): Passwords from previous breaches and from infostealer malware logs, sold on criminal forums and used to log in to VPNs, email and cloud consoles that lack MFA.

The 5-Layer Defense Strategy

Layer 1: Prevent Initial Access

Email security: Deploy email filtering that detonates attachments and links in a sandbox before delivery, and enforce DMARC so mail that spoofs your own domain is rejected. Microsoft Defender for Office 365 and Proofpoint are the enterprise standards.

Disable macros: Macros are rarely needed for legitimate business use and remain one of the most common initial access vectors. Since 2022 Office blocks VBA macros in files that carry the Mark of the Web by default; do not rely on that alone, because the mark can be lost when a file arrives inside a container format that does not propagate it or when a user deliberately unblocks the file. Enforce the policy through Group Policy ("Block macros from running in Office files from the Internet" and "VBA Macro Notification Settings" set to disable without notification, per application) and allow signed macros only for the few teams that need them.

Patch aggressively: An unpatched internet-facing system is an open door, so tolerate one only while there is no alternative. VPN appliances, remote access tools and other internet-facing systems should be patched within 48-72 hours of a critical vulnerability being announced, and sooner when CISA adds it to the Known Exploited Vulnerabilities catalog. Subscribe to the vendor advisories for every edge device you own.

RDP security: If you use RDP, put it behind a VPN or Zero Trust gateway with MFA. Never expose RDP directly to the internet (TCP 3389), and verify that from outside your own network, because "we don't expose it" is usually an assumption rather than a scan result. Require Network Level Authentication, and use account lockout so brute forcing is slow even on the internal network.
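The following script is an added example, not code from the original article: it audits the Layer 1 controls above on a single Windows endpoint and, with -Apply, enforces the registry-backed ones. It assumes Office 2016 or later (policy keys under ...\Office\16.0), English display names for the firewall rule group, and an elevated session for the HKLM write and Get-HotFix. The HKCU macro keys only affect the user running the script; in production the same values come from Group Policy, and this script is the per-machine check that the policy actually landed.

```powershell
# Added example (not from the article): audit Layer 1 controls on one Windows host.
# Usage: .\Audit-Layer1.ps1            (report only)
#        .\Audit-Layer1.ps1 -Apply     (also set the expected registry values)
param([switch]$Apply)

$findings = New-Object System.Collections.Generic.List[string]

function Test-RegValue {
    param([string]$Path, [string]$Name, [int]$Expected, [string]$Label)
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($actual -ne $Expected) {
        $script:findings.Add("$Label is '$actual', expected $Expected ($Path\$Name)")
        if ($Apply) {
            if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
            Set-ItemProperty -Path $Path -Name $Name -Value $Expected -Type DWord
        }
    }
}

# --- Macros: disable unsigned macros and block any macro in a file that came from the internet.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $sec = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    # VBAWarnings: 1 = enable all, 2 = prompt, 3 = signed only, 4 = disable all without notification
    Test-RegValue -Path $sec -Name 'VBAWarnings' -Expected 4 -Label "$app macro policy"
    # "Block macros from running in Office files from the Internet" (Mark of the Web)
    Test-RegValue -Path $sec -Name 'BlockContentExecutionFromInternet' -Expected 1 -Label "$app MOTW block"
}

# --- RDP: require Network Level Authentication and make sure 3389 is not answered on a public network.
$rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Test-RegValue -Path $rdp -Name 'UserAuthentication' -Expected 1 -Label 'RDP NLA'

$listening = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
if ($listening) {
    # A listener by itself is acceptable (RDP behind a VPN); an enabled inbound allow rule on the
    # Public profile is not, because the host will then answer from any network it lands on.
    $publicAllow = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Direction Inbound -Action Allow -ErrorAction SilentlyContinue |
        Where-Object { $_.Profile -match 'Public|Any' }
    if ($publicAllow) {
        $findings.Add("RDP listening on 3389 with inbound allow on Public profile: $($publicAllow.DisplayName -join ', ')")
    }
}

# --- Patching: 30 days is the assumed ceiling for an ordinary host; use the article's 48-72 hours
# for anything internet-facing by lowering the value below.
$maxPatchAgeDays = 30
$lastPatch = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastPatch -or $lastPatch.InstalledOn -lt (Get-Date).AddDays(-$maxPatchAgeDays)) {
    $findings.Add("Last update installed on '$($lastPatch.InstalledOn)'; nothing in the last $maxPatchAgeDays days")
}

if ($findings.Count -eq 0) { 'PASS: all Layer 1 checks met' } else { $findings | ForEach-Object { "FAIL: $_" } }
```

Run it as a scheduled task or through your RMM and collect the FAIL lines centrally; a host that passes locally but is still reachable on 3389 from the internet means the network edge, not the host, is the problem, which is why the external scan in the text is a separate check.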

Layer 2: Limit Lateral Movement

Least privilege access: Users should only have access to the systems and data they need. Domain admin rights should be held by fewer than 1% of accounts, never used for daily work, and never used to log on to workstations, because the credential material left in memory on that workstation is what the operator harvests with Mimikatz-style tooling. Put those accounts in the Protected Users group.

Network segmentation: Separate your network. Servers in one VLAN, user workstations in another, guest WiFi isolated, and backup infrastructure in its own segment with the narrowest possible allow list. Ransomware that infects a workstation shouldn't be able to reach your file servers or backup servers directly, and workstations have no business talking to each other over SMB or RDP at all.

Disable SMB v1: WannaCry and NotPetya both used the EternalBlue exploit (MS17-010) against SMBv1 to spread without credentials. Disable it on every system, server and client side. NotPetya also spread with stolen credentials over PsExec and WMI, which is why segmentation and the local admin control below still matter after SMBv1 is gone.

Local admin accounts: Use Windows LAPS (built into current Windows releases, replacing the legacy LAPS add-on) so every machine has a unique, regularly rotated local administrator password. If one machine is compromised, the attacker cannot reuse its local admin password or hash on every other machine. Also assign the "Deny access to this computer from the network" user right to "Local account and member of Administrators group", so even a leaked local admin password cannot be used remotely.
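The script below is an added example (not the article's own code) that audits the Layer 2 host controls on a domain-joined Windows machine: SMBv1 on both the server service and the optional feature, whether the built-in local Administrator password is actually being rotated, and how many accounts hold Domain Admins. It assumes the RSAT ActiveDirectory module for the last check (skipped if absent), an elevated session for the SMB and feature changes, and a 30-day LAPS rotation age; on Windows Server the SMBv1 feature is named FS-SMB1 under Get-WindowsFeature instead.

```powershell
# Added example (not from the article): audit Layer 2 controls; -Apply turns SMBv1 off.
param([switch]$Apply)

$findings = New-Object System.Collections.Generic.List[string]

# --- SMBv1: the WannaCry/NotPetya propagation path. Check the running server config and the feature.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings.Add('SMBv1 enabled on the SMB server service')
    if ($Apply) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
}
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    $findings.Add('SMB1Protocol Windows feature still installed (client and server components)')
    if ($Apply) { Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null }
}

# --- Local admin: LAPS rotates the built-in Administrator (RID 500). A password older than the
# rotation age (assumed 30 days) means LAPS is not managing this machine, whatever the GPO says.
$lapsMaxAgeDays = 30
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
if ($builtin.Enabled -and (-not $builtin.PasswordLastSet -or $builtin.PasswordLastSet -lt (Get-Date).AddDays(-$lapsMaxAgeDays))) {
    $findings.Add("Built-in Administrator '$($builtin.Name)' password last set '$($builtin.PasswordLastSet)'; not rotated by LAPS")
}

# --- Domain Admins: nested user members against enabled users, target under 1%.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $das = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Where-Object objectClass -eq 'user')
    $enabledUsers = @(Get-ADUser -Filter 'Enabled -eq $true').Count
    $pct = if ($enabledUsers) { [math]::Round(100 * $das.Count / $enabledUsers, 2) } else { 0 }
    if ($pct -gt 1) { $findings.Add("$($das.Count) Domain Admins out of $enabledUsers enabled users ($pct%)") }
    # List them regardless: forgotten service accounts in Domain Admins are the usual surprise.
    $das | ForEach-Object { "DA member: $($_.SamAccountName)" }
}

if ($findings.Count -eq 0) { 'PASS: all Layer 2 checks met' } else { $findings | ForEach-Object { "FAIL: $_" } }
```

The Domain Admins listing is deliberately printed even when the percentage passes: the 1% figure is a ceiling, and a single service account with a never-expiring password in that group is worse than five well-managed humans.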

Layer 3: Detect Attacks in Progress

Endpoint Detection and Response (EDR): Modern EDR tools detect ransomware behavior (bulk file encryption, shadow copy deletion, tampering with security services) before encryption is complete and can isolate the host automatically. CrowdStrike Falcon, SentinelOne and Microsoft Defender for Endpoint all do this. Turn on tamper protection: the first thing an operator with admin rights does is try to stop or uninstall the sensor, and a gap in coverage (a server with no agent, a machine the agent was removed from) is where encryption usually starts.

Security logging: Collect and monitor logs from endpoints, servers and network devices in a place the attacker cannot reach (a SIEM or a write-only log collector, not a share on the same domain). Enable command-line auditing (Security event 4688 with process command line, or Sysmon event 1) and file auditing on sensitive shares. Look for: mass file renames or creates with a new extension, shadow copy deletion (vssadmin delete shadows, wmic shadowcopy delete, bcdedit disabling recovery), lateral movement (PsExec service installs, WMI process creation, network and RDP logons fanning out from one host), and new admin accounts or group membership changes (4720, 4728, 4732).

Honeypots/canaries: Drop fake files or network shares with names like "employee_salaries_2025.xlsx" where an intruder would look, and audit reads on them. Any access to these files by anything other than your backup and antivirus service accounts is a high-confidence indicator of compromise; exclude those accounts up front so the alert stays credible, and page someone the moment it fires.
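The block below is an added example, not code from the original article. It does two things from this layer: New-CanaryFile plants a decoy and attaches an audit rule so every read lands in the Security log as event 4663, and Find-RansomwareIndicator runs three detection rules (recovery-kill commands, canary reads, a burst of new files with a ransom extension on one host) over a list of events. The events at the bottom are constructed inline so the logic runs offline; the field names, the extension list and the burst threshold are assumptions to adjust for your environment.

```powershell
# Added example (not from the article): canary deployment plus three ransomware-indicator rules.
# Production input: Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688,4663} and
# @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1,11}, mapped to objects with
# Time, Host, Kind ('Process' | 'FileCreate' | 'FileRead') and Detail (command line or path).

function New-CanaryFile {
    param([string]$Path)
    Set-Content -Path $Path -Value 'Confidential - do not distribute'   # decoy content; the audit rule is the point
    $acl = Get-Acl -Path $Path -Audit
    # Audit successful reads by anyone. Requires the File System audit subcategory to be on:
    #   auditpol /set /subcategory:"File System" /success:enable
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', 'ReadData', 'Success')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    return $Path
}

# Commands that delete shadow copies or cripple recovery; present in nearly every ransomware family.
$RecoveryKillPatterns = @(
    'vssadmin(\.exe)?\s+delete\s+shadows',
    'wmic(\.exe)?\s+shadowcopy\s+delete',
    'bcdedit(\.exe)?.*recoveryenabled\s+no',
    'wbadmin(\.exe)?\s+delete\s+catalog'
)
# Assumed, partial list; real deployments key on "new extension never seen on this share before".
$RansomExtensions = '\.(locked|encrypted|crypt|lockbit|akira|enc)$'

function Find-RansomwareIndicator {
    param(
        [object[]]$Events,
        [string[]]$CanaryPaths,
        [int]$BurstThreshold = 20,   # this many ransom-extension file creates ...
        [int]$WindowSeconds = 60     # ... within this window on one host
    )
    $alerts = New-Object System.Collections.Generic.List[string]
    foreach ($e in $Events) {
        if ($e.Kind -eq 'Process') {
            foreach ($p in $RecoveryKillPatterns) {
                if ($e.Detail -match $p) { $alerts.Add("CRITICAL $($e.Host): recovery-kill command: $($e.Detail)"); break }
            }
        }
        elseif ($e.Kind -eq 'FileRead' -and $CanaryPaths -contains $e.Detail) {
            $alerts.Add("CRITICAL $($e.Host): canary file read: $($e.Detail)")
        }
    }
    # Burst rule: sliding window over time-sorted FileCreate events, per host.
    $creates = $Events | Where-Object { $_.Kind -eq 'FileCreate' -and $_.Detail -match $RansomExtensions } | Sort-Object Host, Time
    foreach ($group in ($creates | Group-Object Host)) {
        $times = @($group.Group | ForEach-Object { $_.Time })
        $start = 0
        for ($i = 0; $i -lt $times.Count; $i++) {
            while (($times[$i] - $times[$start]).TotalSeconds -gt $WindowSeconds) { $start++ }
            if ($i - $start + 1 -ge $BurstThreshold) {
                $alerts.Add("HIGH $($group.Name): $($i - $start + 1) ransom-extension files in $WindowSeconds s (first: $($group.Group[$start].Detail))")
                break
            }
        }
    }
    return $alerts
}

# --- Constructed sample: benign activity on WS01, an attack in progress on WS02.
$t0 = Get-Date '2025-01-15T09:00:00'
$sample = @(
    [pscustomobject]@{ Time = $t0;               Host = 'WS01'; Kind = 'Process';  Detail = 'C:\Windows\System32\notepad.exe' }
    [pscustomobject]@{ Time = $t0.AddSeconds(5); Host = 'WS02'; Kind = 'Process';  Detail = 'vssadmin.exe delete shadows /all /quiet' }
    [pscustomobject]@{ Time = $t0.AddSeconds(9); Host = 'WS02'; Kind = 'FileRead'; Detail = '\\FS01\HR\employee_salaries_2025.xlsx' }
)
$sample += 1..25 | ForEach-Object {
    [pscustomobject]@{ Time = $t0.AddSeconds(10 + $_); Host = 'WS02'; Kind = 'FileCreate'; Detail = "C:\Users\jdoe\Documents\report$_.docx.locked" }
}

# Expected: two CRITICAL alerts (shadow copy deletion, canary read) and one HIGH burst alert, all on WS02.
Find-RansomwareIndicator -Events $sample -CanaryPaths '\\FS01\HR\employee_salaries_2025.xlsx'
```

To deploy the canary on a real share, run New-CanaryFile -Path '\\FS01\HR\employee_salaries_2025.xlsx' from an elevated session and then feed 4663 events for that path into the FileRead rule; the recovery-kill rule needs command-line logging enabled, because without it event 4688 only shows vssadmin.exe and not what it was asked to do.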

Layer 4: Protect Your Backups

Backups are your ultimate recovery mechanism. Attackers know this and target them first, typically by logging in to the backup console with stolen admin credentials and deleting the jobs and repositories, so backup credentials must not be domain admin credentials and the backup servers must not be domain-joined in the same forest if you can avoid it.

Immutable backups: Use backup solutions that create write-once copies. Cloud providers like AWS (S3 Object Lock) and Azure (immutable blob storage with a time-based retention policy) offer this. Use the compliance mode: in governance mode a principal holding the bypass permission can still shorten the retention or delete the object, and that is exactly the permission a compromised admin account carries. Set the retention period longer than your likely detection delay; attackers often sit in a network for weeks before encrypting, and an immutable copy that expires before you notice the intrusion is no copy at all.

Offline/air-gapped backups: Maintain at least one backup copy that is physically disconnected from your network. Tape is still used for this reason. An offline backup cannot be encrypted by ransomware while it is offline; it can still contain the malware that was present when it was written, so scan before restoring.

3-2-1-1-0 Rule: 3 copies of data, 2 different media types, 1 offsite, 1 offline or immutable, 0 errors on restore (verified, not assumed).

Test restores quarterly: Backups are worthless if they fail during recovery. Test full system restores quarterly, time them, and compare the result with the recovery time your business says it can tolerate. A restore that works but takes three weeks is still a three-week outage.
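The "0 errors" part of 3-2-1-1-0 only means something if a restore test produces a pass/fail rather than "the files seem to be there". The block below is an added example, not the article's own code: New-BackupManifest records a SHA-256 manifest at backup time, and Test-BackupRestore checks a restored tree against it, reporting missing and modified files. The demo at the bottom builds a small constructed dataset under $env:TEMP, simulates one corrupted and one missing file, and runs the check; the paths are assumptions.

```powershell
# Added example (not from the article): hash manifest at backup time, verified after restore.

function New-BackupManifest {
    param([string]$SourcePath, [string]$ManifestPath)
    $root = (Resolve-Path $SourcePath).Path
    $entries = Get-ChildItem -Path $root -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length).TrimStart('\')
            Length       = $_.Length
            Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
    # Store the manifest with the backup AND somewhere the backup job cannot write (the immutable copy).
    $entries | Export-Csv -Path $ManifestPath -NoTypeInformation
    return @($entries).Count
}

function Test-BackupRestore {
    param([string]$RestoredPath, [string]$ManifestPath)
    $root = (Resolve-Path $RestoredPath).Path
    $manifest = @(Import-Csv -Path $ManifestPath)
    $errors = New-Object System.Collections.Generic.List[string]
    foreach ($m in $manifest) {
        $file = Join-Path $root $m.RelativePath
        if (-not (Test-Path -LiteralPath $file)) { $errors.Add("MISSING  $($m.RelativePath)"); continue }
        $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        if ($hash -ne $m.Sha256) { $errors.Add("MODIFIED $($m.RelativePath)") }
    }
    # Files in the restore that are not in the manifest are not an error (restore logs, for instance),
    # but a large number of them deserves a look.
    $missing = @($errors | Where-Object { $_ -like 'MISSING*' }).Count
    $extra = @(Get-ChildItem -Path $root -File -Recurse).Count - $manifest.Count + $missing
    [pscustomobject]@{ Checked = $manifest.Count; Errors = $errors.Count; ExtraFiles = $extra; Detail = @($errors) }
}

# --- Constructed demo: back up five files, "restore" them with one tampered and one missing, verify.
$src = Join-Path $env:TEMP 'rw-demo-src'
$dst = Join-Path $env:TEMP 'rw-demo-restore'
$man = Join-Path $env:TEMP 'rw-demo-manifest.csv'
Remove-Item $src, $dst, $man -Recurse -Force -ErrorAction SilentlyContinue
New-Item -ItemType Directory -Path "$src\finance" -Force | Out-Null
1..5 | ForEach-Object { Set-Content -Path "$src\finance\ledger$_.txt" -Value ('entry ' * $_) }

New-BackupManifest -SourcePath $src -ManifestPath $man | Out-Null
Copy-Item -Path $src -Destination $dst -Recurse
Set-Content -Path "$dst\finance\ledger2.txt" -Value 'ENCRYPTED'   # simulated tampering / bit rot
Remove-Item "$dst\finance\ledger5.txt"                             # simulated incomplete restore

# Expected: Checked 5, Errors 2 (MODIFIED ledger2, MISSING ledger5), ExtraFiles 0.
$result = Test-BackupRestore -RestoredPath $dst -ManifestPath $man
$result | Format-List
```

Keep a copy of the manifest with the immutable backup rather than only beside the live data: if the attacker can rewrite the files, they can rewrite a manifest that lives next to them.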

Layer 5: Plan Your Response

Incident Response Plan: Document exactly what to do when ransomware is detected. Who gets called first? What gets isolated immediately? Who has the authority to pay a ransom, and who has the authority to take the whole company offline? Keep the plan and the contact list somewhere you can reach when the file server and email are encrypted, such as printed copies and a phone list, and rehearse it at least once a year.

Cyber insurance: Policies cover ransomware losses, incident response costs and business interruption. Review coverage carefully; many have sub-limits for ransomware, and many now require MFA, EDR and tested backups as a condition of coverage, so the controls above are also what keeps the policy valid.

Legal counsel on retainer: Ransomware incidents often have legal implications (breach notification requirements, regulatory issues, and sanctions rules that can make paying certain groups illegal). Have outside counsel you can call immediately, and engage the forensic firm through counsel so the investigation is covered by privilege where your jurisdiction allows it.

When Ransomware Hits: First 24 Hours

  1. Isolate affected systems immediately: Disconnect them from the network (pull the cable, disable the adapter, or use the EDR isolation feature). Do not power them off; memory holds running malware, keys and network connections that are lost on reboot.
  2. Call your incident response team: Internal or external. Don't try to recover alone.
  3. Don't pay immediately: Contact law enforcement (FBI, CISA). A free decryptor may exist for the family involved (check the No More Ransom project), and paying a sanctioned group can itself break the law. The FBI recommends against paying but will not prevent it.
  4. Preserve all logs: Export event logs and EDR telemetry now, and don't wipe systems before forensics are complete. Establish how the attacker got in, or you will be restoring into the same hole.
  5. Notify legal counsel: Determine breach notification obligations.
  6. Begin recovery from clean backups: Only from known-good, pre-incident backups, onto rebuilt systems rather than the encrypted ones. Reset every credential the attacker could have captured, including service accounts and the domain krbtgt account (twice, with a wait in between), before reconnecting anything.
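Steps 1 and 4 above conflict if done in the wrong order: the network cable comes out after the volatile evidence is captured, not before. The script below is an added example, not the article's own code, for running on a suspected host from its console or an out-of-band session. It collects running processes, connections, scheduled tasks, SMB sessions and shadow copies, exports the event logs as .evtx files, hashes the collection, and only then disables the network adapters. The output directory, the log list and the optional management-adapter exclusion are assumptions; it needs an elevated session and it never reboots or wipes anything.

```powershell
# Added example (not from the article): volatile evidence first, then isolate. Run elevated, at the console.
param(
    [string]$OutDir = "C:\IR\$($env:COMPUTERNAME)-$(Get-Date -Format 'yyyyMMdd-HHmmss')",
    [string]$KeepAdapter = ''   # name of an out-of-band management NIC to leave up, if any (assumed)
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Volatile state: gone after a reboot, and the attacker's tooling is usually still in it.
Get-Process -IncludeUserName | Select-Object Id, ProcessName, UserName, Path |
    Export-Csv "$OutDir\processes.csv" -NoTypeInformation
Get-NetTCPConnection | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
    Export-Csv "$OutDir\tcp.csv" -NoTypeInformation
Get-ScheduledTask | Where-Object State -ne 'Disabled' |
    Select-Object TaskName, TaskPath, @{ n = 'Action'; e = { $_.Actions.Execute -join ';' } } |
    Export-Csv "$OutDir\tasks.csv" -NoTypeInformation
Get-SmbSession -ErrorAction SilentlyContinue | Export-Csv "$OutDir\smb-sessions.csv" -NoTypeInformation
# Which shadow copies still exist tells you whether the encryptor has already run its vssadmin step.
Get-CimInstance Win32_ShadowCopy | Select-Object ID, InstallDate, VolumeName |
    Export-Csv "$OutDir\shadowcopies.csv" -NoTypeInformation

# 2. Preserve logs: export the .evtx files rather than querying them, so nothing rolls over mid-investigation.
$logs = 'Security', 'System', 'Application',
        'Microsoft-Windows-Sysmon/Operational', 'Microsoft-Windows-PowerShell/Operational',
        'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
foreach ($log in $logs) {
    $file = Join-Path $OutDir (($log -replace '[\\/]', '_') + '.evtx')
    wevtutil epl $log $file 2>$null
}

# 3. Hash everything collected so the chain of custody starts now (enumerate before writing the hash file).
$collected = Get-ChildItem -Path $OutDir -File
$collected | Get-FileHash -Algorithm SHA256 | Select-Object Path, Hash |
    Export-Csv "$OutDir\collection-hashes.csv" -NoTypeInformation

# 4. Only now cut the network. Disable adapters, do not shut down: memory and the running malware are evidence.
Get-NetAdapter | Where-Object { $_.Status -eq 'Up' -and $_.Name -ne $KeepAdapter } |
    Disable-NetAdapter -Confirm:$false
"Evidence collected in $OutDir; host isolated at $(Get-Date -Format o)"
```

If your EDR offers network isolation, use that instead of step 4 so the responder keeps a channel to the host; the evidence collection in steps 1 to 3 is still worth doing before the EDR's own memory capture, because it is fast and leaves readable CSV files that the incident lead can use while the full image is still being acquired.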

The Real ROI of Ransomware Defense

The controls above cost money. EDR might cost $50/endpoint/year. Immutable backup storage adds a premium. An incident response retainer might be $15,000/year.

The math is simple: a mid-size business with 100 employees faces an average ransom of $1.5M, average recovery cost of another $1.5M, and 21 days of downtime. Total exposure: $3M+.

Annual defense investment: $100-200K.

The choice is clear.


Cybersec Guide Editorial Team
