Ransomware Prevention Guide
Last updated: February 2026 · 20 min read
No single technology or policy can provide complete protection against ransomware. Effective defence requires a layered approach that combines technical controls, organisational processes, and human awareness. This guide outlines the most effective, evidence-based strategies for reducing your risk.
1. Backup Strategy: The 3-2-1-1-0 Rule
Backups remain the single most important defence against ransomware. If you can restore from clean backups, you eliminate the attacker's leverage entirely. The modern best practice is the 3-2-1-1-0 rule:
- 3 copies of your data
- 2 different storage media types
- 1 copy stored offsite
- 1 copy that is offline or immutable (air-gapped)
- 0 errors after automated backup verification testing
Critically, backups must be tested regularly. Many organisations discover their backups are corrupted or incomplete only during an actual emergency.
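The "0 errors" part of the rule only means something if verification is automated. The following is an added example, not code from this guide or any backup product: it writes a SHA-256 manifest of a source tree and checks every backup copy against it, reporting missing, corrupted and unexpected files. The directory layout and file contents in the demo are constructed in a temporary directory so it runs offline.

```python
"""Backup integrity verification: the "0 errors" in 3-2-1-1-0.

Added example (not part of the original guide). Builds a SHA-256 manifest
for a source tree and checks each backup copy against it. The demo tree,
paths and contents are constructed; point build_manifest/verify_backup at
real paths in your own verification job.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file's path relative to root to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_root: Path, manifest: Dict[str, str]) -> List[str]:
    """Compare a backup copy against the manifest and return every discrepancy.

    An empty list is the "0 errors" condition. Every problem is listed rather
    than stopping at the first, because a restore is only as good as its
    worst file.
    """
    errors: List[str] = []
    found = build_manifest(backup_root)
    for rel, digest in manifest.items():
        if rel not in found:
            errors.append(f"missing: {rel}")
        elif found[rel] != digest:
            errors.append(f"corrupted: {rel}")
    for rel in found:
        if rel not in manifest:
            errors.append(f"unexpected: {rel}")
    return errors


def demo() -> Tuple[int, int]:
    """Constructed scenario: one intact copy and one silently corrupted copy.

    Returns the error counts for (intact copy, corrupted copy).
    """
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        src.mkdir()
        (src / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "notes.txt").write_text("quarterly review\n")
        manifest = build_manifest(src)

        intact = Path(tmp) / "copy_a"
        corrupted = Path(tmp) / "copy_b"
        shutil.copytree(src, intact)
        shutil.copytree(src, corrupted)
        # Simulate bit rot or tampering on the second copy.
        (corrupted / "ledger.csv").write_text("id,amount\n1,999\n")

        return (len(verify_backup(intact, manifest)),
                len(verify_backup(corrupted, manifest)))


if __name__ == "__main__":
    ok, broken = demo()
    print(f"copy_a errors: {ok}, copy_b errors: {broken}")
```

In a real job the manifest should be written at backup time and stored with the offline or immutable copy, so that a verification run compares the restore target against a record the production environment cannot later modify.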
2. Patch Management
Unpatched software is one of the primary entry points for ransomware. The WannaCry outbreak of 2017 exploited a Windows vulnerability (EternalBlue / MS17-010) for which a patch had been available for two months before the attack.
- Establish a formal patch management programme with defined SLAs
- Prioritise critical and internet-facing systems
- Monitor vendor advisories and CVE databases daily
- Use automated patch deployment tools where possible
- Maintain an up-to-date asset inventory so no system is overlooked
3. Network Segmentation
Network segmentation limits the blast radius of a ransomware infection. If an attacker compromises one segment, properly configured segmentation prevents lateral movement to other parts of the network.
- Separate critical systems (financial data, patient records, backups) into isolated VLANs
- Implement strict firewall rules between segments
- Use micro-segmentation for high-value assets
- Restrict administrative access to dedicated management networks
4. Endpoint Detection and Response (EDR)
Traditional antivirus software is insufficient against modern ransomware. EDR solutions provide real-time monitoring, behavioural analysis, and automated response capabilities that can detect and contain ransomware before encryption begins.
- Deploy EDR on all endpoints, including servers
- Enable behavioural detection rules for file encryption patterns
- Configure automated isolation for endpoints exhibiting suspicious behaviour
- Integrate EDR with your SIEM for centralised visibility
5. Email Security and Phishing Defence
Phishing emails remain the most common delivery mechanism for ransomware. A multi-layered email security strategy significantly reduces this risk:
- Implement SPF, DKIM, and DMARC for your domains
- Use advanced email filtering with sandboxing for attachments
- Block dangerous file types at the email gateway (.exe, .js, .vbs, .iso, .img)
- Enable URL rewriting and time-of-click analysis
- Conduct regular phishing simulation exercises for all staff
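SPF and DMARC records are easy to publish in a form that looks correct but still lets spoofed mail through. The following added example (not from this guide) assesses record strings for the common weaknesses: a soft or permissive SPF `all` mechanism, too many DNS-lookup mechanisms, a DMARC policy of `none` or `quarantine`, partial `pct`, and missing aggregate reporting. It works on pasted record text rather than performing DNS queries, so it runs offline; the sample records use reserved example domains and are constructed. DKIM is not assessed here because it needs a selector and key lookup.

```python
"""Assess SPF and DMARC records for weak settings.

Added example (not part of the original guide). Operates on record strings
rather than live DNS; the sample records below are constructed.
"""
import re
from typing import Dict, List

# Mechanisms and modifiers that cost a DNS lookup (RFC 7208 section 4.6.4
# caps these at 10 per evaluation; exceeding it yields a permerror).
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
MAX_SPF_LOOKUPS = 10


def assess_spf(record: str) -> List[str]:
    findings: List[str] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record missing or does not start with v=spf1"]
    mech = [t.lower() for t in terms[1:]]

    all_term = next((t for t in mech if t.lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("SPF: no 'all' mechanism; unlisted senders are treated as neutral")
    elif all_term in ("all", "+all"):
        findings.append("SPF: '+all' authorises every sender; the record is useless")
    elif all_term in ("~all", "?all"):
        findings.append(f"SPF: '{all_term}' is softfail/neutral; use '-all' once sources are complete")

    lookups = 0
    for t in mech:
        name = re.split(r"[:/=]", t.lstrip("+-~?"), maxsplit=1)[0]
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
    if lookups > MAX_SPF_LOOKUPS:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of {MAX_SPF_LOOKUPS} (permerror)")
    return findings


def parse_dmarc(record: str) -> Dict[str, str]:
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess_dmarc(record: str) -> List[str]:
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record missing or does not start with v=DMARC1"]
    findings: List[str] = []
    p = tags.get("p", "").lower()
    if p not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid 'p' tag; receivers ignore the record")
    elif p == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif p == "quarantine":
        findings.append("DMARC: p=quarantine sends spoofed mail to spam; move to p=reject")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address; you receive no aggregate reports")
    return findings


def assess_domain(spf: str, dmarc: str) -> List[str]:
    return assess_spf(spf) + assess_dmarc(dmarc)


# Constructed sample records: a typical weak setup and its hardened form.
WEAK_RECORDS = {
    "spf": "v=spf1 include:_spf.example.net ~all",
    "dmarc": "v=DMARC1; p=none",
}
HARDENED_RECORDS = {
    "spf": "v=spf1 include:_spf.example.net -all",
    "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s",
}

if __name__ == "__main__":
    for label, recs in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(label, assess_domain(**recs) or ["no findings"])
```

Moving from the weak to the hardened records is usually done in stages: publish `p=none` with `rua=` first, use the aggregate reports to find every legitimate sending source, add those to SPF, then tighten to `-all` and `p=reject`.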
6. Multi-Factor Authentication (MFA)
Compromised credentials, particularly for RDP and VPN services, are a major entry vector for ransomware. MFA adds a second layer of verification that prevents attackers from using stolen passwords alone.
- Enforce MFA on all remote access points (VPN, RDP, cloud services)
- Prefer hardware tokens or authenticator apps over SMS-based MFA
- Require MFA for all privileged/administrative accounts
- Consider passwordless authentication for maximum security
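The authenticator apps recommended above implement time-based one-time passwords (TOTP, RFC 6238) on top of HOTP (RFC 4226). The following added example, not from this guide or any MFA product, shows both the code generation and the verifier side, including the two details that matter for security: a small clock-skew window so a code from the previous step is still accepted, and replay protection so a code that has been used once is refused even within that window. The seed is the RFC 6238 test-vector secret, and the timestamps in the demo are constructed to match its published values.

```python
"""TOTP generation and verification with skew tolerance and replay protection.

Added example (not part of the original guide). The seed below is the RFC
6238 test-vector secret; real seeds must be random and stored server-side
in a secrets store, never alongside the password hash in plain text.
"""
import hashlib
import hmac
import struct
from typing import Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of whole time steps since the epoch."""
    return hotp(secret, int(for_time) // step, digits)


class TotpVerifier:
    """Server-side verifier for one enrolled authenticator."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.skew = skew                  # steps of clock drift tolerated each way
        self._last_used_counter = -1      # highest counter already accepted

    def verify(self, code: str, now: float) -> bool:
        counter = int(now) // self.step
        for offset in range(-self.skew, self.skew + 1):
            candidate = counter + offset
            # Replay protection: every step can be used at most once, and a
            # successful login moves the watermark forward.
            if candidate <= self._last_used_counter:
                continue
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self._last_used_counter = candidate
                return True
        return False


RFC6238_SEED = b"12345678901234567890"


def demo() -> Tuple[bool, bool, bool, bool]:
    """Constructed walk-through using RFC 6238 timestamps.

    Returns (valid code accepted, same code replayed, previous-step code
    accepted under skew, unrelated code rejected).
    """
    v = TotpVerifier(RFC6238_SEED)
    first = v.verify(totp(RFC6238_SEED, 1111111109), 1111111109)
    replay = v.verify(totp(RFC6238_SEED, 1111111109), 1111111109)
    # The code for T=1111111111 belongs to the step before 1111111141.
    drift = v.verify(totp(RFC6238_SEED, 1111111111), 1111111111 + 30)
    wrong = v.verify(totp(RFC6238_SEED, 59), 1111111111 + 30)
    return first, replay, drift, wrong


if __name__ == "__main__":
    print("8-digit code at T=59:", totp(RFC6238_SEED, 59, digits=8))
    print(demo())
```

This is also why SMS codes rank lower than an app: the app's seed never leaves the device after enrolment, whereas an SMS code transits a network the organisation does not control. Rate limiting on the verify endpoint is still required, since a six-digit code space is small enough to guess at high request rates.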
7. Principle of Least Privilege
Users and systems should have only the minimum permissions necessary to perform their functions. This limits the damage an attacker can do if they compromise any single account.
- Remove local administrator rights from standard user accounts
- Implement just-in-time (JIT) privileged access for administrative tasks
- Regularly audit and review access permissions
- Use Privileged Access Management (PAM) solutions for credential vaulting
8. Employee Security Awareness Training
People are both the weakest link and the strongest defence. Regular, engaging security awareness training transforms employees from potential victims into active defenders.
- Conduct training at onboarding and at least quarterly thereafter
- Cover phishing recognition, social engineering, and safe browsing habits
- Run realistic phishing simulations and measure improvement over time
- Create a blame-free reporting culture so employees report suspicious emails promptly
9. Zero Trust Architecture
The zero-trust security model operates on the principle of “never trust, always verify.” Rather than assuming that anything inside the network perimeter is safe, zero trust requires continuous verification of every user and device.
- Verify identity and device health before granting access to any resource
- Apply micro-segmentation and least-privilege access
- Monitor and log all network traffic, including east-west (internal) traffic
- Assume breach: design systems so that a single compromise cannot cascade
10. Incident Response Planning
Prevention will never be 100% effective. Having a well-documented, tested incident response plan is essential. See our dedicated Incident Response guide for a comprehensive framework.