Ransomware Prevention Playbook

Deploy EDR solutions that detect behavioral anomalies, not just known malware signatures. Modern ransomware evades traditional antivirus.

• Deploy EDR on all endpoints including servers
• Enable behavioral analysis and machine learning detection
• Configure automated response for suspicious activities
• Maintain 24/7 monitoring or managed detection service

The 3-2-1-1 rule protects against ransomware that targets backups: 3 copies, 2 media types, 1 offsite, 1 immutable/air-gapped.

• Maintain at least 3 copies of critical data
• Store backups on 2 different media types
• Keep 1 copy offsite or in cloud storage
• Keep 1 copy immutable or air-gapped (cannot be encrypted)
• Test restoration monthly; document recovery time

Limit ransomware spread by segmenting networks. An infection in one segment shouldn't reach crown jewels.

• Segment production from development environments
• Isolate backup infrastructure from main network
• Implement micro-segmentation for critical assets
• Control lateral movement with internal firewalls

Ransomware operators target admin credentials. Protecting privileged access limits their damage potential.

• Implement just-in-time admin access
• Use separate admin accounts from daily-use accounts
• Deploy MFA on all privileged access
• Monitor and alert on privilege escalation
• Remove unnecessary admin rights from endpoints

91% of ransomware attacks begin with phishing. Robust email security is your first line of defense.

• Deploy advanced email filtering with sandboxing
• Enable safe links and safe attachments
• Implement DMARC, DKIM, and SPF
• Block macro-enabled documents by default
• Train users on phishing recognition monthly

Known vulnerabilities are entry points. The Log4j and MOVEit incidents showed how quickly attackers exploit CVEs.

• Patch critical vulnerabilities within 24-48 hours
• Maintain vulnerability scanning weekly
• Prioritize internet-facing systems
• Document and track patch compliance