Ransomware Protection in 2026: A 7-Layer Defense Playbook

TL;DR: Ransomware now hits more than 60% of mid-sized organizations every year, and the average recovery cost crossed $1.8M in 2025. This guide walks through the seven defensive layers every business should have — from endpoint hardening to immutable backups — so a single click on a malicious email doesn’t become a multi-week outage.

What ransomware actually does

Modern ransomware no longer just encrypts files. A typical intrusion does three things: it exfiltrates a copy of your data first, encrypts the originals, and deletes or encrypts backups and volume shadow copies before anyone notices. Encryption plus the threat to leak stolen data is "double extortion"; "triple extortion" adds a third pressure point, such as a DDoS or direct contact with your customers and partners. Either way, having backups no longer ends the negotiation: the attackers threaten to publish or sell your data unless you pay.

The seven defensive layers

1. Email and identity hardening

Phishing remains one of the most common initial-access vectors, alongside stolen credentials, exposed RDP/VPN services, and unpatched internet-facing appliances. Publish SPF and DKIM for your domain and move DMARC to p=reject once the aggregate reports show legitimate mail passing. Require MFA on every account, especially email, VPN, and remote management tools. Disable legacy authentication (basic auth for POP3, IMAP, SMTP AUTH, and ActiveSync), because those flows never prompt for MFA and are what password-spraying tools target.
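As an added example (not code from the article), the checker below grades the SPF and DMARC records the paragraph asks you to publish and flags the weak settings that matter: a softfail or neutral SPF, a DMARC policy still at p=none or with pct below 100, no reporting address, or a subdomain policy weaker than the organisational one. The records are constructed samples for an example domain; no DNS is queried, so in practice you would fetch the TXT records first (dig or dnspython) and pass them in.

```python
"""Grade a domain's SPF and DMARC TXT records. Added example, not part of
the original article; the records below are constructed samples and no DNS
is queried."""
import re

# Mechanisms that cost a DNS lookup under RFC 7208 (limit: 10 per evaluation)
LOOKUP_MECH = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(?=[:/]|$)|^redirect=")


def check_spf(record: str) -> list[str]:
    """Return a list of weaknesses; an empty list means the record is sound."""
    findings = []
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no valid SPF record"]
    all_term = next((t.lower() for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("SPF has no 'all' mechanism: unlisted senders are neutral")
    elif all_term in ("+all", "all"):
        findings.append("SPF '+all' authorises every sender on the internet")
    elif all_term == "?all":
        findings.append("SPF '?all' is neutral and provides no protection")
    elif all_term == "~all":
        findings.append("SPF '~all' softfail: rely on DMARC to reject")
    lookups = sum(1 for t in terms[1:] if LOOKUP_MECH.match(t.lower()))
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups (limit 10): permerror")
    return findings


def parse_tags(record: str) -> dict[str, str]:
    """Split a DMARC 'tag=value; tag=value' record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def check_dmarc(record: str) -> list[str]:
    """Return a list of weaknesses in a DMARC record; empty means p=reject and sane."""
    findings = []
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["no valid DMARC record"]
    p = tags.get("p", "none").lower()
    if p == "none":
        findings.append("DMARC p=none: spoofed mail is delivered, only reported")
    elif p == "quarantine":
        findings.append("DMARC p=quarantine: spoofed mail reaches junk folders, move to p=reject")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"DMARC pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you will never see who is spoofing you")
    sp = tags.get("sp", p).lower()
    if sp == "none" and p != "none":
        findings.append("sp=none leaves subdomains spoofable")
    return findings


# Constructed sample records for an example domain (not real DNS data)
WEAK_SPF = "v=spf1 include:spf.mailhost.example ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_SPF = "v=spf1 include:spf.mailhost.example -all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for name, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(name, check_spf(spf) + check_dmarc(dmarc))
```

The lookup counter matters more than it looks: an SPF record that exceeds ten DNS-querying mechanisms evaluates to permerror on the receiving side, and many receivers treat that as "no SPF at all", which quietly reopens the spoofing hole that DMARC was supposed to close.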

2. Endpoint Detection & Response (EDR)

Traditional antivirus matches known signatures. EDR products such as Bitdefender GravityZone, SentinelOne, or CrowdStrike Falcon watch behaviour instead: one process rewriting hundreds of files across many directories in seconds, lateral movement, encoded or obfuscated PowerShell. On detection they can isolate the host from the network while keeping their own telemetry channel open, and some can roll back file changes from local snapshots. Tune and test the alerting; an EDR nobody watches is just an expensive log.
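To make the "many files in seconds" heuristic concrete, here is an added example (not code from the article or from any EDR vendor) of the kind of per-process sliding-window rule an EDR builds on. It runs over constructed file-event telemetry: a user saving documents, a backup job writing one directory tree, and a process rewriting and renaming every share in a few seconds. The thresholds, process names and paths are illustrative assumptions; the directory-spread condition is what keeps the backup job from tripping it.

```python
"""Toy behavioural detector for mass file encryption, the signal an EDR builds on.
Added example, not code from the article or any vendor; events are constructed
sample telemetry and paths use '/' for brevity."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: float          # seconds since an arbitrary epoch
    pid: int
    image: str         # process executable
    op: str            # "write" or "rename"
    path: str
    new_path: str = "" # only for renames


def ext(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_mass_encryption(events, window=10.0, min_files=50, min_dirs=5):
    """Per-process sliding window: alert when one process modifies at least
    min_files distinct files across min_dirs directories within window seconds.
    The directory spread separates ransomware from a build or backup job that
    hammers a single tree. Thresholds are illustrative; tune on your own baseline."""
    per_pid = defaultdict(deque)
    alerts = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.op not in ("write", "rename"):
            continue
        q = per_pid[e.pid]
        q.append(e)
        while q and e.ts - q[0].ts > window:
            q.popleft()
        if e.pid in alerts:
            continue
        files = {x.path for x in q}
        if len(files) < min_files:
            continue
        dirs = {x.path.rsplit("/", 1)[0] for x in q}
        if len(dirs) < min_dirs:
            continue
        # Renames that change the extension (doc.docx -> doc.docx.locked) are the tell
        new_exts = [ext(x.new_path) for x in q if x.op == "rename" and ext(x.new_path) != ext(x.path)]
        alerts[e.pid] = {
            "image": e.image,
            "files": len(files),
            "dirs": len(dirs),
            "ext_changes": len(new_exts),
            "new_ext": max(set(new_exts), key=new_exts.count) if new_exts else "",
            "seconds": round(e.ts - q[0].ts, 2),
        }
    return alerts


def sample_events() -> list[FileEvent]:
    """Constructed telemetry: document edits, a backup job writing one tree,
    and a process rewriting every share in a few seconds."""
    ev = []
    for i in range(5):                                    # benign: Word saves
        ev.append(FileEvent(10.0 + i * 12, 1001, "WINWORD.EXE", "write", f"/users/alice/docs/memo{i}.docx"))
    for i in range(200):                                  # benign: backup into one directory
        ev.append(FileEvent(50.0 + i * 0.02, 2002, "backup.exe", "write", f"/backup/daily/chunk{i}.bin"))
    shares = ["finance", "hr", "eng", "legal", "ops", "sales", "it", "exec"]
    for i in range(120):                                  # malicious: encrypt in place, then rename
        p = f"/srv/share/{shares[i % 8]}/doc{i}.docx"
        t = 100.0 + i * 0.03
        ev.append(FileEvent(t, 4242, "updatehelper.exe", "write", p))
        ev.append(FileEvent(t + 0.001, 4242, "updatehelper.exe", "rename", p, p + ".locked"))
    return ev


if __name__ == "__main__":
    for pid, alert in detect_mass_encryption(sample_events()).items():
        print(pid, alert)
```

Real products add signals this toy omits (entropy of written data, ransom-note file drops, shadow-copy deletion via vssadmin or WMI), but the structure is the same: counts per process over a short window, with a spread condition to suppress legitimate bulk writers.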

3. Network segmentation

Flat networks let ransomware travel everywhere. Put finance, HR, production, and IT management on separate VLANs with default-deny firewall rules between them. Disable SMBv1 entirely. Block workstation-to-workstation SMB (TCP 445) and RDP (TCP 3389); workstations rarely need to talk to each other, and administrative RDP should come only from a hardened jump host.

4. Patch management

CISA's Known Exploited Vulnerabilities (KEV) catalog is updated continuously as entries are added, not on a weekly schedule; pull its JSON feed or subscribe to the alerts. Patch KEV entries and critical CVEs within 72 hours on internet-facing systems and within 14 days on internal systems. Automate where possible (WSUS, Ansible, Intune), and track exceptions explicitly rather than letting them slip.
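An added example (not code from the article or from CISA) of turning the KEV feed and the SLAs above into a prioritised work list. The JSON excerpt follows the field names of the public KEV feed (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse), but its dates are constructed, and the asset inventory is a made-up stand-in for whatever your CMDB or vulnerability scanner exports. The deadline for each finding is the earlier of our own SLA and CISA's published due date.

```python
"""Triage assets against CISA's Known Exploited Vulnerabilities feed using the
article's 72-hour / 14-day SLAs. Added example, not from the article or CISA;
KEV entries and dates below are constructed and the inventory is made up."""
import json
from datetime import date, timedelta

# Constructed excerpt in the shape of CISA's known_exploited_vulnerabilities.json
KEV_SNIPPET = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "dateAdded": "2026-01-05", "dueDate": "2026-01-26", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2017-0144", "vendorProject": "Microsoft", "product": "Windows SMBv1",
         "dateAdded": "2026-01-02", "dueDate": "2026-01-23", "knownRansomwareCampaignUse": "Known"},
    ],
})

ASSETS = [  # constructed inventory: what your CMDB or scanner would export
    {"host": "web-01", "vendor": "Apache", "product": "Log4j2", "internet_facing": True, "patched": []},
    {"host": "app-07", "vendor": "Apache", "product": "Log4j2", "internet_facing": False, "patched": []},
    {"host": "fs-03", "vendor": "Microsoft", "product": "Windows SMBv1", "internet_facing": False,
     "patched": ["CVE-2017-0144"]},
    {"host": "dc-02", "vendor": "Microsoft", "product": "Windows SMBv1", "internet_facing": False, "patched": []},
]

SLA_DAYS = {True: 3, False: 14}   # internet-facing: 72 hours; internal: 14 days


def triage(kev_json: str, assets: list[dict], today: date) -> list[dict]:
    """Match assets to KEV entries, take the earlier of our SLA and CISA's due
    date, and return findings sorted most-overdue first (ransomware-linked CVEs
    break ties)."""
    catalog = json.loads(kev_json)["vulnerabilities"]
    findings = []
    for asset in assets:
        for v in catalog:
            if (v["vendorProject"].lower(), v["product"].lower()) != \
               (asset["vendor"].lower(), asset["product"].lower()):
                continue
            if v["cveID"] in asset["patched"]:
                continue
            added = date.fromisoformat(v["dateAdded"])
            our_deadline = added + timedelta(days=SLA_DAYS[asset["internet_facing"]])
            deadline = min(our_deadline, date.fromisoformat(v["dueDate"]))
            findings.append({
                "host": asset["host"],
                "cve": v["cveID"],
                "internet_facing": asset["internet_facing"],
                "deadline": deadline.isoformat(),
                "days_overdue": (today - deadline).days,   # negative means still within SLA
                "ransomware_use": v.get("knownRansomwareCampaignUse") == "Known",
            })
    findings.sort(key=lambda f: (-f["days_overdue"], not f["ransomware_use"], f["host"]))
    return findings


if __name__ == "__main__":
    for f in triage(KEV_SNIPPET, ASSETS, date(2026, 1, 12)):
        print(f)
```

Matching on vendor and product strings is the fragile part in real life; scanner output with CPEs or package versions gives far better joins than hand-typed inventory names.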

5. Immutable, offline backups (3-2-1-1-0)

The 3-2-1-1-0 rule: 3 copies of the data, on 2 different media, 1 copy offsite, 1 copy offline or immutable (object lock, WORM storage, or physically disconnected), and 0 errors on restore tests. Immutable means that not even the backup service account can delete or overwrite the copy within its retention window, because attackers go after the backup console with stolen admin credentials before they trigger encryption. Test restores monthly, timed, from the immutable copy. Many ransomware-hit companies discover only at that moment that their "backups" don't actually restore.
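The "0 errors" part only means something if a restore is checked against a record made at backup time. As an added example (not code from the article or from any backup product), the script below hashes every file into a manifest when the backup is taken, then verifies a restored tree against it, reporting missing, corrupt and unexpected files. The source files are constructed in a temporary directory so it runs stand-alone; in production the manifest is stored alongside the immutable copy (and ideally signed) so a tampered restore cannot also tamper with the record.

```python
"""Restore verification for the '0' in 3-2-1-1-0: hash every file at backup
time, keep the manifest with the immutable copy, compare after a test restore.
Added example, not from the article or any backup product; files are
constructed in a temp directory so it runs stand-alone."""
import hashlib
import json
import pathlib
import shutil
import tempfile


def sha256_file(path: pathlib.Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: pathlib.Path) -> dict[str, str]:
    """Map each file's relative POSIX-style path to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict[str, str], restored: pathlib.Path) -> dict:
    """Compare a restored tree to the manifest. Missing or corrupt files are
    errors; a restore with errors > 0 fails the test, whatever the backup job said."""
    missing, corrupt, ok = [], [], 0
    for rel, digest in manifest.items():
        p = restored / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != digest:
            corrupt.append(rel)
        else:
            ok += 1
    extra = sorted(set(build_manifest(restored)) - set(manifest))
    return {"ok": ok, "missing": missing, "corrupt": corrupt, "extra": extra,
            "errors": len(missing) + len(corrupt)}


def demo() -> dict:
    """Build a source tree, take a 'backup', then run a clean restore and a damaged one."""
    with tempfile.TemporaryDirectory() as tmp:
        src = pathlib.Path(tmp, "source")
        sample = {  # constructed contents
            "finance/ledger.csv": b"date,amount\n2026-01-02,100\n",
            "hr/payroll.xlsx": b"PK\x03\x04 constructed bytes",
            "it/config.yaml": b"backup: nightly\n",
        }
        for rel, data in sample.items():
            p = src / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        manifest = build_manifest(src)
        # In production this file travels with the immutable copy, not with the live data
        pathlib.Path(tmp, "manifest.json").write_text(json.dumps(manifest, indent=2))

        restored = pathlib.Path(tmp, "restored")
        shutil.copytree(src, restored)
        clean = verify_restore(manifest, restored)

        # Simulate silent corruption of one file and one file the job never captured
        (restored / "finance/ledger.csv").write_bytes(b"date,amount\n2026-01-02,999\n")
        (restored / "hr/payroll.xlsx").unlink()
        damaged = verify_restore(manifest, restored)
        return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A backup job that reports "success" while skipping locked files or writing truncated chunks is exactly the failure the monthly restore test exists to catch; the manifest turns that test from "the restore finished" into "every byte came back".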

6. Privileged access management

Domain admins should be rare, audited, and never used for day-to-day work. Use a tiered admin model (separate accounts and separate workstations for domain, server, and workstation administration) so that a compromised user workstation can never expose domain-level credentials. Just-in-time access via tools such as Microsoft Entra Privileged Identity Management (PIM) removes the standing privileges that attackers love to abuse.

7. Security awareness training

Quarterly phishing simulations measurably reduce click rates over time. KnowBe4, Hoxhunt, and Microsoft's attack simulation training all offer free trials. The goal isn't to shame employees; it's to build the reflex to report, and a fast, easy reporting channel does more for you than a low click rate.

Quick comparison: free vs paid endpoint tools

Tool                    | Type                                                    | Free tier                                    | Best for
Microsoft Defender      | Antivirus built into Windows; EDR via Defender for Endpoint | Antivirus yes; EDR needs a Defender for Endpoint licence | Small Windows shops
Bitdefender GravityZone | EDR + EPP                                               | Trial                                        | SMB / mid-market
CrowdStrike Falcon      | EDR / XDR                                               | Trial                                        | Enterprise
Wazuh                   | Open-source SIEM / XDR (agent + manager)                | Fully free                                   | Teams able to run and tune it themselves

Incident response in the first 60 minutes

  1. Isolate — disconnect infected machines from the network, preferably with your EDR's host-isolation feature so the console keeps its telemetry. Don't power off: you lose volatile memory evidence, and a half-encrypted disk may not be recoverable.
  2. Identify scope — which accounts, which servers, which data, and whether the domain controllers or the backup server are affected.
  3. Preserve logs — copy firewall, VPN, EDR, and Windows event logs to storage the attacker cannot reach, and record hashes of what you copied.
  4. Notify — your legal team, your cyber-insurance carrier (many policies require notification before you engage responders), and regulators where applicable.
  5. Do not pay yet — payment guarantees neither a working decryptor nor the deletion of stolen data, and it funds the next attack. Decide with counsel and your carrier, not under the countdown timer.

FAQ

Is paying the ransom illegal?

Not generally in the US, but paying a group or individual on OFAC's sanctions list can create liability for the payer, and OFAC treats such violations as strict liability regardless of intent. Members and affiliates of several ransomware operations (including Conti/TrickBot and LockBit) have been designated. Always consult counsel, and if a negotiation firm is involved, insist on a documented sanctions screen before any payment.

How often should we run tabletop exercises?

At least twice a year, with IT, legal, communications, and one executive in the room.

Does cyber-insurance cover ransomware?

Most policies do, but premiums and exclusions have tightened sharply. Carriers now require MFA, EDR, and tested backups as preconditions.

Conclusion

Ransomware defense isn’t one product — it’s an assembly of small, boring, well-maintained controls. The organizations that recover fastest are the ones that practiced. If you’d like a free 30-minute assessment of your current posture, get in touch.
