28 Ransomware Defense Actions for Windows, Linux & Cloud
Ransomware is projected to hit a target every 2 seconds by 2031. When it lands, you are staring at weeks of downtime and recovery costs that run into the millions. These 28 actions are what actually moves the needle, grounded in CIS Controls v8.1, MITRE ATT&CK, and NIST 800-53, not vendor brochures.
Data verified: June 8, 2026 · Framework IDs validated against source data
Action 1: Run behavior-based EDR, not signature AV
Signature antivirus does not stop modern ransomware. You need behavioral detection that flags the encryption behavior itself, not a hash it has seen before. Tools like CrowdStrike Falcon or SentinelOne catch what traditional AV misses. Pair it with Sysmon using the SwiftOnSecurity config so you log what matters instead of everything and nothing.
Action 2: Drill phishing monthly, retrain on the spot
Someone in accounting will open the urgent invoice. That is not a character flaw, it is a base rate. Phishing is still a top ransomware entry vector in the Verizon DBIR year after year. Run simulations monthly, not once a year, and retrain a failed click the same week instead of at the annual review.
Action 3: Treat Active Directory like the crown jewels
AD compromise is game over, because it hands an attacker the keys to every machine at once. Most shops hand out Domain Admin like candy. Use tiered administration so desktop support can reset a password without owning the forest. Audit the directory for the service accounts from 2015 that nobody remembers but everybody trusts.
Action 4: Make backups they cannot delete
Online backups are worthless if the ransomware encrypts them too. Inhibiting recovery is a named ATT&CK technique because attackers go after your backups on purpose. Keep at least one copy offline or immutable, isolated from the production domain. Test a real restore monthly, because a backup you have never restored is a hope, not a plan.
Action 5: Segment the network like it matters
Most networks are flat, so one infected laptop can reach file servers, domain controllers, and the coffee machine. That flatness is what turns one workstation into an enterprise outage. Block SMB and RDP between segments unless there is a real business reason. Marketing does not need a direct route to the payroll servers.
Action 6: Force MFA everywhere that counts
Stolen and reused passwords are how attackers walk in the front door. MFA stops most credential-based attacks cold, which is why it sits across three separate CIS safeguards. Yes, users complain. They complain a lot more during the three weeks they cannot work because one password was Password123.
Action 7: Patch what is exposed first
You cannot patch everything at once, so triage by exposure. Exploiting a public-facing application is a top initial-access technique, so internet-facing services go first. The 2019 Exchange box is getting hit. So is the WordPress install IT forgot it owned.
Action 8: Alert on the warning signs, then actually respond
PowerShell firing at 3am is suspicious. Mass file modification is suspicious. Someone disabling the AV is very suspicious. CISA's #StopRansomware guidance calls out exactly these precursors. Set the alerts and staff the response, because an alert nobody answers is just an expensive log entry.
Action 9: Lock down PowerShell
Ransomware loves PowerShell because it ships with Windows and Windows trusts it. Turn on Constrained Language Mode and script block logging so you can both limit and see what runs. Developers will grumble. Give the ones who genuinely need it an isolated environment instead of leaving the capability open everywhere.
Action 10: Control what is allowed to run
Application allowlisting is a pain to set up and brutally effective once it is. AppLocker or WDAC blocks most ransomware from executing at all when configured properly. Start with a pilot group and a small allowlist. Do not try to flip it on company-wide the first afternoon.
Action 11: Secure SSH properly
Weak SSH is the front door on Linux. Disable root login outright, use keys instead of passwords, and put fail2ban in front of brute-force attempts. External remote services and brute force are both standard ATT&CK entry techniques, and SSH is where they meet on Linux.
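The brute-force side of this action, as an added example that is not code from the page or from fail2ban: a sliding-window counter over OpenSSH auth log lines that bans a source after five failures in ten minutes, and separately reports any successful password login, since under a keys-only policy that means PasswordAuthentication is still switched on somewhere. The log lines, the host name, the year and the 203.0.113.0/24 addresses are constructed for this example.

```python
"""SSH brute-force detection over auth log lines (fail2ban-style).

Added example, not code from the page or from fail2ban. It assumes the
standard OpenSSH log format shown in SAMPLE_LOG; every line there is
constructed, with addresses from the 203.0.113.0/24 documentation range.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$")
ACCEPTED_PW_RE = re.compile(
    r"sshd\[\d+\]: Accepted password for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$")

MAX_FAILURES = 5                    # failures allowed ...
FIND_TIME = timedelta(minutes=10)   # ... inside this window before the source is banned
LOG_YEAR = 2026                     # syslog timestamps carry no year; assumed here

SAMPLE_LOG = """\
Jun  8 02:14:01 web01 sshd[1182]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
Jun  8 02:14:03 web01 sshd[1184]: Failed password for invalid user admin from 203.0.113.9 port 51236 ssh2
Jun  8 02:14:05 web01 sshd[1186]: Failed password for root from 203.0.113.9 port 51240 ssh2
Jun  8 02:14:06 web01 sshd[1188]: Failed password for root from 203.0.113.9 port 51242 ssh2
Jun  8 02:14:09 web01 sshd[1190]: Failed password for invalid user oracle from 203.0.113.9 port 51250 ssh2
Jun  8 02:14:12 web01 sshd[1192]: Failed password for invalid user test from 203.0.113.9 port 51251 ssh2
Jun  8 02:20:44 web01 sshd[1301]: Failed password for deploy from 203.0.113.77 port 40112 ssh2
Jun  8 02:21:02 web01 sshd[1305]: Accepted publickey for deploy from 203.0.113.77 port 40118 ssh2: ED25519 SHA256:constructedfingerprint
Jun  8 09:30:15 web01 sshd[2210]: Accepted password for alice from 203.0.113.200 port 53002 ssh2
"""


def _stamp(m):
    """Turn the syslog month/day/time fields into a datetime."""
    return datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {LOG_YEAR}", "%b %d %H:%M:%S %Y")


def analyze(log_text):
    """Return {'banned': {ip: time the burst began}, 'password_logins': [(user, ip)]}."""
    failures = defaultdict(deque)   # ip -> failure timestamps inside the current window
    banned = {}
    password_logins = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ip, ts = m["ip"], _stamp(m)
            window = failures[ip]
            window.append(ts)
            while ts - window[0] > FIND_TIME:   # slide the window forward
                window.popleft()
            if len(window) >= MAX_FAILURES and ip not in banned:
                banned[ip] = window[0]
            continue
        m = ACCEPTED_PW_RE.search(line)
        if m:
            # Keys-only policy: a successful *password* login means password auth is still enabled.
            password_logins.append((m["user"], m["ip"]))
    return {"banned": banned, "password_logins": password_logins}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The single failure from 203.0.113.77 followed by a key login is the normal "fat-fingered, then used the key" pattern and stays below the threshold; the six failures in eleven seconds from 203.0.113.9 cross it on the fifth attempt.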
Action 12: Watch file changes obsessively
Use auditd to watch critical paths and AIDE or Tripwire for integrity monitoring. When encryption starts, you want the alert in seconds, not a help-desk ticket an hour later. File integrity monitoring is your early tripwire for the impact stage.
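The three precursors named under Action 8 (off-hours PowerShell, mass file modification, AV being switched off) and the seconds-not-hours file-change alerting asked for here come down to the same detection logic. The following is an added example, not code from the page or from any EDR or FIM product: it assumes the Sysmon or auditd telemetry has already been normalized into events with the keys ts, host, kind, proc and path (that schema is an assumption), and every event in the sample feed is constructed.

```python
"""Ransomware precursor detection over a normalized event feed.

Added example, not code from the page. It assumes the Windows (Sysmon) or
Linux (auditd) telemetry has already been normalized into dicts with the
keys ts/host/kind/proc/path; that schema and all sample events are
constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

OFF_HOURS = range(0, 6)                 # 00:00-05:59: interactive PowerShell here is unusual
POWERSHELL = {"powershell.exe", "pwsh.exe", "pwsh"}
BURST_WINDOW = timedelta(seconds=10)    # mass-modification window
BURST_THRESHOLD = 50                    # modified files per process inside the window

_base = datetime(2026, 6, 8, 3, 12, 5)

# Constructed sample feed: one off-hours PowerShell launch, a Defender
# tamper event, and 60 file writes in nine seconds by the same process.
SAMPLE_EVENTS = [
    {"ts": "2026-06-08T03:12:04", "host": "ws-17", "kind": "process",
     "proc": "powershell.exe", "path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"ts": "2026-06-08T03:12:30", "host": "ws-17", "kind": "av_disabled",
     "proc": "powershell.exe", "path": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    # Benign daytime activity that must not alert.
    {"ts": "2026-06-08T10:02:11", "host": "ws-04", "kind": "process",
     "proc": "powershell.exe", "path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"ts": "2026-06-08T10:05:40", "host": "ws-04", "kind": "file_modify",
     "proc": "EXCEL.EXE", "path": "\\\\fs01\\finance\\q2\\forecast.xlsx"},
] + [
    {"ts": (_base + timedelta(milliseconds=150 * i)).isoformat(), "host": "ws-17",
     "kind": "file_modify", "proc": "powershell.exe",
     "path": f"\\\\fs01\\finance\\q2\\report{i:02d}.xlsx.locked"}
    for i in range(60)
]


def detect(events):
    """Return a list of (rule, host, process, detail) alerts."""
    alerts = []
    recent = defaultdict(deque)   # (host, proc) -> timestamps of recent file writes
    burst_flagged = set()         # alert once per (host, proc), not once per file
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["host"], ev["proc"])
        if ev["kind"] == "process":
            if ev["proc"].lower() in POWERSHELL and ts.hour in OFF_HOURS:
                alerts.append(("offhours_powershell", ev["host"], ev["proc"], ev["ts"]))
        elif ev["kind"] == "av_disabled":
            # Any attempt to switch off endpoint protection is an alert on its own.
            alerts.append(("av_tamper", ev["host"], ev["proc"], ev["path"]))
        elif ev["kind"] == "file_modify":
            window = recent[key]
            window.append(ts)
            while ts - window[0] > BURST_WINDOW:   # slide the window forward
                window.popleft()
            if len(window) >= BURST_THRESHOLD and key not in burst_flagged:
                burst_flagged.add(key)
                alerts.append(("mass_file_modification", ev["host"], ev["proc"],
                               f"{len(window)} files in {BURST_WINDOW.seconds}s, last: {ev['path']}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The burst rule fires once per host and process when the sliding window fills, so the on-call engineer gets one alert at the 50th write rather than one per file; the thresholds are the knobs to tune against your own baseline (a build server legitimately rewrites thousands of files in seconds).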
Action 13: Patch like the job depends on it
Unpatched Linux servers running Apache, Nginx, or a database are sitting ducks for public-facing exploits. Automate security updates and test them in staging before they hit production. The goal is fast and boring, not heroic.
Action 14: Stop handing out sudo
Linux admins love full sudo, and that is exactly the problem. Most users need a specific command set, not unrestricted root. Scope the sudoers file and audit who holds what, because every standing privilege is a path an attacker can borrow.
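The "audit who holds what" step, as an added example that is not code from the page: a small sudoers parser that expands Cmnd_Alias and User_Alias entries, records per principal whether they can run ALL as root and whether NOPASSWD applies, and lists the standing-root holders worst case first. It covers the common subset of the sudoers grammar only (no host aliases, includes or line continuations), and the sample file and account names are constructed.

```python
"""Audit a sudoers file for standing root and NOPASSWD grants.

Added example, not code from the page. It handles the common subset of the
sudoers grammar (comments, Defaults, Cmnd_Alias/User_Alias, user and %group
specs with an optional runas and NOPASSWD tag); the SAMPLE_SUDOERS text is
constructed for this example.
"""
import re

ALIAS_RE = re.compile(r"^(User_Alias|Cmnd_Alias|Host_Alias|Runas_Alias)\s+(\w+)\s*=\s*(.+)$")
SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:(?:NO)?(?:PASSWD|EXEC|SETENV):\s*)*)(?P<cmds>.+)$")

SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults    env_reset, use_pty
Cmnd_Alias  WEBSVC = /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx
User_Alias  OPS = carol, dave

root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL:ALL) ALL
bob     ALL=(ALL) NOPASSWD: ALL
alice   ALL=(ALL) ALL
deploy  ALL=(root) NOPASSWD: WEBSVC
OPS     ALL=(root) /usr/bin/journalctl, /usr/sbin/reboot
"""


def _split(csv):
    return [c.strip() for c in csv.split(",") if c.strip()]


def audit(text):
    """Return {principal: {'full_root': bool, 'nopasswd': bool, 'commands': [...]}}."""
    user_aliases, cmnd_aliases = {}, {}
    report = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        m = ALIAS_RE.match(line)
        if m:
            kind, name, members = m.groups()
            if kind == "User_Alias":
                user_aliases[name] = _split(members)
            elif kind == "Cmnd_Alias":
                cmnd_aliases[name] = _split(members)
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        commands = []
        for cmd in _split(m["cmds"]):
            commands.extend(cmnd_aliases.get(cmd, [cmd]))   # expand Cmnd_Alias references
        entry = {
            "full_root": "ALL" in commands,
            "nopasswd": "NOPASSWD:" in m["tags"],
            "commands": commands,
        }
        # A User_Alias spec grants to each member; record each by name.
        for principal in user_aliases.get(m["who"], [m["who"]]):
            report[principal] = entry
    return report


def standing_root(report):
    """Principals that can run anything as root, NOPASSWD holders first."""
    holders = [p for p, e in report.items() if e["full_root"]]
    return sorted(holders, key=lambda p: (not report[p]["nopasswd"], p))


if __name__ == "__main__":
    r = audit(SAMPLE_SUDOERS)
    for principal in standing_root(r):
        print(f"{principal}: full root, NOPASSWD={r[principal]['nopasswd']}")
```

On the sample, bob (passwordless root) tops the list, followed by the %wheel group, alice and root; deploy and the OPS members show up as scoped because their command lists resolve to specific binaries. Running this against a real file is a useful first pass, but the authoritative view of effective privileges is still `sudo -l -U <user>`, which applies the full grammar.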
Action 15: Lock down network traffic both ways
Default Linux installs are too trusting. Configure iptables or ufw to block everything except what the box actually needs, and do not forget egress. A web server with no reason to call random external IPs is also a web server that cannot quietly exfiltrate your data.
Action 16: Deploy monitoring you actually tune
OSSEC or Wazuh catch a lot of malicious activity when the rules fit your environment. Installing and forgetting is the common failure. Tune the rules, route the alerts somewhere a human looks, and revisit them as the environment drifts.
Action 17: Use mandatory access controls
SELinux and AppArmor are annoying to configure, but they limit the blast radius when something gets in. Confined processes cannot reach everything, so even a foothold does less damage. Enforcing, not permissive, is the setting that matters.
Action 18: Secure your containers
Running Docker or Kubernetes workloads as root is asking for an escape to the host. Run non-root, use read-only filesystems where you can, and add a runtime tool like Falco to spot suspicious container behavior. Escape to host is a real ATT&CK technique, not a theoretical one.
Action 19: Test your backups (they fail silently)
Linux backup scripts fail quietly more often than anyone wants to admit. Restore from backup on a schedule and confirm it actually works. Document the steps so someone other than you can run them at 2am during the incident.
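The monthly restore test asked for under Action 4 and the "confirm it actually works" step here are the same procedure: record file hashes when the backup is taken, restore into a scratch directory, and compare. The following is an added example, not code from the page or from any backup product; it uses only the standard library, stands in a plain tar.gz writer for whatever job the environment really runs, and works on a constructed set of files so it runs offline. The second scenario reproduces the failure mode the text warns about: the job exits cleanly but has quietly skipped a file.

```python
"""Scripted restore test: back up, restore to a scratch directory, verify hashes.

Added example, not code from the page. It uses only the standard library and
works on a constructed set of files; the backup job being tested is a simple
tar.gz writer, standing in for whatever tool the environment actually runs.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_tree(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def make_backup(src: Path, archive: Path, skip=()):
    """Write src into a tar.gz. `skip` simulates a job that silently drops files."""
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file() and p.name not in skip:
                tar.add(p, arcname=str(p.relative_to(src)))


def verify_restore(archive: Path, expected: dict, dest: Path) -> dict:
    """Restore into dest and compare against the manifest taken at backup time."""
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")   # refuse traversal/devices (Python >= 3.12)
        except TypeError:                          # older interpreters lack the filter argument
            tar.extractall(dest)
    actual = sha256_tree(dest)
    missing = sorted(set(expected) - set(actual))
    corrupt = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    extra = sorted(set(actual) - set(expected))
    return {"ok": not (missing or corrupt or extra),
            "missing": missing, "corrupt": corrupt, "extra": extra}


def demo():
    """Run a good restore and a silently-broken one; return both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        src = work / "data"
        (src / "db").mkdir(parents=True)
        (src / "db" / "ledger.db").write_bytes(b"ledger-v2\n" * 1000)
        (src / "config.yaml").write_text("retention: 30d\n")
        (src / "notes.txt").write_text("restore test fixture\n")
        manifest = sha256_tree(src)          # record hashes when the backup is taken

        good = work / "good.tar.gz"
        make_backup(src, good)
        ok_report = verify_restore(good, manifest, work / "restore-good")

        # The failure mode from the text: the job ran, exited 0, and quietly skipped a file.
        broken = work / "broken.tar.gz"
        make_backup(src, broken, skip={"ledger.db"})
        bad_report = verify_restore(broken, manifest, work / "restore-broken")
        return ok_report, bad_report


if __name__ == "__main__":
    good, bad = demo()
    print("good restore:", good)
    print("broken restore:", bad)
```

The manifest is the part worth keeping: store it with the backup (or better, somewhere the backup job cannot write), and the scheduled restore test has an independent record to check against rather than trusting the archive's own contents.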
Action 20: Fix the IAM mess
Most cloud incidents trace back to absurd IAM permissions. The developer who needs one bucket has full S3. Scope permissions to the specific resource and use temporary credentials instead of permanent access keys living in a config file. Valid accounts and unsecured credentials are the cloud attacker's bread and butter.
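The "full S3 for one bucket" problem, as an added example that is not code from the page or from any AWS tool: a small analyzer that walks the Statement list of an IAM policy document, flags wildcard actions, mutating actions on Resource "*", and any grant that covers the calls which remove your ability to recover (bucket deletion, versioning and lifecycle changes), then runs the same check over the scoped policy the developer should have had. Both policy documents and the recovery-critical watch-list are constructed for this example; the bucket name is a placeholder.

```python
"""Flag over-broad IAM policy statements and show the scoped alternative.

Added example, not code from the page or from any AWS tool. Both policy
documents are constructed; the analysis uses the standard IAM policy JSON
shape (Statement/Effect/Action/Resource).
"""
import fnmatch
import json

# Actions that, in an attacker's hands, remove the recovery path rather than
# just expose data (constructed watch-list; extend for your own services).
RECOVERY_CRITICAL = [
    "s3:DeleteBucket", "s3:PutBucketVersioning", "s3:PutLifecycleConfiguration",
    "s3:DeleteObjectVersion", "backup:DeleteBackupVault", "ec2:DeleteSnapshot",
]

BROAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:DescribeInstances"], "Resource": "*"}
  ]
}""")

SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::app-uploads-prod/*"},
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::app-uploads-prod"},
    {"Effect": "Allow", "Action": ["ec2:DescribeInstances"], "Resource": "*"}
  ]
}""")

# Read-only actions legitimately need Resource "*"; do not flag those.
READ_ONLY_PREFIXES = ("describe", "list", "get")


def _aslist(v):
    return v if isinstance(v, list) else [v]


def _covers(pattern, action):
    """IAM action matching is case-insensitive and supports * wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def analyze(policy):
    """Return a list of (statement_index, severity, message) findings."""
    findings = []
    for i, stmt in enumerate(_aslist(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((i, "high", "NotAction/NotResource grants everything not listed"))
        actions = _aslist(stmt.get("Action", []))
        resources = _aslist(stmt.get("Resource", []))
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append((i, "high", f"wildcard action {a}"))
            hits = [c for c in RECOVERY_CRITICAL if _covers(a, c)]
            if hits:
                findings.append((i, "high", f"{a} covers recovery-critical {', '.join(hits)}"))
        mutating = [a for a in actions
                    if not a.split(":")[-1].lower().startswith(READ_ONLY_PREFIXES)]
        if "*" in resources and mutating:
            findings.append((i, "medium", f"mutating actions {mutating} on Resource *"))
    return findings


if __name__ == "__main__":
    for name, pol in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, analyze(pol))
```

Note the split in the scoped policy: object actions go on the `bucket/*` ARN and `s3:ListBucket` on the bucket ARN itself, which is the distinction people most often get wrong when they first try to narrow a policy and then give up and go back to `s3:*`.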
Action 21: Turn on all the logging and read it
Enable CloudTrail, VPC Flow Logs, and storage access logs, then actually look at them. GuardDuty and Microsoft Defender for Cloud catch the obvious stuff, but the alerts that matter are the custom ones for your environment. Logging you never read is just storage cost.
Action 22: Back up to a separate account
Ransomware deletes cloud backups too when it can reach them. Store critical backups in a separate account with minimal cross-account access and immutability turned on. Cross-account roles beat shared access keys every time.
Action 23: Segment in the cloud too
Security groups and NACLs are not full firewalls, but they are the controls you have. Default-deny and open only what is needed. A database that does not need internet access should not have a route to it, full stop.
Action 24: Scan your cloud config constantly
CSPM tools like Prowler or ScoutSuite find the public S3 bucket and the security group that allows SSH from the entire internet. Misconfiguration is how a lot of cloud exposure starts. Run the scans weekly and fix what they surface.
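The security-group check that Actions 23 and 24 both point at ("SSH from the entire internet", default-deny), as an added example that is not code from the page or from Prowler/ScoutSuite. It takes input in the shape EC2 DescribeSecurityGroups returns (SecurityGroups, IpPermissions, IpRanges/Ipv6Ranges/UserIdGroupPairs), grades world-open rules by what they expose, and leaves alone a database group that only admits traffic from the web tier's group. The group ids, names and rules are constructed.

```python
"""Audit security group ingress rules for world-open admin ports.

Added example, not code from the page or from Prowler/ScoutSuite. The input
mirrors the shape returned by EC2 DescribeSecurityGroups (SecurityGroups ->
IpPermissions -> IpRanges/Ipv6Ranges/UserIdGroupPairs); the groups below are
constructed.
"""

ADMIN_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-HTTPS"}
WORLD = {"0.0.0.0/0", "::/0"}

SAMPLE_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d4e5f6a7b8", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0b2c3d4e5f6a7b8c9", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0c3d4e5f6a7b8c9d0", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0b2c3d4e5f6a7b8c9"}]},   # only from the web tier
    ]},
    {"GroupId": "sg-0d4e5f6a7b8c9d0e1", "GroupName": "legacy-all-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []},
    ]},
]}


def _world_sources(perm):
    """CIDRs in this rule that mean 'the whole internet'."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
            [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD]


def audit(groups):
    """Return a list of (severity, group_id, group_name, message) findings."""
    findings = []
    for sg in groups["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            sources = _world_sources(perm)
            if not sources:
                continue   # scoped to a CIDR or to another security group: fine
            if perm["IpProtocol"] == "-1":
                findings.append(("critical", sg["GroupId"], sg["GroupName"],
                                 "all protocols and ports open to the internet"))
                continue
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            exposed_admin = [n for p, n in ADMIN_PORTS.items() if lo <= p <= hi]
            if exposed_admin:
                findings.append(("high", sg["GroupId"], sg["GroupName"],
                                 f"{'/'.join(exposed_admin)} ({lo}-{hi}/{perm['IpProtocol']}) open to {sources}"))
            else:
                findings.append(("info", sg["GroupId"], sg["GroupName"],
                                 f"{lo}-{hi}/{perm['IpProtocol']} open to the internet (expected for public services)"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_GROUPS):
        print(f)
```

The "info" grade for 443 on the web group is deliberate: a weekly scan that screams about every public HTTPS listener trains people to ignore it, and the finding that matters is the bastion with port 22 open to everyone and the legacy group with everything open.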
Action 25: Kubernetes needs its own attention
Default Kubernetes is permissive. Configure RBAC so not every pod is cluster-admin, apply Pod Security Standards, and use network policies so the web pod cannot chat directly with the database pods. Container escape and malicious internal images are the techniques these settings blunt.
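The non-root, read-only, no-escape settings from Action 18 and the Pod Security Standards mentioned here can be checked per pod before anything reaches the cluster. The following is an added example, not code from the page or from any Kubernetes project: it takes a pod object in the shape `kubectl get pod -o json` returns and reports the settings that make escape to the host easy (privileged, host namespaces, root, writable root filesystem, retained capabilities). Both pod specs and the registry names are constructed.

```python
"""Check pod specs for the settings that make container escape easy.

Added example, not code from the page or from any Kubernetes project. Input
is the pod object as `kubectl get pod -o json` would return it; both sample
pods are constructed.
"""

RISKY_POD = {
    "metadata": {"name": "legacy-worker", "namespace": "batch"},
    "spec": {
        "hostPID": True,
        "containers": [{
            "name": "worker", "image": "registry.internal/batch/worker:latest",
            "securityContext": {"privileged": True},
        }],
    },
}

HARDENED_POD = {
    "metadata": {"name": "api", "namespace": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "api", "image": "registry.internal/web/api@sha256:" + "0" * 64,
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}


def check_pod(pod):
    """Return a list of (severity, location, message) findings; empty means hardened."""
    findings = []
    spec = pod["spec"]
    name = f"{pod['metadata']['namespace']}/{pod['metadata']['name']}"
    pod_sc = spec.get("securityContext", {})
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(("high", name, f"{flag} shares a host namespace"))
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        loc = f"{name}:{c['name']}"
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(("critical", loc, "privileged container is root on the node"))
        # Either level may declare non-root; the container-level value wins when both exist.
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(("high", loc, "runAsNonRoot not set"))
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(("medium", loc, "allowPrivilegeEscalation defaults to true"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(("medium", loc, "writable root filesystem"))
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(("low", loc, "does not drop all capabilities"))
    return findings


if __name__ == "__main__":
    for pod in (RISKY_POD, HARDENED_POD):
        print(pod["metadata"]["name"], check_pod(pod))
```

These are the same properties the "restricted" Pod Security Standard enforces at admission; running the check in CI on the rendered manifests catches the legacy worker before the cluster has to reject it.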
Action 26: Encrypt with managed keys you understand
Use KMS or Key Vault for keys, not hardcoded keys in your repo. In January 2025 the Codefinger group abused AWS S3 server-side encryption with customer-provided keys (SSE-C) to lock victims' data using AWS's own tooling, with no AWS vulnerability involved, only stolen credentials. Know how your encryption works and tightly scope who can call it.
Source: Halcyon: Ransomware encrypting S3 buckets with SSE-C (Jan 2025)
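The "custom alerts for your environment" from Action 21 and the SSE-C abuse described here meet in CloudTrail: the signal is a burst of object writes with customer-provided keys from one access key, usually alongside calls that take away the rollback path. The following is an added example, not code from the page, from Halcyon or from AWS. It assumes CloudTrail's record layout (eventTime, eventSource, eventName, userIdentity, requestParameters, additionalEventData) and that the SSEApplied field reads "SSE_C" for customer-provided-key writes; that field value, the recovery-inhibiting watch-list, the bucket names, the account id and the access key ids are constructed placeholders.

```python
"""Custom CloudTrail detections: SSE-C object writes and recovery-inhibiting calls.

Added example, not code from the page or from Halcyon/AWS. Records follow the
CloudTrail JSON layout (eventTime, eventSource, eventName, userIdentity,
requestParameters, additionalEventData). The SSEApplied field is assumed
to carry "SSE_C" for customer-provided-key writes; every record below is
constructed and the account id/key ids are placeholders.
"""
from collections import Counter

# API calls that remove the ability to roll back (constructed watch-list).
INHIBIT_RECOVERY = {
    "PutBucketVersioning", "PutBucketLifecycle", "PutBucketLifecycleConfiguration",
    "DeleteBucketLifecycle", "DeleteBackupVault", "DeleteSnapshot", "DeleteRecoveryPoint",
}
SSEC_BURST = 5   # SSE-C object writes from one key to one bucket before we alert


def _record(time, name, key_id, params=None, extra=None, source="s3.amazonaws.com"):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"type": "IAMUser", "accessKeyId": key_id,
                             "arn": "arn:aws:iam::111122223333:user/ci-deployer"},
            "sourceIPAddress": "203.0.113.50",
            "requestParameters": params or {}, "additionalEventData": extra or {}}


SAMPLE_RECORDS = [
    _record("2026-06-08T01:02:00Z", "PutObject", "ACCESSKEY-PLACEHOLDER-1",
            {"bucketName": "finance-archive", "key": f"2024/statement-{i}.pdf"},
            {"SSEApplied": "SSE_C"})
    for i in range(8)
] + [
    _record("2026-06-08T01:03:10Z", "PutBucketVersioning", "ACCESSKEY-PLACEHOLDER-1",
            {"bucketName": "finance-archive", "VersioningConfiguration": {"Status": "Suspended"}}),
    _record("2026-06-08T01:04:00Z", "PutBucketLifecycle", "ACCESSKEY-PLACEHOLDER-1",
            {"bucketName": "finance-archive"}),
    # Normal traffic: a KMS-encrypted write from the application's own key.
    _record("2026-06-08T09:15:00Z", "PutObject", "ACCESSKEY-PLACEHOLDER-2",
            {"bucketName": "app-uploads-prod", "key": "img/1.png"}, {"SSEApplied": "SSE_KMS"}),
]


def detect(records):
    """Return a list of (rule, access_key, bucket, detail) alerts in event order."""
    alerts = []
    ssec_counts = Counter()
    for r in sorted(records, key=lambda x: x["eventTime"]):
        key_id = r["userIdentity"].get("accessKeyId", "?")
        params = r.get("requestParameters", {})
        bucket = params.get("bucketName", "?")
        if r["eventName"] in ("PutObject", "CopyObject") and \
                r.get("additionalEventData", {}).get("SSEApplied") == "SSE_C":
            ssec_counts[(key_id, bucket)] += 1
            if ssec_counts[(key_id, bucket)] == SSEC_BURST:   # alert once, at the threshold
                alerts.append(("ssec_encryption_burst", key_id, bucket,
                               f"{SSEC_BURST}+ objects written with customer-provided keys"))
        if r["eventName"] in INHIBIT_RECOVERY:
            status = params.get("VersioningConfiguration", {}).get("Status", "")
            if r["eventName"] == "PutBucketVersioning" and status != "Suspended":
                continue   # enabling versioning is fine; suspending it is the signal
            alerts.append(("inhibit_recovery", key_id, bucket, r["eventName"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS):
        print(alert)
```

Because the detection keys on the access key rather than the IAM user, a single leaked long-lived key shows up on its own even when the same user also has legitimate sessions; the fix that stops this class of incident outright is a bucket policy that denies PutObject unless the encryption header names your KMS key, so SSE-C writes fail instead of merely being logged.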
Action 27: Protect the metadata service
Switch EC2 instances to IMDSv2. SSRF attacks love stealing credentials from the instance metadata service, and the cloud instance metadata API is a named ATT&CK credential-access technique. This is a small change that closes a common path.
Action 28: Separate security, backup, and logging accounts
Put security tooling, backups, and logs in different accounts with strict access. When the main account gets popped, you want the infrastructure that helps you recover to be out of reach. Isolation is what keeps inhibit-recovery from finishing the job.
If you only do three things
Most shops chase the wrong upgrades. You do not need the newest AI-labeled platform. You need the basics done right, in this order.
- Backups that actually restore. Offline or immutable, isolated, tested monthly. This is your recovery mechanism when everything else fails. (Actions 4, 19, 22)
- Network segmentation. One infection should not reach the whole estate. (Actions 5, 15, 23)
- Credential security. MFA plus least privilege closes the front door. (Actions 3, 6, 20)
Pick the biggest gap in your environment and fix that first. Usually it is backups, because that is what saves you when the rest does not.