Ransomware Prevention: The Controls That Work
There is no magic box that stops ransomware. Prevention works the way the attack does: in stages. Each control you put in place removes a step the attacker depends on, and enough of them in sequence break the chain before encryption ever happens.
The good news is that the controls are not exotic. They are the fundamentals, applied consistently, with the gaps closed.
The controls that work
| Control | Stage it breaks | How |
|---|---|---|
| Phishing and email defenses | Initial access | Email protection plus training to spot phishing, the most common way attackers get in. |
| Phishing-resistant MFA | Initial access | An extra verification step that substantially reduces unauthorized access from stolen credentials. |
| Patching and vulnerability management | Initial access | Continuously scan and remediate high-risk vulnerabilities before they become entry points. |
| Least privilege | Privilege escalation | Restrict users to only the access they need, limiting what a compromised account can reach. |
| Network segmentation | Lateral movement | Segment workloads and allow only required communication, so a breach in one zone cannot reach everything. |
| Endpoint protection and EDR | Foothold and lateral movement | Behavioral analytics block malicious behavior and lateral movement in real time. |
| Restrict exposed RDP and remote access | Initial access | Exposed, poorly secured RDP is a primary entry point; reduce and harden remote exposure. |
| Tested offline backups | Recovery | Immutable, offline backups following the 3-2-1-1-0 rule let you restore without paying. |
The most useful way to think about prevention is to map each control to the stage of the attack it disrupts. A control that does not break a stage is decoration.
See it in action: breaking the chain
No single control stops ransomware. Each one removes a stage the attacker depends on. The scenarios below are illustrative.

Scenario: stolen password
Without controls:
- The password alone gets the attacker in.
- From there they reach a flat network and escalate freely.
With controls:
- Phishing-resistant MFA blocks the login despite the stolen password.
- Least privilege: even if they get in, the account can reach very little.
- Network segmentation stops lateral movement.

Scenario: malicious attachment
Without controls:
- The loader runs and calls home.
- There is nothing to detect the behavior or stop the spread.
With controls:
- Email protection strips most malicious attachments first.
- EDR behavioral analytics block the malicious process in real time.
- Immutable offline backups mean recovery without paying.
Where to start
You cannot do everything at once, so order matters. Close the front door first, then shrink the blast radius, then protect your ability to recover.
Insight: Attackers now hunt your backups and delete them before they encrypt. A backup that is reachable from the network is not a recovery plan, it is another target. Offline and immutable is the difference between restoring and paying.
- Prevention works in layers; each control breaks a stage of the attack chain.
- Close the front door with phishing-resistant MFA, email defenses, and patching.
- Shrink the blast radius with least privilege and network segmentation.
- Run EDR with all prevention policies enabled, not partially.
- Keep tested, immutable, offline backups so you can recover without paying.
Frequently asked questions
What is the single best control against ransomware?
There is no single one. Prevention works in layers: each control removes a stage the attacker depends on. Phishing-resistant MFA, patching, least privilege, segmentation, EDR, and tested offline backups together break the chain.
Why is MFA so important for ransomware?
Stolen credentials are a primary way in. Multi-factor authentication adds a verification step that substantially reduces unauthorized access, and phishing-resistant MFA is harder still to defeat.
Do backups prevent ransomware?
Backups do not prevent the attack, but tested, immutable, offline backups let you recover without paying. Attackers now hunt and delete backups, so they must be isolated from the network.
Why enable all EDR prevention policies?
Partial activation does not give proportional protection. If a critical prevention policy is left off, the environment can still be fully exposed even with the rest enabled.