The Culprit
Ransomware is predicted to hit someone every 2 seconds by 2031. When it happens, you’re looking at 3+ weeks of downtime and millions in recovery costs. Here’s what actually works to prevent it, based on environments where people have successfully fought these attacks.
Windows Environment
Get endpoint protection that isn’t garbage
Most antivirus is useless against modern ransomware. You need behavioral detection, not signature matching. CrowdStrike and SentinelOne catch things traditional AV misses. Set up Sysmon properly; use the SwiftOnSecurity config, not the default settings that log everything and nothing useful.
Train people not to click stupid stuff
Your accounting department will open that “urgent invoice” attachment. Accept this reality and drill them regularly. Run phishing tests monthly, not annually. When someone fails, retrain them immediately, not six months later during their performance review.
Treat Active Directory like crown jewels
AD compromise means game over. Most organizations hand out domain admin rights like candy. Stop doing that. Use tiered administration. Your desktop support guy doesn’t need domain admin to reset passwords. Audit your AD regularly because I guarantee you have service accounts from 2015 that nobody remembers.
Make backups they can’t delete
Online backups are worthless if ransomware can encrypt them too. Your backups need to be offline or immutable. Test restoration monthly. Half the organizations I’ve seen had corrupted backups they never knew about. Can you rebuild your domain controller from scratch? If not, fix that now.
Segment your network like it matters
Most networks are flat. One infected laptop can reach your file servers, domain controllers, and coffee machine. Block SMB and RDP between network segments unless there’s a business reason. Your marketing team doesn’t need direct access to payroll servers.
Force MFA everywhere that counts
Stolen passwords are how they get in. MFA stops most credential-based attacks cold. Yes, users will complain. They’ll complain more when they can’t work for three weeks because someone’s password was “Password123.”
Patch the stuff that matters first
You can’t patch everything immediately. Focus on internet-facing services and known ransomware targets. That Exchange server from 2019? That’s getting exploited. That WordPress site IT forgot about? That too.
Watch for the warning signs
PowerShell execution at 3 AM is suspicious. Mass file modifications are suspicious. Someone disabling antivirus is really suspicious. Set up alerts for these things and actually respond to them. Half the ransomware attacks I’ve investigated had warning signs that nobody noticed.
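To make those alerts concrete, here is an added Python example (not code from the original post) that runs the three checks just described over a handful of constructed events shaped loosely like Sysmon and Defender telemetry. The host names, user names, the 07:00-19:59 business-hours window and the 20-files-per-minute threshold are all assumptions chosen for the example; tune them to your environment.

```python
"""Toy triage pass over constructed endpoint telemetry (added example).

Checks three warning signs: PowerShell launched outside business hours,
a burst of file modifications by a single process, and real-time
antivirus protection being switched off.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, loosely shaped like Sysmon/Defender output.
# Host names, users and paths are made up for this example.
SAMPLE_EVENTS = [
    {"time": "2024-03-04T03:02:11", "kind": "process", "host": "WS-017",
     "user": "CORP\\jdoe", "pid": 4412,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"time": "2024-03-04T03:02:15", "kind": "config", "host": "WS-017",
     "user": "CORP\\jdoe", "setting": "DisableRealtimeMonitoring", "value": 1},
    {"time": "2024-03-04T10:15:00", "kind": "process", "host": "WS-003",
     "user": "CORP\\asmith", "pid": 900,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"time": "2024-03-04T10:16:00", "kind": "file", "host": "WS-003", "pid": 900,
     "path": "C:\\Users\\asmith\\Documents\\notes.txt"},
]
# Thirty files touched by pid 4412 within ten seconds: the mass-modification pattern.
SAMPLE_EVENTS += [
    {"time": (datetime(2024, 3, 4, 3, 2, 20) + timedelta(seconds=i // 3)).isoformat(),
     "kind": "file", "host": "WS-017", "pid": 4412,
     "path": f"\\\\FS01\\shared\\report{i}.docx.locked"}
    for i in range(30)
]

BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 local time; a threshold chosen for this example
POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")


def off_hours_powershell(events):
    """Process-creation events for PowerShell outside BUSINESS_HOURS."""
    hits = []
    for e in events:
        if e["kind"] != "process":
            continue
        if not e["image"].lower().endswith(POWERSHELL_IMAGES):
            continue
        if datetime.fromisoformat(e["time"]).hour not in BUSINESS_HOURS:
            hits.append(e)
    return hits


def mass_file_modification(events, threshold=20, window=timedelta(seconds=60)):
    """(host, pid) pairs that touched at least `threshold` files inside one sliding window."""
    by_proc = defaultdict(list)
    for e in events:
        if e["kind"] == "file":
            by_proc[(e["host"], e["pid"])].append(datetime.fromisoformat(e["time"]))
    flagged = []
    for key, times in by_proc.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(key)
                break
    return flagged


def av_tampering(events):
    """Configuration events that turn real-time protection off."""
    return [e for e in events
            if e["kind"] == "config"
            and e["setting"] == "DisableRealtimeMonitoring" and e["value"] == 1]


def triage(events):
    """Group all findings by host so a responder sees the whole picture at once."""
    findings = defaultdict(list)
    for e in off_hours_powershell(events):
        findings[e["host"]].append(f"off-hours PowerShell by {e['user']}")
    for host, pid in mass_file_modification(events):
        findings[host].append(f"mass file modification by pid {pid}")
    for e in av_tampering(events):
        findings[e["host"]].append("real-time protection disabled")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_EVENTS).items():
        print(host, "->", "; ".join(reasons))
```

The point of `triage` is correlation: any one of these signals alone generates noise (developers do run PowerShell late), but one host producing all three inside a few seconds is the pattern worth waking someone up for.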
Lock down PowerShell
Ransomware loves PowerShell because it’s installed everywhere and trusted by Windows. Enable Constrained Language Mode and script block logging. Your developers might grumble, but they’ll adapt. Better yet, give developers their own isolated environment and allow these capabilities only where they are actually needed.
Control what can run
Application whitelisting is annoying to set up but incredibly effective. AppLocker can prevent most ransomware from executing if configured properly. Start with a small pilot group; don’t try to roll it out company-wide on day one.
Linux Environment
Secure SSH properly
Weak SSH is how they get into Linux boxes. Disable root login completely. Use SSH keys, not passwords. If you must use passwords, make them actually strong and enable fail2ban to block brute force attempts.
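An added example, not from the original post: a small Python audit of the global section of an sshd_config against the settings above. The sample config is constructed, and the MaxAuthTries ceiling is a threshold picked for the example rather than an OpenSSH default. The parser follows two sshd rules that a plain grep gets wrong: the first occurrence of a keyword wins, and anything after a Match line is conditional.

```python
"""Audit the global section of an sshd_config for recommended settings (added example)."""

# Constructed sample config; not taken from any real host.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed for this example)
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes
PubkeyAuthentication yes
MaxAuthTries 6
# A later duplicate is ignored by sshd: the first value of a keyword wins.
PermitRootLogin no
Match User deploy
    PasswordAuthentication no
"""

# Desired values. Keywords are case-insensitive in sshd_config, so keys are lower-cased.
# The MaxAuthTries ceiling is a threshold chosen for this example, not an OpenSSH default.
DESIRED = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "maxauthtries": {"3", "4"},
}


def parse_global_section(text):
    """Return keyword -> value for the part of the file before the first Match block.

    Only lines whose first non-blank character is '#' are comments, and when a
    keyword appears twice the first occurrence is the one sshd applies.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Keyword value", "Keyword=value" and "Keyword = value".
        parts = line.split(None, 1)
        if len(parts) == 1 and "=" in line:
            parts = line.split("=", 1)
        if len(parts) != 2:
            continue
        key = parts[0].lower()
        value = parts[1].strip().lstrip("=").strip()
        if key == "match":
            break  # everything after this is conditional; audit it separately
        settings.setdefault(key, value)  # first occurrence wins, like sshd
    return settings


def audit(text, desired=DESIRED):
    """List (keyword, actual, allowed) for every desired keyword that is missing or wrong."""
    settings = parse_global_section(text)
    problems = []
    for key, allowed in desired.items():
        actual = settings.get(key, "(not set, sshd default applies)")
        if actual.lower() not in allowed:
            problems.append((key, actual, sorted(allowed)))
    return problems


if __name__ == "__main__":
    for key, actual, allowed in audit(SAMPLE_SSHD_CONFIG):
        print(f"{key}: is {actual!r}, want one of {allowed}")
```

A missing keyword is reported as a problem rather than assumed safe, because the default that applies depends on the OpenSSH version installed; pin the value explicitly.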
Monitor file changes obsessively
Use auditd to watch critical files and directories. Configure AIDE or Tripwire for file integrity monitoring. When ransomware starts encrypting files, you want to know immediately, not when users complain.
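File integrity monitoring and the backup-testing advice (in both the Windows and Linux sections) rest on the same primitive: a manifest of file hashes you can diff. The following Python, added here and not part of the original post, builds such a manifest over a constructed directory tree, shows what an AIDE-style check sees after a simulated encryption run, and then uses the same manifest to catch a restore that came back with a truncated file. The directory contents are made up for the example.

```python
"""Hash manifests for file-integrity monitoring and restore verification (added example)."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Paths added, removed or changed between two manifests."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo():
    """Run both checks against a constructed directory tree in a temp dir.

    Returns (fim_diff, restore_diff): what an integrity check sees after a
    simulated encryption run, and what a restore test sees when one file
    in the restored copy is silently truncated.
    """
    work = Path(tempfile.mkdtemp(prefix="manifest-demo-"))
    try:
        live = work / "live"
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "q1.xlsx").write_bytes(b"quarterly numbers")
        (live / "readme.txt").write_bytes(b"hello")

        # 1. Known-good baseline, and a backup copy taken at the same time.
        baseline = build_manifest(live)
        backup = work / "backup"
        shutil.copytree(live, backup)

        # 2. Simulated ransomware: one file rewritten in place, one replaced by a .locked copy.
        (live / "readme.txt").write_bytes(b"HELLO")
        (live / "finance" / "q1.xlsx").unlink()
        (live / "finance" / "q1.xlsx.locked").write_bytes(b"\x00\xffgarbage")
        fim_diff = diff_manifests(baseline, build_manifest(live))

        # 3. Restore test: copy the backup back, but one file comes back truncated.
        restore = work / "restore"
        shutil.copytree(backup, restore)
        (restore / "finance" / "q1.xlsx").write_bytes(b"")
        restore_diff = diff_manifests(baseline, build_manifest(restore))
        return fim_diff, restore_diff
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    fim, restore = demo()
    print("integrity check:", fim)
    print("restore check:  ", restore)
```

In production the baseline manifest must live somewhere the monitored host cannot overwrite (the same requirement as immutable backups), otherwise an attacker who can encrypt the files can also rewrite the baseline to match.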
Patch like your job depends on it
Unpatched Linux servers are sitting ducks. Apache, Nginx, database software: all prime targets. Set up automated patching for security updates and actually test it in a staging environment first.
Don’t give everyone sudo
Linux admins love sudo access. Resist this. Most users need specific commands, not full sudo rights. Use sudoers properly and audit who has what access.
Lock down network traffic
Default Linux installs are too permissive. Configure iptables or ufw to block everything except what’s actually needed. Your web server doesn’t need to make outbound connections to random IPs.
Deploy proper monitoring
OSSEC or Wazuh can catch a lot of malicious activity if configured correctly. Don’t just install it and forget it. Tune the rules for your environment.
Use mandatory access controls
SELinux and AppArmor are painful to configure but limit damage significantly. Even if ransomware gets in, it can’t do as much harm when properly confined.
Secure your containers
If you’re running Docker or Kubernetes, don’t run containers as root. Use read-only filesystems where possible. Runtime security tools like Falco can spot suspicious container behavior.
Test your backups
Linux backup scripts fail silently more often than you’d think. Actually restore from backup regularly and make sure it works. Document the process so someone else can do it at 2 AM.
Cloud Environment
Fix your IAM mess
Most cloud breaches happen because someone’s IAM permissions are ridiculous. That developer doesn’t need full S3 access; they need access to one specific bucket. Use temporary credentials, not permanent access keys sitting in config files.
Turn on all the logging
CloudTrail, VPC Flow Logs, S3 access logs: enable everything and actually look at it. GuardDuty in AWS and Security Center in Azure will catch obvious stuff, but you need custom alerts for your specific environment.
Backup to different accounts
Ransomware can delete your cloud backups too. Store critical backups in separate AWS accounts with minimal access. Cross-account roles are better than shared access keys.
Network segmentation in the cloud
Security groups and NACLs aren’t firewalls, but they’re what you’ve got. Default deny everything and open only what’s needed. That database server doesn’t need internet access.
Scan your cloud configs constantly
Cloud Security Posture Management tools like Prowler or Scout Suite will find the S3 buckets you left public and the security groups that allow SSH from everywhere. Run these weekly.
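As an added illustration (example code, not from the post and not from Prowler or Scout Suite), here is a Python scan for two of the findings mentioned in this section: IAM statements that allow wildcard actions or resources, and security groups that expose SSH or RDP to the whole internet. The policies and security-group records are constructed to mirror the shape of AWS policy documents and describe-security-groups output; the IDs and bucket name are made up.

```python
"""Scan constructed IAM policies and security groups for two classic findings (added example)."""
import json

# Constructed sample data shaped like IAM policy documents and
# describe-security-groups output. Names and IDs are made up.
SAMPLE_IAM_POLICIES = {
    "dev-s3-full": json.loads("""
        {"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
    """),
    "dev-reports-bucket": json.loads("""
        {"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow",
                        "Action": ["s3:GetObject", "s3:PutObject"],
                        "Resource": "arn:aws:s3:::example-reports-bucket/*"}]}
    """),
}

SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0example1", "GroupName": "bastion",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0example2", "GroupName": "app",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0example3", "GroupName": "legacy-allow-all",
     "IpPermissions": [{"IpProtocol": "-1",
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

ADMIN_PORTS = {22: "ssh", 3389: "rdp"}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def overbroad_statements(policy):
    """Allow statements using wildcard actions or a wildcard resource."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wild_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        wild_resource = "*" in resources
        if wild_actions or wild_resource:
            findings.append({"actions": wild_actions, "resource_wildcard": wild_resource})
    return findings


def world_reachable_admin_ports(groups):
    """(GroupId, [service names]) where SSH or RDP is reachable from anywhere."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
            cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
            if not cidrs & ANYWHERE:
                continue
            if perm.get("IpProtocol") == "-1":  # all protocols, all ports
                exposed = sorted(ADMIN_PORTS.values())
            else:
                lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
                exposed = sorted(name for port, name in ADMIN_PORTS.items() if lo <= port <= hi)
            if exposed:
                findings.append((group["GroupId"], exposed))
    return findings


def scan(policies=SAMPLE_IAM_POLICIES, groups=SAMPLE_SECURITY_GROUPS):
    """Combine both checks into one report keyed by policy name or group id."""
    report = {}
    for name, policy in policies.items():
        hits = overbroad_statements(policy)
        if hits:
            report[name] = hits
    for group_id, exposed in world_reachable_admin_ports(groups):
        report[group_id] = exposed
    return report


if __name__ == "__main__":
    for resource, detail in scan().items():
        print(resource, "->", detail)
```

Two details matter in practice: a rule with `IpProtocol` of `-1` has no port fields at all yet exposes every port, and IPv6 ranges (`::/0`) are easy to forget when people only grep for `0.0.0.0/0`.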
Kubernetes needs special attention
Default Kubernetes is insecure. Configure RBAC properly because not every pod needs cluster-admin. Use Pod Security Standards and network policies. That web app pod shouldn’t be able to talk to your database pods directly.
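This check, added as an example and not part of the original post, covers both the container advice in the Linux section (non-root, read-only filesystem) and the Kubernetes points above: it walks a set of constructed manifests and reports containers that can run as root or escalate privileges, cluster-admin bound to a service account, and namespaces that run pods but have no default-deny NetworkPolicy. The manifests are plain Python dicts of the shape yaml.safe_load would produce; names, images and namespaces are invented.

```python
"""Check Kubernetes manifests for pod security and RBAC settings (added example)."""

# Constructed manifests as Python dicts (what yaml.safe_load would return), so the
# example needs no PyYAML. Names, images and namespaces are made up.
SAMPLE_MANIFESTS = [
    {"apiVersion": "v1", "kind": "Pod",
     "metadata": {"name": "web", "namespace": "shop"},
     "spec": {"containers": [
         {"name": "web", "image": "example/web:1.0",
          "securityContext": {"privileged": True}}]}},
    {"apiVersion": "v1", "kind": "Pod",
     "metadata": {"name": "api", "namespace": "shop"},
     "spec": {"securityContext": {"runAsNonRoot": True},
              "containers": [
                  {"name": "api", "image": "example/api:1.0",
                   "securityContext": {"readOnlyRootFilesystem": True,
                                       "allowPrivilegeEscalation": False}}]}},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
     "metadata": {"name": "default-is-admin"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                 "kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "shop"}]},
    {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
     "metadata": {"name": "default-deny", "namespace": "payments"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    {"apiVersion": "v1", "kind": "Pod",
     "metadata": {"name": "ledger", "namespace": "payments"},
     "spec": {"securityContext": {"runAsNonRoot": True},
              "containers": [{"name": "ledger", "image": "example/ledger:2.0",
                              "securityContext": {"readOnlyRootFilesystem": True,
                                                  "allowPrivilegeEscalation": False}}]}},
]


def pod_findings(pod):
    """Containers that can run as root, write their root filesystem, or escalate."""
    pod_sc = pod["spec"].get("securityContext", {})
    out = []
    for c in pod["spec"].get("containers", []):
        sc = c.get("securityContext", {})
        name = f"{pod['metadata']['namespace']}/{pod['metadata']['name']}/{c['name']}"
        # Container-level settings override pod-level ones; fall back to the pod's value.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            out.append((name, "may run as root (runAsNonRoot not true)"))
        if not sc.get("readOnlyRootFilesystem", False):
            out.append((name, "writable root filesystem"))
        if sc.get("privileged", False):
            out.append((name, "privileged container"))
        if sc.get("allowPrivilegeEscalation", True):
            out.append((name, "allowPrivilegeEscalation not false"))
    return out


def rbac_findings(binding):
    """cluster-admin granted to a service account, i.e. to whatever pods use it."""
    if binding.get("roleRef", {}).get("name") != "cluster-admin":
        return []
    return [(binding["metadata"]["name"],
             f"cluster-admin bound to ServiceAccount {s.get('namespace')}/{s['name']}")
            for s in binding.get("subjects", []) if s.get("kind") == "ServiceAccount"]


def namespaces_without_default_deny(manifests):
    """Namespaces that run pods but have no ingress NetworkPolicy selecting every pod."""
    with_pods = {m["metadata"]["namespace"] for m in manifests if m["kind"] == "Pod"}
    covered = {m["metadata"]["namespace"] for m in manifests
               if m["kind"] == "NetworkPolicy" and m["spec"].get("podSelector") == {}
               and "Ingress" in m["spec"].get("policyTypes", [])}
    return sorted(with_pods - covered)


def scan(manifests=SAMPLE_MANIFESTS):
    """All findings as (subject, description) tuples."""
    findings = []
    for m in manifests:
        if m["kind"] == "Pod":
            findings.extend(pod_findings(m))
        elif m["kind"] in ("RoleBinding", "ClusterRoleBinding"):
            findings.extend(rbac_findings(m))
    for ns in namespaces_without_default_deny(manifests):
        findings.append((ns, "no default-deny NetworkPolicy"))
    return findings


if __name__ == "__main__":
    for subject, detail in scan():
        print(f"{subject}: {detail}")
```

The `payments` namespace passes because an empty `podSelector` matches every pod, which is what turns a NetworkPolicy into a default deny; the `shop` namespace has no such policy, so its web pod can reach anything.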
Encrypt everything properly
Use KMS or Key Vault for encryption keys, not hardcoded keys in your code. The Codefinger attacks happened because someone misused S3 encryption features. Know how your encryption actually works.
Protect your metadata service
Switch to IMDSv2 on EC2 instances. SSRF attacks love to steal credentials from the metadata service. This is an easy fix that stops a common attack vector.
Separate your security stuff
Put security tools, backups, and logging in different accounts with strict access controls. When your main account gets compromised, you want your security infrastructure to survive.
What Actually Matters
Most organizations focus on the wrong things. You don’t need the latest AI-powered security platform. You need basic hygiene done correctly.
The three things that matter most:
- Backups that actually work (test them)
- Network segmentation (one infection shouldn’t spread everywhere)
- Credential security (MFA and least privilege)
Everything else is nice to have. Start with these three and build from there.
Don’t try to implement everything at once. Pick the biggest risk in your environment and fix that first. Usually it’s backups, because that’s your recovery mechanism when everything else fails.