Ransomware Defence
Breaking the Attack Chain
Ransomware isn’t a "jump scare"; it is a slow build. It often begins weeks before encryption with a single unauthorised login. Effective defence isn't just about anti-malware; it’s about stopping attackers from gaining traction. As Microsoft notes, "Attackers are no longer breaking in; they are logging in."
If encryption begins, your options are limited. Law enforcement and the NCSC advise against paying ransoms, as there is no guarantee of data recovery. The goal is to disrupt the sequence—access, escalation, and lateral movement—before the damage is done.
The 5-Step Ransomware Defence Plan
1. Phishing-Resistant Sign-Ins
Most incidents start with stolen credentials. "Phishing-resistant" MFA (such as security keys or biometrics) cannot be easily bypassed by fake login pages.
- Action: Enforce strong MFA on all accounts, prioritising admins.
- Action: Disable "legacy authentication" (old protocols that bypass MFA).
- Action: Use Conditional Access to require extra verification for unusual locations or devices.
2. Least Privilege & Separation
If a single login is compromised, it shouldn't grant control over the entire business.
- Action: Ensure admin accounts are separate from everyday user accounts (don't check email on an admin account).
- Action: Eliminate shared logins and over-privileged "Everyone" groups.
- Action: Follow the NIST principle: grant only the minimum access needed for the task.
3. Close Known Holes
Attackers exploit unpatched or outdated software. This step removes "easy wins."
- Action: Patch critical vulnerabilities immediately, prioritising internet-facing systems.
- Action: Include third-party apps (like browsers or PDF readers) in your patching schedule, not just Windows.
4. Early Detection
Identify warning signs—like unusual data movement—before encryption spreads.
- Action: Use endpoint monitoring to flag suspicious behaviour.
- Action: Define clear escalation rules so your team knows which alerts require an immediate shutdown.
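The checks in steps 1 and 4 can be turned into enforced defaults by triaging sign-in logs automatically. The following is an added example, not code from the original page: it runs over a constructed, simplified set of sign-in records (the field names `user`, `admin`, `mfa`, `protocol` and `country` are assumptions, not a real product schema) and flags legacy-protocol sign-ins, admin sign-ins without MFA, and first-seen locations, mapping each finding to an escalation action.

```python
from collections import defaultdict

# Protocol names are placeholders for the "legacy authentication" the page says to disable
LEGACY_PROTOCOLS = {"imap", "pop3", "smtp-basic", "activesync-basic"}

# Escalation rule: which finding types need immediate action vs. analyst review
ESCALATION = {
    "legacy_auth": "immediate",
    "admin_without_mfa": "immediate",
    "new_location": "review",
}

# Constructed sample records, assumed to be in chronological order
SAMPLE_SIGNINS = [
    {"user": "alice", "admin": False, "mfa": True,  "protocol": "modern", "country": "GB"},
    {"user": "alice", "admin": False, "mfa": True,  "protocol": "modern", "country": "GB"},
    {"user": "alice", "admin": False, "mfa": False, "protocol": "imap",   "country": "GB"},
    {"user": "bob",   "admin": True,  "mfa": False, "protocol": "modern", "country": "GB"},
    {"user": "carol", "admin": False, "mfa": True,  "protocol": "modern", "country": "GB"},
    {"user": "carol", "admin": False, "mfa": True,  "protocol": "modern", "country": "XX"},
]


def triage_signins(records):
    """Return one finding per rule hit, each tagged with its escalation action."""
    seen_countries = defaultdict(set)  # per-user location baseline built as we go
    findings = []
    for i, r in enumerate(records):
        reasons = []
        if r["protocol"] in LEGACY_PROTOCOLS:
            reasons.append("legacy_auth")
        if r["admin"] and not r["mfa"]:
            reasons.append("admin_without_mfa")
        # A location is "new" only once the user already has a baseline; the first
        # sign-in seeds the baseline rather than raising a finding
        if seen_countries[r["user"]] and r["country"] not in seen_countries[r["user"]]:
            reasons.append("new_location")
        seen_countries[r["user"]].add(r["country"])
        for reason in reasons:
            findings.append({"index": i, "user": r["user"],
                             "reason": reason, "action": ESCALATION[reason]})
    return findings


def users_needing_immediate_action(findings):
    """Distinct users whose findings require immediate response under the escalation rule."""
    return sorted({f["user"] for f in findings if f["action"] == "immediate"})


if __name__ == "__main__":
    for f in triage_signins(SAMPLE_SIGNINS):
        print(f)
```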
5. Secure, Tested Backups
- Action: Keep at least one backup copy offline or isolated from the main network.
- Action: Run regular "restore drills" to confirm that backups actually restore when needed.
- Action: Define recovery priorities (e.g., payroll first, archives second) before a crisis hits.
From Crisis to Control
Ransomware succeeds in reactive, improvised environments. By turning these fundamentals into enforced defaults, you shift ransomware from a company-ending crisis to a manageable, contained incident. Does your current backup strategy include an "offline" copy? We can help you audit your recovery sequence to ensure you're protected.