Ransomware Prevention Best Practices

Feb 8, 2023 | Automation, Specops



Ransomware is a form of malicious software designed to block access to a computer system and its data until a ransom is paid, usually in cryptocurrency. The ransomware makes data unusable by encrypting everything it can reach, which usually brings a company’s operations to a halt. Ransomware operators promise to return the compromised data once the ransom is paid, but more often than not they take the money and never return it. There are many ways ransomware can infect a network, but the most common points of entry are less sophisticated than one might expect: ransomware attacks commonly begin with something as simple as cracking a weak password, exploiting an unpatched security vulnerability, or sending a phishing email.

The good news is that these attacks can be prevented with the right tools and the right mindset, as you will see in these five best practices for ransomware prevention. While there is no panacea for avoiding ransomware attacks, the most effective plan lies in a combination of best practices and reliable security solutions.




1. Hacking Humans


Ransomware attacks usually start small and the weakest link is a negligent workforce. Ransomware operators craft simple phishing emails designed to trick employees into clicking on a malicious link or opening an infected attachment. No matter how robust your security systems are, a workforce not trained to recognize the signs of social engineering schemes will keep the door open for ransomware. Regularly drill your employees in social engineering tests, enforce good password policies, and use multi-factor authentication.

Something as preventable as a weak password is too often the starting point of a crippling ransomware attack. Organizations using Specops Password Auditor stay one step ahead of ransomware attacks by scanning Active Directory for weak or compromised passwords. Combined with Specops Password Policy, organizations can set password policies and enforce compliance, finding weak passwords before cybercriminals do.


2. 3-2-1-1 Backup Plan


Avoiding ransomware in the first place is ideal, but not everything will go according to plan. You can get your systems up and running without delay if you keep a secure backup of your most important data—or better yet, four of them.

A new addition to the classic 3-2-1 backup rule, the 3-2-1-1 principle advises keeping four separate copies of your data: two stored locally in different formats, one stored offline, and one saved in an immutable format. Unlike encrypted data, which can be unlocked with a key, immutable data cannot be altered once written. Distributing your recovery strategy across four separate backups removes the temptation to pay the ransom or to hire external professionals to rebuild your systems.


3. Zero Trust


The evolving threat landscape has driven the development of the zero-trust security model. The basic principle of zero trust is to treat every user, device, and request in your network as if it originates from an untrusted external source. In other words: never trust, always verify. Zero trust architecture involves a wide range of best practices, but it has its foundation in two key principles: least privilege and de-perimeterization.

Least privilege involves granting users only the access they need for their work rather than granting permissions based on the implicit trust inherited from the organization. Implicit-trust architectures succumb more easily to malicious insiders and hijacked corporate accounts, as in the case of a successful phishing campaign. De-perimeterization addresses the fact that remote work and remote applications have distributed the boundaries of a company beyond its physical walls. Simply being on-site is no longer a sign of an employee’s implicit trustworthiness, so to repeat: never trust, always verify.


4. Update Your Systems


Along with social engineering tactics, outdated and vulnerable systems are the most common attack vectors for ransomware. Update your applications and operating systems as soon as new patches become available, and retire any legacy technology you may have on your network. Legacy software and hardware were designed to deal with different threats than modern ones, as ransomware operators know well. To take a famous example, the WannaCry attack owed its success to the 200,000 compromised machines running the 30-year-old SMB v1 protocol, which it reached with the help of the EternalBlue exploit.
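The SMB v1 point above is one a defender can check directly. The following is an added example (not code from the original post or from Specops) that audits whether a Windows host still offers SMBv1 and, when asked, disables it; it assumes an elevated PowerShell session on a Windows client edition with the SmbShare and DISM modules available, and the function name Test-Smb1Exposure is a hypothetical one chosen here.

```powershell
# Added example, not part of the original post.
# Audit SMBv1 exposure on the local host; -Remediate turns it off.
# Assumes an elevated session on Windows 8/10/11 (client editions).
# Server editions should instead remove the FS-SMB1 role feature.
function Test-Smb1Exposure {
    [CmdletBinding()]
    param(
        [switch]$Remediate
    )

    # Server side: is this host willing to speak SMBv1 to clients?
    $serverCfg  = Get-SmbServerConfiguration
    $serverSmb1 = [bool]$serverCfg.EnableSMB1Protocol

    # Component side: is the optional SMB1Protocol feature installed at all?
    # Absent on some SKUs, so tolerate a lookup failure.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
        -ErrorAction SilentlyContinue
    $featureEnabled = ($null -ne $feature) -and ($feature.State -eq 'Enabled')

    $result = [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Smb1ServerEnabled  = $serverSmb1
        Smb1FeatureEnabled = $featureEnabled
        Exposed            = ($serverSmb1 -or $featureEnabled)
        Remediated         = $false
    }

    if ($result.Exposed -and $Remediate) {
        # Stop offering SMBv1 right away; this setting needs no reboot.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        # Remove the component so it cannot be switched back on by accident
        # (a reboot may be required for this part to take effect).
        if ($featureEnabled) {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
                -NoRestart | Out-Null
        }
        $result.Remediated = $true
    }

    return $result
}

# Audit only; re-run with -Remediate once the result has been reviewed.
Test-Smb1Exposure
```

Run the audit across a fleet by wrapping the call in Invoke-Command and collecting the returned objects; any host with Exposed equal to True is a candidate for the -Remediate pass.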


5. Network Segmentation


Ransomware can only do so much damage if it lands in an isolated part of the network. This is the principle of network segmentation, the practice of dividing a computer network into many sub-networks with limited connectivity between them. Use firewalls to maintain a barrier between each part of the network, and closely monitor the traffic flowing between them. Network segmentation is especially crucial for organizations in regulated industries, where data regulations like HIPAA and PCI-DSS must be strictly adhered to.

In summary, here are five best practices to consider when fortifying your information systems.


  • Regularly train your workforce to recognize the signs of a social engineering attack.
  • Store at least four backups: two locally-stored copies in different formats, one offline copy, and one immutable copy.
  • Never trust, always verify.
  • Apply the latest security patches as soon as they become available.
  • Limit the spread of ransomware by separating your network into segmented sub-networks.