How to Prevent Ransomware Attacks: 20 Best Practices for 2022

The internet is fraught with peril these days, but nothing strikes more fear into users and IT security professionals than the threat of ransomware.

Ransomware attacks can shut down network access or operations, damage your reputation with customers and employees, and invite further attacks as cybercriminals view your organization as susceptible. Just this year, attacks like those waged against Colonial Pipeline and Kaseya show no organization is safe. Even the strongest cybersecurity infrastructures struggle to manage the consequences of a ransomware breach, and there is no easy solution.

The good news is that with good cyber hygiene – including employee training, robust configuration management and security systems in place – organizations can mitigate ransomware vulnerabilities and prepare for the worst-case scenario.

We take a comprehensive look at ransomware, what it is, how to avoid it, and what to do if you become one of its unfortunate victims.

Further reading on ransomware protection and recovery:

What is Ransomware?

Ransomware is malware that covertly breaches a network and executes a cryptographic attack that locks or encrypts valuable files on the network. As a growing attack method, ransomware attacks go farther than just encrypting data and systems today.

Traditionally: Advanced Encryption

Three decades ago the youngest strains of ransomware (e.g., AIDS Trojan) used weak symmetric encryption that a victim could undo with another effort, but today’s asymmetric encryption methods rise to the level of nearly impossible to break.

Using the most advanced encryption standards today, ransomware gangs often deploy AES-256 to encrypt and decrypt an organization’s files. Like other innovations, advancing encryption is a blessing for organizations at large – except when it’s used against them.

Now Including Data Exfiltration and Double Extortion

The success of ransomware has led to its adoption by top cybercriminal gangs globally. Ransomware-as-a-Service (RaaS) is available for sale on the dark web while advanced persistent threats (APT) added ransomware to their malicious toolbox

Today’s ransomware attacks increasingly have the capabilities to exfiltrate network data prior to encryption. So on top of threatening to leave files encrypted, data exfiltration means the malicious actors can also threaten to release the organization’s sensitive data. With a copy of network data, the organization is also at risk of a double-extortion attack as the group could come back asking for more at a later date.

Read more: Top Database Security Solutions for 2021

Am I Vulnerable to Ransomware?

Ransomware, like any malware, breaches networks through traditional attack vectors like:

  • Phishing emails, suspicious links, social engineering, and malicious websites
  • Software and remote desktop protocol (RDP) vulnerabilities

During the coronavirus pandemic, hackers have increasingly targeted vulnerabilities brought on by the pandemic. With an influx of BYOD policies, a shift to remote work, and reliance on remote desktop software, malicious emails jumped 600% in the first few months of the pandemic. Similarly, as organizations move toward hybrid ecosystems, vulnerabilities rooted in cloud storage and systems are coming to light.

Without a comprehensive network segmentation or microsegmentation policy, malicious actors can move laterally within your organization’s network, infect endpoints and servers, and demand a ransom for access to your data.

Malicious Emails and Links

The email attack vector can make ransomware a difficult problem to stop. If the attacker is determined, it is almost impossible to prevent them from finding a way to entice an employee.

Attackers can fool even sophisticated users into clicking on an invoice they are expecting, or a photograph that is ostensibly from someone they know, or a document that appears to have come from their boss. Organizations should prepare for the worst and take all necessary steps to minimize the potential impact.

How Does Ransomware Work?

One of the common ways criminals infect an organization is by sending an email with malicious links or attachments that an employee clicks on unwittingly to initiate an attack. These may be emails sent to millions of potential victims or targeted emails sent to a specific person in a particular organization.

Read more: USAID Email Phishing Campaign Shows Supply Chain Threats Continue

Attackers will inform the victim that their data is encrypted. For access to the decryption key, the victim must make prompt payment, often in cryptocurrency shielding the attacker’s identity (but not the wallet address). Because cryptocurrency often doesn’t hide the wallet address, U.S. DOJ officials were able to recover part of the ransom paid to DarkSide after the Colonial Pipeline ransomware attack.

If not paid within an initial period, usually 48 to 72 hours after, attackers have no shame in increasing the ransom, and often threaten to delete data too. Since organizations cannot expect good faith negotiations, there is no guarantee the attacker supplies the key post-payment.

Because ransomware frequently contains extraction capabilities that can steal critical information like usernames and passwords, stopping ransomware from penetrating the network is serious business. With vulnerabilities rooted in unsuspecting users, the task of preventing these attacks means both staff training and a robust email and network security system that includes a strong backup program so you have a recent copy of your data that you can roll back to.

Also Read: Best Encryption Tools & Software for 2021

What Does Ransomware Look Like?

You know you’re the victim of ransomware if your desktop has an open pane, a readme.txt, or a message that reads:

“Your files have been replaced by these encrypted containers and aren’t accessible; you will lose your files on [enter date] unless you pay $2500 in Bitcoin.”

“!!! IMPORTANT INFORMATION !!! All of your files are encrypted with RSA-2048 and AES-256 ciphers.”

A screenshot showing an example of the ransomware strain WannaCry.
WannaCry Ransomware Example. Provided by UpGuard.
A screenshot showing an example of the ransomware strain GandCrab.
GandCrab Ransomware Example. Provided by UpGuard.

How to Prevent Ransomware

There is a multitude of steps organizations can take to prevent ransomware with varying degrees of effectiveness. Below we outline twenty best practices for actions you can take to reduce your risk of a ransomware attack:

1. Offline Backups

While virtual backups are great, if you’re not storing data backups offline, you’re at risk of losing that data. This means regular backups, multiple copies saved, and monitoring to ensure backups hold true to the original. Restoring data after an attack is often your best approach, making reliable backups key ransomware protection.

2. Staff Awareness

Raising awareness about ransomware is a baseline security measure. But it could only take one employee lowering their guard for an organization to be compromised. As training sessions have little influence over staff for every potential attack, it makes added security more imperative.

3. Spam Filter

Cybercriminals send millions of malicious emails to at-random organizations and users, but an effective spam filter that continually adapts alongside a cloud-based threat intelligence center can prevent more than 99% of these from ever reaching employees’ desktops.

4. Configure Desktop Extensions

Employees should be trained not to double-click on executables (files with a .exe extension). However, Windows hides file extensions by default, allowing a malicious executable such as “evil.doc.exe” to appear to be a Word document called “evil.doc”.  Ensuring that extensions are always displayed can go a long way to countering that kind of threat.

5. Block Executables

Filtering files with a .exe extension from emails can prevent some malicious files from being delivered to employees but bear in mind that this isn’t foolproof. Malicious emails can instruct employees to rename files, and ransomware is also increasingly being delivered as JavaScript files (see below).

6. Block Malicious JavaScript Files

Ransomware being delivered in .zip files containing malicious JavaScript files are common. These are disguised as text files with names like “readme.txt.js”  – and often just visible as “readme.txt”, with a script icon for a text file. You can prevent this vulnerability for staff by disabling Windows Script Host.

7. Restrict Use of Elevated Privilege

Ransomware can only encrypt files that are accessible to a particular user on their system – unless it includes code that can elevate a user’s privileges as part of the attack, which is where patching and zero trust come into play.

8. Promptly Patch Software

It’s a basic security precaution to ensure that all software is updated with the latest security patches, but it’s worth reiterating because breaches continue due to delayed updating. Just in 2020, the SolarWinds hack could’ve been prevented for organizations that promptly patched software.

9. Zero Trust

Moving toward zero trust offers visibility and control over your network, including stopping ransomware. The next three actions: prioritize assets and evaluate traffic, microsegmentation, and adaptive monitoring are central steps of the zero trust architecture and greatly reduce your risks of an attack.

10. Prioritize Assets and Evaluate Traffic

With the use of inventory tools and IOC lists, an organization can identify its most valuable assets or segments. This full picture gives staff a look into how an attacker could infiltrate your network and gives needed visibility into traffic flows. This gives your team clear guidelines as to what segments need added protection or restrictions.

11. Microsegmentation

Microsegmentation is the ultimate solution to stopping lateral movement. By implementing strict policies at the application level, segmentation gateways and NGFWs can prevent ransomware from reaching what’s most important.

12. Adaptive Monitoring and Tagging 

Once your micro-perimeters surround your most sensitive segments, there’s a need for ongoing monitoring and adaptive technology. This includes active tagging of workloads, threat hunting, and virus assessments, and consistent evaluation of traffic for mission-critical applications, data, or services.

13. Utilize a CASB

A cloud access security broker (CASB) can help manage policy enforcement for your organization’s cloud infrastructure. CASBs provide added visibility, compliance, data security, and threat protection in securing your data.

14. Rapid Response Testing

In the event of a successful breach, your team must be ready to restore systems and data recovery. This includes pre-assigning roles and ensuring a digital forensics and incident response plan is in place.

15. Sandbox Testing

A common method for security analysts to test new or unrecognized files is by utilizing a sandbox. Sandboxes provide a safe environment, disconnected from the greater network for testing the file.

16. Update Anti-Ransomware Software

As noted, consistent updating of network software is critical. This is especially true for your existing intrusion detection and prevention system (IDPS), antivirus, and anti-malware.

17. Update Email Gateway

All email for your network typically travels through a secure web gateway (SWG). By actively updating this server, you can monitor email attachments, websites, and files for malware. This visibility into attacks trending for your organization can help inform staff moving forward of what to expect.

18. Block Ads

All devices and browsers should have extensions that automatically block pop-up ads. With the extensive use of the internet, malicious ads pose a long-lasting threat if not blocked.

19. Bring-Your-Own-Device (BYOD) Restrictions

If you have a remote work staff or just a loose policy surrounding devices acceptable for network access, it might be time to crackdown. Unregulated use of new or unique devices poses an unnecessary risk to your network. Enterprise mobility management (EMM) is one solution.

20. Forensic Analysis

After any detection of ransomware, there needs to be an investigation into its entry point, time in the environment, and confirm that it’s been fully removed from all network devices. From there, the task of ensuring it never returns begins.

Ransomware Attacks and Costs

In the last decade, we’ve seen ransomware attacks increase exponentially. Here are just a few of the most recent stats and facts that underline the severity of ransomware as a threat.

Ransomware Statistics

  • Ransomware attacks increased by 130% in 2020 (Beazley Group)
  • Almost 40% of victims pay the ransom (Malwarebytes)
  • Only 38% of state and local government employees are trained for ransomware prevention, and only 29% of small businesses have experience with ransomware (IBM)
  • Though decryption tools don’t always work properly, criminals reportedly fail to decrypt data after payment only 1% of the time (Sophos)
  • Enterprise ransomware accounts for 81% of total infections, and by market segment, 62% are small to medium-sized businesses (Symantec)

Ransomware Facts

  • Healthcare and financial services are the most attacked industries
  • Losses for business averaged $2,500 per incident, and ransom demands average $13,000 (Comparitech)
  • The FBI estimates ransom payments per year exceed $1 billion (Datto)
  • Others go further in estimating ransomware will cost as much as $6 trillion per year starting in 2021 (Cybersecurity Ventures)
  • Ransomware is particularly threatening to MSPs, as any downtime often leads to a loss in clients (NinjaOne)

Ransomware Types

Locker ransomware, a malware designed to lock users out of the network entirely, is also an example of malware that can lead an organization to pay a ransom for returned access. Though the predominant technique remains crypto ransomware wherein hackers encrypt the data, both prevent normal business under threat.

Ransomware Gangs and Malware Strains

Through the years, we’ve seen several strains of ransomware make headlines: CryptoLocker in 2013, Locky in 2016, WannaCry and Hermes in 2017, GandCrab and Ryuk in 2018, and now REvil, Maze, and others join the malicious gang of strains in 2021.

These advanced strains of ransomware increasingly use sophisticated tactics that prolong their presence and potential damage to the victim.

A screenshot of the ransomware strain Ryuk.
Ryuk Ransomware Example. Provided by UpGuard.

Ryuk Ransomware

Like Samas and BitPaymer ransomware, Ryuk targets large organizations with high ransom demands. But what distinguishes Ryuk’s deadliness is its military-grade levels of encryption, ability to delete shadow copies on the endpoint, and encrypt network drives and resources. Without external backups or rollback technology, recovery is impossible.

A screenshot of the ransomware strain REvil.
REvil Ransomware Example. Provided by Secureworks.

REvil (Ransomware-Evil)

Earlier this year, REvil, a Russian-speaking gang targeting larger enterprises with high ransom requests, successfully attacked meat processing company JBS Foods and IT managed service provider Kaseya. Using the ransomware payload dubbed Sodinokibi, REvil infiltrates the network, wipes out all files in backup folders, and encrypts network systems before demanding ransom.

Anti-Ransomware Solutions

In the battle against ransom-based malware, there is an industry of vendor solutions attempting to fill the gap. Available software can play a critical role in supplementing your existing security infrastructure, but it is only one piece of the puzzle.

Below we dive into the features to look for in solutions and note some of the current industry vendors.


Today, anti-ransomware tools play a vital role in any network. These solutions include next-generation firewalls (NGFWs), email gateway security software, data loss prevention (DLP), and endpoint security and antivirus software. When considering vendors, here are some critical capabilities and features that your anti-ransomware software should provide:

Capability Description
Block malicious web pages Before users visit websites, your software needs to be able to unmask URLs and note risk/reputation ratings and preview the target page. Known malicious sites can then be blocked.
Block ransomware files Cloud-based threat intelligence software can now block known malicious files. Unknown files can be intercepted and uploaded to the cloud to be sandboxed and analyzed, and then given a threat rating or blocked.
Prevent suspicious activity Antivirus endpoint software blocks identifiable malicious files, but products also increasingly offer adaptive analysis to identify and stop unrecognized files. Because most ransomware uses a system’s own encryption DLLs, this capability can block or pause calls to these DLLs by untrusted applications.
Monitor for mass modifications File integrity monitoring capabilities can detect changes to system files and the registry. This can be used to block applications that attempt to create or modify large numbers of files or change their names.
Detect anomalous behavior DLP systems can create dummy files that should never be accessed or backed up. If these files are accessed, they can trigger an alarm that a possible ransomware attack is taking place.
Backup and disaster recovery Backups are critical to restoring data and network segments in the event of a disaster. Providers continue to offer more reliable and efficient backup solutions to ensure data immutability and availability across the hybrid infrastructure.


Many security vendors offer products covering everything from email and network security to intrusion detection and prevention systems (IDPS) and threat intelligence tools. While several anti-ransomware vendors are consumer-facing, here is a partial list of vendors and products for IT buyers to evaluate:

While the above vendors offer pre-attack protection tools, more and more vendors are looking for rapid response capabilities. For example, Connecticut-based Coveware offers free remediation options, threat actor negotiations, ransom settlement, and promises to restore data and end downtime sooner.

Also Read: Top Threat Intelligence Platforms for 2021

How to Respond to Ransomware

If you’re already a victim of ransomware, you probably came to this section first. Once past the immediate problem, organizations need to consider the steps and tools to prevent a recurrence. Fool me once, as they say. Here are some steps that might help if you are a ransomware victim:

Backups Are Critical

The primary way an organization recovers after being hit by ransomware is by restoring systems from backups. However, restoring all systems can take days, and changes since the last backup before the attack will be lost. Investigate to know when your data was tampered with so you can make sure you restore from an unaffected backup instance.

Read more: Preparing for Ransomware: Are Backups Enough?

Version Restores Can Work

It may be possible to restore files on individual systems using a built-in file versioning service in some cases. This approach keeps the version history of all files on a drive and makes it possible to “go back in time” to restore them to their unencrypted state. With newer ransomware variants enabled to block this capability, it has lost some of its luster.

Decryption Tools for Weak Ransomware Attacks

In some ransomware variants, the encryption process isn’t competently implemented, providing an opportunity for recovering data. If there is a flaw in how the encryption key is generated, you could potentially derive the decryption key from a file’s timestamp. Security vendors and government agencies actively release decryption tools that automatically generate the keys and decrypt files for breakable ransomware.

Also Read: Anti-Ransomware Decryption Toolkit Grows

Paying the Ransom

The elephant in the room during any discussion about ransomware is whether an organization may face the least disruption and financial loss by giving in to the criminals’ demands and paying the ransom. In some cases, it may seem like the only option to prevent a company from going out of business. And after all, 99% of all ransomware payments result in the needed decryption key and recovery of all data.

It’s a decision that can only be made by organizations on a case-by-case basis, but keep in mind:

  1. Paying criminals emboldens their actions, making future attacks more likely.
  2. There is no guarantee paying the ransom will lead to all (or indeed any) files decrypted, and a return to normalcy.
  3. The restoration can also cause headaches with slow decryption tools or a partial restoration that recovers damaged data.

Wrapping Up: Prepared for Ransomware

If you’re the victim of ransomware, you’ve hopefully taken steps to end your nightmare and prevent future attacks. For those who’ve yet to have their data kidnapped for ransom, there’s undoubtedly more you or your business can be doing to manage the threat.

As ransomware threats grow, cyber insurance remains a prospective solution for some willing to pay ongoing premiums. High-integrity data backups and a healthy security posture may be your first line of defense, but having an insurance policy to help minimize the damage is excellent secondary protection. Keep in mind, amidst a year of cyber attacks, premiums are on the rise and some cyber insurers are pulling back their services.

We strongly encourage you to note any preventative steps mentioned that your organization isn’t currently doing. Make a plan to beef up your defenses against ransomware.

Sam Ingalls
Sam Ingalls
Sam Ingalls is an award-winning writer and researcher covering enterprise technology, cybersecurity, data centers, and IT trends, for eSecurity Planet, Tech Republic, ServerWatch, Webopedia, and Channel Insider.

Top Products

Related articles