How to Beat Ransomware
How Can Your Business Prevent an Attack and Recover Without Paying a Ransom?
Ransomware is one of the most disruptive cyber threats a business can face.
An attack can prevent employees from accessing computers, servers, emails, documents and essential business applications. Modern ransomware attacks may also involve criminals stealing information and threatening to publish or sell it unless the organisation pays.
This means ransomware is no longer only about recovering encrypted files.
A business may also need to investigate:
- Which systems were accessed
- Whether customer information was stolen
- Which user accounts were compromised
- Whether the attacker still has access
- Whether backups are safe
- Whether customers or regulators must be informed
- How operations will continue during recovery
There is no single product that can guarantee your business will never experience ransomware.
The best way to beat ransomware is to use several layers of protection, detect suspicious activity quickly and maintain recovery systems that the attacker cannot destroy.
The National Cyber Security Centre recommends this defence-in-depth approach because it creates several opportunities to identify and stop malicious activity before it causes serious harm.
What is ransomware?
Ransomware is malicious software used to prevent an organisation from accessing its systems or information.
The attacker may encrypt files, lock computers or disrupt important services. They then demand payment, normally in cryptocurrency, in exchange for a promised decryption key or restoration of access.
However, many ransomware attacks now involve more than encryption.
Before locking systems, the criminals may spend days or weeks inside the network. During that time, they may:
- Steal confidential information
- Search emails and documents
- Identify backup systems
- Obtain administrator access
- Disable security tools
- Create additional accounts
- Move between computers and servers
- Delete or damage backups
The attacker may then threaten to publish the stolen information even if the business can recover its systems without a decryption key. The NCSC warns that payment does not guarantee stolen data will actually be deleted and that criminals may sell it or threaten the victim again later.
How does ransomware enter a business?
Ransomware attacks can begin in several ways.
Common routes include:
- Phishing emails
- Malicious attachments
- Stolen Microsoft 365 passwords
- Exposed remote-access services
- Unpatched firewalls or VPN equipment
- Compromised suppliers
- Weak administrator passwords
- Malicious website downloads
- Unmanaged personal devices
- Infected USB sticks
- Remote Desktop services exposed to the internet
An employee opening one malicious attachment does not always immediately result in every file being encrypted.
The attacker may first establish access, steal credentials and search for more valuable systems. This can make the incident difficult to identify until the ransomware is finally activated.
The NCSC specifically warns that attackers increasingly use exposed remote-access services and unpatched remote-access devices to enter organisations.
Can antivirus stop ransomware?
Modern antivirus and endpoint detection software are important parts of ransomware protection.
They can identify known malware, suspicious processes, unusual scripts and behaviour commonly associated with an attack.
However, antivirus should not be the only protection.
An attacker may use legitimate administration tools, stolen passwords or built-in Windows features rather than relying entirely on a traditional malicious file.
Antivirus may also be ineffective if:
- It has been disabled
- The device has stopped reporting
- Security intelligence is out of date
- Large folders have been excluded
- Nobody is monitoring the alerts
- The attacker has obtained administrator access
- The product has not been configured correctly
Microsoft Defender for Endpoint combines antivirus with endpoint detection, investigation and response capabilities. Microsoft states that its next-generation protection and attack-surface-reduction features are designed to help prevent, detect and respond to threats such as ransomware, but the relevant protection settings still need to be configured.
Antivirus is an important layer, but it cannot replace secure accounts, updates, backups, monitoring and incident planning.
1. Maintain ransomware-resistant backups
Working backups are one of the most important protections against ransomware.
If your business can restore its information and systems from a safe recovery point, it is less dependent on an attacker’s promised decryption key.
However, simply having a backup job is not enough.
Ransomware attackers frequently search for backups before encrypting the main systems. If they can access the backup platform, they may delete recovery points, shorten retention periods or encrypt the backup data.
A ransomware-resistant backup strategy should include:
- More than one copy of important information
- Separate storage locations
- Offline or isolated recovery copies
- Multifactor authentication for backup administrators
- Separate backup administration accounts
- Protection against immediate deletion
- Sufficient retention to recover from an earlier date
- Monitoring of failed jobs and destructive changes
- Regular recovery testing
- Malware checks before restoration
The NCSC advises organisations to keep backups separate from their normal network, avoid leaving removable backup devices permanently connected and maintain multiple copies using different solutions or locations.
Use separate backup credentials
The account used to administer your normal network should not automatically control the backup system.
If an attacker compromises a powerful administrator account, separate backup credentials can make it more difficult for them to destroy the organisation’s recovery options.
The NCSC recommends isolated backup credentials, least-privilege access and MFA for requests that alter or destroy backup data.
Use immutable or protected recovery points
An immutable backup cannot be changed or deleted during a defined retention period.
Other systems use soft deletion or delayed deletion, allowing administrators to recover information after an accidental or malicious removal request.
These controls provide valuable protection, but alerts must still be monitored. A delayed deletion feature is less useful if nobody notices the warning until the recovery period has expired.
Test the backups
A successful backup notification proves that a job completed. It does not necessarily prove that the business can restore an entire system.
Recovery tests should confirm:
- The data is readable
- The required applications are included
- Administrator credentials are available
- Recovery instructions are accurate
- The backup is free from malware
- The recovery can meet the business’s required timescale
- Employees can access the restored systems
A backup that has never been tested is only an assumption.
2. Protect every important account with MFA
Passwords can be stolen through phishing, malware, password reuse and data breaches.
Multifactor authentication, normally shortened to MFA, requires an additional verification step before access is granted.
This might involve:
- Microsoft Authenticator
- A hardware security key
- A passkey
- A certificate
- A trusted device
MFA should be applied to:
- Microsoft 365
- Remote-access systems
- VPN accounts
- Backup administration
- Cloud services
- Firewall management
- Remote monitoring platforms
- Administrator accounts
- Financial applications
CISA’s ransomware guidance recommends requiring MFA, particularly for webmail, VPNs and accounts that access critical systems.
Where possible, businesses should use phishing-resistant authentication rather than relying only on text-message codes or simple approval notifications.
Employees must also be trained not to approve an unexpected authentication request. Repeated MFA prompts may be evidence that somebody already knows the user’s password.
3. Keep computers, servers and network equipment updated
Ransomware groups frequently exploit known vulnerabilities.
The manufacturer may already have released a security update, but the attacker can still succeed if the organisation has not installed it.
Updates should cover more than Windows computers.
A complete patch-management process should include:
- Windows and macOS devices
- Servers
- Microsoft applications
- Third-party software
- Firewalls
- VPN appliances
- Backup systems
- Routers and switches
- Website platforms
- Remote-access tools
- Mobile devices
- Firmware
Internet-facing systems should receive particular attention because attackers can attempt to reach them directly.
CISA recommends regularly updating operating systems, applications and firmware, while prioritising vulnerabilities known to be actively exploited.
The business should be able to identify:
- Which devices are missing updates
- Which systems are no longer supported
- Why an update has failed
- Which applications require testing
- Who is responsible for resolving exceptions
- How quickly critical updates must be installed
Repeatedly postponing updates creates a growing window of opportunity for attackers.
4. Remove unnecessary administrator access
Employees should not normally have permanent local administrator access simply because it makes software installation easier.
If an employee with administrator permissions opens a malicious file, the malware may receive greater control over the computer.
Administrator accounts can potentially be used to:
- Disable security protection
- Install software
- Create new users
- Access other profiles
- Extract credentials
- Change system settings
- Move between devices
Use the principle of least privilege.
Employees should receive only the access needed to complete their work. Administrative tasks should be carried out through separate, protected accounts.
Microsoft Intune Endpoint Privilege Management can also allow approved applications to run with elevated permissions without giving the employee unrestricted administrator control.
You should regularly review:
- Local administrators
- Microsoft 365 administrators
- Server administrators
- Backup administrators
- Firewall administrators
- External supplier accounts
- Service accounts
- Accounts belonging to former employees
An administrator account that is no longer required should be removed rather than kept available in case it is useful later.
5. Strengthen email and web protection
Many ransomware attacks begin with a convincing email.
The message may contain:
- A malicious attachment
- A link to a fake Microsoft login page
- A fraudulent invoice
- A password-protected ZIP file
- A request to enable macros
- A link to download software
- An impersonation of a senior employee or supplier
Email security should scan attachments, check links and identify impersonation attempts before the message reaches the employee.
Web protection can also block access to known malicious or newly created websites.
The NCSC recommends a combination of mail filtering, file-type controls, content inspection, malicious-site blocking and safe-browsing protections to reduce the chance of malware reaching devices.
Technology will not identify every convincing attack, so employees must also know how to respond.
They should be encouraged to report suspicious messages rather than feeling embarrassed that they may have made a mistake.
The earlier an employee reports a malicious attachment or stolen password, the greater the opportunity to contain the incident.
6. Use attack surface reduction rules
Attack surface reduction rules can block behaviours that are commonly abused during ransomware and other cyber attacks.
For example, policies may prevent or restrict:
- Office applications creating child processes
- Executable content launching from email
- Suspicious or obfuscated scripts
- Credential theft
- Untrusted applications running from removable media
- Processes associated with ransomware behaviour
Microsoft explains that ASR rules help prevent malware from exploiting applications and scripts to infect devices.
These rules should be introduced carefully.
Some restrictions could interfere with older applications or specialist business software. A sensible deployment may involve:
- Reviewing current application behaviour
- Enabling selected rules in audit mode
- Examining the results
- Testing with a pilot group
- Creating tightly controlled exceptions where necessary
- Moving suitable rules into warn or block mode
Microsoft recommends testing many ASR rules in audit mode before enforcing them widely.
Exceptions should be limited and documented. Excluding a large folder or application without review can create a route that attackers may exploit.
7. Prevent attackers moving across the network
A ransomware attack on one laptop should not automatically provide access to every server, computer and backup system.
Network segmentation divides systems into controlled areas and limits unnecessary communication between them.
For example:
- Employee devices should not freely manage servers
- Guest Wi-Fi should be separate from business systems
- Backup management should be restricted
- Administrative access should come from controlled devices
- Critical servers should accept only required connections
- Different sites and departments may require separate controls
This can make it more difficult for an attacker to move laterally after compromising the first device.
The business should also review exposed services.
Remote Desktop and management interfaces should not be directly available from the internet unless there is an essential and carefully secured requirement.
Remote access should use:
- MFA
- Restricted source locations
- Secure VPN or Zero Trust access
- Individual accounts
- Strong monitoring
- Prompt security updates
- Account lockout and risk controls
An old remote-access service forgotten on the network can provide exactly the route an attacker needs.
8. Monitor security alerts around the clock
Security tools generate warnings when they identify suspicious activity.
However, an alert does not protect the business unless somebody sees it, investigates it and takes appropriate action.
Ransomware actors may operate:
- Overnight
- At weekends
- During bank holidays
- While key employees are away
- When internal IT staff are unavailable
Important alerts may include:
- Security software being disabled
- Suspicious PowerShell activity
- Mass file changes
- Credential theft
- Unusual administrator access
- Logins from unexpected locations
- New privileged accounts
- Malicious internet connections
- Backup deletion attempts
- Attempts to spread between computers
A managed detection and response service can investigate these warnings and take action when a genuine attack is identified.
Possible responses may include:
- Isolating a computer
- Disabling an account
- Revoking active sessions
- Blocking an internet address
- Quarantining a file
- Stopping a malicious process
- Escalating the incident
- Contacting affected users
Early action can prevent one compromised account or device from becoming an organisation-wide outage.
9. Protect your Microsoft 365 environment
Ransomware is not limited to traditional file servers.
An attacker who compromises Microsoft 365 may be able to:
- Read emails
- Download SharePoint files
- Access OneDrive
- Create mailbox-forwarding rules
- Send phishing emails from a genuine account
- Grant access to a malicious application
- Change security settings
- Steal information before encryption begins
Microsoft 365 protection should include:
- MFA
- Conditional Access
- Protected administrator accounts
- Microsoft Defender for Office 365
- Microsoft Defender for Business
- Managed and compliant devices
- External-sharing controls
- Risky sign-in monitoring
- Regular permission reviews
- Independent backup and retention planning
Employees should not be allowed to access sensitive company information from any unknown device simply because they know the correct password.
Conditional Access can restrict access to approved, managed or compliant devices and provide additional controls for personal equipment.
10. Control USB sticks and removable storage
An infected USB stick can transfer malware without using email or the internet.
Removable media can also be used to copy large quantities of company information.
Where USB storage is not required, it should be blocked.
Where it is required, the business should consider:
- Allowing only approved devices
- Encrypting company USB sticks
- Blocking executable files
- Providing read-only access
- Logging USB activity
- Preventing sensitive information from being copied
- Prohibiting personal USB sticks
Microsoft Defender device control and Intune can help restrict removable storage to approved users and devices.
Employees should never connect an unknown USB stick found in a car park, reception area or meeting room.
11. Train employees to recognise attacks
Employees are an important part of ransomware protection.
Training should cover more than an annual presentation.
People should understand:
- How to recognise phishing emails
- Why unexpected MFA requests are suspicious
- Why passwords must not be reused
- How to report a suspicious message
- Why software must not be installed without approval
- Why security warnings should not be ignored
- Why unknown USB sticks must not be connected
- What to do after opening a suspicious file
- Who to contact outside normal working hours
Security exercises can help confirm whether employees understand the guidance.
The purpose should be education rather than punishment.
Employees who fear being blamed may delay reporting an incident. That delay could give the attacker more time to spread through the business.
12. Create and test an incident response plan
Ransomware incidents are stressful.
Important decisions should not be made for the first time while systems are offline and criminals are demanding payment.
A ransomware response plan should identify:
- Who leads the response
- Who can authorise systems to be disconnected
- How the IT and security teams will communicate
- Which systems must be restored first
- Who contacts the cyber insurer
- Who contacts customers and employees
- Where offline contact details are stored
- How legal and regulatory requirements will be assessed
- Which incident response specialists should be contacted
- How decisions and evidence will be recorded
- How the business will operate while systems are unavailable
The NCSC states that being prepared to detect and respond quickly can prevent further damage and reduce the financial and operational impact of a cyber incident.
The plan should be tested using realistic exercises.
A tabletop exercise could present a scenario such as:
It is 7am on Monday. Employees cannot access files, the server displays a ransom note and a criminal group claims to have stolen customer information. What happens next?
The exercise can reveal missing contact details, unclear responsibilities and unrealistic recovery expectations before a real incident occurs.
What should you do during a ransomware attack?
When ransomware is suspected, the priority is to contain the incident and prevent further damage.
Do not immediately begin clicking through files or reconnecting systems to see whether they now work.
The NCSC recommends actions including:
- Disconnect infected devices from wired, wireless and mobile network connections.
- Consider disabling wider network or internet connectivity during a serious incident.
- Contact your IT, cyber security and incident response providers.
- Preserve evidence and record actions taken.
- Reset compromised credentials carefully, ensuring recovery access is not lost.
- Identify whether information may have been stolen.
- Wipe and rebuild infected devices safely.
- Confirm that backups and recovery devices are clean.
- Restore through a controlled process.
- Continue monitoring for remaining malicious activity.
Do not connect a backup to a system that may still be infected.
Ransomware may have been present for some time before it became visible, so recent backups should be scanned and reviewed before restoration.
Should you switch off an infected computer?
The safest action depends on the incident.
Disconnecting the device from the network can prevent it from communicating with other systems while potentially preserving information in memory that may be useful to incident responders.
Powering it off may stop active encryption, but it can also remove temporary evidence.
Employees should therefore follow the organisation’s incident procedure and contact the IT or cyber security team immediately.
Where rapid expert advice is not available and encryption is visibly spreading, isolating the device and affected network connections should be treated as urgent.
Should you pay the ransom?
The NCSC and UK law enforcement do not encourage, endorse or condone paying a ransom.
Payment does not guarantee:
- That a working decryption key will be provided
- That every file will be recovered
- That stolen information will be deleted
- That malware and backdoors have been removed
- That the criminals will not demand more money
- That the business will not be targeted again
Paying also funds criminal activity.
Before making any decision, the organisation should review all available recovery options and speak to appropriate specialists, insurers, legal advisers and law enforcement.
Free decryption tools are available for some ransomware variants through initiatives such as the No More Ransom project, although tools are not available for every type of ransomware.
The strongest position is to prepare in advance so that paying the attacker is not the only apparent recovery option.
Do ransomware incidents need to be reported?
UK organisations can report cyber incidents through the government’s cyber incident reporting service.
A ransomware incident may also constitute a personal data breach.
The loss of access to personal information can itself be a breach, even where there is no confirmed evidence that the attacker downloaded the data.
Under UK GDPR, an organisation must notify the ICO without undue delay and no later than 72 hours after becoming aware of a personal data breach, unless the breach is unlikely to create a risk to people’s rights and freedoms.
The organisation should complete and document a risk assessment even when it decides that notification is not required.
Your cyber insurer, customers, industry regulators and contractual partners may also have notification requirements.
These responsibilities should be documented in the incident response plan.
Can a small business really beat ransomware?
Yes, but beating ransomware does not mean relying on one antivirus product and hoping it blocks every attack.
It means making the business difficult to compromise and capable of recovering when a security control fails.
A practical ransomware strategy should include:
- Secure, tested and isolated backups
- MFA on important accounts
- Prompt security updates
- Managed endpoint protection
- Attack surface reduction
- Restricted administrator access
- Email and web filtering
- Network segmentation
- Device management
- Employee training
- Continuous monitoring
- A tested response and recovery plan
Each layer makes the attacker’s task more difficult.
If a phishing email reaches an employee, web protection may block the site.
If the password is stolen, MFA may prevent access.
If a device is compromised, endpoint detection may isolate it.
If the attacker reaches the network, segmentation may limit movement.
If systems are encrypted, ransomware-resistant backups may allow recovery.
That is how you beat ransomware: not with one perfect defence, but by preventing one mistake or failed control from becoming a complete business disaster.
How can Hamilton Group help?
At Hamilton Group, we help businesses reduce their ransomware risk and prepare for a safe recovery.
We can assist with:
- Ransomware risk assessments
- Microsoft Defender for Business
- Managed detection and response
- 24/7 cyber security monitoring
- Microsoft Intune
- Attack surface reduction rules
- Microsoft 365 security
- Conditional Access
- Multifactor authentication
- Email threat protection
- Administrator access reviews
- Software and security updates
- Firewall and network security
- USB device controls
- Ransomware-resistant backups
- Microsoft 365 backup
- Disaster recovery planning
- Recovery testing
- Employee cyber security training
- Cyber Essentials preparation
- Incident response planning
We can review your existing security and answer important questions such as:
- Would we know if an attack started tonight?
- Are all important accounts protected with MFA?
- Can employees disable security settings?
- Are company devices properly managed?
- Are backups isolated from administrator accounts?
- Could an attacker delete every recovery point?
- When was the last complete recovery test?
- Who would manage a ransomware incident?
- How long would the business be unable to operate?
Ransomware cannot be defeated by software alone.
It requires secure technology, monitored systems, informed employees and a recovery process that has been tested before it is needed.
Contact Hamilton Group to discuss how we can help protect your business from ransomware and give you confidence that you can recover from an attack.
Call us on 0330 043 0069 or book an appointment with one of our experts.