Stop Ransomware in Its Tracks: A 5-Step Proactive Defence Plan

Most ransomware incidents don’t start with a dramatic intrusion. They start with something mundane — a credential obtained from a phishing email or a purchased data breach, used to log into a system that wasn’t looking for anything unusual. From there, the attacker moves quietly: escalating privileges, mapping the network, identifying backup systems, staging data for exfiltration. The encryption event, when it comes, is the final step of a process that may have been running for days or weeks.

This matters because it means the defence isn’t just about detecting ransomware — it’s about disrupting the earlier stages before the attacker gets to the point where encryption is possible. Here’s a five-step framework.

Step 1 — Harden your identity layer

Stolen credentials are the most common ransomware entry point. The controls that stop credential-based attacks from progressing:

  • Phishing-resistant MFA on all accounts, especially administrative ones. TOTP codes and push notifications can be intercepted; FIDO2 keys and Windows Hello for Business cannot.
  • Conditional Access policies that require compliant, managed devices for sensitive applications. A stolen credential replayed from an attacker’s machine fails this check.
  • Eliminate legacy authentication protocols (Basic Auth, NTLM) that bypass modern MFA entirely.
  • Enforce least privilege — administrators should have separate admin accounts used only for administrative tasks, not for everyday email and browsing.
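The four controls above combine into one access decision per sign-in. The following is an added example, not code from the original post and not any identity provider's policy engine: a small reference model that evaluates a sign-in attempt against each control and reports every one that would stop it. Application names, protocol and method strings, and the sample attempts are assumptions constructed for the illustration.

```python
"""Reference model of the Step 1 identity controls.

Added example, not code from the original post and not any identity provider's
policy engine. It evaluates one sign-in attempt against the four controls the
post lists and reports every control that would stop it. The application
names and method strings are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Authenticators that resist credential phishing: the login is bound to the
# site origin, so a code captured on a look-alike page cannot be replayed.
PHISHING_RESISTANT = {"fido2", "windows_hello_for_business"}
# Protocols that cannot carry an MFA challenge at all.
LEGACY_PROTOCOLS = {"basic_auth", "ntlm"}
# Applications that demand a compliant, managed device (assumed list).
SENSITIVE_APPS = {"finance_portal", "admin_console"}
ADMIN_APPS = {"admin_console"}


@dataclass
class SignIn:
    user: str
    application: str
    protocol: str = "modern"              # "modern", "basic_auth" or "ntlm"
    mfa_method: Optional[str] = None      # None, "totp", "push", "fido2", ...
    device_compliant: bool = False        # managed and reporting compliant
    is_admin_account: bool = False        # dedicated admin identity
    password_valid: bool = True


def evaluate_sign_in(attempt: SignIn) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons); an empty reasons list means every control passed."""
    if not attempt.password_valid:
        return False, ["invalid credentials"]
    reasons: List[str] = []

    # Control 3: legacy protocols are refused outright because they bypass MFA.
    if attempt.protocol in LEGACY_PROTOCOLS:
        reasons.append(f"legacy protocol {attempt.protocol} is blocked")

    # Control 1: phishing-resistant MFA on every account, admins included.
    if attempt.mfa_method not in PHISHING_RESISTANT:
        reasons.append(f"MFA method {attempt.mfa_method!r} is not phishing-resistant")

    # Control 2: sensitive applications require a compliant device, so a
    # stolen password replayed from an unmanaged machine fails here.
    if attempt.application in SENSITIVE_APPS and not attempt.device_compliant:
        reasons.append(f"{attempt.application} requires a compliant managed device")

    # Control 4: administrative tasks only from a dedicated admin account.
    if attempt.application in ADMIN_APPS and not attempt.is_admin_account:
        reasons.append("administrative access requires a separate admin account")

    return not reasons, reasons


def sample_attempts():
    """Constructed sign-ins: a stolen-credential replay, a legacy client,
    a correctly configured admin, and a daily-use account reaching for admin."""
    return {
        "replayed_credential": SignIn("amy", "finance_portal", mfa_method="totp"),
        "legacy_mailbox": SignIn("bob", "mail", protocol="ntlm"),
        "proper_admin": SignIn("amy-adm", "admin_console", mfa_method="fido2",
                               device_compliant=True, is_admin_account=True),
        "daily_account_as_admin": SignIn("amy", "admin_console", mfa_method="fido2",
                                         device_compliant=True),
    }


if __name__ == "__main__":
    for name, attempt in sample_attempts().items():
        allowed, why = evaluate_sign_in(attempt)
        print(name, "ALLOW" if allowed else "DENY", why)
```

The replayed credential is denied twice over: the TOTP code is not phishing-resistant and the unmanaged device fails the compliant-device requirement, which is why the two controls are worth deploying together rather than as alternatives.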

Step 2 — Close known vulnerabilities

Once an attacker is inside your network, unpatched systems are what they use to move laterally and escalate privileges. Patch management isn’t glamorous, but it’s one of the highest-leverage security controls available:

  • Critical vulnerabilities: patch within 48 hours, or implement compensating controls while patching.
  • High-severity vulnerabilities: patch within two weeks.
  • Prioritise internet-facing systems and anything with admin interfaces.
  • Include network device firmware (routers, switches, firewalls) — these are often overlooked.
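The timelines and priorities above are easy to state and easy to lose track of across a few hundred findings. Here is an added example, not code from the original post or from any vulnerability scanner, of a patch queue that applies the post's windows (critical within 48 hours, high within two weeks), ranks internet-facing systems and admin interfaces first, keeps firmware findings in the same list, and records a compensating control as a mitigation rather than an excuse to drop the finding. Hosts, dates and statuses are constructed.

```python
"""Patch SLA queue for the Step 2 timelines over a constructed finding list.

Added example, not code from the original post or any vulnerability scanner.
The windows (critical 48 hours, high two weeks) and the ranking (internet-facing
and admin interfaces first, firmware included) are the post's; the data is made up."""
from dataclasses import dataclass
from datetime import datetime, timedelta

SLA = {"critical": timedelta(hours=48), "high": timedelta(days=14)}
NOW = datetime(2024, 6, 10, 9, 0)        # constructed reference time for the sample


@dataclass(frozen=True)
class Finding:
    host: str
    severity: str                        # "critical" | "high" | "medium" | "low"
    discovered: datetime
    internet_facing: bool
    admin_interface: bool
    kind: str = "os"                     # "os", "application" or "firmware"
    compensating_control: bool = False   # interim mitigation recorded


def deadline(f: Finding):
    """Patch-by time, or None when the post sets no fixed window for the severity."""
    window = SLA.get(f.severity)
    return None if window is None else f.discovered + window


def priority(f: Finding):
    """Sort key: exposed systems first, then admin interfaces, then severity, then age."""
    return (not f.internet_facing, not f.admin_interface,
            f.severity != "critical", f.discovered)


def patch_queue(findings, now: datetime):
    """Ordered work list. A finding past its deadline is 'overdue' unless a
    compensating control is recorded, in which case it is 'mitigated' but stays queued."""
    rows = []
    for f in sorted(findings, key=priority):
        due = deadline(f)
        if due is None:
            status = "scheduled"
        elif now <= due:
            status = "within_sla"
        elif f.compensating_control:
            status = "mitigated"
        else:
            status = "overdue"
        rows.append({"host": f.host, "kind": f.kind, "severity": f.severity,
                     "due": due, "status": status})
    return rows


def overdue_hosts(findings, now: datetime):
    return [r["host"] for r in patch_queue(findings, now) if r["status"] == "overdue"]


def sample_findings(now: datetime = NOW):
    """Constructed inventory: no real hosts, products or CVE identifiers."""
    return [
        Finding("edge-fw01", "critical", now - timedelta(days=3), True, True, kind="firmware"),
        Finding("vpn-gw", "critical", now - timedelta(days=4), True, True,
                compensating_control=True),
        Finding("web-01", "critical", now - timedelta(days=1), True, False),
        Finding("hr-app", "high", now - timedelta(days=20), False, True, kind="application"),
        Finding("file-srv", "high", now - timedelta(days=5), False, False),
        Finding("print-01", "medium", now - timedelta(days=40), False, False),
    ]


if __name__ == "__main__":
    for row in patch_queue(sample_findings(), NOW):
        print(f"{row['status']:<11} {row['severity']:<9} {row['kind']:<12} {row['host']}")
```

In the sample the firewall firmware finding is three days old and already overdue, which is exactly the case the last bullet warns about; the VPN gateway is just as exposed but shows as mitigated because a compensating control was recorded, and it stays at the top of the queue until it is actually patched.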

Step 3 — Limit lateral movement

Ransomware spreads by moving from system to system using legitimate credentials and tools. Network segmentation limits how far it can travel:

  • Segment your network so that a compromise of one system doesn’t automatically give access to all others.
  • Restrict administrative tools to specific devices. PowerShell remoting, RDP, and WMI shouldn’t be available from every workstation.
  • Audit and clean up service accounts — these often have excessive privileges and are common targets.

Step 4 — Detect early

Ransomware has a signature before the encryption starts: unusual login times, bulk file access, lateral movement between systems, privilege escalation attempts. Endpoint Detection and Response (EDR) tools catch these behavioural patterns:

  • Deploy EDR across all endpoints — not just servers.
  • Configure alerts for high-confidence indicators: mass file modification, shadow copy deletion, new admin account creation.
  • Have an escalation path. Alerts that go to a mailbox nobody reads aren’t useful.
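The three high-confidence indicators in the bullets map directly onto detection rules. The following is an added example, not code from the original post or from any EDR product, that runs those three rules over a constructed event sample: a process rewriting many files in a short window, a shadow-copy deletion seen on the process-creation command line, and an account added to an administrators group (rated higher when the account was created minutes earlier). The event shape is a simplified dict modelled on Windows Security events 4688, 4720 and 4732 and Sysmon event 11; field names, thresholds and hosts are assumptions.

```python
"""Detection rules for the Step 4 indicators over constructed sample events.

Added example, not code from the original post or from any EDR product. Events
are plain dicts in a simplified shape modelled on Windows Security (4688, 4720,
4732) and Sysmon (11) records; field names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

MASS_MODIFY_THRESHOLD = 50                   # distinct files touched by one process...
MASS_MODIFY_WINDOW = timedelta(seconds=60)   # ...inside this sliding window
ADMIN_GROUPS = {"Administrators", "Domain Admins"}
NEW_ACCOUNT_WINDOW = timedelta(hours=1)      # 4720 followed by an admin group add


def detect(events):
    """Return alerts as (time, host, rule, subject) tuples, in time order."""
    alerts = []
    created_at = {}                       # account -> time of its 4720 event
    writes = defaultdict(list)            # (host, process) -> [(time, path)]
    flagged = set()                       # (host, process) already alerted on
    for e in sorted(events, key=lambda ev: ev["time"]):
        t, host, eid = e["time"], e["host"], e["event_id"]

        # Rule 1: shadow copy deletion, matched on the 4688 command line
        # (requires command-line auditing to be enabled on the endpoint).
        if eid == 4688:
            cmd = e.get("command_line", "").lower()
            if "vssadmin" in cmd and "delete" in cmd and "shadows" in cmd:
                alerts.append((t, host, "shadow_copy_deletion", e["user"]))

        # Rule 2: a member added to an admin group; higher confidence when the
        # account itself was created less than an hour earlier.
        elif eid == 4720:
            created_at[e["target_account"]] = t
        elif eid == 4732 and e.get("group") in ADMIN_GROUPS:
            created = created_at.get(e["target_account"])
            rule = ("new_account_added_to_admin_group"
                    if created is not None and t - created <= NEW_ACCOUNT_WINDOW
                    else "account_added_to_admin_group")
            alerts.append((t, host, rule, e["target_account"]))

        # Rule 3: mass file modification, one process writing many distinct
        # files inside the sliding window (alert once per host/process pair).
        elif eid == 11:
            key = (host, e["process"])
            window = writes[key]
            window.append((t, e["path"]))
            while window and t - window[0][0] > MASS_MODIFY_WINDOW:
                window.pop(0)
            if key not in flagged and len({p for _, p in window}) >= MASS_MODIFY_THRESHOLD:
                flagged.add(key)
                alerts.append((t, host, "mass_file_modification", e["process"]))
    return alerts


def sample_events():
    """Constructed log sample: benign activity plus one instance of each indicator."""
    t0 = datetime(2024, 6, 10, 2, 13, 0)
    ev = []
    # Benign: a user saving a handful of documents over several minutes.
    for i in range(5):
        ev.append({"time": t0 + timedelta(minutes=i), "host": "ws-07", "event_id": 11,
                   "process": "winword.exe", "path": f"C:\\Users\\amy\\doc{i}.docx"})
    # Indicator: one process rewriting 60 files in 60 seconds on ws-12.
    for i in range(60):
        ev.append({"time": t0 + timedelta(seconds=i), "host": "ws-12", "event_id": 11,
                   "process": "unknown.exe", "path": f"\\\\fs01\\share\\file{i}.xlsx"})
    # Indicator: shadow copies deleted on the same host shortly afterwards.
    ev.append({"time": t0 + timedelta(minutes=2), "host": "ws-12", "event_id": 4688,
               "user": "CORP\\amy", "command_line": "vssadmin.exe delete shadows /all /quiet"})
    # Indicator: account created, then added to Administrators five minutes later.
    ev.append({"time": t0, "host": "dc-01", "event_id": 4720, "target_account": "svc-helper"})
    ev.append({"time": t0 + timedelta(minutes=5), "host": "dc-01", "event_id": 4732,
               "target_account": "svc-helper", "group": "Administrators"})
    # Lower confidence: an existing account added to Administrators hours later.
    ev.append({"time": t0 + timedelta(hours=3), "host": "dc-01", "event_id": 4732,
               "target_account": "jsmith", "group": "Administrators"})
    return ev


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

The five document saves on ws-07 never reach the threshold, while the burst on ws-12 fires on the fiftieth distinct file and is followed two minutes later by the shadow-copy deletion on the same host. That pairing is what an analyst on the escalation path should see as one incident rather than two tickets, and it is also why the alert tuples carry the host.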

This is where a Managed SOC adds significant value — experienced analysts triaging alerts around the clock, with the context to distinguish a real threat from a false positive.

Step 5 — Protect and test your backups

Backups are the last line of defence, and they’re specifically targeted in modern ransomware attacks. Attackers try to encrypt or delete backups before triggering the main payload:

  • Keep at least one backup copy completely isolated from your production environment — offline, or in a storage system the production network can’t reach.
  • Microsoft 365 data needs separate backup — Microsoft’s retention doesn’t protect against ransomware-caused deletion.
  • Test your restores. A backup you’ve never restored from is an assumption, not a capability. Run a restoration drill at least annually.
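A restore drill is only meaningful if it checks the restored data, not just that the job finished. The following is an added example, not code from the original post or from any backup product: it builds a constructed data set, takes a copy with a SHA-256 manifest, restores it into an empty directory, and verifies every file against the manifest, reporting missing, corrupt and unexpected files. A second run simulates a backup that was damaged before the restore, which is the failure the drill exists to catch. Paths and sample files are constructed; point `take_backup` and `restore_backup` at real locations to run it against your own copy.

```python
"""Restore drill for Step 5 over constructed data.

Added example, not code from the original post or any backup product. It takes
a backup with a SHA-256 manifest, restores it into an empty directory and
verifies the restored tree file by file. Paths and sample files are constructed."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def take_backup(source: Path, dest: Path) -> Dict[str, str]:
    """Copy every file under source into dest/data and write manifest.json
    with each file's relative path and SHA-256 digest."""
    manifest: Dict[str, str] = {}
    for p in sorted(source.rglob("*")):
        if p.is_file():
            rel = p.relative_to(source).as_posix()
            target = dest / "data" / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            manifest[rel] = sha256(p)
    dest.mkdir(parents=True, exist_ok=True)
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_backup(backup: Path, target: Path) -> None:
    """Restore the data tree into target (created if absent)."""
    shutil.copytree(backup / "data", target, dirs_exist_ok=True)


def verify_restore(backup: Path, restored: Path) -> Tuple[bool, List[str]]:
    """Compare the restored tree against the manifest; list every problem found."""
    manifest = json.loads((backup / "manifest.json").read_text())
    problems: List[str] = []
    for rel, digest in manifest.items():
        p = restored / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256(p) != digest:
            problems.append(f"corrupt: {rel}")
    present = {p.relative_to(restored).as_posix() for p in restored.rglob("*") if p.is_file()}
    problems.extend(f"unexpected: {rel}" for rel in sorted(present - manifest.keys()))
    return not problems, problems


def run_drill(tamper: bool = False) -> Tuple[bool, List[str]]:
    """Full drill on constructed data in a temporary directory.
    tamper=True overwrites one file in the backup copy to simulate damage."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        prod, backup, restored = root / "prod", root / "backup", root / "restore"
        (prod / "finance").mkdir(parents=True)
        (prod / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")   # constructed
        (prod / "notes.txt").write_text("constructed sample data\n")          # constructed
        take_backup(prod, backup)
        if tamper:
            (backup / "data" / "notes.txt").write_text("damaged before restore\n")
        restore_backup(backup, restored)
        return verify_restore(backup, restored)


if __name__ == "__main__":
    print("clean drill:", run_drill())
    print("tampered drill:", run_drill(tamper=True))
```

The manifest is written at backup time and lives with the copy, so the same verification runs unchanged against the isolated copy from the first bullet; a drill that passes there, rather than against the nightly on-network copy, is the one that turns the assumption into a capability.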

None of these steps requires exotic tooling. They require consistent execution of the fundamentals. Most ransomware incidents we see in Australian businesses exploit gaps that have been known about for some time — credentials without proper MFA, unpatched systems, backups that were never tested.

If you’d like an assessment of where your business sits across these five areas, start with the Safe to Scale Scorecard or get in touch directly.

Ready to scale safely?

Book a discovery call and we’ll map out where you stand and what comes next.