1. The Offline Backup (The One That Actually Saves You)
Backups are everyone's advice. But most businesses have backups that wouldn't save them.
Cloud sync isn't a backup. If ransomware encrypts your local files and you have auto-sync enabled, it syncs the encrypted versions to the cloud within minutes. Your "backup" is now encrypted too.
What actually works: a copy that's disconnected.
The 3-2-1 rule:
- 3 copies of your data
- 2 different storage types
- 1 copy completely offline — not plugged in, not syncing
Practical setup: an external drive that receives a daily backup and is unplugged as soon as the backup finishes, rotated weekly so the offline copy stays current. That offline copy is what lets you recover without paying anyone.
One more thing that most guides skip: test the restoration. A backup you've never restored from is a backup of unknown reliability. Restore to a test machine once a quarter. Takes 2 hours and might save you everything.
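An added example (not code from the original post) of the daily backup and the quarterly restore test described above, in PowerShell: the backup writes a SHA-256 manifest, and the restore test copies the backup to a scratch folder and verifies every file against that manifest. The source folder, drive letter, manifest path and scratch folder are assumptions.

```powershell
# Added example, not part of the original post. Paths below are assumptions:
# change them to your data folder, the external drive and a scratch folder
# on the test machine used for the quarterly restore test.
$Source     = 'C:\CompanyData'
$BackupRoot = 'E:\Backups\CompanyData'   # external drive, unplugged after the run
$Manifest   = 'E:\Backups\CompanyData.manifest.csv'
$RestoreDir = 'C:\RestoreTest'

function New-VerifiedBackup {
    param([string]$From, [string]$To, [string]$ManifestPath)
    # Mirror the source onto the drive (robocopy ships with Windows; exit codes >= 8 mean failure)
    robocopy $From $To /MIR /R:2 /W:5 /NFL /NDL | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "backup copy failed (robocopy exit $LASTEXITCODE)" }
    # Record a SHA-256 hash for every file, keyed by its path relative to the backup root
    Get-ChildItem $To -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            Path = $_.FullName.Substring($To.Length).TrimStart('\')
            Hash = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv $ManifestPath -NoTypeInformation
    "Backup complete: $(@(Import-Csv $ManifestPath).Count) files hashed. Unplug the drive now."
}

function Test-BackupRestore {
    param([string]$From, [string]$To, [string]$ManifestPath)
    # Restore into the scratch folder, then compare every file with the hash taken at backup time
    robocopy $From $To /MIR /R:2 /W:5 /NFL /NDL | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "restore copy failed (robocopy exit $LASTEXITCODE)" }
    $entries = @(Import-Csv $ManifestPath)
    $bad = 0
    foreach ($e in $entries) {
        $file = Join-Path $To $e.Path
        if (-not (Test-Path $file)) { Write-Warning "missing after restore: $($e.Path)"; $bad++; continue }
        if ((Get-FileHash $file -Algorithm SHA256).Hash -ne $e.Hash) { Write-Warning "content differs: $($e.Path)"; $bad++ }
    }
    if ($bad -eq 0) { "Restore test PASSED: $($entries.Count) files verified" }
    else            { Write-Warning "Restore test FAILED: $bad of $($entries.Count) files missing or altered" }
    return ($bad -eq 0)
}

# Daily, on the production machine:
New-VerifiedBackup -From $Source -To $BackupRoot -ManifestPath $Manifest
# Quarterly, on the test machine with the drive plugged in:
Test-BackupRestore -From $BackupRoot -To $RestoreDir -ManifestPath $Manifest
```

A manifest that the restore test cannot fully verify is the early warning the text is talking about: the drive, the copy job or the files themselves are not what you assumed.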
2. Lock Down RDP (Attackers Are Scanning for It Right Now)
Remote Desktop Protocol is one of the top three ransomware entry points, and the attacks are completely automated. Scripts scan the entire internet for open port 3389, find it on your server at 3am, run a brute-force credential attack, and by morning they're in.
If you don't need RDP: disable it. Full stop.
If you need it for remote work:
- Put it behind a VPN — RDP should never be directly internet-facing
- Enable MFA on the VPN and RDP
- Strong passwords — "Company2024!" is not strong
- Account lockout after 5 failed attempts — kills brute force
- Whitelist IPs if you can — only allow known locations
Changing the default port (3389) is a minor additional deterrent: it doesn't stop sophisticated attackers, but it does filter out the fully automated scans.
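An added example (not from the original post) that audits a Windows server against the RDP checklist above: whether RDP is on, whether NLA is required, which port it listens on, which remote addresses the firewall lets in, and the account lockout threshold, printing the fix for each finding. The VPN subnet is an assumption, and the `net accounts` parsing expects English-language Windows.

```powershell
# Added example, not part of the original post. Run it in an elevated PowerShell on
# the server; it reports the settings the checklist above covers and prints the
# command that fixes each finding. The VPN subnet is an assumption, and the
# "net accounts" parsing expects English-language Windows.
$VpnSubnet = '10.8.0.0/24'

function Get-RdpExposureReport {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"
    $rdpOn = (Get-ItemProperty $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0
    # Network Level Authentication: credentials are checked before a session is created
    $nla  = (Get-ItemProperty $tcp -Name UserAuthentication).UserAuthentication -eq 1
    $port = (Get-ItemProperty $tcp -Name PortNumber).PortNumber
    # Remote addresses allowed by the built-in "Remote Desktop" firewall rules ("Any" = whole internet)
    $scopes = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue |
        Get-NetFirewallAddressFilter | Select-Object -ExpandProperty RemoteAddress -Unique)
    # Lockout threshold from the local account policy ("Never" = unlimited password guesses)
    $line = (net accounts) -match 'Lockout threshold' | Select-Object -First 1
    $lockout = if ($line) { [int](($line -replace '.*:\s*', '') -replace 'Never', '0') } else { -1 }

    $findings = @()
    if (-not $rdpOn) { $findings += 'RDP is disabled: nothing to expose' }
    if ($rdpOn -and $scopes -contains 'Any') {
        $findings += "RDP reachable from any address. Fix: Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $VpnSubnet"
    }
    if ($rdpOn -and -not $nla) {
        $findings += "NLA is off. Fix: Set-ItemProperty '$tcp' -Name UserAuthentication -Value 1"
    }
    if ($lockout -eq 0 -or $lockout -gt 5) {
        $findings += "Lockout threshold is $lockout. Fix: net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30"
    }

    [pscustomobject]@{
        RdpEnabled         = $rdpOn
        NlaRequired        = $nla
        ListeningPort      = $port
        AllowedRemoteAddrs = ($scopes -join ', ')
        LockoutThreshold   = $lockout
        Findings           = $findings
    }
}

Get-RdpExposureReport | Format-List
# If remote desktop is not needed at all, the "full stop" option is:
# Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 1
```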
3. Email Is Still Where Most Attacks Start
35% of ransomware infections begin with a phishing email. The emails have gotten significantly better — they reference real vendors, mimic real invoice formats, come from spoofed addresses that look correct at a glance.
The defense isn't paranoia. It's a simple habit: if an email has an attachment you weren't expecting, verify it through a different channel before opening.
Call the sender. Send them a separate message asking if they sent something. Takes 2 minutes and eliminates most phishing risk.
Train your team on what to do if they click something:
Disconnect from the network immediately. Tell IT. Don't try to fix it yourself.
The "tell IT immediately" part matters more than people realize. We've handled cases where the infection was caught in the first 30 minutes because someone reported it fast — and saved 90% of the files. The cases where people tried to handle it quietly for a day usually resulted in full encryption.
4. Updates Are Not Optional
In 2017, WannaCry infected 230,000 systems across 150 countries in a single day. The vulnerability it exploited had a patch available for 2 months before the attack.
Most successful ransomware attacks exploit vulnerabilities that have working patches. The attackers are specifically looking for unpatched systems because they know most organizations run behind on updates.
Highest priority patches:
- Windows OS (enable automatic updates)
- VPN software (attackers specifically scan for outdated VPN versions)
- RDP components
- Browsers and email clients
- Office suite
One that surprises people: firmware. Router and firewall firmware often goes unpatched for years. Check it.
5. Your Antivirus Alone Is Not Enough
Traditional antivirus works by comparing files against known malware signatures. Modern ransomware is specifically designed to evade this — new variants are compiled regularly to produce different file signatures.
What you need alongside antivirus: Endpoint Detection and Response (EDR).
EDR watches behavior, not signatures. It notices when a process starts encrypting hundreds of files in rapid succession — which is exactly what ransomware does — and can stop it and alert you before the damage is complete.
For small businesses without IT staff: managed EDR services handle monitoring and response. The cost is a fraction of a ransomware incident.
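An added example (not from the original post, and not any vendor's product) of the behavioural rule described above: a sliding-window check that flags any process writing more than a threshold of files within a few seconds. It runs over constructed file-change events rather than a live sensor; the thresholds and process names are illustrative.

```powershell
# Added example, not part of the original post: the kind of behavioural rule an EDR
# applies, run here over constructed file-change events instead of a live sensor.
# Window, threshold, process names and paths are illustrative values.
$WindowSeconds      = 10
$MaxWritesPerWindow = 50

function Find-MassFileModification {
    param([object[]]$Events, [int]$Window = $WindowSeconds, [int]$Threshold = $MaxWritesPerWindow)
    $alerts = @()
    foreach ($group in ($Events | Where-Object Action -eq 'Write' | Group-Object Process)) {
        $times = @($group.Group | Sort-Object Time | Select-Object -ExpandProperty Time)
        $start = 0
        for ($end = 0; $end -lt $times.Count; $end++) {
            # Slide the window start forward until it spans at most $Window seconds
            while (($times[$end] - $times[$start]).TotalSeconds -gt $Window) { $start++ }
            if ($end - $start + 1 -ge $Threshold) {
                $alerts += [pscustomobject]@{
                    Process = $group.Name
                    Writes  = $end - $start + 1
                    Within  = "$Window s"
                    FirstAt = $times[$start]
                }
                break   # one alert per process is enough
            }
        }
    }
    return $alerts
}

# Constructed sample: Word saves five files over an hour (normal), then an
# unknown process rewrites 200 documents in eight seconds (what ransomware does).
$t0 = Get-Date '2025-01-15 09:00:00'
$events = foreach ($i in 1..5) {
    [pscustomobject]@{ Time = $t0.AddMinutes($i * 10); Process = 'WINWORD.EXE'; Path = "\\fs1\docs\report$($i).docx"; Action = 'Write' }
}
$events += foreach ($i in 1..200) {
    [pscustomobject]@{ Time = $t0.AddSeconds(30 + $i * 0.04); Process = 'update_svc.exe'; Path = "\\fs1\docs\file$($i).docx"; Action = 'Write' }
}

# Only update_svc.exe is reported; WINWORD.EXE never reaches 50 writes in 10 seconds.
Find-MassFileModification -Events $events | Format-Table
# A real sensor would act on the alert (suspend the process, isolate the host); here it only reports.
```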
6. Network Segmentation: Limiting the Blast Radius
If ransomware gets onto one machine, how much can it reach?
In a flat network — common in small businesses — the answer is "everything." One infected workstation can reach the file server, the accounting system, the backup drive, and every other machine on the network.
Network segmentation puts walls between zones:
| Zone | Access |
|---|---|
| Guest WiFi | Internet only, isolated from everything else |
| Employee workstations | Work systems, no direct server access |
| File servers | Only accessible by specific machines/roles |
| Backups | Separate network, no general access |
You don't need enterprise hardware to start. Separating guest WiFi from your business network is a 20-minute change on most modern routers and eliminates one entire attack surface.
7. Disable What You're Not Using
Ransomware frequently uses legitimate Windows features against you. The Locky family spread partly through VBScript. Many attacks use PowerShell. Macros in Office documents are a classic delivery mechanism.
Most small businesses don't need these features enabled.
Quick wins:
- Office macros: File → Options → Trust Center → "Disable all macros with notification"
- Windows Script Host (.js/.vbs files): disable WSH or change default file association to Notepad — these scripts run via wscript.exe, not your browser
- PowerShell: if you're not using it for IT automation, consider restricting it
This isn't about disabling everything — it's about reducing your attack surface to what you actually use.
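An added example (not from the original post) that applies the first two quick wins as registry settings and then reports the result: Office macros set to "Disable all macros with notification" for the current user, and Windows Script Host disabled machine-wide. It assumes Office 2016 or later (the `16.0` key) and an elevated prompt for the WSH change; restricting PowerShell itself is a policy decision (usually AppLocker) and is not shown.

```powershell
# Added example, not part of the original post. Applies the first two quick wins above
# as registry settings and reports the result. "16.0" is the key used by Office 2016
# and later, including Microsoft 365; adjust for older versions. Disabling WSH is a
# machine-wide setting and needs an elevated prompt.
$OfficeApps = 'Word', 'Excel', 'PowerPoint'
$WshKey     = 'HKLM:\Software\Microsoft\Windows Script Host\Settings'

function Set-MacroDefaults {
    # VBAWarnings: 1 = enable all, 2 = disable with notification, 3 = signed only, 4 = disable silently
    foreach ($app in $OfficeApps) {
        $key = "HKCU:\Software\Microsoft\Office\16.0\$app\Security"
        if (-not (Test-Path $key)) { New-Item $key -Force | Out-Null }
        Set-ItemProperty $key -Name VBAWarnings -Value 2 -Type DWord
    }
}

function Disable-WindowsScriptHost {
    # Enabled = 0 makes wscript.exe and cscript.exe refuse to run .js/.vbs/.wsf scripts
    if (-not (Test-Path $WshKey)) { New-Item $WshKey -Force | Out-Null }
    Set-ItemProperty $WshKey -Name Enabled -Value 0 -Type DWord
}

function Get-ScriptHardeningReport {
    $rows = @(foreach ($app in $OfficeApps) {
        $key = "HKCU:\Software\Microsoft\Office\16.0\$app\Security"
        $v = (Get-ItemProperty $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        [pscustomobject]@{ Setting = "$app macros"; Value = $v; Hardened = ($v -in 2, 3, 4) }
    })
    $wsh = (Get-ItemProperty $WshKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $rows += [pscustomobject]@{ Setting = 'Windows Script Host'; Value = $wsh; Hardened = ($wsh -eq 0) }
    $rows
}

Set-MacroDefaults
Disable-WindowsScriptHost
Get-ScriptHardeningReport | Format-Table -AutoSize
```

Domain-joined machines should get the same values through Group Policy so they cannot be changed back by the user; the registry approach above is the standalone-PC version.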
8. Least Privilege: The Boring Rule That Prevents Disasters
Most employees don't need administrator rights to do their job. Most ransomware, however, needs administrator rights to encrypt everything.
Standard user accounts limit what ransomware can do. Even if an employee's machine gets infected, the malware can only encrypt what that user can access: not system files, not other users' data, and far less overall.
Practical implementation:
- Separate accounts for admin tasks vs. daily work
- Nobody browses the web or reads email from an admin account
- Quarterly access review — people change roles, access often doesn't follow
This is one of those measures that feels like bureaucracy until it's the reason an incident is contained to one machine instead of the whole network.
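An added example (not from the original post) for the quarterly access review above: it snapshots the local Administrators group by its well-known SID and reports who was added or removed since the last review, so the review is a diff rather than a guess. The baseline file path is an assumption.

```powershell
# Added example, not part of the original post: a helper for the quarterly access
# review. It snapshots the local Administrators group (by its well-known SID, so it
# works on non-English Windows) and reports who was added or removed since the last
# review. The baseline path is an assumption.
$BaselinePath = 'C:\SecurityReviews\local-admins.txt'

function Get-LocalAdminReview {
    param([string]$Baseline = $BaselinePath)
    $current = @(Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Select-Object -ExpandProperty Name | Sort-Object)
    if (-not (Test-Path $Baseline)) {
        # First run: record the starting point; every current admin still needs a justification
        New-Item (Split-Path $Baseline) -ItemType Directory -Force | Out-Null
        $current | Set-Content $Baseline
        return [pscustomobject]@{ Admins = $current; Added = @(); Removed = @(); Note = 'baseline created, review all members' }
    }
    $previous = @(Get-Content $Baseline)
    $diff = @(Compare-Object -ReferenceObject $previous -DifferenceObject $current)
    [pscustomobject]@{
        Admins  = $current
        Added   = @($diff | Where-Object SideIndicator -eq '=>' | Select-Object -ExpandProperty InputObject)
        Removed = @($diff | Where-Object SideIndicator -eq '<=' | Select-Object -ExpandProperty InputObject)
        Note    = "compared with baseline from $((Get-Item $Baseline).LastWriteTime.ToShortDateString())"
    }
}

$review = Get-LocalAdminReview
"Local Administrators ($($review.Admins.Count)): $($review.Admins -join ', ')"
if ($review.Added)   { Write-Warning "Added since last review: $($review.Added -join ', ')" }
if ($review.Removed) { "Removed since last review: $($review.Removed -join ', ')" }
$review.Note
# Once every member has been confirmed, accept the current list as the new baseline:
# $review.Admins | Set-Content $BaselinePath
```

An unexplained name in the "Added" list is exactly the case the review exists to catch: an account that gained admin rights when someone changed roles and never lost them.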
9. Have a Plan Before You Need One
When ransomware hits, the first 30 minutes matter enormously. Businesses that recover well almost always have someone who knew what to do without having to figure it out under pressure.
Your incident response plan doesn't need to be a 50-page document. It needs to answer these questions:
In the first 5 minutes:
- Who's authorized to disconnect systems from the network?
- What systems get isolated first?
In the first hour:
- Who gets notified (internal, external)?
- Who contacts the recovery service?
- What's the communication policy for customers/staff?
After containment:
- How do you verify clean backups?
- What's the restoration sequence?
- How do you prevent the same attack?
Write it down. Share it with anyone who might need it. Then — this is the part most organizations skip — actually test it. A tabletop exercise once a year, where you walk through a hypothetical attack, surfaces gaps before a real incident does.
For what to do in the first 30 minutes of an actual attack, see our ransomware emergency: 5 steps to take right now.
Where to Start If You're Starting From Zero
Not every business can implement all of this immediately. Here's the priority order based on what we actually see in incident response:
| Priority | Action | Why |
|---|---|---|
| 1 | Offline backup | Recovers you without paying anyone |
| 2 | Lock down RDP | Eliminates top attack vector |
| 3 | MFA everywhere | Stops credential-based attacks |
| 4 | Patch Windows and VPN | Closes known exploits |
| 5 | EDR on endpoints | Catches what AV misses |
The first three you can implement this week. Do those first.
FAQ
What's the single most effective ransomware prevention measure? An offline backup. If nothing else, do that. It means you can recover without paying ransom even if everything else fails.
How much does EDR cost for a small business? Managed EDR typically runs $5-15 per endpoint per month. A ransomware incident costs $50,000+ on average. The math is straightforward.
Is antivirus enough to stop ransomware? No. Traditional signature-based AV misses new variants. You need behavioral detection (EDR) alongside it. See point 5 above.
Should we pay the ransom if we get hit? Not as a first option. ~30% of victims who pay still don't get their files back. Try free tools first, then professional recovery. See our complete ransomware recovery guide for the full process.
How often should we test our backup restoration? Quarterly. A backup you've never tested is a backup of unknown quality. Restore to a test machine and verify the data is intact.
Already dealing with an attack?
If you're reading this after ransomware has already hit: stop here, go to our ransomware emergency checklist, and act on that first.
Want a professional assessment of your security posture?
We'll review your current setup and identify the gaps that matter most — before ransomware finds them first. Based on 12 years of experience and 1,000+ ransomware incident responses.
- WhatsApp: +852 4666 4940
- Email: IR@ransomrestore.com
- Website: ransomrestore.com
In most cases, we respond within 3 hours.
