How to prevent ransomware: a practical security guide
Ransomware succeeds through identity and access gaps, not tool gaps. Operators obtain credentials, escalate privileges through Active Directory, and deploy encryption before defenders can respond. Stopping ransomware before encryption deploys requires phishing-resistant MFA, zero standing privilege, Active Directory hardening, and immutable backups that have been tested.
According to the Netwrix 2025 Cybersecurity Trends Report, 79% of organizations experienced a cyberattack in the past 12 months, up from 68% the prior year. Most of those incidents succeeded through identity and access gaps.
A CISA advisory documents a consistent pattern across major incidents: attackers obtained access through identity and access weaknesses, escalated privileges, and encrypted from the inside before defenders could respond.
The path ransomware follows through an environment is well understood. Attackers exploit a credential, move laterally through Active Directory, reach domain controllers, and deploy encryption at scale.
Organizations that have invested heavily in perimeter defenses while leaving that identity path open have found that perimeter investment does not interrupt the attack chain where it actually runs.
This guide explains how ransomware incidents unfold, which controls stop most incidents before encryption deploys, and what recovery measures to have in place when they do not.
Why ransomware prevention is important
Ransomware prevention is no longer a technical initiative that lives exclusively within the security team. The financial, regulatory, and operational consequences now reach the boardroom directly.
- Backups no longer guarantee recovery: Modern ransomware attackers exfiltrate data before encrypting it. Even organizations that restore successfully still face a data exposure incident, regulatory notification obligations, and the threat of public data release.
- The financial exposure has changed: Recovery is not limited to the ransom itself. Organizations can also face notification obligations, legal costs, and operational downtime. The Netwrix 2025 Cybersecurity Trends report shows that 75% of organizations reported financial damage due to attacks, and 13% estimated damages at $200,000 or more.
- Third-party and supply chain compromise is a serious risk: Initial access can come through previously compromised environments, service providers, or trusted external relationships.
- Requirements are tightening: Security expectations from regulators, insurers, and incident response guidance increasingly emphasize identity controls, privileged access management, and tested backups. These requirements increasingly shape both business continuity planning and insurability.
How a ransomware attack works
Ransomware follows a predictable attack chain. Understanding each stage reveals where prevention controls deliver the most value.
Step 1: Initial access
The attacker gains entry through one of four routes:
- Compromised credentials used against a remote access portal.
- Phishing emails that harvest credentials or deliver malware.
- Exploitation of an unpatched internet-facing service.
- A supply chain compromise through a trusted vendor or partner.
Credentials are the most common entry point because they require no exploit: a valid username and password is sufficient.
Step 2: Foothold and persistence
Once inside, the attacker establishes persistence before taking any visible action. This typically involves creating backdoor accounts, deploying remote access tools, or modifying scheduled tasks to survive a reboot.
The dwell time between initial access and active operations is often measured in days or weeks, which is why behavioral visibility during this quiet phase matters.
Step 3: Privilege escalation and lateral movement
The attacker moves from a low-privilege foothold toward domain-level control. The most common routes are Kerberoasting service accounts with weak passwords, exploiting Active Directory misconfigurations such as unconstrained delegation, credential dumping from memory, and abusing over-privileged accounts that accumulated rights over time. Reaching a domain controller at this stage means controlling the entire environment.
Step 4: Data staging and exfiltration
Before deploying ransomware, attackers identify and stage sensitive data for exfiltration. This step is what enables double extortion: even if an organization restores from backup, the threat of publishing exfiltrated data creates independent leverage. Backups address encryption; they do not address exfiltration.
Step 5: Ransomware deployment
Encryption deploys across the environment. By this stage, attackers have already established access, escalated privileges, and exfiltrated data. Every control applied at an earlier stage of this chain exists to keep the attacker from reaching this one.
Netwrix Threat Prevention blocks Active Directory attack techniques before lateral movement succeeds.
9 ways to prevent ransomware attacks
The nine controls below follow a deliberate priority sequence. The first four stop most incidents at the entry and escalation points. The next three improve resilience when those controls fail, and the final two ensure recovery is possible.
1. Enforce MFA on every privileged and remote access point
MFA on privileged accounts and all remote access, including RDP, VPN, and admin portals, is the single highest-return control against credential-based initial access. Absent or procedurally bypassed MFA is a consistent finding across major ransomware incidents.
Phishing-resistant MFA is the standard to target. FIDO2 security keys and device-bound passkeys resist both phishing and fatigue attacks, where attackers send repeated push notifications until a user approves.
CISA's fact sheet on phishing-resistant MFA identifies FIDO/WebAuthn as the only widely available phishing-resistant option.
Standard push-based MFA cannot stop fatigue attacks or help desk social engineering, where an attacker calls IT posing as an employee to trigger a password reset.
2. Harden your identity layer: where most attacks succeed or fail
Attackers do not need to break in when they can sign in, and increasingly, they are. Cloud account compromise climbed from 16% in 2020 to 46% in 2025, making credential abuse the fastest-growing initial access vector.
The controls that interrupt lateral movement operate at the identity layer. Apply them in this order:
- Replace standing admin accounts with just-in-time access that creates privileges only when needed and revokes them when the session ends.
- Continuously audit and remediate attack paths in Active Directory, including unconstrained delegation, Kerberoastable service accounts, and ACL/DACL permissions that grant unintended escalation routes.
- Ensure anomalous authentication and privilege escalation have real-time visibility to detect lateral movement before it reaches domain controllers.
- Block Active Directory abuse techniques, including DCSync, Skeleton Key injection, and Golden Ticket creation, before they succeed rather than alerting on them after domain compromise.
Platforms that connect Identity Threat Detection and Response (ITDR), real-time AD threat blocking, and just-in-time privileged access give security teams the evidence chain to interrupt lateral movement before it reaches domain controllers.
3. Close the phishing and email entry point
Deploy email security filtering to block malicious messages before they reach users, and run regular awareness training so staff recognize credential harvesting attempts.
Verify identity through out-of-band channels before any helpdesk action that resets credentials or changes access, since MFA fatigue attacks and impersonation calls exploit procedural gaps rather than technical ones.
Phishing-resistant MFA removes the value of harvested credentials even when those controls fail.
4. Patch internet-facing systems and known exploited vulnerabilities first
Audit all internet-facing services (RDP, VPN appliances, and remote management tools) and close anything exposed without MFA or IP allowlisting.
For everything else, use the KEV catalog to prioritize patching by what is actively being exploited rather than by severity score alone. Exposed RDP without MFA or IP allowlisting is the highest-priority item to close before any other patching work begins.
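One way to turn the KEV catalog into a patch queue for the services in your internet-facing inventory, as an added example that is not Netwrix code or part of the original guide. The feed URL and its field names (`vendorProject`, `product`, `knownRansomwareCampaignUse`, `dueDate`, `requiredAction`) are real; the sample records and the `Get-RansomwarePatchQueue` function are constructed here for illustration.

```powershell
# Rank CISA KEV entries for the products you expose to the internet, putting CVEs with
# known ransomware use and the nearest remediation deadline first.
$KevUrl = 'https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json'

function Get-RansomwarePatchQueue {
    param(
        [Parameter(Mandatory)] $Kev,                          # object returned by Invoke-RestMethod $KevUrl
        [Parameter(Mandatory)] [string[]] $ExposedProducts    # substrings matched against vendorProject/product
    )
    $Kev.vulnerabilities |
        Where-Object {
            $entry = $_
            # Keep the entry if any exposed-product pattern matches its vendor or product name.
            $ExposedProducts | Where-Object { "$($entry.vendorProject) $($entry.product)" -like "*$_*" }
        } |
        # $false sorts before $true, so "Known" ransomware use comes first, then earliest due date.
        Sort-Object @{ Expression = { $_.knownRansomwareCampaignUse -ne 'Known' } },
                    @{ Expression = { [datetime]$_.dueDate } } |
        Select-Object cveID, vendorProject, product, knownRansomwareCampaignUse, dueDate, requiredAction
}

# Constructed sample shaped like the real feed (placeholder CVE ids).
# In production replace it with:  $kev = Invoke-RestMethod -Uri $KevUrl
$kev = @{
    vulnerabilities = @(
        @{ cveID='CVE-0000-0001'; vendorProject='ExampleVPN'; product='Gateway'; knownRansomwareCampaignUse='Known';   dueDate='2025-03-01'; requiredAction='Apply vendor update' },
        @{ cveID='CVE-0000-0002'; vendorProject='ExampleVPN'; product='Gateway'; knownRansomwareCampaignUse='Unknown'; dueDate='2025-02-01'; requiredAction='Apply vendor update' },
        @{ cveID='CVE-0000-0003'; vendorProject='OtherCo';    product='Printer'; knownRansomwareCampaignUse='Known';   dueDate='2025-01-15'; requiredAction='Apply vendor update' }
    )
}

# Assumption: this list comes from your own inventory of exposed services.
$exposed = @('ExampleVPN', 'Remote Desktop')
Get-RansomwarePatchQueue -Kev $kev -ExposedProducts $exposed | Format-Table -AutoSize
```

With the sample data the printer CVE is dropped as not exposed, and CVE-0000-0001 lands above CVE-0000-0002 despite its later due date because KEV flags it as used in ransomware campaigns.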
5. Remove standing privileges and enforce least privilege access
Remove local admin rights from standard users and eliminate shared admin credentials. Where elevated access is needed, use time-bound privilege elevation: access is created on demand for a specific task and revoked automatically when the session ends, leaving no persistent credential to harvest.
6. Harden Active Directory and segment your network
For AD hardening, implement the tiered admin model: Tier 0 for domain controllers, Tier 1 for servers, Tier 2 for workstations. Enforce deny-logon rights so Tier 0 accounts cannot authenticate to lower tiers.
Require Privileged Access Workstations for Tier 0 activity. Continuously audit for attack paths: unconstrained delegation, Kerberoastable service accounts, and AdminSDHolder ACL modifications.
A misconfiguration found at a quarterly review is an open attack path. The same finding detected within minutes is a closed gap.
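An added example (not Netwrix code or part of the original guide) showing how the three attack paths named in sections 2 and 6 can be enumerated with the RSAT ActiveDirectory module from a read-only domain account. The 365-day service-account password window and the expected AdminSDHolder trustee list are assumptions; validate the latter against your own domain's defaults before treating differences as findings.

```powershell
Import-Module ActiveDirectory
$domain = Get-ADDomain
$dcOu   = "OU=Domain Controllers,$($domain.DistinguishedName)"

# 1. Unconstrained delegation on anything that is not a domain controller. A host with this flag
#    holds the TGT of every principal that authenticates to it, so it is a direct path to Tier 0.
$unconstrained = @()
$unconstrained += Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties TrustedForDelegation |
    Where-Object { $_.DistinguishedName -notlike "*,$dcOu" }
$unconstrained += Get-ADUser -Filter 'TrustedForDelegation -eq $true' -Properties TrustedForDelegation

# 2. Kerberoastable service accounts: enabled users with an SPN whose password is older than the
#    review window (assumption: 365 days) or that are privileged (AdminCount = 1).
#    Computer accounts rotate their passwords automatically and are skipped.
$cutoff = (Get-Date).AddDays(-365)
$kerberoastable = Get-ADUser -Filter 'ServicePrincipalName -like "*" -and Enabled -eq $true' `
        -Properties ServicePrincipalName, PasswordLastSet, AdminCount |
    Where-Object { $_.PasswordLastSet -lt $cutoff -or $_.AdminCount -eq 1 } |
    Select-Object SamAccountName, PasswordLastSet, AdminCount,
                  @{ n = 'SPN'; e = { $_.ServicePrincipalName -join ';' } }

# 3. AdminSDHolder ACL: SDProp copies this ACL onto every protected account (Domain Admins etc.),
#    so an unexpected ACE here is a persistent escalation path. Baseline trustees are an assumption.
$expectedTrustees = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users', 'Everyone',
    'BUILTIN\Administrators', 'BUILTIN\Pre-Windows 2000 Compatible Access',
    'BUILTIN\Terminal Server License Servers', 'BUILTIN\Windows Authorization Access Group',
    "$($domain.NetBIOSName)\Domain Admins", "$($domain.NetBIOSName)\Enterprise Admins",
    "$($domain.NetBIOSName)\Cert Publishers"
)
$sdHolder = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$unexpectedAces = $sdHolder.Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -notin $expectedTrustees }

"Unconstrained delegation (non-DC objects): $($unconstrained.Count)"
$unconstrained | Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize
"Kerberoastable accounts needing review: $($kerberoastable.Count)"
$kerberoastable | Format-Table -AutoSize
"AdminSDHolder ACEs outside the expected trustee set: $($unexpectedAces.Count)"
$unexpectedAces | Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType | Format-Table -AutoSize
```

Scheduling this to run frequently, and diffing its output against the previous run, is what turns the quarterly finding described above into a gap closed within minutes.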
For network segmentation, isolate critical systems and backup infrastructure from general user networks so an attacker with a foothold on a workstation cannot reach domain controllers or backup consoles.
Netwrix Privilege Secure replaces standing admin accounts with ephemeral, task-scoped sessions that revoke automatically.
7. Deploy endpoint detection and behavioral monitoring
Deploy EDR/XDR with behavioral detection enabled and actively monitored. Configure it to alert on unusual file encryption activity, anomalous process behavior, and mass file access patterns, which are the signals that appear before encryption deploys.
Signature-based detection alone will not catch identity-based or living-off-the-land techniques; behavioral rules are required.
Insight Credit Union cut ransomware detection from hours to minutes with real-time behavioral alerts, shifting the outcome from containment to prevention.
8. Build an immutable, offline backup strategy
Backups are a recovery control, not a prevention control. Attackers often try to disable or reach recovery systems before deploying the main payload.
NIST ransomware guidance recommends maintaining multiple backup copies in geographically separate locations, including at least one offline or immutable copy.
In practice, this maps to the 3-2-1-1-0 framework most backup practitioners use: three copies, two media types, one offsite, one immutable or offline copy that ransomware cannot reach even with compromised credentials, and zero errors on verified restores.
A compromised Domain Admin account should not reach your backup consoles.
9. Test restores before you need them
Having backups is not the same as being able to recover. Regular restore testing should confirm that:
- Time-to-recovery meets the defined RTO target for each critical system.
- Recovery order matches business impact, with the most critical systems restored first.
- Backup integrity holds: the restored data is complete and uncorrupted before it is needed.
Organizations that test quarterly find gaps when they can be fixed. Those that test for the first time during an incident find them when they cannot.
Close the identity path ransomware follows
Most ransomware incidents trace back to an identity and access gap that was known, deprioritized, and eventually exploited.
The controls that interrupt the attack chain are not new: phishing-resistant MFA, zero standing privilege, Active Directory hardening, and tested backups have been consistent recommendations for years.
What separates organizations that maintain resilience from those that do not is rarely a knowledge gap. It is the discipline to close exposures before attackers find them.
For organizations running Microsoft-heavy hybrid environments, closing that gap starts with two specific controls:
- Blocking Active Directory attack techniques before they succeed with Netwrix Threat Prevention
- Eliminating standing privileges with Netwrix Privilege Secure
Both address the identity path ransomware follows in the lateral movement stage, before encryption is ever deployed.
Request a Netwrix demo to see the identity and access gaps ransomware exploits in your environment.
Ransomware prevention: questions security leaders ask