How to Protect Your Business From Ransomware
What ransomware is
Ransomware is malicious software that encrypts your files and demands payment for the decryption key. Modern attacks also steal data first and threaten to publish it, so paying rarely ends the problem. For a small or mid-sized business, a single infection can halt operations, invoicing, and customer service for days. The good news: almost every successful attack relies on a handful of preventable weaknesses.
How ransomware gets in
- Phishing email with a malicious attachment or link.
- Exposed remote access, especially RDP or SSH open to the whole internet with weak passwords.
- Unpatched software: VPN gateways, firewalls, CMS plugins, and operating systems.
- Reused or leaked credentials without multi-factor authentication.
- Compromised suppliers or software updates.
Defend in layers
1. Back up with the 3-2-1 rule
Keep three copies of your data on two types of media, with one copy offline or immutable and off-site. Immutable backups cannot be altered or deleted by an attacker who reaches your servers. Test a full restore at least quarterly; a backup you have never restored is only a hope.
2. Patch quickly
Most ransomware exploits vulnerabilities that were fixed months earlier. Enable automatic security updates and prioritise internet-facing systems.
3. Enforce MFA and strong passwords
Require multi-factor authentication on email, VPN, remote desktop, and admin panels. This single step blocks the majority of credential-based intrusions.
4. Lock down remote access
Never expose RDP directly. Put remote access behind a VPN, restrict source IPs on your Firewall, and use key-based SSH.
5. Filter email and train staff
Use spam and attachment filtering, and teach staff to report suspicious messages. Block or sandbox Office macros that arrive from the internet.
6. Segment and limit privileges
Give users and services only the access they need. Network segmentation stops one infected machine from reaching every server and backup.
Practical server hardening
# Ubuntu/Debian: enable automatic security updates sudo apt install unattended-upgrades sudo dpkg-reconfigure --priority=low unattended-upgrades # SSH: key-only login, disable root and passwords sudo sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config sudo sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config sudo systemctl restart ssh # Firewall: deny by default, allow only what you need sudo ufw default deny incoming sudo ufw allow 22/tcp sudo ufw enable # Slow down brute force sudo apt install fail2ban && sudo systemctl enable --now fail2ban # Immutable off-site backup with restic restic -r sftp:backup@backup.example.com:/srv/backups init restic -r sftp:backup@backup.example.com:/srv/backups backup /var/www /etc
If you are hit
- Isolate affected machines: disconnect the network, but do not power off if you need forensics.
- Identify the scope and preserve logs.
- Do not pay if avoidable; payment funds crime and does not guarantee recovery.
- Rebuild systems, then restore from clean, verified backups.
- Rotate all passwords and keys.
- Report to authorities and affected parties as required.
NIS2 and GDPR
If your company falls under NIS2 or handles personal data, a ransomware incident likely triggers reporting duties within tight deadlines. Keeping backups and logs inside the EU simplifies compliance and data sovereignty.
Takeaway
You cannot make an attack impossible, but tested offline backups, fast patching, and MFA turn most ransomware from a disaster into an inconvenience. Start with a backup you have actually restored.