Ransomware Protection: A Multi-Layered Defence Strategy

February 26, 2026 Editorial Team 7 min read

Ransomware remains the most financially devastating cyber threat facing Australian organisations. Attackers encrypt critical data and demand payment, often coupling encryption with data theft for double extortion. No single product can stop ransomware — effective protection requires layered defences spanning email security, endpoint protection, patching, immutable backups, and a practised incident response plan. This guide walks IT resellers through each layer of a robust defence strategy.

Understanding the Ransomware Threat Landscape

Ransomware has evolved from opportunistic attacks using commodity malware into a sophisticated criminal industry. Ransomware-as-a-Service (RaaS) platforms like LockBit, BlackCat (ALPHV), and Cl0p provide affiliate programs where operators build the malware and infrastructure while affiliates carry out the intrusions, splitting ransom payments. This model has dramatically lowered the barrier to entry, increasing both the volume and sophistication of attacks. The Australian Cyber Security Centre (ACSC) has repeatedly warned that ransomware is the most destructive cybercrime threat to Australian businesses, with average recovery costs running into hundreds of thousands of dollars.

Modern ransomware attacks typically follow a multi-stage kill chain. Initial access is gained through phishing emails, exploitation of internet-facing vulnerabilities (VPNs, RDP, web applications), or stolen credentials purchased on dark web marketplaces. Once inside, attackers establish persistence, conduct reconnaissance, move laterally to identify high-value targets such as domain controllers and file servers, exfiltrate sensitive data for double extortion leverage, disable or delete backups, and then deploy the ransomware payload across as many systems as possible — often during off-hours to maximise impact before anyone notices.

Layer 1: Email Security

Email remains the primary initial access vector for ransomware. Phishing emails carrying malicious attachments (Office documents with macros, password-protected ZIP files, ISO disc images) or links to credential harvesting pages account for the majority of initial compromises. A robust email security stack should include a cloud email gateway (such as Proofpoint, Mimecast, or Microsoft Defender for Office 365) that performs URL rewriting and time-of-click analysis, sandboxing of attachments, impersonation detection, and DMARC/DKIM/SPF enforcement. Configuring Microsoft 365 to block macro execution in documents received from the internet — as recommended by the ASD Essential Eight — eliminates one of the most common payload delivery mechanisms.

Beyond technology, user awareness training is an essential complement. Regular phishing simulations help employees recognise suspicious emails and report them to the security team rather than clicking. Training should be frequent, engaging, and tailored to the types of lures that threat actors are currently using — invoice fraud, delivery notifications, and urgent requests from executives are perennial favourites in the Australian market.

Layer 2: Endpoint Protection and EDR

Traditional antivirus based on signature matching is no longer sufficient against modern ransomware, which uses obfuscation, fileless techniques, and living-off-the-land binaries (LOLBins) to evade detection. Endpoint Detection and Response (EDR) platforms — such as CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, and Sophos Intercept X — provide behavioural analysis that monitors process activity in real time. When an EDR agent detects a process exhibiting ransomware-like behaviour (rapid file enumeration, mass file modification, shadow copy deletion), it can automatically isolate the endpoint from the network, kill the malicious process, and roll back affected files to their pre-encryption state.
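
To make the behavioural signals concrete, here is an added example (not code from the article or from any EDR vendor) that runs simplified detection logic over constructed endpoint telemetry: it flags a process that renames many files to a new extension inside a short window, and one that executes a known shadow copy deletion command line. The event tuple format, the 60-second window and the 20-rename threshold are assumptions for the demo; a real EDR attributes activity across the process tree and responds by isolating the host.

```python
from collections import defaultdict, deque
import os

# Command-line fragments associated with shadow copy deletion; each inner tuple
# must match in full so that benign commands like "vssadmin list shadows" are ignored.
SHADOW_DELETE_PATTERNS = (("vssadmin", "delete shadows"),
                          ("wmic", "shadowcopy delete"),
                          ("wbadmin", "delete catalog"))

def _ext(path):
    return os.path.splitext(path)[1].lower()

def analyse(events, window=60.0, rename_threshold=20):
    """Return {pid: [findings]} for processes showing ransomware-like behaviour.

    events: iterable of (timestamp_seconds, pid, event_type, detail), ordered by time.
    event_type is one of "proc_start", "cmd_exec" (detail = command line) or
    "file_rename" (detail = "old_path -> new_path"). Thresholds are assumptions.
    """
    recent = defaultdict(deque)   # pid -> timestamps of extension-changing renames
    findings = defaultdict(set)
    for ts, pid, etype, detail in events:
        if etype == "cmd_exec":
            cmd = detail.lower()
            if any(all(p in cmd for p in pat) for pat in SHADOW_DELETE_PATTERNS):
                findings[pid].add("shadow_copy_deletion")
        elif etype == "file_rename":
            src, dst = detail.split(" -> ", 1)
            if _ext(src) == _ext(dst):
                continue              # same extension: ordinary save/rename, not encryption
            q = recent[pid]
            q.append(ts)
            while q and ts - q[0] > window:   # keep only renames inside the sliding window
                q.popleft()
            if len(q) >= rename_threshold:
                findings[pid].add("mass_file_encryption")
    return {pid: sorted(f) for pid, f in findings.items()}

# Constructed telemetry: pid 4242 behaves like ransomware, pid 1337 is a normal Word save.
SAMPLE_EVENTS = [(100.0, 4242, "proc_start", r"C:\Users\alice\AppData\Local\Temp\invoice.exe"),
                 (100.5, 1337, "proc_start", r"C:\Program Files\Microsoft Office\winword.exe"),
                 (102.0, 1337, "file_rename",
                  r"C:\Users\alice\Documents\~WRL0001.tmp -> C:\Users\alice\Documents\report.docx"),
                 (104.0, 4242, "cmd_exec", "vssadmin.exe delete shadows /all /quiet")]
SAMPLE_EVENTS += [(101.0 + i * 0.1, 4242, "file_rename",
                   rf"C:\Share\finance\doc{i}.docx -> C:\Share\finance\doc{i}.docx.locked")
                  for i in range(25)]
SAMPLE_EVENTS.sort(key=lambda e: e[0])

if __name__ == "__main__":
    print(analyse(SAMPLE_EVENTS))
```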

For resellers, EDR is a high-value product category with strong recurring revenue. Most vendors offer MSP-friendly multi-tenant consoles that allow centralised management across client environments. When positioning EDR, emphasise the difference between passive antivirus and active detection and response — the ability to not just block known malware but to detect and contain novel attacks in real time is what justifies the premium over basic endpoint protection.

Layer 3: Patching and Vulnerability Management

Unpatched systems are the low-hanging fruit that ransomware operators exploit to gain initial access or escalate privileges. Critical vulnerabilities in internet-facing services — VPN appliances (Fortinet, Cisco, Citrix), Microsoft Exchange, and remote access tools — are routinely weaponised within days of public disclosure. The ASD Essential Eight recommends patching internet-facing services within 48 hours of a critical vulnerability being identified. For internal systems, a 14-day patch window is the target. Automated patch management tools such as Microsoft SCCM, Intune, or third-party platforms like ConnectWise Automate and Datto RMM are essential for achieving these timelines at scale across managed client environments.

Layer 4: Network Segmentation and Access Control

Flat networks are a ransomware attacker's best friend. Once they compromise a single endpoint, lateral movement to domain controllers, file servers, and backup infrastructure is trivial if no segmentation exists. Implementing network segmentation — separating workstations from servers, isolating backup networks, and restricting management plane access — forces attackers through chokepoints where monitoring and access controls can detect and block their movement. Micro-segmentation tools from vendors like Illumio and VMware NSX take this further by enforcing least-privilege communication policies between individual workloads.

Layer 5: Immutable Backups

Backups are the last line of defence against ransomware, but attackers know this and specifically target backup infrastructure. Modern ransomware will search for and delete Volume Shadow Copies, attempt to access backup servers using compromised credentials, and encrypt backup repositories that are accessible over the network. The countermeasure is immutable backups — backup copies that cannot be modified or deleted for a defined retention period, regardless of what credentials an attacker holds.

Immutability can be achieved through several mechanisms. Object lock on S3-compatible storage (AWS S3, Wasabi, MinIO) provides WORM (Write Once Read Many) protection at the storage layer. Veeam supports hardened Linux repositories where the backup files are owned by a non-root account and protected by immutability flags that even root cannot override during the retention period. Synology Active Backup for Business and QNAP QuTS hero offer snapshot-based immutability on NAS platforms. The 3-2-1-1 backup rule — three copies, two media types, one offsite, one immutable — has become the modern standard for ransomware resilience.

Layer 6: Incident Response Planning

No defence is perfect, so every organisation must prepare for the possibility of a successful ransomware attack. An incident response (IR) plan should define roles and responsibilities, communication procedures (internal and external, including notifying the ACSC and affected individuals under the Notifiable Data Breaches scheme), containment steps, evidence preservation procedures, and recovery priorities. The plan should be documented, distributed to key stakeholders, and rehearsed through tabletop exercises at least annually.

Key IR actions during a ransomware event include immediately isolating affected systems from the network to prevent further spread, preserving forensic evidence (memory dumps, disk images, log files) before attempting recovery, identifying the ransomware variant to determine whether decryptors are available, assessing the scope of data exfiltration to inform regulatory notification obligations, and engaging pre-contracted IR retainers if the incident exceeds internal capabilities. For resellers, offering IR retainer services or partnering with specialist IR firms provides another layer of value and revenue.

Cyber Insurance Considerations

Cyber insurance has become significantly harder and more expensive to obtain in Australia following the wave of high-profile ransomware incidents. Insurers now require detailed security questionnaires and may mandate specific controls — such as multi-factor authentication on all remote access, EDR on all endpoints, and immutable or air-gapped backups — as preconditions for coverage. Organisations that cannot demonstrate these controls may face exclusions, higher premiums, or outright denial of coverage. For resellers, this creates a natural upsell opportunity: helping clients implement the controls that insurers require is a tangible, business-driven reason to invest in security beyond abstract risk discussions.

Pros

  • No single point of failure — if one layer is bypassed, others contain the attack
  • Aligns with ASD Essential Eight and ACSC best practices
  • Immutable backups ensure recovery even if all other defences fail
  • Demonstrates due diligence for cyber insurance and regulatory compliance

Cons

  • Requires investment across multiple product categories and skill sets
  • Complexity increases with each layer, demanding ongoing management
  • SMBs may resist the cost until they experience an incident firsthand
  • No defence guarantees prevention — incident response planning is still essential

Ransomware is not a technology problem — it is a business risk problem. Every layer you add reduces the probability and impact, but resilience comes from preparation, not just products.

— ACSC ransomware prevention guidance principle