Defending Against Ransomware: The 5 Controls That Actually Matter
Ransomware remains one of the most significant operational threats to mid-market organizations. Despite the complexity of modern malware, the initial entry points and propagation methods used by threat actors have remained remarkably consistent.
Most attacks do not rely on zero-day exploits. Instead, they exploit simple gaps in basic hygiene. By focusing your security budget and engineering time on the following five high-impact controls, you can block the vast majority of ransomware vectors.
1. Enforce Phishing-Resistant MFA Everywhere
Identity is the perimeter. Compromised credentials are the leading cause of business email compromise (BEC) and network entry.
- The standard: Multi-factor authentication (MFA) must be enforced for 100% of accounts—no exceptions for executives or service accounts.
- The priority: Move away from SMS and standard push notifications, which are vulnerable to SIM-swapping and “MFA fatigue” attacks. Implement phishing-resistant MFA (such as FIDO2 security keys or managed authenticator matching) for critical access points.
2. Isolate and Test Your Backups
If ransomware hits, your backups are your lifeline. Unfortunately, ransomware operators actively hunt for backup servers first to prevent you from restoring without paying.
- Immutable Backups: Backups must be stored in a write-once-read-many (WORM) format or an offline/immutable cloud vault.
- Tested Restores: A backup is only as good as its restore process. Conduct quarterly restoration drills of your active database and virtual machine configurations.
3. Deploy Managed Detection and Response (MDR)
Traditional signature-based antivirus cannot stop advanced threat actors who use legitimate administrative tools (known as “living off the land”) to navigate your network.
- EDR/MDR: Deploy Endpoint Detection and Response (EDR) agents to all workstations and servers.
- 24/7 Monitoring: Pair your tools with a Security Operations Center (SOC) that monitors alerts 24/7. An intrusion that starts at 10 PM on a Friday will encrypt your systems by Saturday morning if there are no eyes on the console.
4. Patch Exploitable, Internet-Facing Systems
External vulnerability scans show that many breaches start with unpatched VPN gateways, firewalls, or remote desktop (RDP) portals exposed to the public internet.
- Vulnerability Scanning: Run weekly external vulnerability scans to detect exposed services.
- Emergency Patch Cycle: Establish a 24-to-48-hour emergency patch cycle for high-severity vulnerabilities in edge infrastructure.
5. Standardize on the Principle of Least Privilege
Once an attacker gains entry to a standard laptop, they seek to escalate their privileges to Domain Admin to distribute the ransomware payload across the entire domain.
- Remove Local Admin Rights: Standard users should not have local administrator rights on their laptops. This blocks unauthorized software installation and payload execution.
- Tiered Admin Accounts: Administrators must use separate accounts for day-to-day work (email, web browsing) and administrative tasks.
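As an added example (not from the original article), the following Python script encodes controls 1 and 5 as checks over an identity inventory, so that the "no exceptions" MFA rule, the phishing-resistant requirement for privileged access, and the tiered-account and local-admin rules can be audited mechanically. The record layout and field names (kind, mfa, is_admin, daily_use, local_admin) are assumptions for this example; the sample inventory is constructed, and in practice the records would be mapped from an IdP or Active Directory export.

```python
from dataclasses import dataclass

# Methods treated as phishing-resistant for privileged access (assumption for this example)
PHISHING_RESISTANT = {"fido2", "certificate"}


@dataclass
class Account:
    name: str
    kind: str                  # "user", "executive" or "service"
    mfa: str                   # "none", "sms", "push", "fido2", "certificate"
    is_admin: bool = False     # holds Domain Admin or equivalent rights
    daily_use: bool = False    # also used for email / web browsing
    local_admin: bool = False  # member of the local Administrators group


def audit(accounts):
    """Return (account name, finding) pairs for every control violation found."""
    findings = []
    for a in accounts:
        if a.mfa == "none":
            # Control 1: MFA on 100% of accounts, executives and service accounts included
            findings.append((a.name, f"no MFA ({a.kind} account)"))
        elif a.is_admin and a.mfa not in PHISHING_RESISTANT:
            # Control 1: SMS/push remain exposed to SIM-swapping and MFA fatigue
            findings.append((a.name, f"admin uses non-phishing-resistant MFA: {a.mfa}"))
        if a.is_admin and a.daily_use:
            # Control 5: tiered accounts, admin identity must not do day-to-day work
            findings.append((a.name, "admin account used for day-to-day work"))
        if not a.is_admin and a.local_admin:
            # Control 5: standard users should not hold local administrator rights
            findings.append((a.name, "standard user has local administrator rights"))
    return findings


# Constructed sample inventory (not real data)
SAMPLE = [
    Account("cfo", "executive", "none"),
    Account("svc-backup", "service", "none", is_admin=True),
    Account("jdoe", "user", "push", local_admin=True),
    Account("jdoe-adm", "user", "fido2", is_admin=True),
    Account("asmith", "user", "push", is_admin=True, daily_use=True),
    Account("mlee", "user", "fido2"),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```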
Action Plan: Where to Start?
If you are unsure of your current posture, start by performing a baseline review of your identity controls and backup configurations.
Our team regularly guides mid-market companies through pragmatic risk reviews to close these exact gaps before threat actors find them. If you want to check your readiness, consider running a Free Security Self-Assessment to see where your organization stands.