Ransomware prevention and recovery: a complete guide

Ransomware has evolved from a nuisance into a multibillion-dollar criminal industry. South African organisations are not exempt - the country consistently ranks among the most targeted in Africa, with attacks hitting businesses of all sizes across every sector.

Understanding how ransomware works, how to prevent it, and how to recover from it is essential knowledge for every business leader and IT team.

How ransomware works

Ransomware is malicious software that encrypts your files and demands payment - usually in cryptocurrency - for the decryption key. Modern ransomware operations have evolved well beyond simple encryption:

  • Double extortion - attackers exfiltrate your data before encrypting it, then threaten to publish it if you don’t pay. Even if you restore from backups, you still face the data leak.
  • Triple extortion - in addition to encryption and data theft, attackers contact your customers, partners, or regulators directly to increase pressure.
  • Ransomware-as-a-Service (RaaS) - criminal groups build ransomware platforms and sell access to affiliates, dramatically lowering the barrier to entry. The attackers targeting your business may be relatively unsophisticated operators using someone else’s tools.

The typical ransomware attack follows a pattern: initial access, lateral movement through your network over days or weeks (establishing persistence and identifying high-value targets), data exfiltration, and finally, encryption of as many systems as possible simultaneously for maximum impact.

Common attack vectors

Phishing emails

Phishing remains the most common initial access method. A convincing email persuades an employee to click a malicious link or open an infected attachment. From there, the attacker gains a foothold on the endpoint and begins expanding their access.

Remote Desktop Protocol (RDP)

Exposed RDP services with weak credentials are a favourite target. Attackers use automated tools to scan the internet for open RDP ports and brute-force their way in. If your RDP is accessible from the internet - even on a non-standard port - you are being scanned. Moving the port is not a control: put RDP behind a VPN or a remote desktop gateway that enforces MFA, and lock out or rate-limit accounts after repeated failed logons so that a brute-force attempt shows up in your logs as a burst of failures rather than a quiet success.

Exploiting vulnerabilities

Unpatched systems provide direct entry points. VPN appliances, web servers, and edge devices are particularly attractive targets because they’re internet-facing and often overlooked in patching programmes.

Supply chain compromise

Attackers increasingly target software vendors and service providers to reach their customers. The Kaseya VSA incident, in which the REvil group pushed ransomware to managed service providers' customers through the compromised management tool, and the SolarWinds compromise demonstrated how a single compromised vendor can affect thousands of downstream organisations.

Prevention: building your defences

No single control stops ransomware. Defence in depth - multiple overlapping layers - is the only effective strategy.

Patch management

Keep operating systems, applications, and firmware current. Prioritise internet-facing systems and known exploited vulnerabilities. Automated patch deployment through your managed IT platform ensures patches actually get applied rather than languishing in approval queues.

Multi-factor authentication (MFA)

Enforce MFA everywhere, particularly on:

  • Email accounts
  • VPN connections
  • Remote access tools (RDP, remote desktop gateways)
  • Administrative accounts
  • Cloud services

MFA blocks the vast majority of credential-based attacks. It is the single highest-impact security control you can implement today. It is not infallible, though: push-notification fatigue (bombarding a user with prompts until one is approved) and real-time phishing proxies can defeat SMS, push and one-time-code factors. Use phishing-resistant methods such as FIDO2 security keys or platform authenticators for administrators and other high-value accounts, and treat a flood of denied push prompts as an alert, not noise.

Integrate MFA as part of a comprehensive identity and access management strategy that includes privileged access management, conditional access policies, and regular access reviews.

Network segmentation

Flat networks allow ransomware to spread from a single compromised endpoint to every system. Segmentation divides your network into zones, limiting lateral movement. Critical servers, operational technology, and backups should be on isolated segments with strict access controls between them.

Endpoint Detection and Response (EDR)

Deploy EDR agents on every endpoint. Modern EDR platforms detect ransomware behaviour - mass file encryption, shadow copy deletion, credential dumping - and can automatically isolate compromised devices before the damage spreads.

Email security

Layer email security controls:

  • Spam and phishing filters - block known malicious senders and domains
  • Attachment sandboxing - detonate suspicious attachments in an isolated environment before delivery
  • Link rewriting - check URLs at time of click, not just at time of delivery
  • SPF, DKIM, and DMARC - make it hard for attackers to spoof your own domain to your customers and staff, and (with DMARC reporting) tell you when someone tries. They do nothing against phishing sent from lookalike or newly registered domains, which the filters above must catch.

Your cybersecurity and security operations programme should treat email security as a primary defence layer.
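Most domains publish SPF and DMARC records but leave them in a monitoring-only state that stops nothing. The following is an added example, not code from the article or its authors, that checks the records for the weak settings beside the corrected ones. It works on record strings you pass in (for example, copied from `dig TXT example.com`), so it runs offline; the records at the bottom are constructed for illustration. DKIM is not covered because checking it needs the selector's public key and a signed message, not just a DNS record.

```python
"""Lint SPF and DMARC TXT records for settings that leave a domain spoofable.

Added example, not the article's own code. Records are passed in as strings;
the ones at the bottom are constructed for illustration.
"""


def lint_spf(record: str) -> list[str]:
    """Return findings for an SPF record ('' means no record published)."""
    findings = []
    if not record.strip():
        return ["no SPF record: any server can send mail claiming to be your domain"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        findings.append("record does not begin with v=spf1; receivers will ignore it")
    if any(t.lower().lstrip("+-~?").startswith("ptr") for t in terms[1:]):
        findings.append("uses the deprecated ptr mechanism; slow and unreliable")
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no terminal 'all' mechanism: unlisted senders get a neutral result")
    else:
        first = all_terms[-1][0]
        qualifier = first if first in "+-~?" else "+"   # bare 'all' means '+all'
        if qualifier == "+":
            findings.append("+all: every sender on the internet passes SPF")
        elif qualifier == "?":
            findings.append("?all: neutral result, effectively no policy")
        elif qualifier == "~":
            findings.append("~all softfail: most receivers only mark spoofed mail as spam; use -all")
    return findings


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'k=v; k=v' into a tag dictionary (keys lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_dmarc(record: str) -> list[str]:
    """Return findings for a DMARC record ('' means no record published)."""
    findings = []
    if not record.strip():
        return ["no DMARC record: SPF/DKIM failures are never acted on and you get no reports"]
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        findings.append("record must begin with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy == "":
        findings.append("missing p= tag; record is invalid")
    elif policy == "none":
        findings.append("p=none: monitor only, spoofed mail is still delivered; move to quarantine, then reject")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam rather than being rejected")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only a sample of messages")
    if "rua" not in tags:
        findings.append("no rua= address: you will not receive aggregate reports showing who spoofs you")
    if policy == "reject" and tags.get("sp", "reject").lower() != "reject":
        findings.append("sp= is weaker than p=: subdomains can still be spoofed")
    return findings


# Constructed records (hypothetical domain), weak setting beside the corrected one.
WEAK_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net ~all"
HARDENED_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none"
HARDENED_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("hardened", HARDENED_SPF, HARDENED_DMARC)):
        print(f"{label}: SPF {lint_spf(spf) or 'ok'}; DMARC {lint_dmarc(dmarc) or 'ok'}")
```

Roll out `-all` and `p=reject` only after DMARC aggregate reports confirm every legitimate sender (marketing platforms, ticketing systems, the MSP's monitoring tools) is covered by SPF or DKIM; otherwise you will reject your own mail.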

Security awareness training

Technology controls catch most threats, but some will reach users. Regular, practical training helps employees recognise phishing attempts and report them. The most effective training is short, frequent, and includes simulated phishing campaigns that provide immediate, constructive feedback.

Privilege management

Operate on the principle of least privilege. Users should have only the access they need to do their jobs. Administrative privileges should be tightly controlled and monitored. A compromised account with local admin rights is far more dangerous than a standard user account.

Detection: catching attacks early

Prevention reduces risk but cannot eliminate it. Detection capabilities give you the chance to stop an attack before encryption begins.

Key detection capabilities include:

  • 24/7 monitoring - attackers don’t work business hours. Security monitoring must be continuous.
  • Behavioural analytics - detecting unusual patterns such as a user account accessing systems it normally doesn’t, large-scale file access, or data moving to unusual destinations.
  • Canary files and honeypots - deliberately placed decoy files and systems that trigger alerts when accessed.
  • Log aggregation and correlation - collecting logs from endpoints, servers, network devices, and cloud services into a central platform for analysis.

The window between initial compromise and encryption is your opportunity to intervene. Detecting an intrusion at the lateral movement stage, rather than after encryption, is the difference between a contained incident and a catastrophe.
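What log correlation looks like in practice, as an added example that is not code from the article or its authors: three rules run over aggregated Windows Security events, covering the RDP brute force described under attack vectors, the moment that brute force succeeds, and the shadow-copy deletion EDR platforms look for. The JSON event records, field names and thresholds are constructed for illustration; the fields are an assumed normalised schema (as a SIEM or log shipper would produce), not the raw Windows event XML.

```python
"""Correlate Windows Security events to catch a ransomware intrusion before encryption.

Added example, not the article's own code. Events are JSON lines in an
assumed normalised schema; the sample records and thresholds are constructed.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10                         # RemoteInteractive (RDP)
BRUTE_FORCE_THRESHOLD = 5                   # failed RDP logons from one source...
BRUTE_FORCE_WINDOW = timedelta(minutes=5)   # ...inside this window

# Each tuple lists substrings that must all appear in the normalised command line.
# These commands destroy the recovery options ransomware wants gone before encrypting.
SHADOW_COPY_TAMPERING = (
    ("vssadmin", "delete shadows"),
    ("wmic", "shadowcopy delete"),
    ("bcdedit", "recoveryenabled no"),
    ("wbadmin", "delete catalog"),
)


def is_shadow_copy_tampering(command_line: str) -> bool:
    """True if the command line matches a known recovery-destruction command."""
    norm = " ".join(command_line.lower().split())   # collapse case and spacing tricks
    return any(all(part in norm for part in pattern) for pattern in SHADOW_COPY_TAMPERING)


def correlate(lines):
    """Run the rules over JSON event lines (oldest first) and return alerts."""
    alerts = []
    failures = defaultdict(deque)   # src_ip -> timestamps of recent RDP failures
    flagged = set()                 # sources already alerted for brute force
    for line in lines:
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["time"])
        if ev["event_id"] == 4625 and ev.get("logon_type") == RDP_LOGON_TYPE:
            recent = failures[ev["src_ip"]]
            recent.append(ts)
            while recent and ts - recent[0] > BRUTE_FORCE_WINDOW:
                recent.popleft()                     # drop failures outside the window
            if len(recent) >= BRUTE_FORCE_THRESHOLD and ev["src_ip"] not in flagged:
                flagged.add(ev["src_ip"])
                alerts.append({"severity": "high", "rule": "rdp_brute_force",
                               "src_ip": ev["src_ip"], "host": ev["host"],
                               "count": len(recent), "time": ev["time"]})
        elif ev["event_id"] == 4624 and ev.get("logon_type") == RDP_LOGON_TYPE:
            # A success from a source that was brute-forcing is the real emergency:
            # the attacker now has an interactive session.
            if ev["src_ip"] in flagged:
                alerts.append({"severity": "critical", "rule": "rdp_brute_force_success",
                               "src_ip": ev["src_ip"], "user": ev["user"],
                               "host": ev["host"], "time": ev["time"]})
        elif ev["event_id"] == 4688 and is_shadow_copy_tampering(ev.get("command_line", "")):
            alerts.append({"severity": "critical", "rule": "shadow_copy_tampering",
                           "host": ev["host"], "user": ev["user"],
                           "command_line": ev["command_line"], "time": ev["time"]})
    return alerts


# Constructed sample: six failures from one source, one stray failure from another,
# then a success from the first source, then recovery destruction on a file server.
_base = datetime(2024, 3, 1, 2, 14, 0)
_events = [
    {"time": (_base + timedelta(seconds=20 * i)).isoformat(), "event_id": 4625,
     "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator", "host": "RDS01"}
    for i in range(6)
] + [
    {"time": (_base + timedelta(minutes=2)).isoformat(), "event_id": 4625,
     "logon_type": 10, "src_ip": "198.51.100.4", "user": "jsmith", "host": "RDS01"},
    {"time": (_base + timedelta(minutes=3)).isoformat(), "event_id": 4624,
     "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator", "host": "RDS01"},
    {"time": (_base + timedelta(minutes=40)).isoformat(), "event_id": 4688,
     "host": "FS01", "user": "administrator",
     "command_line": "notepad.exe C:\\Users\\Public\\notes.txt"},
    {"time": (_base + timedelta(minutes=41)).isoformat(), "event_id": 4688,
     "host": "FS01", "user": "administrator",
     "command_line": "vssadmin.exe  Delete Shadows /All /Quiet"},
]
SAMPLE_EVENTS = [json.dumps(e) for e in _events]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

The single failure from the second source never reaches the threshold and produces nothing, which is the point of a window: one mistyped password is not an incident, five in five minutes from the same address is. Process-creation events (4688) only carry the command line if command-line auditing is enabled in Group Policy, so check that before relying on the third rule.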

Response and recovery

Incident response plan

Have a documented, tested incident response plan before you need it. The plan should cover:

  • Roles and responsibilities - who makes decisions, who communicates, who executes technical response
  • Communication protocols - internal communication, customer notification, regulatory reporting, media handling
  • Containment procedures - how to isolate affected systems quickly
  • Evidence preservation - maintaining forensic integrity for investigation and potential law enforcement engagement
  • Recovery procedures - the step-by-step process for restoring operations

To pay or not to pay

This is the question every ransomware victim faces. The pragmatic considerations:

Arguments against paying:

  • Payment funds criminal operations and incentivises further attacks
  • There’s no guarantee you’ll receive a working decryption key
  • Decryption is often slow and incomplete even with the key
  • You may be targeted again - paying marks you as willing
  • Depending on the attacker group, payment may violate sanctions regulations

Arguments for paying:

  • If you have no viable backups and the data is essential to business survival, you may have no alternative
  • Some cyber insurance policies cover ransom payments (though this is changing)

The best position is to never face this decision because you have reliable, tested backups that enable recovery without paying.

Backup strategies for ransomware resilience

Backups are your last line of defence, but only if they’re designed to survive a ransomware attack. Standard backups connected to your network will likely be encrypted along with everything else.

Ransomware-resilient backup practices:

  • Air-gapped or immutable backups - at least one copy of your backups should be either physically disconnected from your network or stored in an immutable format that cannot be modified or deleted, even by an administrator
  • The 3-2-1-1-0 rule - three copies, two different media types, one offsite, one offline/immutable, zero errors (verified through testing)
  • Backup account isolation - the accounts used to manage backups should be separate from your standard domain accounts, so that a compromised domain admin can’t delete your backups
  • Regular testing - restore from backup regularly to verify that your backups actually work. An untested backup is not a backup.

Building ransomware resilience into your business continuity and disaster recovery programme ensures that when - not if - an incident occurs, you can recover.
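The "zero errors" part of 3-2-1-1-0 is the step most often skipped. As an added example, not code from the article or its authors, the following takes a SHA-256 manifest at backup time, signs it with an HMAC key kept off the backup system (a hypothetical out-of-band secret), and checks a restored copy against it so that missing, altered or unexpected files are reported rather than discovered during an outage. The files are constructed in a temporary directory for illustration.

```python
"""Verify that a restored backup matches what was backed up.

Added example, not the article's own code. The manifest key is assumed to be
held off the backup system; the sample files are constructed in a temp dir.
"""
import hashlib
import hmac
import json
import os
import shutil
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path relative to root to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): _sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def _canonical(manifest: dict[str, str]) -> bytes:
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict[str, str], key: bytes) -> bytes:
    """Attach an HMAC so that an attacker who can edit files on the backup
    store cannot also silently rewrite the manifest to match."""
    tag = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return json.dumps({"manifest": manifest, "hmac": tag}, sort_keys=True).encode()


def load_manifest(signed: bytes, key: bytes) -> dict[str, str]:
    """Return the manifest only if its HMAC verifies under the given key."""
    doc = json.loads(signed)
    expected = hmac.new(key, _canonical(doc["manifest"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("manifest signature mismatch: manifest or key has been tampered with")
    return doc["manifest"]


def verify_restore(manifest: dict[str, str], restore_root: Path) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest taken at backup time."""
    restored = build_manifest(restore_root)
    return {
        "missing": sorted(set(manifest) - set(restored)),
        "modified": sorted(p for p in manifest if p in restored and restored[p] != manifest[p]),
        "extra": sorted(set(restored) - set(manifest)),
        "ok": sorted(p for p in manifest if restored.get(p) == manifest[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: three files are backed up; the restore has one
    corrupted file, one missing file and one stray file that was never backed up."""
    work = Path(tempfile.mkdtemp())
    try:
        src = work / "source"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("2024-03-01,invoice,1500\n")
        (src / "finance" / "payroll.csv").write_text("jsmith,42000\n")
        (src / "readme.txt").write_text("quarterly close\n")

        key = os.urandom(32)       # in practice: stored away from the backup system
        signed = sign_manifest(build_manifest(src), key)

        restored = work / "restored"
        shutil.copytree(src, restored)
        (restored / "finance" / "ledger.csv").write_text("2024-03-01,invoice,15\n")
        (restored / "finance" / "payroll.csv").unlink()
        (restored / "stray.exe").write_bytes(b"MZ")

        return verify_restore(load_manifest(signed, key), restored)
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the restore test against the offline or immutable copy, not the online one, and from an account that cannot write to the backup store; a test that only ever touches the copy an attacker can reach proves nothing about the copy you will actually need.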

After an attack: lessons learned

Every incident, whether prevented, detected early, or fully realised, generates valuable information. A structured post-incident review should identify:

  • How did the attacker gain initial access?
  • What controls failed, and why?
  • What controls worked, and what can be reinforced?
  • How effective was the response?
  • What process, policy, or technical changes would improve your posture?

These findings should drive concrete improvements, not just populate a report that sits in a drawer.

Take action now

Ransomware preparedness isn’t something you can defer. The cost of preparation is a fraction of the cost of recovery - and immeasurably less than the cost of an attack you can’t recover from.

Contact us to assess your ransomware readiness. We’ll review your prevention controls, test your backup resilience, and help you build an incident response capability that ensures your business can withstand and recover from a ransomware attack.
