Ransomware Protection: How to Protect Your Business
What Is Ransomware and Why It’s a Threat to Businesses
Ransomware is a type of malicious software created with the aim of holding the devices or sensitive data of an organisation for ransom by denying access to them. This is typically done by encrypting files and making them unusable until a payment has been received.
While some threats primarily aim to lock users out of their devices, modern attacks increasingly target the data itself. In the past, many threats involved straightforward encryption of files. However, the trend has shifted towards a form of double extortion. In this approach, attackers first steal sensitive data before encrypting it, then threaten to release the information if their demands are not met.
Some attackers even go as far as triple extortion, adding a distributed-denial-of-service (DDoS) attack to increase the sense of urgency and put pressure on the victim’s customers or partners.
A well-executed ransomware attack can bring a business to an immediate halt, making it a critical threat to any organisation. Average ransom demands are huge, the cost of lost business can be severe, and the long-term reputational damage of being the victim of a highly publicised attack can be difficult to recover from.
If a business is seen to have failed to protect customer data, it can suffer severe regulatory and legal ramifications, including large fines and a variety of sanctions. The rise of Ransomware-as-a-Service (RaaS) has made the cybercrime industry even more pervasive, and it is easier than ever for even non-technical teams to orchestrate destructive attacks.
Common Entry Points Used by Ransomware Attackers
Poor cyber hygiene and opportunism are the common causes of ransomware attacks. Jimber reports that 70% of Benelux ransomware attacks in 2025 were traced back to VPN vulnerabilities. Most malicious actors are capitalising on compromised credentials and unpatched software.
Initial Access Brokers sell unauthorised entry into networks, weaponising user identity at scale. A primary target of these attacks is Active Directory. Lepide reports that 79% of organisations have users with improper permissions and that 25% of data breaches are caused by unauthorised permission changes.
Phishing email campaigns, where attackers send malicious emails hoping to trick employees into opening attachments laden with malware, are also a common entry point. By infecting the employee’s device, the attacker can gain network access. This threat is being amplified by AI-driven phishing, which further increases the velocity of these campaigns and allows attackers to reach more potential victims than ever before.
Typical Security Gaps That Increase Organizational Risk
Organisational risk from ransomware is meaningfully increased by poor identity management, unpatched infrastructure and a significant lack of visibility into the organisation’s own digital footprint. Lepide states that “up to 30% of corporate accounts are inactive and orphaned” (belonging to contractors or former employees). These accounts are unmonitored and offer attackers an easy entry point, one that is far easier to exploit than the active account of a current employee, with all the protections an enterprise account may afford.
The scale of unpatched infrastructure is made apparent by statistics such as 79% of organisations facing moderate to high levels of accumulated technical debt. Herodevs also cite outdated systems that are not regularly patched for security issues as being “four times more likely” to be weaponised by attackers. Another common infrastructure vulnerability is a lack of network segmentation. Many networks provide no security boundaries between critical systems and the areas needed by the average user. This lack of defence in depth means that an infection can spread rapidly throughout an entire business.
Visibility and operational gaps are a near-universal problem. 76% of organisations have suffered cyber incidents due to shadow IT (unknown and unmanaged internet-enabled devices being used by employees). HornetSecurity’s 2025 Ransomware Impact Report states that 74% of organisations offer ransomware protection training, but 42% of security leaders think that this training is ineffective.
In huge numbers, organisations are leaving themselves open to major security breaches by remaining in the dark about how their employees use internet-facing devices, or by failing to educate employees on the risks of doing so.
How Credential Compromise Enables Ransomware Spread
Credential compromise allows ransomware to spread by sidestepping traditional enterprise security controls and letting malicious actors operate from a position of privileged access. If attackers obtain valid logins, whether through successful phishing attacks or from Initial Access Brokers, they can enter networks unchallenged and remain undetected for long periods of time. Once in the network, attackers can use administrative protocols to move to other systems.
By harvesting more credentials, typically via Active Directory, in a process known as a “credential cascade”, attackers can reach increasingly higher-value targets. To protect themselves in case their original credentials are no longer usable, attackers could even create new, hidden user accounts to provide themselves with persistent access.
If ransomware attackers gain access to high-privilege credentials such as Domain Admin rights, they could push ransomware to every device connected to the network at the same time. Attackers with administrative access can cause system-wide havoc by disabling security tools such as Endpoint Detection and Response (EDR) or antivirus software, or by targeting recovery infrastructure and deleting or encrypting backups.
Best Practices for Ransomware Protection in the Workplace
Effective ransomware protection in the workplace requires a multi-layered, proactive strategy that addresses technical weaknesses, identity management vulnerabilities, and the human element.
Enforcing universal, mandatory multi-factor authentication is the single greatest lever an organisation can pull in the defence against credential theft. Businesses should deploy phishing-resistant MFA for all network and email access. This is especially important for privileged accounts and anyone connecting via VPN.
User access should be assigned according to the Principle of Least Privilege (PoLP), restricting users to the bare minimum permissions necessary for their positions. This should be paired with regular Active Directory audits that routinely review and clean up AD accounts. The deletion of inactive and orphaned accounts should be automated so that they cannot eventually become points of entry for malicious actors.
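The account audit described above, as an added example that is not part of the original article or of any vendor's product: it runs over a constructed Active Directory user export (hypothetical account names, statuses and dates) joined with the HR view of who still works for the organisation, and classifies accounts as inactive or orphaned. The field names, the 90-day inactivity threshold and the action labels are assumptions; in practice the records would come from an AD/LDAP query and the actions would feed a ticketing or automation pipeline.

```python
from datetime import date, timedelta

# Constructed sample of an AD user export joined with HR data (hypothetical
# accounts, not real data). "owner_status" is the HR view of the account owner:
# employed, contract_ended, left, or service (no human owner).
SAMPLE_ACCOUNTS = [
    {"sam": "a.smith",    "enabled": True,  "last_logon": "2025-09-28", "owner_status": "employed",       "expiry": None},
    {"sam": "b.jones",    "enabled": True,  "last_logon": "2025-03-02", "owner_status": "employed",       "expiry": None},
    {"sam": "c.contract", "enabled": True,  "last_logon": "2025-08-15", "owner_status": "contract_ended", "expiry": "2025-06-30"},
    {"sam": "d.left",     "enabled": True,  "last_logon": "2025-01-10", "owner_status": "left",           "expiry": None},
    {"sam": "svc-backup", "enabled": True,  "last_logon": None,         "owner_status": "service",        "expiry": None},
    {"sam": "e.disabled", "enabled": False, "last_logon": "2024-11-01", "owner_status": "left",           "expiry": None},
]


def parse_date(value):
    """ISO date string -> date, or None when the export has no value."""
    return date.fromisoformat(value) if value else None


def audit_accounts(accounts, today, inactive_days=90):
    """Return a finding per enabled account that is orphaned and/or inactive.

    Orphaned: the HR owner has left or the contract has ended, or the account's
    own expiry date has passed. Inactive: no logon within `inactive_days`.
    """
    cutoff = today - timedelta(days=inactive_days)
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already contained; deletion after a grace period is a separate job
        reasons = []
        last = parse_date(acct["last_logon"])
        expiry = parse_date(acct["expiry"])

        if acct["owner_status"] in ("left", "contract_ended"):
            reasons.append("orphaned: owner no longer with the organisation")
        if expiry is not None and expiry < today:
            reasons.append(f"orphaned: account expiry {expiry} has passed")
        if last is None:
            reasons.append("inactive: never logged on")
        elif last < cutoff:
            reasons.append(f"inactive: last logon {last} is older than {inactive_days} days")

        orphaned = any(r.startswith("orphaned") for r in reasons)
        # An orphaned account that is still being used is a signal in its own
        # right: somebody is logging on with credentials that should be dead.
        if orphaned and last is not None and last >= cutoff:
            reasons.append("warning: recent logon on an orphaned account, investigate")

        if not reasons:
            continue
        if orphaned:
            action = "disable_now"
        elif acct["owner_status"] == "service":
            action = "review_owner"  # service accounts need an owner decision, not blind disabling
        else:
            action = "disable_and_schedule_deletion"
        findings.append({"sam": acct["sam"], "reasons": reasons, "action": action})
    return findings


def summarise(findings):
    """Count findings per recommended action."""
    counts = {}
    for f in findings:
        counts[f["action"]] = counts.get(f["action"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_ACCOUNTS, date(2025, 10, 1)):
        print(f["sam"], f["action"], "; ".join(f["reasons"]))
    print(summarise(audit_accounts(SAMPLE_ACCOUNTS, date(2025, 10, 1))))
```

The audit disables before it deletes: orphaned accounts are disabled immediately, inactive employee accounts are disabled and queued for deletion after a grace period, and service accounts with no recorded logon are routed to a human owner rather than switched off automatically, since a backup or scheduling account may legitimately authenticate in ways an interactive last-logon field does not record.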
Adopting a Zero Trust Architecture (ZTA), which requires verification for every access request regardless of whether it originates inside the network, provides a greater level of protection and peace of mind. Technical defences are further bolstered by strategic macro- and micro-segmentation that divides the network into distinct security zones. This prevents malware from spreading from its initial infection point to more critical areas of the business.
Thorough data protection and backup strategies are vital when defending against the threat of data deletion. The 3-2-1-1-0 rule protects against these threats: maintain three copies of data on two different media types, with one copy off-site, one copy offline, and zero errors after backup verification. Backups are only effective if they work, so regularly testing the restoration process is an equally important part of providing adequate safeguards against ransomware.
Timely software patching, applying fixes to operating systems and applications as soon as they are released, reduces technical debt and closes vulnerabilities. This combines well with frequent vulnerability scans to identify and document areas of weakness and correct them as soon as possible, especially on internet-facing systems.
The human element is a challenging but important part of ransomware protection to get right. Ongoing security awareness training, established response playbooks and open communication channels that employees can use in the event of an attack mean that if the worst happens, your team knows how to protect the organisation from ransomware and can raise an alert through the proper channels quickly and effectively.
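The 3-2-1-1-0 rule from the backup paragraph above, expressed as a check over a backup inventory. This is an added example, not code from the article or from any backup product; the inventory records, media names and the 90-day restore-test window are constructed assumptions. It follows the usual reading of the rule in which the primary (production) copy counts as one of the three, and it treats a copy that has never been verified as a verification failure rather than as zero errors.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class BackupCopy:
    name: str
    media: str                           # e.g. "disk", "tape", "object-storage"
    offsite: bool                        # stored in a different physical location
    offline: bool                        # air-gapped or immutable, so unreachable to ransomware on the network
    verify_errors: Optional[int]         # errors from the last integrity verification; None = never verified
    last_restore_test: Optional[date]    # date of the last successful test restore; None = never tested


def check_3_2_1_1_0(copies, today, restore_test_max_age=timedelta(days=90)):
    """Evaluate each clause of 3-2-1-1-0 plus a restore-test freshness check.

    Returns a dict of rule name -> bool, with an overall "compliant" key.
    """
    results = {
        "three_copies": len(copies) >= 3,
        "two_media": len({c.media for c in copies}) >= 2,
        "one_offsite": any(c.offsite for c in copies),
        "one_offline": any(c.offline for c in copies),
        # None == 0 is False, so an unverified copy fails this clause by design.
        "zero_errors": all(c.verify_errors == 0 for c in copies),
        "restore_tested": any(
            c.last_restore_test is not None and today - c.last_restore_test <= restore_test_max_age
            for c in copies
        ),
    }
    results["compliant"] = all(results.values())
    return results


def failing_rules(results):
    """Names of the clauses that did not pass, in evaluation order."""
    return [name for name, ok in results.items() if name != "compliant" and not ok]


# Constructed inventories (hypothetical names and dates). The production copy
# is listed as one of the three copies.
COMPLIANT_SET = [
    BackupCopy("production-volume", "disk", offsite=False, offline=False, verify_errors=0, last_restore_test=None),
    BackupCopy("nightly-nas",       "disk", offsite=False, offline=False, verify_errors=0, last_restore_test=date(2025, 9, 20)),
    BackupCopy("cloud-immutable",   "object-storage", offsite=True, offline=True, verify_errors=0, last_restore_test=date(2025, 9, 5)),
]

NON_COMPLIANT_SET = [
    BackupCopy("production-volume", "disk", offsite=False, offline=False, verify_errors=0, last_restore_test=None),
    BackupCopy("nightly-nas",       "disk", offsite=False, offline=False, verify_errors=0, last_restore_test=date(2025, 4, 1)),
    BackupCopy("offsite-tape",      "tape", offsite=True,  offline=True,  verify_errors=3, last_restore_test=None),
]


if __name__ == "__main__":
    today = date(2025, 10, 1)
    for label, copies in (("compliant", COMPLIANT_SET), ("non-compliant", NON_COMPLIANT_SET)):
        res = check_3_2_1_1_0(copies, today)
        print(label, res["compliant"], failing_rules(res))
```

The second inventory has three copies on two media with an off-site, offline tape, so it satisfies the counting clauses, yet it still fails: the tape's last verification reported errors, and the only restore test is six months old. That is the situation the "0" and the restore-testing advice are meant to catch, a backup set that looks complete on paper but could not actually be relied on during an incident.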
Tools and Security Measures to Strengthen Organizational Ransomware Protection
Advanced ransomware defence tools can help protect your business and stop an attack while it is still only a vulnerability. EDR tools provide real-time behavioural monitoring and can contain or roll back threats before an organisation’s data can be encrypted by attackers. Extended Detection and Response (XDR) goes even further by integrating data across endpoints, networks, cloud apps, and SaaS providers. Network Detection and Response (NDR) is a crucial tool for identifying double extortion attempts by detecting exfiltration tools and flagging suspicious outbound traffic patterns.
Domain Name System (DNS) Security can block malicious activity in its earliest stages by highlighting traffic with malicious intent before network transactions are completed. Similarly, Security Information and Event Management (SIEM) platforms centralise logs so that organisations can be alerted in real time and workflows can be automated to contain intrusions.
How 1Password Helps Provide Credential-Based Ransomware Protection
1Password reduces the attack surface available to ransomware by addressing the human errors that attackers prey on most: weak passwords, exposed credentials, and the effectiveness of phishing scams. 1Password’s Extended Access Management platform goes one step further, providing businesses with device health checks and shadow IT discovery so that organisations have greater visibility and governance over their data.
FAQs
What is ransomware?
Ransomware is a type of harmful code that seizes control of information or computer equipment by locking it away from its rightful owner. To regain entry or prevent the public leak of private records, victims are pressured into paying a fee to the attackers.