Ransomware Defense

Ransomware Prevention and Recovery Guide for Small Businesses

A practical guide to preventing ransomware attacks and recovering if one succeeds. Covers backup strategy, endpoint protection, network segmentation, and step-by-step recovery procedures.

Protect Your Business

81%of US small businesses suffered a breach last year

$4.88Maverage cost of a data breach

3-7 daystypical full network recovery time

81%of ransomware starts with phishing

Part 1: Prevention

Ransomware is preventable with the right controls. These eight measures form a layered defence that stops the vast majority of attacks.

1. Keep Everything Patched

Enable automatic Windows updates on all devices
Patch third-party software within 48 hours of critical updates
Replace end-of-life operating systems — they receive no patches

2. Deploy EDR

Microsoft Defender for Business (included in M365 Business Premium)
Enable automated investigation and response
Enable tamper protection so ransomware cannot disable Defender

3. Enable MFA Everywhere

Enable MFA for all users via Conditional Access
Use phishing-resistant MFA (passkeys/FIDO2) for admin accounts
Block legacy authentication protocols that bypass MFA

4. Implement 3-2-1 Backups

3 copies of your data (original + 2 backups)
2 different storage types (e.g., cloud + external drive)
1 copy offsite or offline (air-gapped)

5. Restrict Admin Privileges

Remove local admin rights from standard users
Use Windows LAPS for unique local admin passwords per device
Use Privileged Identity Management for just-in-time admin access

6. Enable Controlled Folder Access

Windows includes a built-in ransomware protection feature that blocks unknown applications from modifying files in protected folders (Documents, Desktop, Pictures).

Set-MpPreference -EnableControlledFolderAccess Enabled

7. Segment Your Network

Separate Wi-Fi into business and guest networks
Use VLANs to isolate departments or device types
Disable SMBv1 and restrict lateral movement with firewall rules

8. Train Your People

Run phishing simulations quarterly
Teach users the signs of phishing emails
Establish a clear reporting process for suspicious emails

Recommended Backup Schedule

Data	Backup Method	Frequency
M365 email, OneDrive, SharePoint	Third-party M365 backup (Veeam, Datto, Acronis)	Daily
On-premises file servers	Backup to NAS + offsite cloud	Daily
Databases and line-of-business apps	Application-specific backup + snapshot	Daily
System images	Full system image to external drive	Weekly
Critical configs (firewall, switches, AD)	Export configs to secure storage	Monthly

Microsoft 365 does not provide true backup. Deleted items have retention limits (30-93 days), and ransomware that encrypts synced OneDrive files will sync the encrypted versions to the cloud. You need a third-party backup solution.

Part 2: Recovery

If ransomware hits despite your defences, follow this process. Time is critical — every minute counts.

Immediate Response (First 30 Minutes)

Isolate affected devices — disconnect from Wi-Fi and Ethernet immediately. Do not power off.
Identify the scope — which devices and shares are affected? Is encryption still spreading?
Notify your incident response team — internal IT, your MSSP, and leadership
Do not pay the ransom — no guarantee of recovery, and it funds future attacks
Preserve evidence — take photos of ransom notes, record affected filenames and extensions

Investigation (Hours 1-4)

Identify the ransomware variant — check ransom note and file extension against databases like id-ransomware.malwarehunterteam.com
Determine the entry point — review sign-in logs, email logs, and VPN access logs
Check for data exfiltration — modern ransomware steals data before encrypting
Assess backup integrity — verify backups are not encrypted or corrupted

Recovery (Hours 4-48)

Wipe and reimage affected devices — do not try to decrypt or clean an infected machine
Restore data from backups — use the most recent clean backup from before the attack
Reset all passwords — assume all credentials are compromised
Patch the entry point — fix whatever allowed the initial access
Re-onboard devices — enrol reimaged devices in Intune and verify EDR is running

Post-Incident (Days 2-14)

Monitor for re-infection — attackers sometimes leave backdoors for return visits
Review and update security controls — close the gaps that allowed the attack
Notify affected parties — you may have legal obligations to notify customers and regulators
File a report — report to the FBI IC3 (ic3.gov) and local law enforcement
Document lessons learned — update your incident response plan and runbooks

Recovery Time Expectations

Scenario	Typical Recovery Time
Single device, good backups	2-4 hours
10-50 devices, cloud backups	1-3 days
Full network, including servers	3-7 days
No backups — rebuild from scratch	2-4 weeks
No backups, critical data lost	Permanent loss

Prevention Checklist

Essential (Do These First)

Automatic OS updates enabled
EDR deployed on all devices
MFA enabled for all users
3-2-1 backups in place
Backup tested (restore verified)

High / Medium Priority

Local admin rights removed from users
Controlled Folder Access enabled
Phishing simulation run this quarter
Network segmented (VLANs)
SMBv1 disabled
Incident response plan documented
Cyber insurance in place

Test your backups regularly. A backup that has never been tested is not a backup — it is a hope. Schedule a quarterly restore test where you actually recover files and verify they are complete and usable.

Protect Your Business From Ransomware

CyberITEX provides complete ransomware prevention and response — including endpoint protection, backup strategy, network segmentation, phishing training, and 24/7 monitoring. We help small businesses build enterprise-grade defences.

Email Security Services Managed IT Support

Get Security Insights Delivered

One email per month with our best articles. No spam.

Part 1: Prevention

Ransomware is preventable with the right controls. These eight measures form a layered defence that stops the vast majority of attacks.

1. Keep Everything Patched

Enable automatic Windows updates on all devices
Patch third-party software within 48 hours of critical updates
Replace end-of-life operating systems — they receive no patches

2. Deploy EDR

Microsoft Defender for Business (included in M365 Business Premium)
Enable automated investigation and response
Enable tamper protection so ransomware cannot disable Defender

3. Enable MFA Everywhere

Enable MFA for all users via Conditional Access
Use phishing-resistant MFA (passkeys/FIDO2) for admin accounts
Block legacy authentication protocols that bypass MFA

4. Implement 3-2-1 Backups

3 copies of your data (original + 2 backups)
2 different storage types (e.g., cloud + external drive)
1 copy offsite or offline (air-gapped)

5. Restrict Admin Privileges

Remove local admin rights from standard users
Use Windows LAPS for unique local admin passwords per device
Use Privileged Identity Management for just-in-time admin access

6. Enable Controlled Folder Access

Windows includes a built-in ransomware protection feature that blocks unknown applications from modifying files in protected folders (Documents, Desktop, Pictures).

Set-MpPreference -EnableControlledFolderAccess Enabled

7. Segment Your Network

Separate Wi-Fi into business and guest networks
Use VLANs to isolate departments or device types
Disable SMBv1 and restrict lateral movement with firewall rules

8. Train Your People

Run phishing simulations quarterly
Teach users the signs of phishing emails
Establish a clear reporting process for suspicious emails

Recommended Backup Schedule

Data	Backup Method	Frequency
M365 email, OneDrive, SharePoint	Third-party M365 backup (Veeam, Datto, Acronis)	Daily
On-premises file servers	Backup to NAS + offsite cloud	Daily
Databases and line-of-business apps	Application-specific backup + snapshot	Daily
System images	Full system image to external drive	Weekly
Critical configs (firewall, switches, AD)	Export configs to secure storage	Monthly

Part 2: Recovery

If ransomware hits despite your defences, follow this process. Time is critical — every minute counts.

Immediate Response (First 30 Minutes)

Isolate affected devices — disconnect from Wi-Fi and Ethernet immediately. Do not power off.
Identify the scope — which devices and shares are affected? Is encryption still spreading?
Notify your incident response team — internal IT, your MSSP, and leadership
Do not pay the ransom — no guarantee of recovery, and it funds future attacks
Preserve evidence — take photos of ransom notes, record affected filenames and extensions

Investigation (Hours 1-4)

Identify the ransomware variant — check ransom note and file extension against databases like id-ransomware.malwarehunterteam.com
Determine the entry point — review sign-in logs, email logs, and VPN access logs
Check for data exfiltration — modern ransomware steals data before encrypting
Assess backup integrity — verify backups are not encrypted or corrupted

Recovery (Hours 4-48)

Wipe and reimage affected devices — do not try to decrypt or clean an infected machine
Restore data from backups — use the most recent clean backup from before the attack
Reset all passwords — assume all credentials are compromised
Patch the entry point — fix whatever allowed the initial access
Re-onboard devices — enrol reimaged devices in Intune and verify EDR is running

Post-Incident (Days 2-14)

Monitor for re-infection — attackers sometimes leave backdoors for return visits
Review and update security controls — close the gaps that allowed the attack
Notify affected parties — you may have legal obligations to notify customers and regulators
File a report — report to the FBI IC3 (ic3.gov) and local law enforcement
Document lessons learned — update your incident response plan and runbooks

Scenario

Typical Recovery Time

Single device, good backups

2-4 hours

10-50 devices, cloud backups

1-3 days

Full network, including servers

3-7 days

No backups — rebuild from scratch

2-4 weeks

No backups, critical data lost

Permanent loss

Prevention Checklist

Essential (Do These First)

Automatic OS updates enabled
EDR deployed on all devices
MFA enabled for all users
3-2-1 backups in place
Backup tested (restore verified)

High / Medium Priority

Local admin rights removed from users
Controlled Folder Access enabled
Phishing simulation run this quarter
Network segmented (VLANs)
SMBv1 disabled
Incident response plan documented
Cyber insurance in place