The Ransomware Prevention Framework: A Layered Defense That Actually Holds
Key Intel / TL;DR
  • Ransomware is the end of a chain, not the start. Prevention means breaking the chain at initial access, privilege escalation, and lateral movement before encryption ever runs.
  • The framework has five layers: shrink the attack surface, harden identity, protect and test backups, detect early, and rehearse response. A gap in any one layer carries the whole risk.
  • Immutable, offline-tested backups are the difference between a bad week and a closed business. Assume the primary copy will be encrypted and design the recovery copy to survive it.

The average ransomware operator does not break in and encrypt on the same day. They break in on a Tuesday, sit quietly for a few days, map your network, find your backups, delete them, and only then run the encryptor on a Saturday night when your on-call rotation is thin.

That gap between initial access and encryption is where prevention lives. Ransomware is not a single event you block at the perimeter. It is the last step in a chain that started weeks earlier with a phished credential, an unpatched VPN, or an exposed remote desktop port. Every step in that chain is a place to stop the attack, and a real prevention program defends all of them at once.

This is the framework we use to think about that defense. Five layers, each one covering a stage of the attack. A weakness in any single layer transfers the entire risk to the next one, so the goal is not a perfect wall. The goal is depth, so that a failure in one control gets caught by the next.

Why Single Controls Fail

Most organizations treat ransomware prevention as a shopping list. Buy an endpoint detection product. Turn on multi-factor authentication. Run a backup job. Each of those is worth doing, and none of them is a strategy on its own.

The problem is that ransomware crews are not testing one control. They are looking for the seam between your controls. Your endpoint tool is excellent, so they use valid credentials and living-off-the-land techniques that never drop a malicious file. Your MFA is enabled, so they bombard a tired employee with push notifications until one gets approved. Your backups run nightly, so they spend their eleven days of dwell time finding the backup server and destroying it first.

The living off the land playbook covers how attackers blend into normal administrative activity to slip past tools that watch for malware. Prevention works when the layers overlap enough that beating one still leaves the attacker facing the next.

Layer One: Shrink the Attack Surface

You cannot get phished through a service that does not exist, and you cannot get exploited on a port that is not open. The first layer removes the entry points before anyone has to defend them.

Ransomware initial access clusters around a short list of doors:

  • Exposed remote access. Internet-facing Remote Desktop Protocol, unpatched VPN appliances, and management interfaces are among the most common ransomware entry points year after year. Every one of these should either be behind an identity-aware gateway or off the internet entirely.
  • Unpatched internet-facing software. The Equifax breach ran through an Apache Struts flaw that had a patch available for two months. Ransomware crews watch the same vulnerability disclosures your team does, and they move faster.
  • Assets nobody remembers owning. The forgotten subdomain and the abandoned staging server are exactly where attackers start, because nobody is patching what nobody is tracking.

This is why external attack surface management belongs in a ransomware program. You cannot patch or decommission an exposed asset you do not know exists. Continuous discovery of what the internet can see, paired with a hard rule that internet-facing systems get patched on a compressed timeline, closes the door affiliates use most.

A cybersecurity assessment is the fastest way to get an honest baseline of that surface. You want to find the exposed management port before the affiliate does.

Layer Two: Harden Identity

Once the perimeter shrinks, credentials become the primary way in. Modern ransomware runs on valid logins far more than on exploits, because a valid login raises no alarms and works from anywhere.

Harden the identity layer along three lines:

  • Phishing-resistant MFA on everything that matters. Push-approval MFA stops password spraying but not push bombing. FIDO2 security keys and passkeys defeat both, because there is no code to phish and no prompt to fatigue. Prioritize them for administrators, remote access, and email.
  • Least privilege as a default, not an exception. The damage a ransomware operator can do is bounded by the privileges of the account they compromise. If every user is a local administrator and service accounts have domain admin rights, one phished credential owns the environment. Strip standing privilege and grant it just in time.
  • Separate the tiers. Domain administrator credentials should never log into a normal workstation, where an attacker can scrape them from memory. Tiered administration keeps your most powerful accounts off your most exposed machines.

This layer is where a zero trust architecture earns its keep. When every access request is verified against identity, device health, and context rather than network location, a stolen credential stops being a skeleton key. The attacker who lands on one machine cannot simply walk to the next.

Layer Three: Protect and Test Backups

Assume the first two layers fail. Assume the operator is inside, has privileges, and is about to encrypt. The question that decides whether you pay the ransom is simple: can you restore without them?

For most organizations that answer is weaker than they think, because they protected the backup process without protecting the backup itself. Ransomware crews learned this years ago. They hunt for backup servers during their dwell time and delete or encrypt the recovery copies before triggering the main event, precisely so you have no choice but to pay.

Design backups to survive an attacker who already has domain admin:

  • Keep the 3-2-1 rule and add immutability. Three copies, two media types, one offsite. Then make at least one copy immutable or air-gapped, so that even a credential with full rights cannot alter or delete it. Object-lock storage and offline media both work. A backup an administrator can delete is a backup an attacker can delete.
  • Separate backup credentials from production identity. If the same domain admin account that runs your servers also controls your backups, compromising one compromises both. The backup system needs its own isolated authentication.
  • Test restores, not just backups. A backup job that reports success is not a recovery. Measure the thing that matters during an incident: how long it takes to restore your critical systems from clean media, and whether the restored data is actually usable. Untested backups fail at the worst possible moment.

Backups are the layer that turns a catastrophe into an outage. Everything else reduces the odds of getting hit. This is the layer that decides what getting hit costs.

Layer Four: Detect the Dwell Time

The gap between initial access and encryption is a gift, if you are watching. That gap used to be generous. Industry dwell times once ran into weeks or months, but they have collapsed as defenders got faster and attackers responded by moving quicker. Sophos put the median dwell time for ransomware cases at around four days in its 2025 report. Four days is still four days, and every hour of it is a chance to catch the intrusion before the encryptor runs. Detection is not about catching the encryptor. By the time files are encrypting, prevention has already failed. Detection is about catching the reconnaissance, the privilege escalation, and the lateral movement that happen first.

The behaviors that precede ransomware are noisy if you know the signatures:

  • Credential access. Tools that dump credentials from memory, sudden use of administrative shares, and authentication from a workstation to systems it has never touched before.
  • Discovery. A single host suddenly enumerating the whole network, querying Active Directory for admin groups, or scanning for backup servers and file shares.
  • Defense evasion. Security tools getting disabled, event logs cleared, and shadow copies deleted. That last one, the deletion of Volume Shadow Copies, is a near-universal ransomware precursor and one of the highest-fidelity alerts you can build.

Endpoint detection and response gives you the telemetry, but the value is in tuning it to the ransomware kill chain and having someone who responds to the alert at two in the morning. Detection without a response capability is just a very detailed record of how you got encrypted.

Layer Five: Rehearse the Response

The last layer is the one organizations skip, and it is the one that determines how the first four perform under pressure. A team that has never practiced the bad day improvises it, and improvisation during a ransomware incident is slow, and slow is expensive.

An incident response plan is the foundation, but a plan in a document is not a capability. The capability comes from rehearsal:

  • Run tabletop exercises against a ransomware scenario specifically. Walk the actual decisions. Who declares the incident? Who has authority to take production offline to stop the spread? What do you tell customers, and when? How do you operate when your own email and ticketing systems are encrypted?
  • Decide the ransom question before the timer is running. Whether or not your organization would ever pay is a leadership and legal decision, not something to improvise while an attacker counts down. Paying may violate sanctions rules, and it never guarantees clean recovery. Make the call in advance and write it down.
  • Know who you call. Legal counsel, cyber insurance carrier, forensics, and law enforcement all have roles. Your cyber insurance policy likely requires specific notification steps and approved vendors, and skipping them can void coverage at the moment you need it most.

Rehearsal is where the framework stops being a diagram and becomes muscle memory. The organizations that recover fastest are not the ones that were never breached. They are the ones that had already practiced the bad day.

The Framework Holds Because the Layers Overlap

No single layer here stops ransomware. Attack surface reduction fails when a zero-day drops. Identity hardening fails when an administrator gets tired and approves the wrong prompt. Detection fails when the crew moves slowly enough to blend in. That is the point.

The framework holds because the layers cover for one another. The exposed port that slips past patching gets caught by identity controls. The stolen credential that beats identity gets caught by detection. The intrusion that beats detection runs into immutable backups. And every layer buys time for the rehearsed response to activate. An adversary needs only one path to succeed. You have to defend all of them, and depth is what lets you do that without being perfect at any single one.

Start by finding out which layers you actually have. Most organizations discover the gap is not where they expected. The Human Attack Surface Score gives you a fast, honest read on where a ransomware crew would find their way in, and where your defenses would hold. If you want a deeper look at your specific environment, schedule a conversation with Grab The Axe and we will map your layers against the way these attacks actually run.

References

Cybersecurity and Infrastructure Security Agency. (n.d.). #StopRansomware Guide. CISA. https://www.cisa.gov/stopransomware/ransomware-guide

National Institute of Standards and Technology. (2024, February 26). The NIST Cybersecurity Framework (CSF) 2.0. NIST. https://www.nist.gov/cyberframework

Sophos. (2025, April 2). It Takes Two: The 2025 Sophos Active Adversary Report. Sophos News. https://news.sophos.com/en-us/2025/04/02/2025-sophos-active-adversary-report/

Distribute Intel
Chris Armour
Director of Information Security
Chris Armour
The Breaker & Builder.

Operating on the philosophy that 'you can't build a secure system if you don't know how to break it,' Chris leads our engineering division. A top 1% National Cyber League competitor, he hardens our digital infrastructure against the very exploits he has mastered.

View Author Page →