
Ransomware: How to Protect

Author: CERT.br
Version: 1.0 — October 5, 2025

English translation technical review: Merike Käo, DoubleShot Security


Introduction

Given the frequent discovery of new vulnerabilities and the complexity of systems and networks, it is necessary to adopt a layered defense strategy, with multiple security measures that complement each other. Thus, if it is not possible to avoid Initial Access, other measures exist to delay the attack, limit the impact and increase the operational resilience of the organization.

Some essential measures, illustrated in the Infographic "Ransomware: How to protect", are discussed below.

[Infographic "Ransomware: How to protect"]

1. Use Multifactor Authentication (MFA)

Multifactor authentication prevents a stolen, guessed or phished password alone from granting access. It is essential to block Initial Access and, when also required on internal administrative interfaces and privileged logons, it hinders Lateral Movement.

  • Adopt MFA, in particular, for:
    • remote network access, such as VPN and remote desktop;
    • services accessible via the Web and cloud services;
    • users with administrator privileges, especially in cloud services.
  • Whenever possible, use phishing-resistant MFA mechanisms, such as FIDO2 security keys or certificate-based authentication.

It is worth noting that SSL VPNs expose a web-based interface and are frequently used through web browsers as clients. This design has been the source of a long series of critical vulnerabilities in such products, and it makes them susceptible to attacks such as session token hijacking, in which a stolen session cookie or token lets the attacker bypass MFA entirely and reach the internal network. Consider adopting a more robust VPN solution (for example, IPsec with IKEv2 and certificate-based authentication) and, while an SSL VPN remains in use, keep session lifetimes short and bind sessions to the authenticated client.

2. Perform Vulnerability Management

Attackers exploit vulnerabilities both in systems exposed on the Internet to achieve Initial Access, and in the internal network in the Privilege Escalation and Lateral Movement phases.

Therefore, it is important to manage vulnerabilities of all systems using a risk-based prioritization strategy, to fix security bugs or mitigate them, and to implement measures that reduce the possibility of exploitation.

  • Keep operating systems, applications and device firmware up to date:
    • some vulnerabilities are fixed only by updating the software to a new version, and not by applying other security measures.
  • Prioritize the correction of:
    • systems and services exposed on the Internet, such as routers, firewalls, VPN, proxies, web servers and email;
    • actively exploited vulnerabilities, such as those listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
  • Implement mitigation measures if remediation is not possible, as in cases of legacy systems or if there is no software or firmware fix available:
    • isolate the vulnerable system from the rest of the network;
    • apply more restricted access control;
    • implement available workarounds.
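The prioritization rule above (Internet-exposed systems first, actively exploited vulnerabilities first, mitigation when no fix exists) can be turned into a small work-queue generator. The following is an added example, not CERT.br code: the KEV records follow the field names of the public CISA KEV JSON feed (cveID, vendorProject, product, knownRansomwareCampaignUse) but form an abridged snapshot constructed for this example, and the host inventory, its CVSS values and the patch_available flags are constructed as well.

```python
"""Risk-based patch prioritization against a CISA KEV snapshot.

Added example (not CERT.br code). KEV records below use the public feed's
field names but are an abridged, constructed snapshot; the inventory is
constructed scanner output.
"""

# Constructed, abridged KEV snapshot (the CVE IDs are real KEV entries).
KEV_SNAPSHOT = {
    "vulnerabilities": [
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache",
         "product": "Log4j2", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2017-0144", "vendorProject": "Microsoft",
         "product": "SMBv1", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2023-4966", "vendorProject": "Citrix",
         "product": "NetScaler ADC and Gateway",
         "knownRansomwareCampaignUse": "Known"},
    ]
}

# Constructed scanner output: one open finding per host; CVSS values are
# illustrative, as reported by a hypothetical scanner.
INVENTORY = [
    {"host": "vpn-gw01", "cve": "CVE-2023-4966", "cvss": 9.4,
     "internet_exposed": True, "patch_available": True},
    {"host": "web01", "cve": "CVE-2021-44228", "cvss": 10.0,
     "internet_exposed": True, "patch_available": True},
    {"host": "fs-legacy01", "cve": "CVE-2017-0144", "cvss": 8.1,
     "internet_exposed": False, "patch_available": False},  # end-of-life OS
    {"host": "mail01", "cve": "CVE-2016-2183", "cvss": 7.5,
     "internet_exposed": True, "patch_available": True},
    {"host": "ws-042", "cve": "CVE-2020-1971", "cvss": 5.9,
     "internet_exposed": False, "patch_available": True},
]


def load_kev(snapshot):
    """Index the KEV feed by CVE ID for constant-time lookups."""
    return {v["cveID"]: v for v in snapshot["vulnerabilities"]}


def priority_key(finding, kev):
    """Sort key: KEV entries first, then ransomware-linked ones, then
    Internet-exposed hosts, then higher CVSS. Earlier tuple elements
    dominate; False sorts before True, so 'not' puts the urgent ones first."""
    entry = kev.get(finding["cve"])
    in_kev = entry is not None
    ransomware = in_kev and entry.get("knownRansomwareCampaignUse") == "Known"
    return (not in_kev, not ransomware,
            not finding["internet_exposed"], -finding["cvss"])


def recommended_action(finding):
    """Patch when a fix exists; otherwise fall back to compensating controls."""
    if finding["patch_available"]:
        return "patch"
    return "mitigate: isolate host, restrict access, apply vendor workaround"


def prioritize(inventory, snapshot):
    """Return the work queue, most urgent first."""
    kev = load_kev(snapshot)
    ordered = sorted(inventory, key=lambda f: priority_key(f, kev))
    return [
        {"rank": rank, "host": f["host"], "cve": f["cve"],
         "in_kev": f["cve"] in kev, "action": recommended_action(f)}
        for rank, f in enumerate(ordered, start=1)
    ]


if __name__ == "__main__":
    for item in prioritize(INVENTORY, KEV_SNAPSHOT):
        print(f"{item['rank']}. {item['host']:<12} {item['cve']:<15} "
              f"KEV={item['in_kev']!s:<5} -> {item['action']}")
```

Note the deliberate ordering choice: an internal host with a KEV-listed vulnerability (the legacy file server) ranks above an Internet-exposed host whose vulnerability is not known to be exploited, because a KEV entry is evidence of real attacker use while CVSS alone is not. In production the snapshot would be replaced by the live feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and the inventory by the scanner's export.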

3. Raise employee awareness

Phishing and other social engineering techniques, such as phone calls posing as technical support, are used to persuade employees and contractors to hand over login credentials or to install malware or remote access tools. They are among the main Initial Access vectors, and can also be used for Lateral Movement, for example by impersonating a colleague to obtain further credentials.

  • Train employees and contractors so that they:
    • know the official technical and security support channels;
    • can recognize phishing and other suspicious communications;
    • report potential security problems, such as phishing, improper account access, security alerts, or a computer that "acts strange";
    • know what ransomware is and what to do in case of an attack.

4. Use security tools

Some tools help prevent, detect and contain threats such as phishing, malware and ransomware, and are useful in all phases of the attack. Examples include endpoint security tools, antispam filters, and network protection and monitoring tools.

  • Install anti-malware and anti-phishing tools on workstations and servers.
  • If possible, use tools with detection and response capabilities (EDR), so that suspicious behavior can be investigated and contained, not only blocked.
  • Adopt network traffic protection and monitoring tools.

5. Create and protect backups

Backups usually hold an organization's most important data. In ransomware attacks they are doubly targeted: as sources for data exfiltration, and as targets for destruction, to prevent the organization from recovering without paying the ransom.

  • Make backups regularly.
  • Keep at least one copy offline or otherwise immutable, so that it cannot be destroyed from the compromised network.
  • Implement controls to prevent unauthorized access and modification, including separate credentials for the backup system that are not usable from the production domain.
  • Test backups regularly to verify that the data is intact and that restoration actually works within the required time.

In cases where the attack advances to the encryption and interruption of critical operations, having updated and intact backups can represent the only business recovery alternative.
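The "verify that the data is intact" step above can be made mechanical with a keyed manifest. The following is an added example, not CERT.br code: it hashes every file in a backup tree, authenticates the listing with an HMAC, and later checks both the HMAC and the file hashes. The key is assumed to be stored away from the backup host (in a vault or on the restore workstation), so an attacker who can rewrite the backup and its manifest still cannot produce a manifest that verifies. The backup tree and key are constructed inside the example.

```python
"""Backup integrity check with an HMAC-authenticated manifest.

Added example (not CERT.br code). The directory contents and the key are
constructed; the key is assumed to live off the backup host.
"""
import hashlib
import hmac
import json
import os
import tempfile


def _sha256_file(path):
    """Stream a file through SHA-256 so large dumps do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir, key):
    """Hash every file under backup_dir and authenticate the listing."""
    files = {}
    for root, _, names in os.walk(backup_dir):
        for name in names:
            path = os.path.join(root, name)
            files[os.path.relpath(path, backup_dir)] = _sha256_file(path)
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_backup(backup_dir, manifest, key):
    """Return a list of problems; an empty list means the backup is intact."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # Constant-time comparison: the manifest itself is attacker-reachable.
    if not hmac.compare_digest(expected, manifest["mac"]):
        return ["manifest MAC mismatch: manifest was altered or wrong key"]
    problems = []
    for rel, digest in manifest["files"].items():
        path = os.path.join(backup_dir, rel)
        if not os.path.exists(path):
            problems.append(f"missing: {rel}")
        elif _sha256_file(path) != digest:
            problems.append(f"modified: {rel}")
    return problems


def demo():
    """Constructed backup tree: intact, then tampered, then a forged manifest."""
    key = b"constructed-key-kept-in-vault"
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "db"))
        with open(os.path.join(d, "db", "dump.sql"), "w") as f:
            f.write("CREATE TABLE t(x);\n")
        with open(os.path.join(d, "config.yaml"), "w") as f:
            f.write("retention: 30\n")
        manifest = build_manifest(d, key)
        intact = verify_backup(d, manifest, key)

        # Simulate ransomware overwriting a file inside the backup set.
        with open(os.path.join(d, "db", "dump.sql"), "w") as f:
            f.write("ENCRYPTED\n")
        tampered = verify_backup(d, manifest, key)

        # Attacker regenerates the manifest, but without the real key.
        forged = build_manifest(d, b"attacker-guess")
        forged_result = verify_backup(d, forged, key)
    return intact, tampered, forged_result


if __name__ == "__main__":
    for label, result in zip(("intact", "tampered", "forged"), demo()):
        print(f"{label}: {result or 'OK'}")
```

The hash check alone catches corruption; the HMAC is what catches an adversary who controls the backup host, since rewriting the manifest requires the key. This check is no substitute for an actual restore test, which is the only way to confirm that the backup software, the catalog and the restore procedure work together.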

6. Reduce the attack surface

Unnecessarily or improperly exposed active services, both on the Internet and on the internal network, increase the risks of vulnerabilities being exploited and of unauthorized access. Eliminating what is unnecessary helps prevent Initial Access, Privilege Escalation, Lateral Movement and Impact.

  • Disable unused services, both on the Internet and on the internal network.
  • Do not expose services and data unnecessarily, such as:
    • remote desktop, such as RDP;
    • network file sharing, such as SMB;
    • cloud storage, such as buckets and backups;
    • critical servers, such as domain controllers;
    • printers and other networked devices.

7. Manage identities and access

The more privileges an account has, the greater the damage if it is compromised. In addition, accounts and permissions kept active without purpose increase the risk of improper access. Granting accounts only the essential permissions, and only for the time they are needed (the principle of least privilege), limits what the attacker can do with a compromised account.

  • Control access based on the principle of least privilege:
    • grant only the permissions necessary to fulfill the function, including in service accounts, such as backup and web server;
    • limit the number of accounts with privileged access;
    • properly assign access permissions to resources, such as network shares and backups;
    • provide remote access only to those who need it.
  • Regularly review employee and third-party accounts and privileges:
    • disable the accounts of those who no longer provide services;
    • revoke unnecessary permissions if they change roles.

8. Implement network segmentation

Segmenting the network into smaller and segregated parts limits Lateral Movement and the spread of malware. This reduces the risk of improper access to critical systems and sensitive data, helping to contain the attack and Data Exfiltration.

  • Segment the network and maintain separation among critical services, user equipment, legacy systems, backup infrastructure, etc.
  • Isolate the segments and allow only the traffic to the services that each segment actually needs, blocking everything else by default.
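One way to check whether segmentation is holding is to compare observed traffic against the intended allow-list. The following is an added example, not CERT.br code: the address plan, the allow-list of permitted inter-segment flows and the flow records are all constructed (in practice the flows would come from firewall or NetFlow logs and the allow-list from the segmentation policy), and the backup agent port 9443 is a hypothetical choice. Flows that are not allowed are reported, with those on typical lateral-movement ports or towards domain controllers and backups rated high.

```python
"""Network segmentation audit over flow records.

Added example (not CERT.br code). Segment ranges, allow-list and flow
records are constructed; port 9443 is a hypothetical backup agent port.
"""
import ipaddress

# Constructed address plan.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/24"),
    "domain_controllers": ipaddress.ip_network("10.20.1.0/24"),
    "backup": ipaddress.ip_network("10.30.0.0/24"),
    "legacy": ipaddress.ip_network("10.40.0.0/24"),
}

# Allowed inter-segment flows: (source segment, destination segment, TCP port).
ALLOWED = {
    ("workstations", "domain_controllers", 88),    # Kerberos
    ("workstations", "domain_controllers", 389),   # LDAP
    ("workstations", "servers", 443),
    ("servers", "domain_controllers", 88),
    ("servers", "domain_controllers", 389),
    ("servers", "backup", 9443),                   # hypothetical backup agent
}

# Ports and destinations typical of Lateral Movement or Impact.
LATERAL_PORTS = {22, 445, 3389, 5985, 5986}
CROWN_JEWELS = {"domain_controllers", "backup"}

# Constructed flow records: source, destination, destination TCP port.
FLOWS = [
    {"src": "10.10.5.23", "dst": "10.20.1.10", "dport": 88},    # allowed
    {"src": "10.10.5.23", "dst": "10.20.0.15", "dport": 445},   # SMB to server
    {"src": "10.10.5.23", "dst": "10.10.7.8", "dport": 445},    # same segment
    {"src": "10.20.0.15", "dst": "10.30.0.5", "dport": 9443},   # allowed
    {"src": "10.10.5.23", "dst": "10.30.0.5", "dport": 445},    # SMB to backup
    {"src": "10.40.0.9", "dst": "10.20.1.10", "dport": 3389},   # RDP legacy->DC
    {"src": "10.10.5.23", "dst": "10.20.0.15", "dport": 8080},  # unlisted port
]


def segment_of(ip):
    """Map an address to its segment name, or 'unknown' if outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def audit_flows(flows):
    """Return policy violations; traffic inside a single segment is skipped."""
    findings = []
    for f in flows:
        src, dst = segment_of(f["src"]), segment_of(f["dst"])
        if src == dst or (src, dst, f["dport"]) in ALLOWED:
            continue
        high = f["dport"] in LATERAL_PORTS or dst in CROWN_JEWELS
        findings.append({
            "src": f["src"], "dst": f["dst"], "dport": f["dport"],
            "flow": f"{src}->{dst}",
            "severity": "high" if high else "medium",
        })
    return findings


if __name__ == "__main__":
    for v in audit_flows(FLOWS):
        print(f"[{v['severity']:<6}] {v['flow']:<32} "
              f"{v['src']} -> {v['dst']}:{v['dport']}")
```

Two things the output makes visible: the workstation reaching a server and the backup network over SMB, which the allow-list never permitted, and the legacy host opening RDP to a domain controller. Workstation-to-workstation SMB is not reported because the audit only covers inter-segment traffic; blocking it is the job of host firewalls within the user segment.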