Ransomware 101
Ransomware 101 for businesses and teams
This ransomware guide covers what it is, how it breaks in, how to prevent it, and exactly what to do if you’re hit, plus a pragmatic recovery checklist and training plan. It expands the original post with actionable steps, clear priorities, and enterprise-grade best practices adapted for SMBs and mid-market organisations.
What Is Ransomware?
Ransomware is malicious software that encrypts your files or otherwise locks you out of systems, then demands a ransom, usually in cryptocurrency, to restore access or to prevent the release of stolen data. Modern variants frequently use “double” (and sometimes triple) extortion:
- Encryption: Your data and backups are made unusable.
- Data theft: Sensitive information is exfiltrated to the attacker’s servers.
- Extortion: Attackers threaten to leak or auction your data if payment isn’t made, even if you can restore from backups.
- Harassment: In some cases, attackers call staff, customers, or suppliers to pressure payment.
Impacts range from a single locked laptop to entire networks: servers, endpoints, cloud accounts, phones, IoT devices, and line-of-business apps.
How Ransomware Enters Your Business
Attackers take the easiest reliable path. Common initial access routes:
1. Phishing emails & malicious links/attachments
- Look-alike domains, fake invoices, HR notices, shipping updates, DocuSign/SharePoint prompts.
- Macros or embedded scripts trigger malware loaders.
2. Compromised credentials
- Reused passwords from breaches and weak or absent MFA allow attackers to log in to email, VPNs, remote desktops, cloud consoles.
3. Unpatched vulnerabilities
- Public-facing systems (VPNs, firewalls, CMS plugins, remote management tools) exploited by automated scanners.
4. Exposed remote access (RDP/SSH/VNC)
- Internet-exposed services with weak credentials or no MFA are rapidly brute-forced.
5. Third-party & supply chain
- Integrations, managed service tools, or software update channels become the attacker’s backdoor to your environment.
6. Malvertising & drive-by downloads
- Ads leading to fake installers (e.g., “free” editors, media converters) or trojanised software.
The Modern Ransomware Playbook (What Actually Happens)
1. Initial Foothold – Via phishing, credential abuse, or a vulnerable service.
2. Persistence – New admin accounts, scheduled tasks, registry keys, or cloud tokens to survive reboots.
3. Privilege Escalation – Credential dumping (e.g., LSASS memory), keylogging, Kerberoasting; goal is Domain Admin or equivalent cloud super-admin.
4. Discovery & Lateral Movement – Mapping shares, identity stores, hypervisors, cloud storage; moving via RDP/PSExec/WinRM, abusing misconfigured identity and legacy protocols.
5. Exfiltration – Sensitive data zipped and exfiltrated to attacker infrastructure or cloud buckets.
6. Impact – Mass encryption, deletion or corruption of backups, system destruction, ransom note dropped across endpoints.
Understanding this chain helps you place controls where they break the sequence.
Prevention: Controls That Actually Move the Needle
Below are layered controls; start with the Foundations and work up.
Foundations (Non-negotiable)
- Patch & Update Everything
- Operating systems: monthly patching policy.
- Applications & plugins: browsers, office suites, CMS, firmware.
- Cloud services: monitor vendor advisories and apply updates promptly.
- Endpoint Protection
- EDR/XDR over legacy antivirus. Look for behaviour-based detection, isolation, and rollback.
- Backups With the 3-2-1-1-0 Rule
- 3 copies of data, 2 different media, 1 offsite, 1 immutable/offline, 0 backup restore errors (tested).
- Protect backup consoles with MFA; separate credentials and networks.
- MFA Everywhere
- Mandatory on email, VPN, remote desktop, cloud admin, and backup platforms.
- Use phishing-resistant methods where supported (FIDO2, passkeys).
- Least Privilege & Access Control
- Role-based access; remove standing admin rights; elevate only when needed.
- Disable stale accounts; enforce strong password policy + breach monitoring.
- Email & DNS Security
- Secure email gateway with attachment sandboxing and URL rewriting.
- DMARC, DKIM, SPF enforced in reject/quarantine mode.
- DNS filtering to block known malicious domains.
- Network Hygiene
- Segment networks (workstations vs. servers vs. backups).
- Disable or restrict RDP/SMB across segments; prefer VPN with MFA.
- Egress filtering to limit outbound exfiltration channels.
- Security Logging & Alerting
- Centralise logs (SIEM) from endpoints, identity provider, firewalls, email and backup platforms.
- Alert on unusual sign-ins, mass file modifications, backup policy changes.
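The Email & DNS Security item above asks for SPF and DMARC to be enforced rather than merely published. The following check, an added example that is not part of the original post or any vendor tool, parses the two TXT records and reports when SPF lacks a fail-all mechanism or DMARC is still at p=none. The domains and records are constructed so it runs offline; DKIM is left out because verifying it needs a selector name and a live DNS lookup.

```python
"""Check that SPF and DMARC TXT records enforce policy (added example).
Records below are constructed for illustration, not real DNS answers."""
from dataclasses import dataclass, field

# Constructed sample TXT records keyed by hypothetical domain name.
SAMPLE_TXT = {
    "weak.example": [
        "v=spf1 include:_spf.example.net ?all",
        "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    ],
    "strong.example": [
        "v=spf1 include:_spf.example.net -all",
        "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@strong.example",
    ],
    "nodmarc.example": ["v=spf1 -all"],
}


@dataclass
class Finding:
    domain: str
    issues: list = field(default_factory=list)

    @property
    def ok(self):
        return not self.issues


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; rua=...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_domain(domain, txt_records):
    """Return a Finding listing every way the records fall short of enforcement."""
    finding = Finding(domain)
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]

    if not spf:
        finding.issues.append("no SPF record")
    elif len(spf) > 1:
        # RFC 7208 treats more than one SPF record as a permanent error.
        finding.issues.append("multiple SPF records")
    else:
        last_mechanism = spf[0].split()[-1].lower()
        if last_mechanism not in ("-all", "~all"):
            finding.issues.append(f"SPF does not end in -all/~all (found {last_mechanism!r})")

    if not dmarc:
        finding.issues.append("no DMARC record")
    else:
        tags = parse_dmarc(dmarc[0])
        policy = tags.get("p", "missing")
        if policy not in ("quarantine", "reject"):
            finding.issues.append(f"DMARC policy is {policy!r}, not quarantine/reject")
        if "rua" not in tags:
            finding.issues.append("DMARC has no rua= address; aggregate reports are lost")
    return finding


if __name__ == "__main__":
    for name, records in SAMPLE_TXT.items():
        result = check_domain(name, records)
        print(name, "OK" if result.ok else result.issues)
```

In a real run you would replace the constructed records with the output of a TXT lookup for the domain and for `_dmarc.<domain>`; the evaluation logic stays the same.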
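Two of the alerts the Security Logging & Alerting item names, mass file modifications and backup policy changes, can be expressed as simple rules over an audit feed. The code below is an added example, not part of the original post; the four-field event tuple is an assumed format rather than any SIEM's schema, and the events are constructed so the rules can be run offline.

```python
"""Sample detections: mass file modification by one account and backup
policy changes (added example over a constructed, assumed event format)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import os

# Constructed sample events: (timestamp, user, action, target). Not real logs.
EVENTS = [
    ("2024-03-01T09:00:01", "alice", "FILE_WRITE", r"\\fs01\finance\q1.xlsx"),
    ("2024-03-01T09:12:40", "alice", "FILE_WRITE", r"\\fs01\finance\q1.xlsx"),
    ("2024-03-01T10:30:05", "alice", "FILE_WRITE", r"\\fs01\finance\budget.docx"),
    ("2024-03-01T02:14:09", "bob", "BACKUP_POLICY_CHANGE", "retention: 30d -> 1d"),
]
# Constructed burst: one account renames 25 files to a new extension in 25 seconds.
EVENTS += [
    (f"2024-03-01T02:15:{i:02d}", "bob", "FILE_RENAME", rf"\\fs01\hr\doc{i}.docx.locked")
    for i in range(25)
]


def _ts(text):
    return datetime.fromisoformat(text)


def mass_modification_alerts(events, window=timedelta(seconds=60), threshold=20):
    """One alert per user who wrote or renamed at least `threshold` files inside
    any span of length `window`. Two-pointer sliding window over sorted times."""
    per_user = defaultdict(list)
    for ts, user, action, target in events:
        if action in ("FILE_WRITE", "FILE_RENAME"):
            per_user[user].append((_ts(ts), target))

    alerts = []
    for user, items in per_user.items():
        items.sort()
        left, best, best_paths = 0, 0, []
        for right in range(len(items)):
            while items[right][0] - items[left][0] > window:
                left += 1
            if right - left + 1 > best:
                best = right - left + 1
                best_paths = [path for _, path in items[left:right + 1]]
        if best >= threshold:
            # The dominant new extension in the burst is a useful triage hint.
            top_ext = Counter(os.path.splitext(p)[1].lower() for p in best_paths).most_common(1)[0][0]
            alerts.append({"user": user, "count": best, "top_extension": top_ext})
    return alerts


def backup_policy_alerts(events):
    """Every backup retention/policy/job change is alert-worthy on its own."""
    watched = {"BACKUP_POLICY_CHANGE", "BACKUP_JOB_DELETE", "RETENTION_CHANGE"}
    return [{"ts": ts, "user": user, "detail": detail}
            for ts, user, action, detail in events if action in watched]


if __name__ == "__main__":
    for alert in mass_modification_alerts(EVENTS) + backup_policy_alerts(EVENTS):
        print(alert)
```

Threshold and window are deliberately parameters: a build server or a legitimate migration can write thousands of files a minute, so the rule should be tuned per host class and paired with an allow-list rather than applied with one global number.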
Hardening (High ROI)
- Application Allow-listing – Only pre-approved software can execute.
- Macro & Script Controls – Block macros from the internet by default; restrict PowerShell to signed scripts.
- Admin Workstations – Dedicated, locked-down devices for admin tasks; no email or web browsing.
- Local Firewall & NAC – Enforce host firewalls; consider network access control for unmanaged devices.
- Privileged Access Management (PAM) – Vault, rotate, and broker privileged credentials; monitor session activity.
- Zero Trust Principles – Continuous verification; assume breach and verify every access.
Governance & Insurance
- Incident Response (IR) Plan – Documented roles, contacts, decision trees, and communication templates.
- Tabletop Exercises – Twice yearly practice with IT, leadership, legal, comms.
- Cyber Insurance – Align technical controls with policy requirements; pre-approve vendors for IR/forensics.
End-User Habits That Reduce Risk
Your people are your biggest attack surface. Train and reinforce:
- Pause before you click. Verify sender, domain, and context. Hover over links; don’t trust urgent language.
- Attachments: Prefer cloud-shared docs to emailed files. If you must open, do so in a sandboxed viewer.
- Password hygiene: Use a password manager; unique passwords; enable MFA everywhere.
- Software installs: Only from the company portal or trusted vendor sites, never from “free download” pages.
- Remote work: Use company VPN; avoid public Wi-Fi without protection; lock screens.
- Report quickly: Insecurity thrives on silence. A fast report can save the network.
If You’re Hit: A Calm, Step-By-Step Incident Response
The goal in the first hours is containment and preservation: stop the bleeding, keep evidence, and avoid making it worse.
1. Record Everything
- Photograph/collect ransom notes and on-screen messages.
- Capture filenames, timestamps, suspicious emails, user actions preceding the event.
2. Isolate Affected Systems
- Disconnect from the network immediately (unplug Ethernet, disable Wi-Fi).
- If spread is ongoing across the network, segment or shut down affected subnets/servers.
- For a single endpoint, network isolation is safer than power-off because volatile memory may hold forensic evidence that a shutdown destroys. If you cannot isolate, shut down to prevent lateral spread.
3. Disable Potentially Abused Accounts
- Force global password resets for admins first, then users.
- Revoke suspicious tokens and sessions in your identity provider (e.g., Azure AD/Entra, Google Workspace).
- Remove unauthorised admin accounts and API keys.
4. Secure Backups Now
- Take backup repositories offline/immutable; verify last known-good restore points.
- Lock backup admin accounts; check policies weren’t altered.
5. Engage Specialists
- Contact an experienced incident response team such as The Computing Australia Group.
6. Do Not
- Do not delete files or reimage systems yet (unless containment requires it).
- Do not communicate with attackers directly without guidance.
- Do not use compromised email/chat for IR coordination; move to a clean channel.
7. Communications
- Use pre-approved internal and external comms templates.
- Inform leadership, key stakeholders, and, if needed, customers with facts only; avoid speculation.
Recovering From a Ransomware Attack
Once contained, move through these phases:
1) Triage & Forensics
- Identify patient zero and the attack path (phish → credential → VPN/RDP → privilege escalation → encryption).
- Determine the scope: affected endpoints, servers, SaaS apps, backups, data exfiltration evidence.
- Collect logs/artifacts; preserve chain of custody for legal/insurance.
2) Eradication
- Remove malware, persistence mechanisms, and unauthorised accounts.
- Patch exploited vulnerabilities.
- Rotate secrets: passwords, API keys, service accounts, certificates.
3) Restoration (Clean-Room Approach)
- Stand up a sterile recovery environment (known-good images, patched baselines).
- Restore from verified clean backups; scan restored data before reconnecting.
- Gradually reconnect segments; monitor closely for anomalies.
4) Post-Incident Hardening
- Implement missing controls identified during forensics (e.g., MFA gaps, EDR coverage, network segmentation).
- Update incident response and communication plans based on lessons learned.
- Provide a post-mortem to leadership with a phased investment plan.
Should you pay? Paying does not guarantee full decryption or data deletion and can attract repeat targeting. Decisions should be made with legal, law enforcement, and insurance input and only after exploring recovery options.
Business Continuity: Backups, Testing & Tabletop Exercises
Backups succeed at restore, not at “completion.” Make them boring, automated, and proven:
- Architecture: Follow 3-2-1-1-0 and keep at least one immutable copy (object lock/WORM) and, where possible, one offline copy (air-gapped).
- Scope: Include servers, endpoints for critical roles, cloud SaaS (email, drives), and configuration backups (firewalls, switches).
- Frequency & Retention: Balance RPO/RTO with cost; many SMBs adopt daily fulls + hourly incrementals for key systems.
- Testing: Schedule quarterly restores (file-level and full system). Document restore time and any errors.
- Separation of Duties: Backup admins should not share credentials with domain admins; use MFA and just-in-time access.
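The 3-2-1-1-0 rule and the separation-of-duties point above are easy to state and easy to drift away from, so it helps to score the actual inventory against them. The code below is an added example, not part of the original post or any backup product; the BackupCopy fields, the idea of an `admin_identity` per console, and both inventories are assumptions constructed for illustration.

```python
"""Score a backup inventory against 3-2-1-1-0 plus separated backup-admin
credentials (added example; data model and inventories are constructed)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str                        # e.g. "disk", "tape", "object-storage"
    offsite: bool
    immutable: bool                   # object lock / WORM
    offline: bool                     # air-gapped, unreachable from production
    admin_identity: str               # directory that controls the console (assumed field)
    restore_test_errors: Optional[int]  # None means never restore-tested


def evaluate_3_2_1_1_0(copies: List[BackupCopy], production_directory="corp-ad"):
    """Return a list of gaps; an empty list means the inventory satisfies the rule."""
    gaps = []
    if len(copies) < 3:
        gaps.append(f"3: only {len(copies)} copies")
    media = {c.media for c in copies}
    if len(media) < 2:
        gaps.append(f"2: single media type ({', '.join(sorted(media)) or 'none'})")
    if not any(c.offsite for c in copies):
        gaps.append("1: no offsite copy")
    if not any(c.immutable or c.offline for c in copies):
        gaps.append("1: no immutable or offline copy")
    untested = [c.name for c in copies if c.restore_test_errors is None]
    failing = [c.name for c in copies if c.restore_test_errors]
    if untested:
        gaps.append(f"0: never restore-tested: {', '.join(untested)}")
    if failing:
        gaps.append(f"0: restore errors on: {', '.join(failing)}")
    # Separation of duties: a console administered from the production directory
    # falls with the domain when a domain admin credential is stolen.
    shared = [c.name for c in copies if c.admin_identity == production_directory]
    if shared:
        gaps.append(f"separation: console admin uses production directory: {', '.join(shared)}")
    return gaps


# Constructed inventories for illustration.
TYPICAL_SMB = [
    BackupCopy("nas-nightly", "disk", False, False, False, "corp-ad", 0),
    BackupCopy("cloud-sync", "object-storage", True, False, False, "corp-ad", None),
]
HARDENED = [
    BackupCopy("nas-nightly", "disk", False, False, False, "backup-vault", 0),
    BackupCopy("s3-locked", "object-storage", True, True, False, "backup-vault", 0),
    BackupCopy("tape-weekly", "tape", True, False, True, "backup-vault", 0),
]

if __name__ == "__main__":
    for label, inventory in (("typical", TYPICAL_SMB), ("hardened", HARDENED)):
        print(label, evaluate_3_2_1_1_0(inventory) or "meets 3-2-1-1-0")
```

The "0" in the rule is the one most often skipped: a copy whose restore has never been exercised counts as a gap here, not as a pass, which matches the guide's point that backups succeed at restore rather than at completion.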
Tabletop Exercises
Twice yearly, simulate scenarios: email account takeover, ransomware outbreak, cloud credential compromise. Practice escalation, decisions, notifications, and restores.
Training: Build a Human Firewall
- Onboarding & Quarterly refreshers on phishing, passwords, data handling, reporting.
- Phishing simulations that teach, not shame; track participation and improvement.
- Just-in-time tips in collaboration tools (“Check the link before you click,” “Use the company app portal”).
- Role-based modules for finance, HR, IT admins, and executives.
- Executive buy-in: when leaders model secure behaviour, adoption soars.
Ransomware defence isn’t about a single tool; it’s about layers: strong identity, hardened endpoints, segmented networks, bulletproof backups, trained people, and a tested plan. With those in place, and a trustworthy partner like The Computing Australia Group, you dramatically reduce the chance of a breach and, just as importantly, speed recovery if one occurs.
Call Chris on 0438 855 884 or email sales@computingaustralia.group
FAQ
Will paying the ransom guarantee my data back?
No. Decryptors can be faulty; data may still be leaked; you may be targeted again. Exhaust recovery options first and consult legal/insurance.
Are cloud services safe from ransomware?
Cloud reduces some risks but doesn’t eliminate them. Attackers can encrypt synced files or steal cloud credentials. Apply MFA, conditional access, least privilege, and versioned/immutable backups.
How often should we back up?
Align to business needs. Many opt for hourly incrementals on key systems and daily fulls, with 90-day retention plus monthly/yearly archives.
What’s the single biggest improvement we can make?
MFA everywhere plus EDR on every device; these stop a large percentage of real-world attacks.
Who needs admin access?
Far fewer people than you think. Use just-in-time elevation and audit admin actions.