How to protect your company against ransomware: prevention, response and recovery
Resposta direta
To protect your company against ransomware, combine prevention and response capability: phishing-resistant MFA on all access, EDR on every endpoint, patching prioritized by active exploitation, network segmentation and immutable backup following the 3-2-1-1-0 standard, tested regularly. In case of attack, isolate the network without powering off the machines, activate incident response and preserve evidence. Decripte runs 24/7 incident response with a 1-hour containment SLA.
Principais conclusões
- ›Double extortion is standard: ~87.6% of ransomware attacks in 2025 combined encryption and data exfiltration, so restoring a backup does not eliminate the risk of a leak.
- ›Credential abuse (22%), exploitation of vulnerabilities (20%) and phishing (16%) are the main initial-access vectors; 54% of ransomware victims had credentials previously exposed in infostealers.
- ›During the attack: isolate the network but do NOT power off the machines — keys and forensic evidence reside in RAM and are lost on shutdown.
- ›The recommendation from CISA and the FBI is not to pay the ransom; only ~28% of victims paid in 2025. Paying does not guarantee recovery nor destruction of the exfiltrated data.
- ›Immutable backup following the 3-2-1-1-0 standard, with credentials isolated from production and tested regularly, is the foundation of recovery — attackers target backups before encrypting.
- ›In Brazil, ransomware involving personal data requires communication to the ANPD and to the data subjects within 3 business days (Resolution CD/ANPD No. 15/2024).
- ›A fast response defines the damage: Decripte runs 24/7 incident response with a critical-incident containment SLA of up to 1 hour.
What ransomware is and the evolution to double and triple extortion
Ransomware is malware that hijacks an organization's data or systems — usually by encrypting files — and demands a ransom payment, almost always in cryptocurrency, to restore access. The model has changed profoundly: today encryption is just one of the pressure levers, not the only one.
Double extortion has become the market standard. Before encrypting, the attacker exfiltrates the data and threatens to publish it on leak sites if the ransom is not paid. In 2025, about 87.6% of ransomware claims involved both encryption and data exfiltration simultaneously. This neutralizes the classic defense of simply restoring backups: even after recovering the systems, the company still faces the threat of public exposure of sensitive customer data, contracts and intellectual property.
Triple extortion adds a third layer of pressure: denial-of-service (DDoS) attacks against the victim, direct contact with customers, partners or the press, and even communication to regulators to force payment. Triple-extortion campaigns command substantially higher ransom premiums than attacks that only encrypt.
The ecosystem has professionalized around the Ransomware-as-a-Service (RaaS) model: operators develop the malware and extortion infrastructure and license it all to affiliates, who carry out the attacks and split the profit. In 2024, 55 new RaaS families emerged, up 67% from the previous year. Groups such as Qilin and Akira operate like franchises, which lowers the technical barrier to entry and explains the roughly 58% growth in the number of victims claimed on leak sites in 2025.
The attack chain: from initial access to encryption
A ransomware attack is rarely instantaneous. It follows a chain (kill chain) of stages that can take from hours to weeks, and each stage is an opportunity for detection and containment.
Initial access. The three dominant vectors, according to the Verizon DBIR 2025, are credential abuse (22% of breaches), exploitation of vulnerabilities (20%) and phishing (16%). In the specific context of ransomware, 54% of victims had credentials previously exposed in infostealer logs before the attack. Initial Access Brokers sell these ready-made accesses, allowing operators to buy the entry and focus on the later phases. Exploitation of VPNs and edge devices has grown strongly, with exploits against VPNs increasing nearly eightfold.
Persistence and privilege escalation. After getting in, the attacker installs mechanisms to maintain access and hunts for administrative credentials, frequently bypassing MFA via prompt bombing, session token theft or adversary-in-the-middle attacks.
Lateral movement. Using legitimate tools (living-off-the-land, such as PsExec, WMI and RDP) and stolen credentials, the attacker spreads across the network, maps critical assets and locates file servers, domain controllers and, crucially, the backup repositories.
Exfiltration. Before encrypting, sensitive data is copied out, frequently in volume, enabling double extortion. This is a valuable detection window: anomalous spikes in outbound traffic are a strong signal.
Impact. Finally, the attacker disables antivirus and backup tools, deletes snapshots and shadow copies, and triggers mass encryption — usually outside business hours to delay the response. Ransomware appeared in 44% of all breaches analyzed in the DBIR 2025, up from 32% the previous year.
How to prevent ransomware: the controls that actually reduce risk
Effective prevention attacks the chain at multiple points, starting from the premise that credentials will be compromised. The controls below are prioritized by real impact on risk reduction.
Phishing-resistant MFA. Since credential abuse is the number-one access vector, MFA on all external access (VPN, email, admin panels, RDP) is the first line. Prefer phishing-resistant factors — FIDO2/WebAuthn keys — over SMS or simple push, which are vulnerable to prompt bombing and AiTM.
EDR/XDR on every endpoint. Endpoint detection and response identifies kill-chain behaviors — running discovery tools, attempts to delete shadow copies, mass encryption — and enables automatic isolation of the machine. Servers, workstations and cloud workloads need complete coverage, with no blind spots.
Risk-based vulnerability management. Since 20% of breaches start with exploitation of vulnerabilities, patching must prioritize what is under active exploitation (the CISA KEV catalog) and internet-exposed assets: VPNs, firewalls, gateways and public applications. Reduce the attack surface by disabling exposed RDP and unnecessary services.
Network segmentation and least privilege. Segmentation limits lateral movement: flat networks let a single compromised endpoint reach the entire infrastructure. Apply Zero Trust, separate administrative environments (PAW/AD tiering), and grant only the minimum privileges necessary.
Immutable backup following the 3-2-1-1-0 standard. This is the recovery insurance policy. Keep three copies of the data, on two types of media, with one copy offsite, plus one immutable or air-gapped copy, and zero errors validated by restore tests. Immutable backups use WORM and prevent alteration or deletion within the retention window even by those with administrator credentials — provided the backup credentials are isolated from the production identity system, the attackers' preferred target when deleting backups.
Hardening, hygiene and training. Disable unsigned macros, apply application allowlisting, monitor anomalous PowerShell use, manage the external surface and train teams against phishing. No single control is enough; resilience comes from overlap.
What to do during the attack: isolate, do not power off and activate response
The first hours determine the size of the damage. The order of actions below prioritizes containing the spread without destroying the evidence needed to recover and investigate.
Isolate, do not power off. Disconnect the affected machines from the network — cable, Wi-Fi, EDR isolation — to stop encryption and lateral movement. Do not power off the equipment: many variants keep encryption keys and forensic artifacts only in RAM, which is lost on shutdown. Powering off can undermine both the investigation and any decryption opportunities.
Activate incident response immediately. Trigger the IR plan and the specialized team. The sooner containment begins, the fewer systems are lost. Decripte runs 24/7 incident response with a critical-incident containment SLA of up to 1 hour, carrying out isolation, eradication and forensic investigation in parallel.
Preserve evidence. Capture memory and disk images of the affected systems, preserve logs (EDR, firewall, VPN, authentication, email) and the ransom note before any remediation. This evidence underpins identification of the entry vector, assessment of what was exfiltrated and the legal notification obligations.
To pay or not to pay. The technical recommendation from agencies such as CISA and the FBI is not to pay. Payment does not guarantee recovery of the data nor destruction of the exfiltrated copies, funds organized crime, marks the company as a payer (increasing the risk of recurrence) and may violate sanctions depending on the group involved. The rate of victims who actually pay fell to about 28% in 2025, as more organizations recover from backup. The decision involves legal, regulatory and continuity factors and must be made with specialized counsel — never as an isolated reaction by the technical team under pressure.
Recovery from validated backups
Recovery is not just restoring files — it is restoring securely, without reintroducing the attacker into the environment. Restoring into a still-compromised network results in re-encryption within days.
Eradicate before restoring. Confirm that the entry vector was closed, that the compromised credentials were reset (including service accounts and keys), that the backdoors were removed and that the endpoints are clean. Restoration must occur in a known-clean environment, ideally rebuilt.
Recover from validated, immutable backups. Use the immutable or air-gapped copy that the attacker could not alter. Verify the integrity of the backups and ensure the restore point predates the initial compromise — not just the encryption, since the attacker may have been on the network for weeks.
Prioritize by criticality. Set the restore order by the services essential to the business, respecting the RTO (time) and RPO (maximum acceptable data loss) objectives defined beforehand. CISA's guidance is to validate the ability to restore at least seven days of operation.
Test before the incident, not during. The '0' line of 3-2-1-1-0 — zero errors — only exists with regular testing: monthly file-restore verification, quarterly application-level recovery tests and annual full-environment failover exercises. A backup that has never been tested is an assumption, not a guarantee.
Notification to the ANPD and legal aspects
In Brazil, ransomware with exfiltration of personal data is a security incident under the LGPD, and the legal-regulatory handling runs in parallel with the technical response, with its own deadlines.
Duty to report. Article 48 of the LGPD requires the controller to notify the National Data Protection Authority (ANPD) and the affected data subjects when the incident may entail relevant risk or harm. Resolution CD/ANPD No. 15 of April 24, 2024, approved the Security Incident Communication Regulation (RCIS), detailing how, when and what to report.
Deadline. The communication to the ANPD and to the data subjects must be made within 3 business days from becoming aware of the incident, unless a different deadline applies under specific legislation. Additional information still under investigation may be provided within 20 business days. Since July 2025, the ANPD has acted with greater rigor, with more than 20 companies notified for failing to report incidents.
What to report. The notification must describe the nature of the affected data, the data subjects involved, the technical and security measures adopted, the related risks and the mitigation measures. That is why preserving evidence in the response phase is decisive: without knowing what was exfiltrated, there is no way to fulfill the obligation correctly.
Other legal fronts. Depending on the sector, there are additional obligations — the Central Bank and regulation of fintechs/payment institutions, filing a police report, and contractual notification to B2B customers. The decision on ransom payment also has legal implications relating to sanctions. Companies in regulated sectors such as fintechs, crypto and e-commerce must treat incident response as an integrated security, legal and compliance process, defined before the incident.
Passo a passo
- Implement phishing-resistant MFA (FIDO2/WebAuthn) on all external access — VPN, email, RDP and admin panels — to close the number-one access vector, credential abuse.
- Install EDR/XDR on every endpoint and server, with no blind spots, configured to automatically isolate machines that exhibit ransomware kill-chain behavior.
- Establish risk-based vulnerability management, prioritizing the patching of internet-exposed assets and flaws under active exploitation (the CISA KEV catalog); disable exposed RDP and unnecessary services.
- Segment the network and apply least privilege and Zero Trust to contain lateral movement, separating administrative environments and service accounts.
- Configure immutable backup following the 3-2-1-1-0 standard (three copies, two media, one offsite, one immutable/air-gapped, zero errors), with the backup credentials isolated from the production identity system.
- Test recovery regularly: monthly file-restore verification, quarterly per-application tests and an annual full failover exercise, validating RTO and RPO.
- Define an incident response plan in advance, integrating security, legal and compliance — including isolation without powering off, evidence preservation and the ANPD notification workflow — and rehearse it before the incident occurs.
Perguntas frequentes
What should I do if I have been infected by ransomware?
Immediately isolate the affected machines from the network (cable, Wi-Fi and EDR isolation) to stop the encryption and lateral movement, but do not power off the equipment — encryption keys and forensic evidence frequently reside only in RAM and are lost on shutdown. Activate specialized incident response, preserve logs and the ransom note, and identify the entry vector before any remediation. Decripte responds 24/7 with a 1-hour containment SLA.
Should I pay the ransomware ransom?
The recommendation from CISA and the FBI is not to pay. Payment does not guarantee recovery of the data nor destruction of the exfiltrated copies, funds organized crime, signals the company as a payer (raising the risk of another attack) and may violate sanctions depending on the group involved. In 2025, only about 28% of victims paid, as more companies recovered from validated backups. The decision involves legal and regulatory factors and must be made with counsel, not as an isolated reaction by the technical team.
What is double extortion in ransomware?
Double extortion is the tactic in which the attacker, before encrypting the systems, exfiltrates the data and threatens to publish it on leak sites if the ransom is not paid. It has become standard: about 87.6% of ransomware cases in 2025 combined encryption and data theft. This neutralizes the defense of merely restoring backups, because the company still faces public exposure of sensitive data. Triple extortion adds DDoS and direct contact with customers, partners or regulators.
How do I prevent ransomware in the company?
Combine overlapping controls: phishing-resistant MFA (FIDO2) on all external access, EDR/XDR on every endpoint, patching prioritized by active exploitation (CISA KEV), network segmentation with least privilege, and immutable backup following the 3-2-1-1-0 standard with credentials isolated from production. Since credential abuse (22%) and exploitation of vulnerabilities (20%) are the main access vectors, close exposed remote access and monitor for credentials leaked in infostealers.
Does backup protect against ransomware?
Backup is essential for recovery, but it only protects if it is immutable and tested. Modern attackers actively seek out backup repositories, delete snapshots and use compromised credentials to destroy copies before encrypting. That is why the recommended standard is 3-2-1-1-0: three copies, two media, one offsite, one immutable or air-gapped, and zero errors validated by regular restore tests. A backup never tested is an assumption. And since double extortion also exfiltrates data, backup does not eliminate the risk of a leak.
Do I need to notify the ANPD in case of ransomware?
Yes, when personal data is involved and the incident may generate relevant risk or harm to the data subjects. Article 48 of the LGPD and Resolution CD/ANPD No. 15/2024 require communication to the ANPD and to the affected data subjects within 3 business days from becoming aware of the incident, with the possibility of supplementing within 20 business days. The notification must describe the affected data, the risks and the measures adopted, which makes preserving evidence during the response indispensable.
Under a ransomware attack, or want to harden the company first?
Decripte responds to ransomware incidents 24x7 with a 1-hour containment SLA and implements defenses (immutable backup, EDR, segmentation).
