The Layered Defense Strategy Against Ransomware
No single tool stops ransomware. Here's the complete layered defense strategy MSPs should implement for every client.
Ransomware is the #1 threat to MSP clients. In 2025, the average ransomware payment exceeded $1.5 million, and the average total cost of a ransomware incident (including downtime, recovery, and reputational damage) was over $4.5 million. No single tool can prevent all ransomware — you need layered defense.
Layer 1: Prevent Initial Access
Email Security: Over 90% of ransomware starts with a phishing email. Deploy email security with URL rewriting, attachment sandboxing, and impersonation detection. Block executable attachments. Warn users about external senders.
DNS Filtering: Block connections to known-malicious domains. This prevents both initial infection (blocking drive-by downloads) and post-compromise C2 communication.
Patch Management: Unpatched vulnerabilities are the second most common initial access vector. Apply critical patches to the OS and third-party applications within 14 days of release.
MFA: Prevent credential-based attacks by requiring multi-factor authentication on all remote access, cloud services, and admin accounts.
Layer 2: Prevent Execution
Application Allowlisting: Only permit known-good applications to execute. This blocks ransomware binaries, even zero-day variants, because they are not on the allowlist.
EDR: Behavioral detection catches ransomware by its actions (mass file encryption, shadow copy deletion, process injection) rather than its signature.
Layer 3: Limit Impact
Network Segmentation: Prevent lateral movement by segmenting networks. If ransomware compromises one workstation, it shouldn't be able to reach servers or other segments.
Least Privilege: Users shouldn't have admin rights on their workstations. Limit file share permissions to only what's needed. Use privileged access management (PAM) for admin access.
Layer 4: Detect and Respond
SIEM + EDR Correlation: Detect ransomware indicators early: unusual encryption activity, shadow copy deletion, and known ransomware tools. Automate the response with SOAR playbooks that isolate the host, kill the process, and contain the spread.
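As an added illustration of the Layer 4 correlation logic (example code written for this article, not from any SIEM or EDR product), the following runs two detections over constructed EDR-style telemetry: shadow copy deletion by command line, and a burst of file renames that change the extension, which is what mass encryption looks like on the file system. Hosts, PIDs, paths and the ".locked" extension are invented sample values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Command-line patterns for shadow copy and recovery tampering (MITRE ATT&CK T1490).
SHADOW_COPY_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\b.*recoveryenabled\s+no", re.I),
]

def detect(events, burst_threshold=10, window=timedelta(seconds=60)):
    """Return one alert per (host, pid) per rule over a list of EDR-style events."""
    alerts, flagged = [], set()
    recent = defaultdict(deque)  # (host, pid) -> timestamps of extension-changing renames

    def fire(rule, key):
        if (rule, key) not in flagged:          # alert once per host/process per rule
            flagged.add((rule, key))
            alerts.append({"rule": rule, "host": key[0], "pid": key[1]})

    for ev in sorted(events, key=lambda e: e["ts"]):
        key, ts = (ev["host"], ev["pid"]), datetime.fromisoformat(ev["ts"])
        if ev["type"] == "process":
            if any(p.search(ev["cmd"]) for p in SHADOW_COPY_PATTERNS):
                fire("shadow_copy_deletion", key)
        elif ev["type"] == "file_rename":
            if PureWindowsPath(ev["old"]).suffix == PureWindowsPath(ev["new"]).suffix:
                continue                         # ordinary rename, extension unchanged
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:      # sliding window of recent renames
                q.popleft()
            if len(q) >= burst_threshold:
                fire("mass_extension_change", key)
    return alerts

# Constructed sample telemetry (hypothetical values, not from any real product or incident).
EVENTS = [
    {"ts": "2025-01-10T09:00:01", "type": "process", "host": "WS-07", "pid": 4120,
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2025-01-10T09:00:02", "type": "file_rename", "host": "WS-02", "pid": 880,
     "old": "C:\\Users\\bob\\draft.txt", "new": "C:\\Users\\bob\\draft_v2.txt"},  # benign
] + [
    {"ts": f"2025-01-10T09:00:{5 + i:02d}", "type": "file_rename", "host": "WS-07", "pid": 4120,
     "old": f"C:\\Users\\alice\\Documents\\report{i}.docx",
     "new": f"C:\\Users\\alice\\Documents\\report{i}.docx.locked"}
    for i in range(12)
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Both alerts land on the same host and PID, which is the correlation a SOAR playbook would key on before isolating that host.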
Layer 5: Recover
Immutable Backups: Ransomware specifically targets backups. Use immutable storage that prevents backup deletion or encryption. Test restores regularly. Maintain offline or air-gapped backup copies for critical data.
Each layer adds resistance. When all five layers are active, a ransomware attack has to penetrate email security, bypass DNS filtering, exploit an unpatched vulnerability or compromised credential, evade application control and EDR, move laterally through a segmented network, avoid SIEM detection, AND destroy immutable backups. That's a tall order even for sophisticated threat actors.