10 Best Practices to Prevent Ransomware Attacks

Overview
Ransomware is a type of malicious software that encrypts an organization's systems and data, locking businesses out of their own operations until a ransom is paid. It's one of the most common and costly cyber events businesses face today.
According to Coalition's 2026 Cyber Claims Report, average ransom demands surpassed $1 million in 2025 — a 47% increase in a single year — and 70% of attacks now combine encryption with data theft, creating simultaneous operational and legal pressure on victims. Below, explore how ransomware works and what your business can do to prevent it.
What is a ransomware attack?
Ransomware is a type of malware that restricts access to computer systems, files, and networks by encrypting them and demanding payment for a decryption key. Cyber criminals launch ransomware attacks by exploiting vulnerabilities in internet-facing software, stealing or purchasing employee credentials, or tricking users into downloading malicious files through phishing emails and links. Once inside a network, attackers typically spend time mapping the environment and moving laterally — escalating privileges and identifying high-value systems — before deploying the ransomware itself.
Modern ransomware attacks have evolved far beyond simple file encryption. In 2025, 70% of ransomware claims involved dual extortion — attackers simultaneously encrypting systems and exfiltrating sensitive data. Even when a business can restore systems from backups, the threat of stolen data being publicly leaked creates lasting legal, regulatory, and reputational exposure. The top ransomware threat actors in 2025 included Akira (linked to 25% of events), Qilin (12%), and RansomHub (7%), each operating with distinct tactics and escalating demands.
The financial consequences extend well beyond the ransom itself. The average ransom demand exceeded $1 million in 2025, while the total average cost of a ransomware claim — factoring in business interruption, data restoration, and forensic investigation — was $262,000, even for many victims who refused to pay. Learn how those costs compound. Among Coalition policyholders in 2025, 86% of ransomware victims refused to pay, relying instead on backups and incident response expertise to recover.
What are the 10 tips to prevent a ransomware attack?
Ransomware attacks are ubiquitous and expensive to remediate. While no single control prevents every attack, these 10 practices are consistently the most effective defenses based on Coalition's claims data and incident response experience:
1. Turn on multi-factor authentication
2. Run security awareness training
3. Update vulnerable technology
4. Use strong passwords
5. Monitor your endpoints
6. Establish a regular patch cadence
7. Implement secure remote access
8. Prioritize account maintenance
9. Maintain backups
10. Use attack surface monitoring
Best practices for preventing a ransomware attack
Unfortunately, there is no silver bullet for ransomware prevention. Threat actors constantly adapt their tactics. In 2025, they moved faster than ever, with the average attacker breaking out across a victim's network in under 48 minutes after gaining initial access.
Businesses must layer defenses across their technology, processes, and people. The ransomware prevention best practices below are grounded in what Coalition's claims data and incident response teams see on the front lines, every day.
1. Turn on multi-factor authentication
The most common way ransomware attackers get inside a network is through the front door. Compromised credentials were the confirmed access vector in 27% of ransomware incidents in 2025, and virtual private networks (VPNs) — tools specifically designed to protect remote access — were the targeted technology in 59% of all ransomware claims, largely because their login panels were exposed to the internet without multi-factor authentication (MFA) enforcement.
MFA is an identity verification strategy that requires users to provide multiple authentication credentials before access is granted. With MFA in place, a stolen password alone is not enough. A threat actor must also bypass a second, independent checkpoint. Implementing MFA across every remote access point is one of the single most impactful ransomware prevention steps any business can take.
There are three main MFA methods:
Knowledge-based MFA relies on facts users know: passwords, PINs, and personal security questions.
Possession-based MFA uses something users have: a one-time passcode (OTP) sent via SMS or an authenticator app, a software certificate, or a physical hardware security key.
Inherence-based MFA grants access via unique biometric identifiers: facial recognition, fingerprints, or voice recognition.
At minimum, enforce MFA across every internet-facing login panel, especially VPNs and remote desktop applications. Businesses that expose VPN login pages to the public internet without MFA are 3-4 times more likely to experience a cyber incident, according to Coalition's 2026 Cyber Claims Report.
2. Run security awareness training
Social engineering remains one of the most reliable tools in a ransomware attacker's playbook. In 2025, social engineering was the confirmed initial access method in 11% of ransomware incidents. And across all claims, 71% of funds transfer fraud events stemmed from social engineering tactics alone. Attackers are skilled at manufacturing urgency, impersonating trusted parties, and hiding malicious intent inside routine-looking communications.
Running security awareness training on a regular basis (at minimum annually, ideally quarterly) teaches employees what current attack attempts look like, how to verify the legitimacy of requests, and what to do when something looks suspicious. Simulated phishing exercises provide measurable data on where employee vigilance is weakest and where training has taken hold. The goal isn't to make every employee a security expert; it's to ensure no single employee becomes an easy way in.
3. Update vulnerable technology
Software exploits are the leading initial access vector in ransomware attacks. In 2025, they were the confirmed entry method in 38% of ransomware incidents where forensic investigators identified how attackers got in. What makes this especially alarming is which software is being exploited: The most frequently targeted vendors in perimeter compromises were SonicWall, Fortinet, Cisco, Citrix, and Palo Alto Networks.
Once a vulnerability is publicly disclosed, attackers begin scanning for unpatched systems within hours. Businesses that fall behind on patching internet-exposed devices are not just accepting risk; they are handing attackers a timed window to walk through an unlocked door. Prioritize scanning and updating any server or appliance accessible from the public internet, and treat vendor security advisories as urgent operational tasks, not optional IT maintenance.
Legacy on-premises infrastructure, including older email servers left with login pages exposed to the public internet, is a particularly high-risk category. Learn why on-premises Microsoft Exchange has become one of the most targeted technologies for ransomware attackers, and what businesses can do to reduce that risk.
Not every vulnerability can be patched immediately, but not every vulnerability poses equal risk. Coalition's Exploit Scoring System (Coalition ESS) uses machine learning to predict which vulnerabilities are most likely to be exploited in the real world, helping security teams prioritize their patching effort where it will have the greatest impact. See how Coalition ESS helps predict exploitation before it happens.
4. Use strong passwords
Compromised credentials are the second most common ransomware access vector, confirmed in 27% of incidents in 2025. Whether passwords are stolen via phishing, bought on dark web marketplaces, brute-forced through exposed login panels, or exposed in third-party data breaches, weak and reused credentials give attackers a direct route into business systems, often without triggering any alarms.
Employees often opt for weak passwords out of convenience, not carelessness. The solution isn't harsher consequences; it's making secure behavior the easiest option. Strong passwords should be long, unique across every account, and never stored in email inboxes or shared documents. A password manager removes the cognitive burden of remembering dozens of credentials and reduces the temptation to reuse passwords across accounts.
Pair strong password policies with proactive credential monitoring: services that scan breach databases and alert your team when employee credentials appear in a known data leak. Catching a compromised credential before an attacker uses it is far less costly than responding to a ransomware attack after they already have.
5. Monitor your endpoints
Every device with access to your network (a laptop, a server, a mobile phone) is a potential entry point for ransomware. Endpoint detection and response (EDR) solutions continuously monitor device behavior for signs of suspicious activity, block harmful processes in real time, and help security teams investigate and remediate threats as they emerge. The traditional "castle-and-moat" perimeter model, that is, securing one central network boundary, has given way to a distributed reality where every endpoint is a gateway that must be actively defended.
One critical caveat: EDR only works when someone is actively monitoring and responding to its alerts. Living off the land (LOTL) attacks, in which threat actors use the operating system's own built-in tools like PowerShell, Remote Desktop Protocol, and BitLocker rather than external malware, can generate EDR alerts that go unnoticed for days when no one is watching. Trusted system tools are involved in the majority of major attacks, specifically because they're harder for automated systems to flag as malicious.
For most small and midsize businesses without a dedicated security operations center, managed detection and response (MDR) is the more practical choice. MDR pairs EDR technology with 24/7 expert monitoring and automated response capabilities. With attackers now moving across networks in an average of 48 minutes after initial access, automated response (not just detection) is what limits the blast radius.
Wirespeed Automated Detection and Response (ADR) is built for exactly this gap. It combines AI-driven threat detection with automated containment actions — isolating compromised endpoints, killing malicious processes, and alerting your team — so response begins in seconds, not hours. For businesses managing lean IT teams, Wirespeed ADR closes the window attackers rely on.
6. Establish a regular patch cadence
Ransomware groups don't wait weeks to exploit a newly disclosed vulnerability. They begin scanning for unpatched systems within hours. In 2025, software exploits were the most common ransomware initial access vector (38% of confirmed incidents), and the most frequently exploited perimeter devices came from vendors like SonicWall, Fortinet, Cisco, Citrix, and Palo Alto Networks. Falling behind on patches for these devices is the equivalent of leaving a door unlocked in a neighborhood where break-ins happen daily.
A structured patch cadence removes the ambiguity about what gets patched when. As a baseline, treat any critical or high-severity vulnerability in an internet-facing device as urgent, ideally addressed within 24 to 48 hours of disclosure. For lower-priority patches, a monthly cadence with defined rollout days gives teams a sustainable rhythm. Many organizations also set firm deadlines: devices not updated by a certain date are removed from the network until they are.
No security team can patch everything at once. Coalition ESS uses predictive modeling to identify which vulnerabilities are most likely to be weaponized by real attackers, often weeks before they appear on known-exploited vulnerability lists. Using a tool like Coalition ESS lets teams focus patching resources on the vulnerabilities that pose the greatest actual risk, rather than treating every CVE equally. See how predictive vulnerability scoring works in practice.
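The cadence described above, expressed as a check over an asset inventory (an added example, not Coalition's or any vendor's code): exposed critical/high findings get the 48-hour window, the rest wait for a monthly rollout day, and anything far past due is flagged for removal from the network. The rollout day, the quarantine grace period and the asset list are assumptions constructed for illustration.

```python
"""Patch-cadence SLA check: an added example, not Coalition's or any vendor's code.

Critical/high findings on internet-facing devices are due 48 hours after
disclosure; everything else waits for the next monthly rollout day; anything
far past its deadline is flagged for removal from the network. Thresholds and
the asset list are constructed assumptions, not data from the report.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

URGENT_WINDOW = timedelta(hours=48)   # internet-facing critical/high
ROLLOUT_DAY = 15                      # assumed monthly patch day for the rest
QUARANTINE_GRACE = timedelta(days=7)  # assumed: this far past due -> off the network

@dataclass
class Finding:
    asset: str
    severity: str          # "critical", "high", "medium" or "low"
    internet_facing: bool
    disclosed: datetime    # vendor advisory publication time (UTC)
    patched: bool = False

def next_rollout(after: datetime) -> datetime:
    """First ROLLOUT_DAY at 00:00 UTC strictly after `after`."""
    candidate = after.replace(day=ROLLOUT_DAY, hour=0, minute=0, second=0, microsecond=0)
    if candidate <= after:  # rollout day already passed this month
        year, month = (after.year + 1, 1) if after.month == 12 else (after.year, after.month + 1)
        candidate = candidate.replace(year=year, month=month)
    return candidate

def due_date(f: Finding) -> datetime:
    """Urgent window for exposed critical/high issues, rollout day otherwise."""
    if f.internet_facing and f.severity in ("critical", "high"):
        return f.disclosed + URGENT_WINDOW
    return next_rollout(f.disclosed)

def classify(f: Finding, now: datetime) -> str:
    """One of: patched, on-track, overdue, quarantine."""
    if f.patched:
        return "patched"
    due = due_date(f)
    if now <= due:
        return "on-track"
    return "quarantine" if now - due >= QUARANTINE_GRACE else "overdue"

def report(findings, now):
    """Map each asset to its status under the cadence."""
    return {f.asset: classify(f, now) for f in findings}

# Constructed sample inventory; asset names are placeholders.
UTC = timezone.utc
NOW = datetime(2025, 6, 10, 12, 0, tzinfo=UTC)
SAMPLE = [
    Finding("vpn-edge-01", "critical", True, datetime(2025, 6, 9, 9, 0, tzinfo=UTC)),
    Finding("vpn-edge-02", "critical", True, datetime(2025, 6, 1, 9, 0, tzinfo=UTC)),
    Finding("web-app-04", "high", True, datetime(2025, 6, 5, 9, 0, tzinfo=UTC)),
    Finding("fileserver-03", "medium", False, datetime(2025, 5, 20, 9, 0, tzinfo=UTC)),
    Finding("mail-gw-01", "high", True, datetime(2025, 6, 7, 9, 0, tzinfo=UTC), patched=True),
]

if __name__ == "__main__":
    for asset, status in report(SAMPLE, NOW).items():
        print(f"{asset:15} {status}")
```

Running it against the sample puts the week-old exposed VPN finding in the quarantine bucket while the internal medium-severity issue stays on track for the 15th.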
7. Implement secure remote access
Most businesses today are fully or partially distributed, with employees accessing company systems from home networks, hotels, and coffee shops. Securing remote access is no longer an IT nicety; it's one of the highest-impact ransomware prevention steps a business can take. In 2025, VPNs were the targeted technology in 59% of confirmed ransomware incidents. Businesses that leave VPN login panels exposed to the public internet are 3-4 times more likely to experience a cyber incident; for remote desktop applications, that risk multiplier rises to 3-8 times.
The baseline controls for any remote access technology are non-negotiable: enforce MFA for every user, keep all perimeter appliances aggressively patched, and never leave login panels accessible from the public internet without a second layer of protection. Hackers actively scan the internet for exposed login portals and will attempt credential stuffing, brute-force attacks, and exploitation of known vulnerabilities the moment they find one.
Many organizations are moving beyond traditional VPNs entirely, replacing them with Zero Trust Network Access (ZTNA) frameworks. Unlike VPNs, which grant broad network access once a user authenticates, ZTNA verifies the identity of every user and device before granting access to individual applications — continuously, not just at login. This "never trust, always verify" model dramatically reduces the blast radius if credentials are ever compromised. Coalition's incident responders have consistently identified exposed VPNs and legacy remote access tools as primary attack entry points, and recommend ZTNA as the long-term solution for organizations that can make the transition.
For businesses still relying on legacy infrastructure, including on-premises email servers with internet-exposed login pages, migration to cloud-hosted alternatives that receive automatic security updates is the safest long-term path. Until migration is complete, move all legacy login panels behind a VPN and enforce MFA universally.
8. Prioritize account maintenance
Ransomware attackers rarely strike the moment they enter a network. They often spend days or weeks moving laterally before deploying the encryption payload: escalating privileges, mapping systems, identifying the most valuable data, etc. The accounts they exploit most frequently are not new compromises; they are dormant, over-privileged, or poorly maintained accounts that give attackers a quiet path through the network without triggering alerts.
Account hygiene is the discipline of keeping your identity environment clean and trustworthy. This means tying every privileged account to a named human, not a shared "admin" login that's been in use for years without a password change. Every account should hold only the minimum privileges required for its function, and access should be revoked immediately when an employee changes roles or leaves the organization. One of the most dangerous scenarios in ransomware incidents is a golden ticket attack, which gives a threat actor total control over a company's Active Directory, effectively making them a ghost administrator with keys to every system.
Adopt a zero-trust approach to identity: verify continuously, grant minimally, and review regularly. Modern identity tools like Microsoft Entra ID make it practical for even small businesses to enforce multi-factor authentication, single sign-on, and identity-based access controls without significant IT overhead. Monitoring identity activity (not just passwords) means suspicious behavior like unusual login times, unexpected privilege escalations, or access to atypical systems surfaces quickly, while attackers still have limited footholds.
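The account-hygiene checks described in this section, run over a directory export (an added example, not Coalition's code or any vendor's tool): privileged accounts must map to a named person, accounts of departed owners and dormant accounts must be disabled, role changes trigger a privilege re-review, and privileged passwords must rotate. The 90-day dormancy and one-year rotation thresholds and the sample export are assumptions constructed for illustration.

```python
"""Account-hygiene audit: an added example, not Coalition's code or a vendor's tool.

Applies the checks described above to a directory export: privileged accounts map
to a named person, departed owners' and dormant accounts are disabled, role changes
trigger a privilege re-review, and privileged passwords rotate. Thresholds and the
sample export are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

DORMANT_AFTER = timedelta(days=90)           # assumed: no logon in 90 days
PRIV_PASSWORD_MAX_AGE = timedelta(days=365)  # assumed: yearly rotation for admins

@dataclass
class Account:
    name: str
    enabled: bool
    privileged: bool
    owner: Optional[str]          # named human, or None for shared/service logins
    owner_status: str             # "active", "role-changed", "left" or "n/a"
    last_logon: Optional[datetime]
    password_set: datetime

def audit(acct: Account, now: datetime) -> list[str]:
    """Return the hygiene findings for one account (empty list means clean)."""
    findings = []
    if acct.privileged and acct.owner is None:
        findings.append("privileged account not tied to a named human")
    if acct.enabled and acct.owner_status == "left":
        findings.append("owner has left but account is still enabled")
    if acct.enabled and acct.privileged and acct.owner_status == "role-changed":
        findings.append("owner changed role; privileges need re-review")
    dormant = acct.last_logon is None or now - acct.last_logon > DORMANT_AFTER
    if acct.enabled and dormant:
        findings.append("dormant account still enabled")
    if acct.privileged and now - acct.password_set > PRIV_PASSWORD_MAX_AGE:
        findings.append("privileged password not rotated within a year")
    return findings

def audit_all(accounts, now):
    """Findings per account, omitting clean accounts."""
    results = {a.name: audit(a, now) for a in accounts}
    return {name: f for name, f in results.items() if f}

# Constructed sample export; names and dates are placeholders.
UTC = timezone.utc
NOW = datetime(2025, 6, 10, tzinfo=UTC)
SAMPLE = [
    Account("admin", True, True, None, "n/a",
            datetime(2025, 6, 9, tzinfo=UTC), datetime(2021, 3, 1, tzinfo=UTC)),
    Account("jdoe", True, False, "Jane Doe", "active",
            datetime(2025, 6, 8, tzinfo=UTC), datetime(2025, 1, 10, tzinfo=UTC)),
    Account("bsmith", True, False, "Bob Smith", "left",
            datetime(2025, 1, 15, tzinfo=UTC), datetime(2024, 11, 1, tzinfo=UTC)),
    Account("svc-legacy", True, True, None, "n/a",
            None, datetime(2019, 5, 1, tzinfo=UTC)),
    Account("mlee", True, True, "Mia Lee", "role-changed",
            datetime(2025, 6, 9, tzinfo=UTC), datetime(2025, 2, 1, tzinfo=UTC)),
    Account("old-intern", False, False, "Pat Intern", "left",
            datetime(2024, 8, 1, tzinfo=UTC), datetime(2024, 6, 1, tzinfo=UTC)),
]
```

On the sample, the shared "admin" login and the never-used "svc-legacy" account surface as the unowned, stale privileged accounts the section warns about, while the already-disabled departed account produces no finding.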
9. Maintain backups
Viable, immutable backups are the most powerful ransomware recovery tool available. In 2025, their impact was measurable: 86% of ransomware victims among Coalition policyholders refused to pay the ransom, with most citing the ability to restore from backups as the reason they could walk away from demands exceeding $1 million. Businesses that invest in tested, offsite backups convert a potential catastrophe into a manageable, though disruptive, recovery process.
For backups to serve as a genuine defense, not a false comfort, they must meet four criteria:
Immutable: Backups cannot be altered, deleted, or encrypted by ransomware or any other process. Backup solutions that write to the same network that could be encrypted offer no protection.
Offline or off-site: At least one copy of critical data should be stored separately from the primary network — physically or in a geographically separate cloud environment.
Regularly tested: A backup that has never been restored may fail exactly when it is needed most. Test backups through full recovery drills, not just existence checks.
Comprehensive: Backups should cover all critical systems, not just selected files. A partial restore that leaves key applications offline can be as disruptive as no restore at all.
One additional consideration: protect your backups from being used as intelligence by attackers. Ransomware groups have been observed searching victim networks for cyber insurance policy documents during an intrusion and using coverage details to calibrate their ransom demands. Treat your cyber insurance policy as a sensitive document, stored with the same access controls as financial records, and never on shared drives accessible from the compromised network.
10. Use attack surface monitoring
The cybersecurity attack surface expands every time a business adds a new user, device, cloud service, or application, and most organizations have far more internet-exposed assets than they realize. Attack surface monitoring gives security teams an outside-in view of their infrastructure: what is visible to potential attackers, what is vulnerable, and what requires immediate attention before it becomes an entry point.
In 2025, 872 Coalition policyholders ignored critical security alerts during the insurance quoting process and later suffered ransomware attacks totaling $436 million in losses. At the same time, 80% of businesses that reported a claim had never activated their Coalition Control account — missing the opportunity to intercept threats before they escalated. Proactive visibility is not just good practice; the data shows it directly and measurably reduces the likelihood and cost of an attack.
Coalition Control® is a free automated scanning and monitoring platform available to all Coalition policyholders. It continuously scans your external attack surface for vulnerabilities, misconfigurations, and exposed services, and sends alerts with actionable remediation guidance when issues are found — giving security teams an ongoing, outside-in view of their risk exposure.
Why must small businesses protect themselves from ransomware attacks?
Ransomware is no longer primarily a problem for large enterprises. In 2025, businesses with revenues under $25 million experienced a 10% year-over-year increase in ransomware claims frequency — as attackers increasingly automated their tools to scan the internet for unpatched vulnerabilities in smaller organizations' perimeters at scale. For attackers, a small business with limited security resources and a lot to lose is an attractive, efficient target.
The financial consequences are severe relative to the size of the businesses involved. Average ransom demands exceeded $1 million in 2025. The total average cost of a ransomware claim (accounting for business interruption, data restoration, and forensic investigation) was $262,000.
For a small business, a loss of that magnitude can be existential. And the nature of ransomware attacks has grown more complex: 70% now involve dual extortion, combining encryption with data theft. Even when a business successfully restores from backups, the threat of stolen customer or employee data being publicly leaked creates ongoing legal and regulatory exposure that can outlast the operational recovery by months or years.
Ransomware attackers have also become more sophisticated in how they size their demands. Some groups actively search victim networks for cyber insurance policy documents during an intrusion, using coverage limits as a reference point for setting ransom demands and as leverage in negotiations. Understanding these tactics, and taking steps to protect sensitive documents like insurance policies with the same rigor as financial records, is now part of a complete ransomware defense strategy.
A ransomware attack can occur at any time, bringing operations to a standstill and threatening an entire organization. Businesses that invest in layered defenses before an attack, not after, are measurably more likely to survive one intact.
