Cybersecurity

Preventing Malware and Ransomware Attacks in Your Business

Malware and ransomware prevention requires overlapping layers of technical controls — no single tool provides complete protection. This guide covers the attack pathways attackers use, the controls that block each pathway and the backup and response practices that limit damage when prevention fails.

Nathan Hill-Haimes

Technical Director

10 min read·Mar 2026

How Malware and Ransomware Enter Business Networks

Understanding the attack pathways is the starting point for effective prevention. The NCSC's incident data consistently identifies a small number of routes accounting for the vast majority of malware and ransomware incidents affecting UK SMEs:

  • Phishing emails: Malicious links or attachments in email remain the most common delivery mechanism. Users are socially engineered into clicking a link, downloading an attachment or entering credentials on a fake page.
  • Exploitation of unpatched vulnerabilities: VPN appliances, remote desktop (RDP), Exchange Server and other internet-facing systems with known unpatched vulnerabilities are actively scanned and exploited by ransomware affiliates. In many well-documented incidents, exploitation occurred within days of public vulnerability disclosure.
  • Compromised credentials: Stolen credentials (from phishing, data breach dumps or brute-forcing weak passwords) used to authenticate to internet-facing services — VPN, RDP, Microsoft 365 — provide direct network access without any malware delivery required.
  • Malicious websites and drive-by downloads: Browsing to compromised or malicious websites can result in malware installation, particularly on unpatched browsers or on legacy systems that still run Java or Flash plug-ins.
  • USB and removable media: Less common in enterprise environments but still relevant for industrial and manufacturing settings.

Prevention Layer 1: Reduce the Attack Surface

The first layer of prevention limits what attackers can reach before they can attempt exploitation:

  • Patch management: Apply critical and high-severity patches within 14 days (the Cyber Essentials requirement) — prioritising internet-facing systems, VPN appliances and remote access infrastructure. Automated patch management tools (Windows Update for Business, NinjaRMM, Action1) reduce the operational burden.
  • Disable unnecessary services: RDP should not be exposed directly to the internet. If remote desktop access is required, it should be accessible only via VPN or Zero Trust network access (ZTNA), not via a public port. Audit internet-facing services regularly.
  • Email filtering: Anti-spam, Safe Attachments (sandboxed detonation) and Safe Links (time-of-click URL scanning) reduce the volume of malicious content reaching users' inboxes.
  • DNS filtering: Block connections to known malicious domains at the DNS level, preventing malware that has reached a device from calling home or downloading additional payloads.

Prevention Layer 2: Protect Endpoints

Endpoint detection and response (EDR) is the primary control for detecting and blocking malware that bypasses email and network filters:

  • EDR vs traditional antivirus: Traditional antivirus uses signatures to detect known malware. EDR uses behavioural analysis — detecting suspicious behaviour (ransomware-like file encryption activity, process injection, living-off-the-land techniques) regardless of whether the specific malware signature is known.
  • Automated response: Modern EDR platforms can automatically isolate an infected endpoint from the network, terminate malicious processes and collect forensic evidence while containing the spread.
  • Managed EDR: EDR technology without monitoring is of limited value — alerts that sit unreviewed do not result in containment. Managed EDR (via an MDR service) ensures that detections are acted upon, including outside business hours when attacks commonly detonate.
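The behavioural signal described above (rapid, extension-changing rewrites with encrypted-looking content, attributed to one process) is easier to see in code. This is an added example, not code from the article or any EDR product; the telemetry format, thresholds and sample events are constructed for the illustration.

```python
import math
from collections import defaultdict, deque

WINDOW_SECONDS = 10       # burst window an EDR rule might use (assumed value)
BURST_THRESHOLD = 5       # suspicious rewrites per process inside the window (assumed)
ENTROPY_THRESHOLD = 7.5   # bits per byte; ordinary documents sit far below this

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: encrypted or compressed content approaches 8.0."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def extension_changed(old_path: str, new_path: str) -> bool:
    """True when a rename/rewrite gives the file a different extension."""
    return old_path.rsplit(".", 1)[-1].lower() != new_path.rsplit(".", 1)[-1].lower()

def detect_ransomware_bursts(events):
    """events: (timestamp, pid, process, old_path, new_path, content_sample) tuples.
    Flags a process after BURST_THRESHOLD extension-changing, high-entropy rewrites
    inside WINDOW_SECONDS. Returns {(pid, process): timestamp_flagged}. No signature needed."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, pid, proc, old, new, sample in sorted(events, key=lambda e: e[0]):
        if not (extension_changed(old, new) and shannon_entropy(sample) >= ENTROPY_THRESHOLD):
            continue  # require both signals; either alone is common in benign activity
        key = (pid, proc)
        window = recent[key]
        window.append(ts)
        while ts - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= BURST_THRESHOLD and key not in flagged:
            flagged[key] = ts
    return flagged

# Constructed telemetry: one normal document save, one unknown binary rewriting eight
# spreadsheets to *.locked with random-looking content, one legitimate archiver run.
PLAINTEXT = b"Quarterly revenue summary, Q1: up 4% on prior year.\n" * 5
CIPHERTEXT = bytes((i * 73 + 11) % 256 for i in range(256))  # every byte value once
SAMPLE_EVENTS = (
    [(1000.0, 4120, "winword.exe", r"C:\Users\a\report.docx", r"C:\Users\a\report.docx", PLAINTEXT)]
    + [(1001.0 + i * 0.5, 5200, "update.exe", rf"C:\Share\finance\f{i}.xlsx",
        rf"C:\Share\finance\f{i}.xlsx.locked", CIPHERTEXT) for i in range(8)]
    + [(1100.0, 6000, "7z.exe", r"C:\Users\a\archive.tar", r"C:\Users\a\archive.7z", CIPHERTEXT)]
)
```

The archiver write is high-entropy and changes the extension, but a single event never reaches the burst threshold; only the process rewriting the finance share is flagged, which is the point at which an EDR platform would isolate the host.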

Prevention Layer 3: Identity and Access Controls

Many malware infections spread through credential-based techniques — attackers steal credentials on one machine and use them to move laterally to others. Access controls limit this:

  • MFA on all accounts: Prevents compromised credentials from being used to authenticate to cloud services or VPN.
  • Least privilege: Users should not have local administrator rights on their own workstations unless required for their role. Local admin rights are frequently required for malware to install and persist.
  • Privileged Access Workstations (PAW): For IT administrators, a dedicated workstation used only for privileged tasks reduces the risk of admin credentials being compromised on a general-purpose device.
  • Credential Guard: Windows Defender Credential Guard protects NTLM hashes in memory, reducing the effectiveness of credential harvesting tools used in lateral movement.

Prevention Layer 4: Backups

Backups do not prevent malware infection, but they are what determines whether a ransomware attack results in data loss and ransom payment pressure. The 3-2-1 backup rule remains the minimum: three copies of data, on two different media types, with one copy offline or air-gapped.

Critical points for ransomware-resilient backups:

  • Offline or immutable backups cannot be encrypted by ransomware — cloud backup with object lock or tape backups kept offline satisfy this requirement.
  • Backup systems should have separate credentials from your main environment — if attackers compromise your domain admin account, they should not automatically have access to delete your backups.
  • Backup restoration should be tested regularly — backup test failures are most commonly discovered during actual incidents.
  • Microsoft 365 data is not automatically backed up by Microsoft — a third-party backup solution for Exchange, SharePoint and OneDrive data is necessary.
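The 3-2-1 rule and the four points above can be checked as policy-as-code against a backup inventory. This is an added example, not from the article; the inventory fields, the 90-day restore-test limit and the realm name `corp.local` are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

RESTORE_TEST_MAX_AGE_DAYS = 90   # assumed organisational limit, not an article figure
PRODUCTION_REALM = "corp.local"  # assumed name of the main directory/identity realm

@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str                             # e.g. "disk", "object-storage", "tape"
    immutable_or_offline: bool             # object lock, WORM, or physically disconnected
    identity_realm: str                    # the credential store that can delete this copy
    last_restore_test_days: Optional[int]  # None = never tested
    covers_m365: bool = False

def evaluate_backups(copies, uses_m365=True, primary_realm=PRODUCTION_REALM):
    """Return a list of findings; an empty list means the inventory passes.
    The live production data (assumed to sit on local disk) counts as one copy."""
    findings = []
    total_copies = len(copies) + 1
    if total_copies < 3:
        findings.append(f"3-2-1: only {total_copies} copies including production")
    media = {c.media for c in copies} | {"disk"}
    if len(media) < 2:
        findings.append("3-2-1: all copies on a single media type")
    if not any(c.immutable_or_offline for c in copies):
        findings.append("3-2-1: no offline or immutable copy; ransomware can reach every copy")
    for c in copies:
        if c.identity_realm == primary_realm:
            findings.append(f"{c.name}: deletable with production credentials ({primary_realm})")
        if c.last_restore_test_days is None or c.last_restore_test_days > RESTORE_TEST_MAX_AGE_DAYS:
            findings.append(f"{c.name}: restore not tested within {RESTORE_TEST_MAX_AGE_DAYS} days")
    if uses_m365 and not any(c.covers_m365 for c in copies):
        findings.append("Microsoft 365 data has no third-party backup")
    return findings

# Constructed inventories: a typical weak setup and a corrected one.
WEAK = [
    BackupCopy("nightly-nas", "disk", False, "corp.local", 400),
]
CORRECTED = [
    BackupCopy("nightly-nas", "disk", False, "backup-vault", 30),
    BackupCopy("cloud-objectlock", "object-storage", True, "backup-vault", 30, covers_m365=True),
]
```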

What to Do When Prevention Fails

No prevention stack is 100% effective. The incident response priorities when malware is detected are:

  1. Isolate: Disconnect the affected device from the network immediately — WiFi, Ethernet and any VPN connections. This limits lateral spread.
  2. Contain: Identify other potentially affected devices through EDR telemetry or network traffic analysis.
  3. Preserve: Do not reimage the affected machine before forensic evidence is collected — this evidence determines how the attacker got in.
  4. Communicate: Notify your IT support or MDR provider, your cyber insurance underwriter and (if personal data may be affected) begin the GDPR breach assessment process.
  5. Recover: Restore from clean backups once the initial compromise vector and scope are understood.

How Many Prevention Layers Do You Have in Place?

AMVIA can assess your current malware and ransomware prevention controls and identify the gaps most likely to be exploited — providing a prioritised remediation plan.

Frequently Asked Questions