Ransomware is the most disruptive cyber threat most organisations will ever face. It encrypts the data you depend on, demands payment for its return and, increasingly, steals a copy first so the criminals can extort you a second time. Knowing how to protect against ransomware is no longer a specialist concern. It is a board-level requirement.
This guide sets out the practical steps every business should take. It is written for leaders and IT teams who need clarity, not jargon, and it ends with the one control that decides whether a ransomware attack becomes an inconvenience or a crisis: physical disconnection.
What Ransomware Actually Does
Modern ransomware is a business. Criminal groups buy access to corporate networks from initial-access brokers, deploy off-the-shelf encryption tools, exfiltrate sensitive data to a leak site and present a ransom demand denominated in cryptocurrency. The technical attack is fast. The recovery is slow.
The UK National Cyber Security Centre tracked a threefold rise in the most severe ransomware incidents during 2024. Recovery times across all sectors now average more than seven months. Healthcare, local government and education have been hit hardest, but no sector is immune.
Step 1: Reduce Your Attack Surface
Most ransomware enters through one of three doors: a phishing email, an exposed remote-access service, or an unpatched internet-facing application. Closing those doors is the foundation of protection.
- Enforce multi-factor authentication on every account, especially for email, remote access and administrative tools. Stolen passwords alone should never be enough.
- Patch internet-facing systems within days, not months. The average time from a vulnerability being disclosed to it being exploited is now under a week.
- Disable or restrict remote desktop protocol and any other inbound remote-access service that is not actively required.
- Train staff to recognise phishing and give them an obvious way to report suspicious messages. Awareness is a control, not a slogan.
The UK Cyber Essentials scheme codifies these baseline controls. It is a sensible starting point for any organisation that does not already have an equivalent framework in place.
Step 2: Detect and Contain Before It Spreads
Ransomware rarely encrypts a network the moment it lands. Attackers typically spend days or weeks inside the environment, escalating privileges and mapping critical systems, before pulling the trigger. That window is your opportunity to detect them.
- Deploy endpoint detection and response across every server and workstation. Look for behavioural alerts, not just signature matches.
- Centralise logging and retain at least 90 days of authentication, network and endpoint events so you can investigate what happened.
- Segment your network so that a compromise in one zone cannot trivially reach another. Flat networks are why a single phishing click can take down an entire business.
- Restrict administrative privilege to the smallest possible set of accounts and require those accounts to use separate, hardened workstations.
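The behavioural alerting in the list above can be illustrated with a small detector. The following is an added example, not code from the original page or from any product it describes: it replays a constructed batch of endpoint file events in a made-up `key=value` format and raises one alert when a single process on a host rewrites or renames more files in 60 seconds than a normal application ever would. The event format, the 50-event threshold and the window length are assumptions to calibrate against your own baseline; the point is that the rule keys on behaviour (rate of change plus new file extensions), not on a known malware hash.

```python
"""Behavioural detection of mass file modification by one process (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed event format for this example (not a real EDR export):
#   <ISO timestamp> host=<h> user=<u> proc=<p> op=<write|rename|...> path=<src>[-><dst>]
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) proc=(?P<proc>\S+) "
    r"op=(?P<op>\S+) path=(?P<path>.+)$"
)

WINDOW = timedelta(seconds=60)  # assumed sliding window
THRESHOLD = 50                  # assumed: file changes per window that warrant an alert

# Constructed sample: a word processor saving normally, then a process renaming
# sixty spreadsheets to a new extension within one minute.
SAMPLE_EVENTS = [
    "2024-05-01T10:00:00Z host=ws01 user=alice proc=WINWORD.EXE op=write path=C:/Users/alice/Docs/report.docx",
    "2024-05-01T10:00:30Z host=ws01 user=alice proc=WINWORD.EXE op=write path=C:/Users/alice/Docs/report.docx",
] + [
    f"2024-05-01T10:05:{i:02d}Z host=ws01 user=alice proc=updater.exe op=rename "
    f"path=C:/Users/alice/Docs/file{i}.xlsx->C:/Users/alice/Docs/file{i}.xlsx.locked"
    for i in range(60)
]


def parse(line):
    """Return the event as a dict with a datetime timestamp, or None if unparseable."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Alert once per (host, process) whose file changes exceed `threshold` in `window`."""
    recent = defaultdict(deque)  # (host, proc) -> timestamps of recent writes/renames
    new_ext = defaultdict(set)   # (host, proc) -> extensions produced by renames
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["op"] not in ("write", "rename"):
            continue
        key = (ev["host"], ev["proc"])
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop events outside the window
            q.popleft()
        if ev["op"] == "rename" and "->" in ev["path"]:
            dest = ev["path"].split("->", 1)[1]
            new_ext[key].add(dest.rsplit(".", 1)[-1].lower() if "." in dest else "")
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "host": ev["host"],
                "user": ev["user"],
                "proc": ev["proc"],
                "count": len(q),
                "window_end": ev["ts"].isoformat(),
                "new_extensions": sorted(new_ext[key]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT mass file modification:", alert)
```

Run against the constructed events, the word processor never trips the rule, while `updater.exe` is flagged at its fiftieth rename with `locked` listed as a newly introduced extension. In production the same logic would read from your centralised log store and the alert would drive an automatic host isolation, which is why the 90-day retention and the EDR coverage in the list above matter: the detection is only as good as the events you keep.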
Step 3: Get the 3-2-1-0 Backup Strategy Right
Backups are the foundation of ransomware recovery. The 3-2-1-0 rule, recommended by the UK NCSC and most national cyber agencies, sets the minimum standard:
| Number | What it means |
|---|---|
| 3 | Keep three copies of your data: the live copy plus two backups. |
| 2 | Store those copies on two different types of media. |
| 1 | Keep one copy off-site, so a local incident cannot destroy everything. |
| 0 | Maintain zero errors. Test restores regularly and verify the backups actually work. |
The number that ransomware groups have learned to attack is the off-site copy. If your off-site backup is reachable from the same network as your production systems, it will be encrypted alongside everything else. That is why a growing number of organisations now extend the rule to 3-2-1-1-0, where the additional 1 is a copy that is physically offline and immutable.
Step 4: Make the Last Copy Unreachable
This is the step that separates organisations that survive ransomware from those that pay.
Encryption, immutability flags and cloud-vendor object locks all rely on software controls. Software controls can be turned off by anyone who has compromised the platform they run on. A motivated attacker with administrator credentials in your backup environment can delete retention policies, expire snapshots and corrupt indexes before they ever launch the ransomware payload.
A physical air gap removes that risk. If the storage hardware holding your last-known-good copy is electrically disconnected from every network for the majority of its life, no remote attacker can reach it. There is no IP address to scan, no protocol to exploit and no credential that grants access from the outside. The data is not just protected. It is unreachable.
Firevault Offline Secure Storage applies this principle at production scale. Your vault sits on dedicated hardware inside a CNI-grade facility, physically disconnected by default. It comes online only during authenticated, time-bound access windows that you initiate, and returns to a disconnected state the moment your session ends. For the rest of the time, it is invisible to the internet.
Step 5: Plan and Rehearse the Recovery
A ransomware plan that has never been tested is a wish. Every organisation should be able to answer the following questions without hesitation:
- Which systems and datasets are critical to the business surviving the next 72 hours?
- Where is the most recent verified, offline copy of that data and how long does it take to restore?
- Who decides whether to engage law enforcement, regulators, insurers and external incident-response specialists?
- How does the business communicate with customers and staff if email and collaboration tools are unavailable?
Run a tabletop exercise at least once a year. Test a full restore from your offline backup at least once a quarter. Pay particular attention to the time it takes, because that number is the real cost of any future ransomware event.
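The "0" in the 3-2-1-0 rule from Step 3 and the quarterly restore test in Step 5 both come down to the same check: does every file in the restored copy match what was backed up, and how long did proving that take? The following is an added example, not code from the original page or from any vendor it mentions. It records a manifest of SHA-256 hashes and sizes at backup time, verifies a restored tree against that manifest, and reports both the error list and the elapsed time. The directory layout, file contents and the simulated corruption are constructed for the demonstration.

```python
"""Restore-drill verification for 3-2-1-0 backups (added example)."""
import hashlib
import shutil
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source: Path) -> dict:
    """Record hash and size of every file under `source` at backup time.

    Keep the manifest with the offline copy and a second copy elsewhere, so an
    attacker who tampers with the backup platform cannot also rewrite the record
    you verify against.
    """
    manifest = {}
    for p in sorted(source.rglob("*")):
        if p.is_file():
            rel = p.relative_to(source).as_posix()
            manifest[rel] = {"sha256": sha256_of(p), "size": p.stat().st_size}
    return manifest


def verify_restore(manifest: dict, restored: Path):
    """Compare a restored tree against the manifest.

    Returns (errors, elapsed_seconds). A successful drill is an empty error list;
    the elapsed time is the number Step 5 asks you to watch.
    """
    start = time.perf_counter()
    errors = []
    for rel, expected in manifest.items():
        p = restored / rel
        if not p.is_file():
            errors.append(f"missing: {rel}")
        elif p.stat().st_size != expected["size"]:
            errors.append(f"size mismatch: {rel}")
        elif sha256_of(p) != expected["sha256"]:  # same size, different content
            errors.append(f"hash mismatch: {rel}")
    present = {p.relative_to(restored).as_posix() for p in restored.rglob("*") if p.is_file()}
    errors.extend(f"unexpected file: {rel}" for rel in sorted(present - set(manifest)))
    return errors, time.perf_counter() - start


def demo():
    """Constructed drill: back up a tiny dataset, restore it, then damage the restore."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        restored = Path(tmp) / "restored"
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
        (live / "readme.txt").write_text("critical data\n")

        manifest = build_manifest(live)          # taken at backup time
        shutil.copytree(live, restored)          # stands in for a real restore
        clean_errors, _ = verify_restore(manifest, restored)

        # Simulate silent corruption (same size, different bytes) and a lost file.
        (restored / "finance" / "ledger.csv").write_text("id,amount\n1,999\n")
        (restored / "readme.txt").unlink()
        bad_errors, elapsed = verify_restore(manifest, restored)
    return clean_errors, bad_errors, elapsed


if __name__ == "__main__":
    clean, bad, elapsed = demo()
    print("clean restore errors:", clean)
    print("damaged restore errors:", bad)
    print(f"verification took {elapsed:.3f}s")
```

The size check alone would have passed the corrupted ledger, which is why the hash comparison is the control that counts. Run the same verification after every quarterly restore test and log the elapsed time alongside the error count; a restore that reports zero errors but takes longer than the business can tolerate is a finding in its own right.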
Step 6: Do Not Pay If You Can Avoid It
Paying a ransom funds the next attack, marks your organisation as a willing payer and provides no guarantee that the data will be returned intact. UK law-enforcement guidance is unambiguous: do not pay unless every other option has been exhausted, and report any incident to the National Cyber Security Centre and Action Fraud regardless of the outcome.
Organisations that have rehearsed their recovery and hold a verified offline copy of their critical data almost never need to pay. That is the whole point of the controls described above.
Key Takeaways
- Ransomware is a business model, not a one-off event. Treat it as a continuing operational risk, not a project.
- The basics still matter: multi-factor authentication, patching, segmentation and staff awareness close most of the doors attackers use.
- The 3-2-1-0 rule is the minimum standard for backups, and a physically offline copy is what makes it ransomware-proof.
- Rehearse the recovery at least quarterly. The time-to-restore from your offline copy is the real measure of resilience.
- Learn more about [how Offline Secure Storage works](/offline-secure-storage/what-is-oss), the [3-2-1-0 backup strategy](/compliance/cyber-insurance-3-2-1-0) or [explore the Vault](/vault).