Security / February 18, 2022

How to Prevent Ransomware in Nine Easy Steps

The devastating effects of ransomware have continued to grow over the past two decades, which have seen ransomware shift from just being opportunistic “smash-and-grab” style attacks to carefully orchestrated attacks. Individuals and business organizations alike have continued to fall prey to ransomware where, in 2022, victims were forced to pay an average ransom of $925,162, up 71 percent from 2021.1

Thankfully, there are measures you can take to stay safe and stop ransomware attacks from affecting your network data security.

What Is Ransomware?

Ransomware describes a class of malware used to digitally extort victims into payment of a specific fee. Once the victim’s computer is locked or encrypted, ransomware actors will often attempt to extort money from the victim by displaying an on-screen alert. Victims are notified that unless a ransom is paid, access will not be restored.

Ransomware actors know how lucrative their campaigns can be and have expanded the scope of their attacks to not only extort individual users but disrupt entire businesses and critical infrastructure.

How Does a Computer Become Infected with Ransomware?

Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website, and then malware is downloaded and installed without the user’s knowledge.

Ransomware developers have incorporated capabilities like worms into their malware, so it will spread throughout corporate networks automatically. This ensures their ransomware persists even if the computer that was initially accessed is remediated.

How Has Ransomware Evolved?

As mentioned earlier, ransomware cybercriminals have shifted their tactics. Starting around 2019, they shifted from opportunistic, smash-and-grab attacks to more calculated, advanced persistent threat (APT)-style attacks. This attack style allows cybercriminals to exfiltrate sensitive data prior to encrypting affected hosts, opening the doors to multi-level extortion. They will move beyond extorting organizations to decrypt the affected hosts to extorting organizations to prevent the release of sensitive data. This strategy has yielded them much greater profits.

These multi-level extortion threats gave attackers more leverage, so their victims were pressured into paying. The demands could be very high, as the initial asking price of $34 million during the Foxconn attack showed, and we expect this trend to grow through the rest of this year and the next.

5 Common Ransomware Variants

Ransomware is a general label for a group of different malware types. They all have the common feature of demanding a ransom payment for removal, but they don’t all behave the same way. That’s why it’s important to have a plan to stop ransomware in all its forms.

The following are some of the most common types:

  1. Locker ransomware is considered to be the first type ever discovered. As its name suggests, it locks users out of their computers and demands some form of payment. This is one of the most debilitating versions, as it often requires a system wipe to remove. Unfortunately, paying the ransom doesn’t always save you; some hackers have embedded password-stealing software even once the ransom has been paid.
  2. Crypto ransomware’s key difference is that payment is demanded in the form of cryptocurrency. Hackers often lock the user’s files and demand payment through an anonymous cryptocurrency address.
  3. Leakware works by stealing your information and threatening to release the data if you don’t pay up. Targeted details could include your bank info, contacts, intimate photos, and personal documents. It’s an especially successful tactic as it causes the victim to panic and respond.
  4. Scareware usually poses as fake security software. Once downloaded, it will alert you of issues that cost extra money to fix. In some cases, you will be flooded with so many alerts and pop-ups that your computer is unusable until you take action.
  5. Ransomware as a Service (RaaS) is a meta-malware type employed by career criminals. A hacker will hire out their services, creating and distributing ransomware in exchange for a cut of the payment. This kind is particularly dangerous, as it can be used by anyone wanting revenge and could target you specifically.

How to Stop Ransomware

A number of these steps are often considered ransomware prevention and security best practices for a mature security program. These steps ensure your organization has the right policies, processes, and procedures in place to reduce the risk of a ransomware attack. Here are the nine steps you should be taking to stop ransomware attacks.

1. Maintain up-to-date systems.

Vulnerable applications and operating systems are the targets of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.

2. Employ a data backup and recovery plan for critical data.

Your organization should perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Note that network-connected backups can also be affected by ransomware; critical backups should be isolated from the network for optimum ransomware prevention.

3. Develop your incident response plan.

Create, maintain, and exercise a basic cyber incident response plan and associated communications plan that includes response and notification procedures for a ransomware incident.

4. Draft cybersecurity policies and baselines.

Consider developing policies and baselines around specific controls like firewalls, email scanning, application allow-listing, and remote access.

5. Implement comprehensive network visibility.

Modern ransomware attackers are dwelling on victims’ networks to steal sensitive data and maximize the impact of their extortion. As a result, they are maintaining persistence, moving laterally, leveraging remote access tools, and escalating their privileges. All of these actions generate network traffic that can be detected and remediated by a security team with network visibility.

6. Raise employee awareness.

A person who knows what to look for will be more effective at countering potential phishing or social engineering attacks. Implement a security awareness and training program that teaches employees how to assess whether an attachment, link, or email is trustworthy.

7. Protect devices with antivirus software.

Good antivirus suites are essential in stopping ransomware. They will alert users as soon as they locate a problem and can also remove the infection easily. Some antivirus applications provide free ransomware decryption tools for malware with low-level encryption.

8. Implement a proactive threat-hunting capacity.

Threat hunting is the practice of proactively searching for cyber threats that are lurking undetected in a network. Cyber threat hunting digs deep to find malicious actors in your environment that have slipped past your initial endpoint security defenses.

Threat hunting is highly complementary to the standard process of incident detection, response, and remediation. As security technologies analyze the raw data to generate alerts, threat hunting is working in parallel — using queries and automation — to extract hunting leads out of the same data.

Proactive hunting allows your security team to stop a potential threat before the attacker can deploy ransomware in your environment.

9. Implement a Zero Trust security posture.

Implementing a Zero Trust security posture places ransomware defense on user identity and access management. This is apt since human error is the root cause of most ransomware attacks.

Zero Trust helps reduce the attack surface significantly, as internal and external users only have access to limited resources, and all other resources are completely hidden away. Additionally, Zero Trust provides monitoring, detection, and threat inspection capabilities, which are necessary to prevent ransomware attacks and the exfiltration of sensitive data.

Is Your Company a Target for Ransomware Attacks?

The short answer to this question is yes: Every small- to medium-sized company, enterprise, and organization is fair game, especially in light of recent ransomware attacks.

The long answer is more complicated. Your vulnerability and ability to prevent ransomware can depend on how attractive your data is to cybercriminals, how much visibility you have into your network traffic, how mature your security posture is, and how vigorously you keep employees trained about phishing emails, among other factors.


Ransomware Attackers Are Lurking: See Why You Need Deep Observability. WATCH NOW

Fueled by easier access and greater financial payoffs, the number of ransomware attacks will likely continue to grow throughout the rest of 2022 and beyond. We predict that cybercriminals will target large enterprises, critical infrastructure, government, education, and even healthcare.

Effective ransomware prevention requires comprehensive network visibility paired with an effective threat detection and incident response capability.

  • Hybrid Cloud Visibility – Gigamon hybrid cloud visibility fabric collects and aggregates all data in motion, including East-West, IoT/OT, and container-level traffic to eliminate blind spots
    Learn more
  • TLS/SSL Decryption – Centralized SSL/TLS decryption from Gigamon provides the visibility needed to expose hidden threats from adversaries using encrypted channels for C2 and similar activity
    Learn more
  • Network Detection and Response – Gigamon ThreatINSIGHT™ Guided-SaaS network detection and response closes the SOC visibility gap and provides high-fidelity adversary detection to enable rapid, informed responses
    Learn more

Stop ransomware attacks that traditional tools miss with Gigamon.


  1. “2022 Unit 42 Ransomware Threat Report.” 2022. Unit 42 Team, Palo Alto Networks.

Featured Webinars

Hear from our experts on the latest trends and best practices to optimize your network visibility and analysis.


People are talking about this in the Gigamon Community’s Security group.

Share your thoughts today

Back to top