1. Map the modern kill chain
Initial access via phishing or an exposed service → credential theft → lateral movement → data staging → exfiltration → encryption → extortion. Blocking any one step usually fails; blocking three or more succeeds.
2. Layer 1 — Identity
Enforce MFA everywhere, rotate service account passwords, put privileged accounts in the Protected Users group, and monitor for impossible-travel sign-ins. 80% of ransomware intrusions begin with a compromised credential.
3. Layer 2 — Email and web
Block executable attachments at the gateway, disable macros in files downloaded from the internet, and pair these controls with a DNS firewall to stop post-compromise callbacks. Most first-stage payloads beacon home before detonating.
4. Layer 3 — Endpoint
Deploy application control plus behavioural EDR. Honeypot files and entropy monitoring kill encryption processes within seconds. Controlled Folder Access blocks untrusted writes to document folders.
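As an added illustration of the honeypot-file and entropy-monitoring idea (example code written for this page, not the article's own and not any EDR product's logic): a toy monitor that scores each file write, raises an alert once a process produces a burst of ciphertext-like high-entropy writes, and raises another if a planted canary file is modified. Thresholds, process names and paths are assumed; the sample events are constructed.

```python
import hashlib
import math
import random
from collections import Counter, defaultdict

# Assumed tunables for this example; real deployments calibrate these per environment.
ENTROPY_THRESHOLD = 7.5   # bits per byte; documents and source text sit far below this
BURST_THRESHOLD = 5       # high-entropy writes from one process before alerting


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


class EncryptionMonitor:
    """Flags processes that overwrite canary files or emit bursts of high-entropy writes."""

    def __init__(self, canaries):
        self.canaries = canaries                      # {path: sha256 hex of planted content}
        self.high_entropy_writes = defaultdict(int)   # per-process counter

    def observe(self, process, path, data):
        """Return alerts triggered by one observed file write (empty list if benign)."""
        alerts = []
        if path in self.canaries and hashlib.sha256(data).hexdigest() != self.canaries[path]:
            alerts.append(f"{process}: canary file {path} modified")
        if shannon_entropy(data) >= ENTROPY_THRESHOLD:
            self.high_entropy_writes[process] += 1
            if self.high_entropy_writes[process] == BURST_THRESHOLD:
                alerts.append(f"{process}: {BURST_THRESHOLD} high-entropy writes, possible mass encryption")
        return alerts


def demo():
    """Constructed sample: a benign editor plus a process rewriting documents as random bytes."""
    canary_content = b"Confidential - do not open.\n"
    canary_path = "Documents/~passwords.docx"
    monitor = EncryptionMonitor({canary_path: hashlib.sha256(canary_content).hexdigest()})
    rng = random.Random(7)  # deterministic stand-in for ciphertext output
    random_blob = lambda: bytes(rng.getrandbits(8) for _ in range(4096))
    events = [("winword.exe", "Documents/report.docx", b"Q3 revenue rose 4% on export volumes.\n" * 40)]
    events += [("updater.exe", f"Documents/file{i}.docx", random_blob()) for i in range(6)]
    events.append(("updater.exe", canary_path, random_blob()))
    alerts = []
    for process, path, data in events:
        alerts.extend(monitor.observe(process, path, data))
    return alerts


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```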
5. Layer 4 — Backup
3-2-1 is the baseline: 3 copies, on 2 media types, with 1 offsite and immutable. Test restores monthly. If you cannot restore inside 24 hours, you will pay.
6. Layer 5 — Response
Keep a pre-written runbook: isolate, scope, contain, eradicate, recover, lessons learned. Know your legal obligations under POPIA and which regulator to notify in South Africa within 72 hours.
7. When it happens anyway
Do not pay unless life-safety is at risk. Law enforcement globally discourages payment. Contact a reputable IR firm immediately, preserve evidence, and engage your insurer before restoring anything.