De4sec
De4sec Technology
de4sec.technology
๐ŸŒ AU + KE

Ransomware Defence Guide

A practical guide to preventing ransomware – the attack lifecycle, the controls that stop it at each stage, and what to do when prevention fails.

Prepared by
De4sec Technology
Contact
support@de4sec.technology
Edition
2026 · March
CONFIDENTIAL ยท FOR CLIENT USE ONLY
Contents
  1. How Ransomware Actually Works
  2. Prevention: Block Initial Access
  3. Detection: Identify During Dwell Time
  4. Containment: Limit Blast Radius
  5. Recovery: When Prevention Fails
  6. De4sec Ransomware Defence Package
01

How Ransomware Actually Works

Understanding the ransomware attack lifecycle helps explain why specific controls are effective – and why some defences that feel comprehensive leave significant gaps.

| Stage | What happens | Time typically |
|---|---|---|
| Initial Access | Phishing email clicked, credential stolen, or unpatched service exploited | Day 0 |
| Persistence | Attacker creates backup access – hidden accounts, remote access tools | Day 0–3 |
| Lateral Movement | Attacker moves from initial foothold to other systems | Day 1–14 |
| Privilege Escalation | Attacker gains admin/domain admin credentials | Day 3–14 |
| Discovery | Attacker maps backup systems, identifies high-value targets | Day 7–21 |
| Exfiltration | Data stolen for double extortion leverage | Day 14–21 |
| Execution | Ransomware deployed – files encrypted, ransom note displayed | Day 21+ |

The average dwell time before ransomware executes is 21 days. Attackers are patient. Detection during the lateral movement phase prevents the worst outcomes.

02

Prevention: Block Initial Access

Patch critical vulnerabilities

✓ Internet-facing services patched within 48 hours of critical vulnerability disclosure
✓ RDP not exposed to the internet – use VPN or Azure Bastion instead
✓ Patch applications and OS on a defined cadence – Microsoft Intune for automation

Email security

✓ Safe Links and Safe Attachments via Defender for Office 365
✓ DMARC at p=reject – eliminate domain spoofing
✓ Staff training on phishing identification
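The DMARC item above is only as strong as the published record, and "we have DMARC" often turns out to mean p=none or pct=50. The following is an added example, not De4sec's tooling, that parses a DMARC TXT record and lists what falls short of p=reject. The records it checks are constructed samples; fetching the real `_dmarc.<domain>` TXT entry (for example with dnspython) is left out so the example runs offline.

```python
"""Grade a DMARC TXT record against the p=reject target.

Added example, not De4sec's tooling. The sample records below are constructed;
a real check would first resolve the TXT record at _dmarc.<domain>.
"""


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a {tag: value} dictionary.

    Tags are ';'-separated tag=value pairs; surrounding whitespace is ignored.
    Returns {} when the text is not a DMARC record at all (no v=DMARC1).
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def assess_dmarc(record: str) -> list:
    """Return a list of findings; an empty list means the record meets p=reject."""
    tags = parse_dmarc(record)
    if not tags:
        return ["no valid DMARC record (v=DMARC1 missing)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"policy is p={policy or 'missing'}, not p=reject: "
                        "receivers are not asked to reject spoofed mail")
    # pct defaults to 100; anything lower leaves a share of failing mail unblocked.
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the policy applied")
    # sp governs subdomains; when absent it inherits p, so only an explicit weaker value is a gap.
    sub = tags.get("sp", "").lower()
    if sub and sub != "reject":
        findings.append(f"subdomain policy sp={sub} is weaker than reject")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected, so failures go unseen")
    return findings


# Constructed sample records, from compliant to not DMARC at all.
SAMPLE_RECORDS = {
    "good": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=reject; pct=50",
    "not-dmarc": "v=spf1 -all",
}

if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        print(name, assess_dmarc(record) or ["meets p=reject"])
```

Run the assessment against every sending domain, including parked ones, since an unused domain with no record is as spoofable as a live one.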

Credential security

✓ MFA enforced for all users – especially email and remote access
✓ Entra ID Identity Protection – block risky sign-ins automatically
✓ Password protection – disable common passwords
03

Detection: Identify During Dwell Time

If initial access is not prevented, early detection during the attacker's dwell period stops ransomware before execution.

✓ Microsoft Sentinel SIEM – alert on impossible travel, new admin accounts, bulk file access
✓ Microsoft Defender for Endpoint – behavioural detection of attacker tools (Cobalt Strike, Mimikatz, living-off-the-land techniques)
✓ Audit logging for admin actions – changes to user accounts, group memberships, security policies
✓ Backup access monitoring – alert if backup systems are accessed from unusual accounts or at unusual times
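To make the four detections above concrete, here is an added example (not Microsoft Sentinel's own analytics, which are written in KQL against Sentinel tables) that runs the same four rules over a constructed set of sign-in, role-change and file-access events. The user names, hosts, countries, the one-hour travel window, the 50-file threshold, the backup operator list and the business-hours range are all assumptions made for the example; tune them to your own environment.

```python
"""Dwell-time detection rules over constructed log events.

Added example, not Sentinel's built-in rules. Every event, account, host and
threshold here is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED_ROLES = {"Global Administrator", "Domain Admins"}  # assumed role names
BACKUP_HOSTS = {"backup-01"}            # hosts that hold backups (assumed)
BACKUP_OPERATORS = {"backup-svc"}       # accounts expected to touch them (assumed)
BUSINESS_HOURS = range(7, 19)           # 07:00 to 18:59 local (assumed)


def constructed_events():
    """One compromised user ('alice') walking through the dwell phase, plus a normal user."""
    events = [
        {"ts": "2026-03-02T08:05:00", "type": "SignIn", "user": "alice", "country": "AU", "host": "laptop-01"},
        {"ts": "2026-03-02T08:40:00", "type": "SignIn", "user": "alice", "country": "NG", "host": "unknown"},
        {"ts": "2026-03-02T09:10:00", "type": "RoleAssigned", "actor": "alice",
         "target": "svc-helpdesk2", "role": "Global Administrator"},
        {"ts": "2026-03-02T10:00:00", "type": "SignIn", "user": "bob", "country": "KE", "host": "laptop-02"},
        {"ts": "2026-03-02T23:30:00", "type": "SignIn", "user": "svc-helpdesk2", "country": "AU", "host": "backup-01"},
    ]
    # 60 finance spreadsheets read in six minutes: one read every six seconds.
    for i in range(60):
        events.append({"ts": f"2026-03-02T09:{20 + i // 10:02d}:{(i * 6) % 60:02d}",
                       "type": "FileAccessed", "user": "alice", "path": f"\\\\fs01\\finance\\{i}.xlsx"})
    return events


def _t(event):
    return datetime.fromisoformat(event["ts"])


def impossible_travel(events, window=timedelta(hours=1)):
    """Same user signs in from two different countries inside `window`."""
    alerts, last = [], {}
    for e in sorted((e for e in events if e["type"] == "SignIn"), key=_t):
        prev = last.get(e["user"])
        if prev and prev[1] != e["country"] and _t(e) - prev[0] <= window:
            alerts.append(("impossible_travel", e["user"], f"{prev[1]} then {e['country']} within {window}"))
        last[e["user"]] = (_t(e), e["country"])
    return alerts


def new_admin(events):
    """Any grant of a privileged role is worth a human look during dwell time."""
    return [("new_admin", e["target"], f"{e['role']} granted by {e['actor']}")
            for e in events if e["type"] == "RoleAssigned" and e["role"] in PRIVILEGED_ROLES]


def bulk_file_access(events, threshold=50, window=timedelta(minutes=10)):
    """More than `threshold` file reads by one user inside a sliding `window`; one alert per user."""
    alerts, flagged, per_user = [], set(), defaultdict(list)
    for e in sorted((e for e in events if e["type"] == "FileAccessed"), key=_t):
        times = per_user[e["user"]]
        times.append(_t(e))
        while times and times[-1] - times[0] > window:  # drop reads that left the window
            times.pop(0)
        if len(times) > threshold and e["user"] not in flagged:
            flagged.add(e["user"])
            alerts.append(("bulk_file_access", e["user"], f"{len(times)} files in {window}"))
    return alerts


def backup_access(events):
    """Backup hosts touched by an unexpected account or outside business hours."""
    alerts = []
    for e in events:
        if e["type"] != "SignIn" or e.get("host") not in BACKUP_HOSTS:
            continue
        reasons = []
        if e["user"] not in BACKUP_OPERATORS:
            reasons.append("unexpected account")
        if _t(e).hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if reasons:
            alerts.append(("backup_access", e["user"], ", ".join(reasons)))
    return alerts


def run_all(events):
    """Apply every rule and return (rule, subject, detail) tuples."""
    alerts = []
    for rule in (impossible_travel, new_admin, bulk_file_access, backup_access):
        alerts.extend(rule(events))
    return alerts


if __name__ == "__main__":
    for alert in run_all(constructed_events()):
        print(*alert, sep=" | ")
```

Each rule fires once on the constructed day and none fires on the normal user, which is the balance to aim for: the point of dwell-time detection is a small number of alerts that someone actually reads. Note that the backup rule needs the allow-list of operator accounts maintained, otherwise every legitimate backup job becomes noise and the real alert is lost in it.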

Many ransomware attacks are detected during the dwell phase through MFA prompts the legitimate user doesn't recognise. This is why prompt anomaly alerts matter – users need a clear way to report suspicious MFA requests.

04

Containment: Limit Blast Radius

Network segmentation limits how far ransomware can spread if it executes. A flat network where every device can reach every other device allows ransomware to encrypt everything. A segmented network limits damage to one segment.

✓ VLANs or subnets separating finance, operations, IT, and guest networks
✓ Firewall rules blocking east-west traffic that has no business justification
✓ POS and payment systems on isolated network segment
✓ Backup systems not accessible from primary workstation network
✓ Admin access restricted to dedicated admin jump hosts – not from daily-use laptops
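A segmentation review is easiest to reason about as an explicit allow-list of cross-segment flows with a business justification attached, which is what the checklist above describes. The following is an added example, not De4sec's tooling, that encodes such a policy and judges observed flows against it. The segment names, CIDR ranges, allowed flows and the sample flow lines are all constructed for the example; the logic itself (intra-segment traffic is the accepted blast radius, anything crossing a boundary must be on the list, backup and RDP get called out specifically) is the general shape of the review.

```python
"""Judge observed flows against a segmentation allow-list.

Added example, not De4sec's tooling. Segments, CIDRs, allowed flows and the
sample flow lines are constructed for illustration.
"""
import ipaddress

# Constructed segment map: name -> address range.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/24"),
    "finance": ipaddress.ip_network("10.20.0.0/24"),
    "admin-jump": ipaddress.ip_network("10.30.0.0/24"),
    "guest": ipaddress.ip_network("10.40.0.0/24"),
    "pos": ipaddress.ip_network("10.50.0.0/24"),
    "backup": ipaddress.ip_network("10.60.0.0/24"),
}

# (source segment, destination segment, port) -> business justification.
# "*" as the port allows every port. Nothing else may cross a segment boundary.
ALLOWED = {
    ("workstations", "finance", 443): "finance web application",
    ("admin-jump", "backup", "*"): "backup administration from jump hosts only",
    ("admin-jump", "workstations", 3389): "helpdesk RDP from jump hosts",
}


def segment_of(ip):
    """Name of the segment containing `ip`, or 'unknown' when it is in no defined range."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line):
    """'10.10.0.5 -> 10.60.0.2:445' -> ('10.10.0.5', '10.60.0.2', 445)."""
    src, _, rest = line.partition(" -> ")
    dst, _, port = rest.rpartition(":")
    return src.strip(), dst.strip(), int(port)


def judge_flow(line):
    """Return None when the flow is permitted, otherwise why it should be blocked."""
    src, dst, port = parse_flow(line)
    s, d = segment_of(src), segment_of(dst)
    if s == d:
        return None  # traffic inside one segment is the accepted blast radius
    if (s, d, port) in ALLOWED or (s, d, "*") in ALLOWED:
        return None
    if d == "backup":
        return f"{s} -> backup: backups must be unreachable from anything but admin jump hosts"
    if port == 3389:
        return f"{s} -> {d}: RDP only from admin jump hosts"
    return f"{s} -> {d}:{port}: no business justification on record"


def audit_flows(lines):
    """Return [(line, reason)] for every flow the policy does not permit."""
    findings = []
    for line in lines:
        reason = judge_flow(line)
        if reason:
            findings.append((line, reason))
    return findings


# Constructed sample of observed flows (e.g. exported from firewall or NetFlow logs).
SAMPLE_FLOWS = [
    "10.10.0.5 -> 10.60.0.2:445",   # workstation reaching the backup server over SMB
    "10.30.0.2 -> 10.60.0.2:22",    # jump host administering backups: allowed
    "10.10.0.5 -> 10.10.0.7:445",   # workstation to workstation: same segment
    "10.10.0.5 -> 10.20.0.9:3389",  # workstation RDP into finance
    "10.40.0.12 -> 10.50.0.3:443",  # guest network reaching POS
    "10.10.0.5 -> 10.20.0.9:443",   # workstation to finance web app: allowed
]

if __name__ == "__main__":
    for line, reason in audit_flows(SAMPLE_FLOWS):
        print(f"BLOCK  {line:<28} {reason}")
```

Run it over a day of real flow records and every finding is either a firewall rule that should exist or a justification that should be added to the allow-list; either way the review ends with a written policy rather than a flat network.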

Privileged Access Workstations (PAW)

Admin tasks should only be performed from a dedicated, hardened device with no internet access. This prevents admin credentials from being captured on a compromised workstation.

05

Recovery: When Prevention Fails

Prevention and detection reduce the probability of a ransomware event. They don't eliminate it. Recovery capability determines survival.

✓ Tested backup – most recent clean backup confirmed restorable within the past 90 days
✓ Backup isolation – backups cannot be reached from the primary network during an attack
✓ Recovery time objective – documented and tested: how long does a full restore actually take?
✓ Incident response plan – who to call, what to disconnect, what not to delete
✓ Cyber insurance – confirm coverage and incident response support included

Businesses that recover well from ransomware are not the ones who got lucky – they're the ones who built recovery capability before they needed it.

06

De4sec Ransomware Defence Package

Prevention
Essential Eight implementation, MFA enforcement, patch management, email security configuration.
Detection
Microsoft Sentinel deployment, Defender for Endpoint, 24/5 alert monitoring.
Containment
Network segmentation review, privilege access review, admin hardening.
Recovery
Backup design, testing, RTO/RPO definition, incident response plan documentation.

Contact support@de4sec.technology or book a free discovery call at de4sec.technology

// NEXT STEP

Ready to implement this?

De4sec provides hands-on implementation. Book a free discovery call – we assess your environment at no cost.

Book a Free Discovery Call → de4sec.technology
© 2026 DE4SEC TECHNOLOGY.