The Attack That Shut Down 100 Million Prescriptions

In February 2024, a ransomware attack on Change Healthcare paralyzed pharmacy operations across the United States. Hospitals couldn't process claims. Patients couldn't fill prescriptions. UnitedHealth Group ultimately disclosed the breach affected roughly 100 million individuals — the largest healthcare data breach in U.S. history. The company paid a $22 million ransom and estimated total costs could exceed $1.6 billion.

If you're searching for how to prevent ransomware, that single incident tells you everything about the stakes. This isn't theoretical. It's an operational, financial, and reputational catastrophe that hits organizations of every size. I've spent years working in cybersecurity, and I can tell you the defenses that actually work aren't exotic. They're specific, layered, and ruthlessly consistent.

This guide gives you the practical playbook — the exact controls, configurations, and cultural changes that stop ransomware before it encrypts a single file.

What Is Ransomware and How Does It Get In?

Ransomware is malware that encrypts your files and demands payment for the decryption key. Modern variants also exfiltrate data first, threatening to publish it — a tactic called double extortion. Some threat actors now skip encryption entirely and just steal data, making the extortion faster and harder to detect.

The Three Most Common Entry Points

  • Phishing emails: According to the Verizon 2024 Data Breach Investigations Report, phishing and pretexting remain the top social engineering tactics. One employee clicks a malicious link, and the attacker has a foothold.
  • Exploited vulnerabilities: Unpatched VPN appliances, firewalls, file-transfer servers, and remote desktop exposed to the internet are prime targets. The MOVEit Transfer (CVE-2023-34362), Citrix Bleed (CVE-2023-4966), and ConnectWise ScreenConnect (CVE-2024-1709) vulnerabilities each fueled mass extortion or ransomware campaigns; in the MOVEit case, Cl0p stole data from hundreds of organizations without encrypting anything.
  • Stolen credentials: Credential theft through infostealers or credential stuffing gives attackers direct access. No exploit needed — they just log in.

Understanding how ransomware gets in is half the battle. Every prevention strategy maps directly to blocking one of these entry points.

How to Prevent Ransomware: 9 Controls That Actually Work

I've audited environments that got hit and environments that deflected attacks. The difference always comes down to the same set of controls, executed consistently. Here's what separates the two.

1. Deploy Multi-Factor Authentication Everywhere

Multi-factor authentication (MFA) is the single most effective control against stolen credentials. If an attacker buys your employee's password on a dark web marketplace, MFA stops them at the door.

Deploy it on email, VPNs, cloud platforms, remote desktop, and admin consoles, and on every other external login, because attackers look for the one portal you missed. Phishing-resistant MFA (FIDO2 hardware keys or passkeys) is the goal: it binds the login to the real site, so the adversary-in-the-middle phishing kits that relay one-time codes and push prompts in real time get nothing usable. SMS codes are vulnerable to SIM swapping, and plain push approvals fall to prompt-bombing, so treat those as a minimum (with number matching enabled for push), not a goal.

2. Patch Ruthlessly and Rapidly

CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilities confirmed as exploited in the wild, each with a remediation due date (Binding Operational Directive 22-01 makes those dates mandatory for federal agencies, and they are a sensible yardstick for everyone else) and a flag for entries with known use in ransomware campaigns. If a vulnerability in something you run appears on that list, patch it within days, not weeks.

Prioritize internet-facing systems: VPN appliances, email gateways, web servers. These are the first things threat actors scan for. I've seen organizations with mature patching programs internally that left their Fortinet VPN unpatched for months. That's where the attackers walked in.
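As an added example (not code from the article or from CISA), here is a small prioritisation script that joins a constructed excerpt in the shape of CISA's known_exploited_vulnerabilities.json against a hypothetical asset inventory, ranking by confirmed ransomware use and internet exposure and flagging anything past its due date. The three CVE IDs are the real KEV entries for the products named above; the hostnames and the dates are assumptions.

```python
"""Prioritise patching against the CISA KEV catalog.

Added example, not code from the original article. It assumes a small
in-house asset inventory keyed on (vendor, product) and a constructed
excerpt in the shape of CISA's known_exploited_vulnerabilities.json; in
production, fetch that feed rather than embedding it.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

# Constructed sample in the feed's shape. The CVE IDs are the real entries
# for the three products the text names; dates are illustrative.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-34362", "vendorProject": "Progress",
     "product": "MOVEit Transfer", "dateAdded": "2023-06-02",
     "dueDate": "2023-06-23", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-4966", "vendorProject": "Citrix",
     "product": "NetScaler ADC and NetScaler Gateway",
     "dateAdded": "2023-10-18", "dueDate": "2023-11-08",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-1709", "vendorProject": "ConnectWise",
     "product": "ScreenConnect", "dateAdded": "2024-02-22",
     "dueDate": "2024-02-29", "knownRansomwareCampaignUse": "Known"},
]})


@dataclass(frozen=True)
class Asset:
    hostname: str
    vendor: str
    product: str
    internet_facing: bool


# Constructed inventory with hypothetical hostnames.
SAMPLE_ASSETS = [
    Asset("vpn-gw-01", "Citrix", "NetScaler ADC and NetScaler Gateway", True),
    Asset("rmm-01", "ConnectWise", "ScreenConnect", False),
    Asset("mft-01", "Progress", "MOVEit Transfer", True),
    Asset("fileserver-02", "Microsoft", "Windows Server", False),
]


@dataclass(frozen=True)
class Finding:
    hostname: str
    cve_id: str
    due: date
    internet_facing: bool
    ransomware_use: bool

    @property
    def urgency(self) -> int:
        # Confirmed ransomware use weighs more than exposure alone; both stack.
        return (2 if self.ransomware_use else 0) + (1 if self.internet_facing else 0)


def load_kev(feed_text: str) -> list[dict]:
    return json.loads(feed_text)["vulnerabilities"]


def _key(vendor: str, product: str) -> tuple[str, str]:
    return vendor.strip().lower(), product.strip().lower()


def match_inventory(kev: list[dict], assets: list[Asset]) -> list[Finding]:
    """Join KEV entries to assets by vendor and product.

    KEV carries no version ranges, so a match means "this product has an
    actively exploited CVE; confirm the installed build against the vendor
    advisory", not a confirmed vulnerable instance.
    """
    by_product: dict[tuple[str, str], list[dict]] = {}
    for entry in kev:
        by_product.setdefault(_key(entry["vendorProject"], entry["product"]), []).append(entry)
    findings = []
    for asset in assets:
        for entry in by_product.get(_key(asset.vendor, asset.product), []):
            findings.append(Finding(
                hostname=asset.hostname,
                cve_id=entry["cveID"],
                due=date.fromisoformat(entry["dueDate"]),
                internet_facing=asset.internet_facing,
                ransomware_use=entry.get("knownRansomwareCampaignUse") == "Known",
            ))
    return findings


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Highest urgency first; within a tier, the longest-open due date first."""
    return sorted(findings, key=lambda f: (-f.urgency, f.due, f.hostname))


def overdue(findings: list[Finding], today_iso: str) -> list[Finding]:
    today = date.fromisoformat(today_iso)
    return [f for f in findings if f.due < today]


if __name__ == "__main__":
    ranked = prioritize(match_inventory(load_kev(KEV_SAMPLE), SAMPLE_ASSETS))
    late = {f.hostname for f in overdue(ranked, date.today().isoformat())}
    for f in ranked:
        status = "OVERDUE" if f.hostname in late else "due " + f.due.isoformat()
        print(f"[{f.urgency}] {f.hostname:14} {f.cve_id:16} {status}")
```

The join is deliberately on vendor and product only: the KEV feed tells you which products are under active attack, and the version check against the advisory is the step a human still has to do. Internet-facing assets with a ransomware-flagged CVE land at the top of the list regardless of when the entry was added.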

3. Implement Network Segmentation and Zero Trust

Flat networks are a ransomware attacker's dream. Once inside, they move laterally without friction — from a workstation to a domain controller to a file server to backups.

Zero trust architecture assumes breach. Every access request gets verified against identity, device health, and context, not network location. Segment your network so that compromising one endpoint doesn't give access to your entire environment: block workstation-to-workstation SMB and RDP (users almost never need them), and isolate backups, admin workstations, and critical servers on separate segments with strict, logged access controls.

4. Maintain Offline, Tested Backups

Backups are your last line of defense, but only if the attacker can't reach them. Follow the 3-2-1-1 rule: three copies of data, on two different media types, one offsite, and one offline or immutable. Immutable means write-once storage that no credential in your production domain, including the backup service account, can delete or alter before the retention period ends. A backup server joined to the same Active Directory as everything else is a target, not an offline copy.

Here's the part most organizations skip: test your restores. I've seen companies discover during an active ransomware incident that their backups were corrupted, incomplete, or took 14 days to restore. Run a full restore test quarterly at minimum. Document the recovery time. If it's unacceptable, fix it before you're under pressure.
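The restore test described above, as an added example that is not code from the article: it archives a sample tree with a SHA-256 manifest taken at backup time, restores into a clean directory, and reports every file that is missing or whose contents no longer match, along with the wall-clock restore time. The archive format (tar.gz plus a manifest kept with it) and the sample files are assumptions; the point is that "the restore finished" and "the restore is correct" are different checks.

```python
"""Restore test with integrity verification.

Added example, not code from the original article. It assumes backups are
tar.gz archives accompanied by a SHA-256 manifest written at backup time,
and builds its own sample tree in a temporary directory.
"""
from __future__ import annotations

import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, archive: Path) -> dict[str, str]:
    """Archive every file under src and return {relative_path: sha256}.

    Store the manifest somewhere the backup job itself cannot rewrite; it is
    the reference the restore test checks against.
    """
    manifest: dict[str, str] = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel, recursive=False)
    return manifest


def _safe_members(tar: tarfile.TarFile) -> list[tarfile.TarInfo]:
    """Refuse archive members that would escape the restore directory."""
    members = []
    for m in tar.getmembers():
        if Path(m.name).is_absolute() or ".." in Path(m.name).parts:
            raise ValueError(f"unsafe path in archive: {m.name}")
        members.append(m)
    return members


def restore_and_verify(archive: Path, manifest: dict[str, str], dest: Path) -> dict:
    """Extract archive into dest and compare every manifest entry.

    Returns the number of verified files, the files missing from the
    restore, the files whose contents differ, and the restore time, so the
    recovery time can be documented rather than guessed.
    """
    started = time.perf_counter()
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        members = _safe_members(tar)
        try:
            tar.extractall(dest, members=members, filter="data")
        except TypeError:  # Python builds without the extraction filter argument
            tar.extractall(dest, members=members)
    missing, corrupt, ok = [], [], 0
    for rel, expected in sorted(manifest.items()):
        restored = dest / rel
        if not restored.is_file():
            missing.append(rel)
        elif sha256_file(restored) != expected:
            corrupt.append(rel)
        else:
            ok += 1
    return {"ok": ok, "missing": missing, "corrupt": corrupt,
            "seconds": time.perf_counter() - started}


def run_demo() -> dict:
    """Constructed scenario: a good backup, then a backup taken after one
    file was altered and another deleted, both checked against the original
    manifest. The second one is what a silently broken backup looks like."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "src"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "plan.txt").write_text("q3 recovery plan\n")
        (src / "db.bin").write_bytes(bytes(range(256)))
        manifest = make_backup(src, root / "good.tgz")
        good = restore_and_verify(root / "good.tgz", manifest, root / "restore-good")
        (src / "docs" / "plan.txt").write_text("tampered\n")
        (src / "db.bin").unlink()
        make_backup(src, root / "bad.tgz")
        bad = restore_and_verify(root / "bad.tgz", manifest, root / "restore-bad")
        return {"files": sorted(manifest), "good": good, "bad": bad}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run it on a real backup set by pointing make_backup at the source at backup time and restore_and_verify at the archive during the quarterly test; the seconds field is the number to write into the recovery plan. The path check in _safe_members matters because a tampered archive is one way an attacker who reached the backup store can turn a restore into a reinfection.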

5. Train Your People to Recognize Social Engineering

Technology alone won't save you. Your employees are the ones who click phishing links, open malicious attachments, and hand over credentials on fake login pages. Security awareness training transforms them from your biggest vulnerability into an active detection layer.

Generic annual training doesn't cut it. You need ongoing, scenario-based education that covers current tactics — QR code phishing, callback phishing, AI-generated voice scams. Pair it with regular phishing simulation exercises so employees practice recognizing attacks in realistic conditions.

If you're building or upgrading your program, our cybersecurity awareness training course covers the full threat landscape, from ransomware to social engineering to credential theft. For organizations that need targeted anti-phishing exercises, our phishing awareness training for organizations delivers hands-on simulations that build real muscle memory.

6. Harden Email Security

Email is the primary ransomware delivery vehicle. Layer your defenses:

  • Publish SPF and DKIM and enforce DMARC (p=quarantine or p=reject, not p=none) so that mail spoofing your own domain is rejected by receivers. This protects your domain's reputation and your own staff from spoofed internal mail; it does nothing against look-alike domains or a compromised partner mailbox, which is what filtering and training are for.
  • Block macros in Office documents received via email. Since 2022, Office blocks VBA macros by default in files that carry the Mark of the Web, but confirm the "Block macros from running in Office files from the Internet" policy is enforced through Group Policy rather than assuming the default survived your build process.
  • Quarantine executable and script attachments (.exe, .scr, .js, .vbs, .hta, .lnk, .iso, .img, .vhd/.vhdx) and apply the same rule to the contents of archives. Disk images and archives are popular wrappers precisely because the files inside have not always inherited the Mark of the Web.
  • Use link detonation/sandboxing to analyze URLs before delivery, and rewrite URLs so the check also runs at click time, since many phishing links are armed only after the message has passed the gateway.

These aren't advanced capabilities anymore. They're baseline. If your email gateway isn't doing all four, you're leaving the front door propped open.
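To make the first and third bullets concrete, here is an added example (not code from the article) that scores SPF and DMARC records for the weaknesses that leave a domain spoofable and applies an attachment rule that catches double extensions such as invoice.pdf.exe. The records are constructed sample strings passed in directly rather than looked up in DNS, and the extension list is a starting point rather than a complete policy.

```python
"""Checks for SPF and DMARC records and an attachment quarantine rule.

Added example, not from the original article. Records are passed in as
strings (constructed samples below) instead of being looked up in DNS, and
the extension list is a starting point rather than a complete policy.
"""
from __future__ import annotations

from pathlib import PurePosixPath

# Bare attachments in these formats have no business arriving by mail.
# Disk images (.iso/.img/.vhd/.vhdx) are listed because files inside a
# mounted image have historically not carried the Mark of the Web.
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".msi", ".dll", ".js", ".jse", ".vbs",
    ".vbe", ".wsf", ".hta", ".ps1", ".bat", ".cmd", ".lnk", ".jar",
    ".iso", ".img", ".vhd", ".vhdx",
}

# Constructed sample records; example.* are reserved documentation domains.
SAMPLE_RECORDS = {
    "example.com": ("v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
                    "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
    "example.org": ("v=spf1 include:_spf.example.net ~all",
                    "v=DMARC1; p=none; rua=mailto:dmarc@example.org"),
    "example.net": ("v=spf1 +all", None),
}


def assess_spf(record: str | None) -> list[str]:
    """Return weakness codes for an SPF TXT record (empty list means fine)."""
    if not record:
        return ["spf-missing"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return ["spf-malformed"]
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("spf-permissive")   # anyone may send as this domain
    elif last == "~all":
        findings.append("spf-softfail")     # acceptable only with DMARC enforcing
    elif last == "?all":
        findings.append("spf-neutral")
    elif last != "-all" and not last.startswith("redirect="):
        findings.append("spf-no-all")
    # RFC 7208 caps DNS-querying terms at 10; past that, receivers permerror.
    lookups = 0
    for term in terms[1:]:
        name = term.lower().lstrip("+-~?").split(":")[0].split("/")[0]
        if name in ("include", "a", "mx", "exists") or name.startswith("redirect="):
            lookups += 1
    if lookups > 10:
        findings.append("spf-too-many-lookups")
    return findings


def assess_dmarc(record: str | None) -> list[str]:
    """Return weakness codes for a _dmarc TXT record (empty list means fine)."""
    if not record:
        return ["dmarc-missing"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["dmarc-malformed"]
    findings = []
    rank = {"none": 0, "quarantine": 1, "reject": 2}
    policy = tags.get("p", "none").lower()
    if rank.get(policy, 0) == 0:
        findings.append("dmarc-p-none")      # monitor only: spoofed mail still lands
    subdomain_policy = tags.get("sp", policy).lower()
    if rank.get(subdomain_policy, 0) < rank.get(policy, 0):
        findings.append("dmarc-sp-weaker")   # spoofers simply pick a subdomain
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append("dmarc-pct-partial")
    if "rua" not in tags:
        findings.append("dmarc-no-rua")      # no aggregate reports, no visibility
    return findings


def should_quarantine(filename: str) -> tuple[bool, str]:
    """Judge a bare attachment by its final extension, case-insensitively.

    Double extensions such as invoice.pdf.exe are caught because only the
    last suffix decides. Archives pass this check, so unpack them and apply
    the same rule to their contents.
    """
    suffixes = [s.lower() for s in PurePosixPath(filename.strip()).suffixes]
    if not suffixes:
        return False, "no extension"
    if suffixes[-1] in BLOCKED_EXTENSIONS:
        reason = "blocked extension"
        if len(suffixes) > 1:
            reason += " hidden behind " + "".join(suffixes[:-1])
        return True, reason
    return False, "allowed extension"


if __name__ == "__main__":
    for domain, (spf, dmarc) in SAMPLE_RECORDS.items():
        print(domain, assess_spf(spf), assess_dmarc(dmarc))
    for name in ("report.pdf", "invoice.pdf.exe", "Q3 statement.PDF.lnk", "setup.iso"):
        print(name, should_quarantine(name))
```

Feed assess_spf and assess_dmarc the TXT records for your own domain and for each subdomain that sends mail; "dmarc-p-none" on a domain that has been "rolling out DMARC" for two years is the most common finding, and it means spoofed mail from your domain is still being delivered.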

7. Restrict Administrative Privileges

Ransomware needs privileges to do its worst. A standard user can encrypt whatever that user can write, including mapped shares, but disabling security tools, deleting shadow copies, dumping credentials, and pushing the payload to every machine through Group Policy or PsExec all need admin rights. If the compromised account is a local user with no admin rights, the blast radius shrinks dramatically.

Apply the principle of least privilege. Remove local admin rights from standard users. Use dedicated admin accounts that aren't used for email or web browsing, and give every workstation a unique local administrator password (Windows LAPS) so one stolen hash does not open every other machine. Implement privileged access management (PAM) so admin credentials are vaulted, rotated, and audited.

8. Deploy Endpoint Detection and Response (EDR)

Traditional antivirus misses modern ransomware. EDR solutions monitor endpoint behavior in real time — detecting the process chains, lateral movement, and encryption patterns that signature-based tools can't see.

Make sure your EDR is configured to block, not just alert. I've investigated incidents where the EDR flagged the ransomware deployment 20 minutes before encryption started, but was set to alert-only mode. Nobody saw the alert on a Saturday night. By Monday, every file share was locked.
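The behaviours the two paragraphs above describe, as an added example that is neither the article's code nor any vendor's detection logic: three rules run over constructed endpoint telemetry (an Office process spawning PowerShell, shadow-copy deletion, and one process renaming dozens of files in seconds), plus the block-mode decision that turns a critical finding into host isolation instead of an unread alert. Event fields, thresholds, paths and hostnames are assumptions; the command lines matched are the widely documented recovery-tampering commands (MITRE ATT&CK T1490).

```python
"""Behavioural detections of the kind an EDR runs, over constructed telemetry.

Added example; not from the original article and not any vendor's logic.
Event shapes, thresholds, paths and hostnames are assumptions. The command
lines matched are the widely documented shadow-copy and recovery tampering
commands (MITRE ATT&CK T1490).
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
RECOVERY_TAMPERING = [  # (binary, argument fragment), matched case-insensitively
    ("vssadmin", "delete shadows"), ("vssadmin", "resize shadowstorage"),
    ("wmic", "shadowcopy delete"), ("bcdedit", "recoveryenabled no"),
    ("wbadmin", "delete catalog"),
]


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    severity: str
    detail: str


def _image(path: str) -> str:
    """Basename of a Windows image path, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_recovery_tampering(events: list[dict]) -> list[Alert]:
    alerts = []
    for e in events:
        if e["type"] != "process":
            continue
        cmd = e["cmdline"].lower()
        if any(binary in cmd and fragment in cmd for binary, fragment in RECOVERY_TAMPERING):
            alerts.append(Alert("recovery-tampering", e["pid"], "critical", e["cmdline"]))
    return alerts


def detect_office_spawning_shell(events: list[dict]) -> list[Alert]:
    """Process chain typical of a malicious macro: Office parent, script host child."""
    image_by_pid = {e["pid"]: _image(e["image"]) for e in events if e["type"] == "process"}
    alerts = []
    for e in events:
        if e["type"] != "process":
            continue
        parent = image_by_pid.get(e["ppid"])
        if _image(e["image"]) in SCRIPT_HOSTS and parent in OFFICE_APPS:
            alerts.append(Alert("office-spawns-shell", e["pid"], "high", f"{parent} -> {e['cmdline']}"))
    return alerts


def detect_mass_file_change(events: list[dict], threshold: int = 30, window: float = 10.0) -> list[Alert]:
    """One process writing or renaming >= threshold distinct files inside a
    sliding window of `window` seconds. An encryptor crosses this in seconds;
    a backup agent touching the same number of files over minutes does not."""
    touches = defaultdict(list)
    for e in events:
        if e["type"] == "file" and e["op"] in ("write", "rename"):
            touches[e["pid"]].append((e["ts"], e["path"]))
    alerts = []
    for pid, items in touches.items():
        items.sort()
        in_window = defaultdict(int)   # path -> occurrences inside the window
        start = 0
        for ts, path in items:
            in_window[path] += 1
            while items[start][0] < ts - window:   # drop touches older than the window
                old = items[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                alerts.append(Alert("mass-file-change", pid, "critical", f"{len(in_window)} files in {window:g}s"))
                break
    return alerts


def run_detections(events: list[dict]) -> list[Alert]:
    found = detect_recovery_tampering(events) + detect_office_spawning_shell(events) + detect_mass_file_change(events)
    return sorted(found, key=lambda a: a.pid)


def response(alerts: list[Alert]) -> str:
    """Block-mode policy: a critical finding isolates the host. In alert-only
    mode this string is the only thing that happens, on a Saturday night too."""
    if any(a.severity == "critical" for a in alerts):
        return "isolate-host"
    return "alert" if alerts else "none"


def _proc(ts: float, pid: int, ppid: int, image: str, cmdline: str) -> dict:
    return {"type": "process", "ts": ts, "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


def _build_sample() -> list[dict]:
    """Constructed telemetry: a macro chain, shadow-copy deletion, an encryptor
    renaming 40 files in two seconds, and a benign backup agent writing 50
    files over ten minutes."""
    events = [
        _proc(0.0, 100, 50, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "WINWORD.EXE /n invoice.docm"),
        _proc(1.0, 101, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -nop -w hidden -ep bypass"),
        _proc(2.0, 102, 101, r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
        _proc(3.0, 103, 101, r"C:\Users\Public\svc.exe", "svc.exe"),
        _proc(0.0, 200, 4, r"C:\Program Files\BackupAgent\agent.exe", "agent.exe --incremental"),
    ]
    for i in range(40):
        events.append({"type": "file", "ts": 3.0 + i * 0.05, "pid": 103, "op": "rename",
                       "path": rf"\\fs01\finance\doc{i}.xlsx", "new_path": rf"\\fs01\finance\doc{i}.xlsx.locked"})
    for i in range(50):
        events.append({"type": "file", "ts": i * 12.0, "pid": 200, "op": "write", "path": rf"D:\backup\set{i}.bak"})
    return events


SAMPLE_EVENTS = _build_sample()

if __name__ == "__main__":
    found = run_detections(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.severity:8} {a.rule:22} pid={a.pid} {a.detail}")
    print("response:", response(found))
```

The mass-file-change rule is the one to tune against your own environment: widen the window to ten minutes and the backup agent in the sample trips it too, which is exactly the false positive that tempts teams into alert-only mode. Tune the threshold, exclude known agents by signed image path, and keep blocking on.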

9. Develop and Practice an Incident Response Plan

Prevention isn't 100%. You need a tested plan for when something gets through. Your ransomware incident response plan should answer these questions before the crisis:

  • Who has authority to isolate systems and shut down network segments?
  • How do you contact your cyber insurance carrier and legal counsel?
  • What's the communication plan for customers, employees, and regulators?
  • Where are your offline backups, and who knows how to initiate a restore?
  • What's your organization's position on paying ransoms?

Run a tabletop exercise at least twice a year. Walk through a realistic ransomware scenario with your IT team, executives, legal, and communications staff. The organizations that recover fastest are the ones that practiced.

Why Small Businesses Are the Biggest Targets

If you're thinking ransomware only hits hospitals and Fortune 500 companies, the data says otherwise. The FBI's Internet Crime Complaint Center (IC3) consistently reports that small and medium businesses are disproportionately impacted. They have fewer security resources, less redundancy, and more pressure to pay.

A 50-person accounting firm can't survive three weeks of downtime during tax season. Threat actors know this. They specifically target organizations that are big enough to pay but small enough to lack mature defenses.

That's exactly why small businesses need these same controls — scaled to fit their environment. You don't need a $2 million security operations center. You need MFA, tested backups, patched systems, and trained people.

Should You Pay the Ransom?

This is the question every executive dreads. Here's the reality: paying doesn't guarantee recovery. Industry surveys and numerous public incidents show that even after payment, the decryptor is often buggy or painfully slow, and anything the attackers stole stays stolen. You may get partial recovery at best.

Paying also funds the criminal ecosystem and may invite repeat targeting, because threat actors share information about who pays. It can create legal exposure as well: the U.S. Treasury's OFAC has warned that payments to sanctioned actors can violate sanctions regulations regardless of intent. The FBI's official guidance is to not pay. CISA reinforces this position.

That said, I understand that when patient records are locked or payroll can't run, the calculus changes. The best way to avoid that impossible decision is to invest in prevention and recovery capability now, so you never face it.

The $4.88 Million Lesson Most Organizations Learn Too Late

IBM's 2024 Cost of a Data Breach Report put the global average cost of a data breach at $4.88 million. Ransomware incidents tend to exceed that average because of extended downtime, regulatory penalties, and reputational damage.

Every dollar you spend on prevention — patching automation, MFA rollout, security awareness training, backup infrastructure — delivers outsized returns compared to the cost of recovery. The math isn't even close.

A Ransomware Prevention Checklist You Can Use Today

Here's a prioritized summary you can hand to your IT team or MSP this week:

  • Immediate: Enable MFA on all remote access, email, and admin accounts.
  • This week: Verify backups are offline or immutable. Test a restore.
  • This month: Patch all internet-facing systems against CISA KEV vulnerabilities.
  • This quarter: Roll out security awareness training and phishing simulations.
  • This quarter: Segment your network. Isolate backups and admin systems.
  • Ongoing: Review EDR alerts daily. Remove unnecessary admin privileges. Run tabletop exercises.

Knowing how to prevent ransomware isn't the hard part. Executing consistently is. Every item on this list blocks a real attack path that real threat actors use every day.

Build the Culture, Not Just the Controls

The organizations I've seen withstand ransomware attempts share one trait: security is embedded in their culture, not bolted on as an afterthought. Executives talk about it. Employees report suspicious emails without embarrassment. IT teams have authority to enforce patching timelines.

Technical controls matter enormously, but they fail when the culture undermines them — when someone bypasses MFA because it's inconvenient, when patching gets delayed because nobody wants downtime, when training gets skipped because everyone's too busy.

Start building that culture today. Enroll your team in practical cybersecurity awareness training and reinforce it with ongoing phishing simulations. Make security a habit, not a checkbox. That's how you prevent ransomware — not with a single product, but with a relentless commitment to doing the basics right, every single day.