MGM Resorts lost an estimated $100 million from a single ransomware attack in September 2023. The entry point? A social engineering call to the help desk that lasted about ten minutes. That's all it took for the Scattered Spider threat actor group to cripple slot machines, hotel check-in systems, and digital room keys across Las Vegas. If a $14 billion company can get taken down that fast, your organization needs ransomware protection tips that go far beyond "keep your antivirus updated."
This post is the playbook I wish every IT leader and business owner had pinned to their wall. I've spent years watching organizations get hit — and watching the ones that don't get hit do very specific things differently. I'm going to walk you through exactly what those things are.
Why Ransomware Is Still the #1 Threat in 2024
The FBI's Internet Crime Complaint Center (IC3) 2023 Internet Crime Report logged 2,825 ransomware complaints with adjusted losses of more than $59.6 million, up roughly 18% and 74% respectively from 2022 (2,385 complaints, $34.3 million). Those figures only cover what victims chose to report to the FBI, so they understate the problem. The IC3 2022 Annual Report already showed ransomware as a persistent and growing threat, and 2023 accelerated the trend.
Here's what I've seen change: threat actors aren't just encrypting files anymore. They're exfiltrating data first, then threatening to publish it. Double extortion is the norm now. Some groups have moved to triple extortion — going after your customers and partners directly.
The Verizon 2023 Data Breach Investigations Report found that ransomware was involved in 24% of all breaches. That number held steady from the prior year, which tells us something critical: organizations aren't getting better at stopping it. The playbook isn't changing because it still works.
The $4.45M Lesson Most Organizations Learn Too Late
IBM's Cost of a Data Breach Report 2023 pegged the global average cost of a data breach at $4.45 million, and the average for ransomware incidents at $5.13 million, excluding any ransom actually paid. By the time you factor in downtime, recovery, legal fees, regulatory penalties, and reputational damage, the bill is staggering for a mid-size organization.
I've consulted with companies that thought they were covered because they had backups. They did have backups — connected to the same network the ransomware traversed. Every backup was encrypted alongside the production data. That's not a backup strategy. That's an expensive illusion.
The organizations that survive ransomware attacks without paying are the ones that prepared before the email arrived.
Ransomware Protection Tips: The Layered Defense Approach
There's no single product or setting that stops ransomware. What works is layered defense — making it hard at every stage of the attack chain. Here's the framework I recommend, broken into the layers that matter most.
Layer 1: Stop the Initial Access
Most ransomware enters through phishing emails or exposed remote access. The Verizon DBIR consistently shows that the human element is involved in roughly 74% of breaches. That means your first layer of defense is your people.
- Run phishing simulations regularly. Not once a year — monthly. Threat actors evolve their lures constantly, and your employees need pattern recognition that stays sharp. Our phishing awareness training for organizations is built specifically for this purpose.
- Block macros in Office files that came from the internet. Microsoft now does this by default for files carrying the Mark of the Web, but a user can still unblock a file from its Properties dialog; enforce the "Block macros from running in Office files from the Internet" Group Policy setting so they can't. This single control blocks a large share of commodity ransomware loaders.
- Restrict Remote Desktop Protocol (RDP). If RDP is exposed to the internet, you're running on borrowed time. Put it behind a VPN with multi-factor authentication, or better yet, replace it with a zero trust network access solution.
- Filter email aggressively. Strip executable attachments. Sandbox suspicious links. Quarantine anything that triggers heuristic analysis.
Layer 2: Limit Lateral Movement
Once a threat actor gets in, they need to move. Your job is to make that movement as difficult and noisy as possible.
- Segment your network. Your finance team's systems shouldn't be on the same flat network as your guest Wi-Fi. Microsegmentation limits the blast radius of any single compromised endpoint.
- Enforce least-privilege access. No one — especially not IT admins — should use domain admin credentials for daily work. Credential theft is the engine that powers lateral movement.
- Deploy multi-factor authentication everywhere. Not just email. VPN, admin consoles, cloud services, backup management — every privileged access point needs MFA. The MGM attack succeeded in part because social engineering bypassed identity verification at the help desk.
- Monitor for anomalous behavior. Endpoint detection and response (EDR) tools that flag unusual process execution, mass file renaming, or connections to known command-and-control infrastructure are no longer optional.
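The "mass file renaming" signal above is worth seeing in code, because the detail that makes it work is the time window, not the count. The following is an added example written for this post, not code from the original article or from any EDR product: it walks constructed endpoint file-event lines in a hypothetical `timestamp|host|pid|process|action|path` format and alerts when one process changes the extension of at least five files within 30 seconds. A backup agent gzipping a log every minute never trips it; the process that renames six documents to `.lock7` in two seconds does.

```python
"""Mass-rename burst detector over endpoint file-event logs.

Added example, not code from the original post or from any EDR product: it
implements the "mass file renaming" heuristic as a sliding window over
constructed log lines, so you can see what the detector keys on and why the
window matters as much as the threshold.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical "timestamp|host|pid|process|action|path"
# format (not a real EDR export). Lines are assumed to be in time order.
SAMPLE_EVENTS = r"""
2024-03-01T09:00:01|ws-17|4212|winword.exe|write|C:\Users\amy\Documents\q1.docx
2024-03-01T09:02:30|ws-17|1180|explorer.exe|rename|C:\Users\amy\Documents\draft.docx -> C:\Users\amy\Documents\final.docx
2024-03-01T09:03:00|ws-17|1180|explorer.exe|rename|C:\Users\amy\Pictures\photo.jpeg -> C:\Users\amy\Pictures\photo.jpg
2024-03-01T09:05:00|ws-17|2990|backup_agent.exe|rename|C:\Logs\app1.log -> C:\Logs\app1.log.gz
2024-03-01T09:06:00|ws-17|2990|backup_agent.exe|rename|C:\Logs\app2.log -> C:\Logs\app2.log.gz
2024-03-01T09:07:00|ws-17|2990|backup_agent.exe|rename|C:\Logs\app3.log -> C:\Logs\app3.log.gz
2024-03-01T09:08:00|ws-17|2990|backup_agent.exe|rename|C:\Logs\app4.log -> C:\Logs\app4.log.gz
2024-03-01T09:09:00|ws-17|2990|backup_agent.exe|rename|C:\Logs\app5.log -> C:\Logs\app5.log.gz
2024-03-01T09:10:00|ws-17|2990|backup_agent.exe|rename|C:\Logs\app6.log -> C:\Logs\app6.log.gz
2024-03-01T09:14:10|ws-17|7731|svchost_update.exe|rename|C:\Users\amy\Documents\q1.docx -> C:\Users\amy\Documents\q1.docx.lock7
2024-03-01T09:14:10|ws-17|7731|svchost_update.exe|rename|C:\Users\amy\Documents\q2.xlsx -> C:\Users\amy\Documents\q2.xlsx.lock7
2024-03-01T09:14:11|ws-17|7731|svchost_update.exe|rename|C:\Users\amy\Documents\board.pptx -> C:\Users\amy\Documents\board.pptx.lock7
2024-03-01T09:14:11|ws-17|7731|svchost_update.exe|rename|C:\Users\amy\Desktop\notes.txt -> C:\Users\amy\Desktop\notes.txt.lock7
2024-03-01T09:14:12|ws-17|7731|svchost_update.exe|rename|C:\Users\amy\Pictures\IMG_001.jpg -> C:\Users\amy\Pictures\IMG_001.jpg.lock7
2024-03-01T09:14:12|ws-17|7731|svchost_update.exe|rename|C:\Users\amy\Pictures\IMG_002.jpg -> C:\Users\amy\Pictures\IMG_002.jpg.lock7
2024-03-01T09:14:13|ws-17|7731|svchost_update.exe|write|C:\Users\amy\Desktop\READ_ME_TO_RESTORE.txt
"""

THRESHOLD = 5                   # extension-changing renames by one process ...
WINDOW = timedelta(seconds=30)  # ... within a span this long


def _ext(path):
    """Extension of the final path component; accepts both path separators."""
    name = re.split(r"[\\/]", path.strip())[-1]
    return name.rpartition(".")[2].lower() if "." in name else ""


def parse_event(line):
    ts, host, pid, process, action, path = line.split("|", 5)
    return {"ts": datetime.fromisoformat(ts), "host": host, "pid": int(pid),
            "process": process, "action": action, "path": path}


def extension_changed(rename_field):
    """True when 'old -> new' changes the extension, ransomware's signature move."""
    old, new = rename_field.split("->", 1)
    return _ext(old) != _ext(new)


def detect_mass_rename(lines, threshold=THRESHOLD, window=WINDOW):
    """One alert per (host, pid, process) whose extension-changing renames reach
    `threshold` inside any `window`-long span. Lines must be in time order."""
    recent = defaultdict(list)  # key -> timestamps still inside the window
    alerts, fired = [], set()
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["action"] != "rename" or not extension_changed(ev["path"]):
            continue
        key = (ev["host"], ev["pid"], ev["process"])
        cutoff = ev["ts"] - window
        bucket = [t for t in recent[key] if t >= cutoff] + [ev["ts"]]
        recent[key] = bucket
        if len(bucket) >= threshold and key not in fired:
            fired.add(key)
            alerts.append({"host": ev["host"], "pid": ev["pid"], "process": ev["process"],
                           "first_seen": bucket[0].isoformat(), "count": len(bucket),
                           "span_seconds": (bucket[-1] - bucket[0]).total_seconds()})
    return alerts


if __name__ == "__main__":
    for a in detect_mass_rename(SAMPLE_EVENTS.splitlines()):
        print(f"ALERT {a['host']} pid={a['pid']} {a['process']}: {a['count']} "
              f"extension-changing renames in {a['span_seconds']:.0f}s from {a['first_seen']}")
```

In production you would key this on the real EDR event schema and tune the threshold per role (a file server legitimately renames more than a workstation), but the shape stays the same: count extension changes per process, forget anything older than the window, and fire once.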
Layer 3: Protect Your Backups Like Crown Jewels
Your backups are the single most important factor in whether you recover from ransomware without paying. Treat them accordingly.
- Follow the 3-2-1 rule: three copies of your data, on two different media types, with one stored offsite. I'd extend it to 3-2-1-1-0: one of those copies offline or immutable (it cannot be modified or deleted until its retention period expires), and zero errors on your restore tests.
- Air-gap at least one backup. If every backup is reachable from the production network with production credentials, every backup is encryptable, and wiping or encrypting backups before detonation is standard ransomware tradecraft. Tape is old-school and it works. Cloud-based immutable storage also works if it's configured correctly: object-level retention locks in a mode that not even the account owner can shorten, and backup credentials that are not the same domain admin account the attacker just stole.
- Test your restores quarterly. Untested backups are Schrödinger's backups — they exist in a state of both working and not working until you actually try. I've seen organizations discover their backup corruption only during an active incident. Don't be that company.
- Back up configurations, not just data. Rebuilding a server from scratch takes days. Restoring a system image takes hours. Back up your Active Directory, firewall configs, DNS settings, and application configurations.
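"Test your restores" deserves more than a calendar reminder, so here is an added example (written for this post, not tooling from the original article) of the check a test restore should end with. It builds a SHA-256 manifest of the source tree at backup time and compares a restored tree against it, reporting files that are missing, files whose content changed, and files that are present but were never in the original. That last category is what catches a backup taken mid-attack: the ransom note and the renamed ciphertext ride along into the backup set and restore just fine, which is not the same as restoring your data. The directory layout, file contents, and ransom-note name are constructed for the demo.

```python
"""Test-restore verification with a hash manifest.

Added example, not tooling from the original post. Build a SHA-256 manifest of
the source tree when the backup is taken, keep it with the backup on a medium
the attacker cannot rewrite, and after a test restore compare the restored tree
to it. The demo scenario below is constructed.
"""
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map of relative path (forward slashes) -> SHA-256 for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree to the manifest taken at backup time."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    extra = sorted(set(restored) - set(manifest))
    changed = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    return {"ok": not (missing or extra or changed),
            "missing": missing, "extra": extra, "changed": changed}


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: a clean restore, and one where the backup set was
    taken after ransomware had already touched the share."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "src")
        _write(os.path.join(src, "finance", "q1.xlsx"), b"quarterly numbers")
        _write(os.path.join(src, "finance", "budget.docx"), b"budget draft")
        _write(os.path.join(src, "hr", "roster.csv"), b"name,role\namy,cfo\n")

        manifest = build_manifest(src)
        # The manifest travels with the backup; round-trip it through JSON as you would on disk.
        manifest_path = os.path.join(tmp, "manifest.json")
        with open(manifest_path, "w") as f:
            json.dump(manifest, f)
        with open(manifest_path) as f:
            manifest = json.load(f)

        good = shutil.copytree(src, os.path.join(tmp, "restore_good"))
        bad = shutil.copytree(src, os.path.join(tmp, "restore_bad"))
        _write(os.path.join(bad, "finance", "q1.xlsx"), b"\x00ciphertext\x00")  # encrypted in place
        _write(os.path.join(bad, "READ_ME_TO_RESTORE.txt"), b"pay us")          # ransom note rode along
        return verify_restore(manifest, good), verify_restore(manifest, bad)


if __name__ == "__main__":
    good_result, bad_result = demo()
    print("clean restore:  ", good_result)
    print("tainted restore:", bad_result)
```

The manifest has to live somewhere the attacker cannot rewrite, on the immutable copy or printed to the runbook for small sets; a manifest stored on the same share as the data proves nothing once that share is compromised. The same comparison works for system-state backups if you manifest the exported configuration files rather than the live registry.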
Layer 4: Patch Relentlessly
The Cl0p ransomware group exploited a zero-day vulnerability in MOVEit Transfer in mid-2023, compromising hundreds of organizations. But most ransomware doesn't use zero-days. Most exploits target vulnerabilities with patches that have been available for months or years.
- Prioritize patching internet-facing systems. VPN concentrators, email gateways, web servers — these get targeted first.
- Use CISA's Known Exploited Vulnerabilities Catalog as your triage guide. If CISA says it's actively exploited, patch it this week, not next quarter.
- Automate where possible. Workstation OS and browser patches should be automated. For servers, have a tested fast-track process for critical vulnerabilities.
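Using the KEV catalog as a triage guide is a join between two lists: CISA's catalog and your asset inventory. The following added example (written for this post, not the article's own process) does that join and orders the result the way this layer argues: overdue items first, then entries CISA flags as used in ransomware campaigns, then internet-facing hosts, then by nearest due date. The catalog excerpt uses the real KEV field names (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`), but every CVE ID, vendor, product and host in it is a constructed placeholder, not a real catalog entry. The `dueDate` field is CISA's deadline for federal agencies under BOD 22-01; for everyone else it is a useful proxy for urgency.

```python
"""Patch triage against CISA's Known Exploited Vulnerabilities (KEV) catalog.

Added example, not the post's own process. It parses entries in the KEV JSON
schema (the live feed is
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json),
matches them to a host inventory by vendor and product, and sorts the work:
overdue, then ransomware-linked, then internet-facing, then soonest due.
Every CVE ID, vendor, product and host below is a constructed placeholder.
"""
import json
from datetime import date

# Constructed excerpt in the real KEV field layout; "CVE-0000-..." IDs are placeholders.
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "EdgeGate VPN",
     "dateAdded": "2024-02-01", "dueDate": "2024-02-22", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "TransferHub",
     "dateAdded": "2024-03-10", "dueDate": "2024-03-31", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "PeopleSuite",
     "dateAdded": "2024-03-12", "dueDate": "2024-04-02", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0004", "vendorProject": "ThirdVendor", "product": "Nothing We Run",
     "dateAdded": "2024-03-01", "dueDate": "2024-03-22", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed inventory, the shape you'd export from a CMDB or asset scanner.
INVENTORY = [
    {"host": "vpn-edge-01", "vendorProject": "ExampleVendor", "product": "EdgeGate VPN", "internet_facing": True},
    {"host": "file-srv-03", "vendorProject": "ExampleVendor", "product": "TransferHub", "internet_facing": True},
    {"host": "hr-app-01", "vendorProject": "OtherVendor", "product": "PeopleSuite", "internet_facing": False},
    {"host": "ws-22", "vendorProject": "SomeVendor", "product": "Not In Catalog", "internet_facing": False},
]


def load_kev(text):
    """Entries from a KEV catalog document (the same shape as the live JSON feed)."""
    return json.loads(text)["vulnerabilities"]


def _norm(s):
    """Case- and whitespace-insensitive key, since CMDB spellings rarely match CISA's exactly."""
    return " ".join(s.lower().split())


def triage(kev_entries, inventory, today):
    """Match inventory to KEV by (vendor, product) and return work items, most urgent first."""
    by_product = {}
    for entry in kev_entries:
        key = (_norm(entry["vendorProject"]), _norm(entry["product"]))
        by_product.setdefault(key, []).append(entry)

    work = []
    for asset in inventory:
        key = (_norm(asset["vendorProject"]), _norm(asset["product"]))
        for entry in by_product.get(key, []):
            due = date.fromisoformat(entry["dueDate"])
            work.append({"host": asset["host"], "cveID": entry["cveID"],
                         "dueDate": due.isoformat(), "overdue": due < today,
                         "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
                         "internet_facing": asset["internet_facing"]})
    # False sorts before True, so negate the flags that should come first.
    work.sort(key=lambda w: (not w["overdue"], not w["ransomware"],
                             not w["internet_facing"], w["dueDate"]))
    return work


if __name__ == "__main__":
    for item in triage(load_kev(SAMPLE_KEV), INVENTORY, date(2024, 3, 15)):
        flags = [f for f, on in (("OVERDUE", item["overdue"]), ("ransomware", item["ransomware"]),
                                 ("internet-facing", item["internet_facing"])) if on]
        print(f"{item['host']:<12} {item['cveID']}  due {item['dueDate']}  {' '.join(flags)}")
```

One caveat the code can't fix: KEV entries carry no version information, so a match means "this product is on the list", not "this host is vulnerable". Treat each row as a ticket to confirm the installed version against the vendor advisory and close it only when the patch is verified on the host, not when the change request is approved.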
What Is the Single Most Effective Ransomware Protection Tip?
If I had to pick one thing — the single highest-ROI ransomware protection measure — it's security awareness training for every employee with a login. Phishing and social engineering are still the dominant initial access vectors. You can have the best EDR, the most segmented network, and immutable backups, but if an employee hands over their credentials to a convincing phishing page, the attacker walks through the front door.
Training isn't a checkbox. It's a continuous program that builds a security-first culture. Our cybersecurity awareness training course covers the exact scenarios threat actors use — credential theft lures, fake invoice attacks, business email compromise, and more. Pair it with regular phishing simulations and you'll see measurable improvement in your human firewall.
Build an Incident Response Plan Before You Need One
I've walked into organizations mid-incident where no one knew who was supposed to make decisions. The CEO was calling the ISP. The IT manager was Googling "how to decrypt ransomware." The legal team didn't know they had breach notification obligations.
Your incident response plan should answer these questions in advance:
- Who has authority to disconnect systems from the network?
- Who contacts law enforcement, and when?
- Who communicates with customers, partners, and the media?
- Where is the IR plan stored? (Hint: not only on the network that just got encrypted.)
- Do you have a retainer with a digital forensics and incident response firm?
- What is your organization's position on paying a ransom?
CISA provides excellent incident response guidance through their StopRansomware.gov portal. Bookmark it now. Read it before you need it.
Tabletop Exercises Are Non-Negotiable
Run a ransomware tabletop exercise at least twice a year. Get your leadership, IT, legal, HR, and communications teams in the same room. Walk through a realistic scenario. I've never run a tabletop that didn't expose a critical gap — missing contact info, unclear escalation paths, or assumptions about backup recovery times that turned out to be wildly optimistic.
Zero Trust Isn't a Buzzword — It's Your Architecture Goal
The zero trust model assumes that no user, device, or network segment is inherently trustworthy. Every access request is verified. Every session is monitored. It's the opposite of the traditional "hard shell, soft center" network design that ransomware tears through.
Adopting zero trust doesn't mean buying a product with "zero trust" on the label. It means implementing these principles:
- Verify identity continuously, not just at login.
- Grant minimum necessary access for each task.
- Assume breach — design systems so that a single compromised account can't cascade.
- Encrypt data in transit and at rest.
- Log and analyze everything.
NIST Special Publication 800-207 is the authoritative framework. It's dense, but it's the standard that federal agencies are adopting, and private-sector organizations should use it as their north star.
The Ransomware Insurance Trap
Cyber insurance is part of a risk management strategy, not a substitute for security controls. In my experience, organizations that lean on insurance often underinvest in prevention. Then they discover their policy has exclusions for "failure to maintain minimum security standards" or sublimits on ransomware payments that don't come close to covering actual losses.
Insurers are getting smarter — and stricter. Most now require MFA, EDR, offline backups, and security awareness training as preconditions for coverage. If you can't check those boxes, you either won't get a policy or you'll pay through the nose for one.
Use insurance as a backstop. Build your defenses as if you don't have it.
Your 30-Day Ransomware Protection Checklist
Here's what I'd do in the next 30 days if I were running your security program:
- Week 1: Audit RDP exposure. Enforce MFA on all remote access and admin accounts. Verify backup integrity with a test restore.
- Week 2: Launch a phishing simulation through your phishing awareness training program. Identify your highest-risk click rates by department.
- Week 3: Review and update your incident response plan. Schedule a tabletop exercise. Confirm you have offline or immutable backups.
- Week 4: Enroll all employees in security awareness training. Patch every CISA-listed known exploited vulnerability. Review network segmentation and eliminate flat network segments.
None of these steps require massive budgets. They require attention, prioritization, and follow-through. The organizations that execute this checklist consistently are the ones I never get a panicked call from at 2 AM.
Ransomware Isn't Going Away — Your Defenses Shouldn't Be Optional
Every ransomware protection tip in this post comes from watching real organizations either survive or crumble under real attacks. The threat actors are disciplined, well-funded, and constantly adapting. Your defense needs to match that energy.
Start with your people. Layer in your technology. Test everything. And don't wait for the ransom note to find out where your gaps are.