The Enterprise Ransomware Defence Playbook
Ransomware attacks cost enterprises an average of €4.5 million per incident in 2024. This playbook covers the preventative controls, detection logic, and response procedures that actually work.
Sophie Marchetti
Threat Intelligence Lead · 28 January 2025
Ransomware operators have matured from spray-and-pray campaigns into targeted, business-impact-optimised operations. Understanding the adversary lifecycle is a prerequisite to defending against it.
Phase 1 – Initial Access. Phishing and exposed RDP remain the dominant entry vectors. Implement anti-phishing email controls with URL sandboxing, disable internet-facing RDP, and enforce MFA on every remote access path.
Phase 2 – Persistence and Privilege Escalation. Attackers dwell for an average of 21 days before deploying ransomware. Behavioural EDR and UEBA detect the credential abuse and lateral movement that characterises this phase. Enable detailed Active Directory audit logging — event IDs 4768, 4769, and 4625 are goldmines.
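As an added illustration of the Phase 2 detection logic (example code written for this page, not part of the playbook), here is a small Python detector run over constructed Windows Security event records for IDs 4625 and 4769. It flags two credential-abuse patterns a SIEM rule would look for: one source address failing logons across many accounts (password spraying) and one account requesting RC4-encrypted service tickets for many SPNs (the pattern behind Kerberoasting detections). The field names, thresholds and sample events are assumptions chosen for the example.

```python
"""Detection logic over Windows Security events 4625 and 4769.

Added example, not the playbook's own code. Event records are constructed
dictionaries whose field names (id, src_ip, account, service, enc) are
assumed SIEM-normalised names, not an official schema.
"""
from collections import defaultdict

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 4625 failed logons: one source host trying many different accounts
    *[{"id": 4625, "src_ip": "10.0.0.50", "account": f"user{i}"} for i in range(12)],
    # 4769 service-ticket requests: one account asking for many SPNs with
    # RC4-HMAC (ticket encryption type 0x17), a downgrade worth alerting on
    *[{"id": 4769, "account": "svc_backup", "service": f"MSSQLSvc/db{i}", "enc": "0x17"}
      for i in range(8)],
    # Benign noise: a single typo'd password and normal AES (0x12) tickets
    {"id": 4768, "account": "alice", "src_ip": "10.0.1.7"},
    {"id": 4625, "src_ip": "10.0.1.7", "account": "alice"},
    {"id": 4769, "account": "alice", "service": "cifs/fs01", "enc": "0x12"},
]


def detect_password_spray(events, min_accounts=10):
    """Return {src_ip: [accounts]} for sources whose 4625 failures span at
    least min_accounts distinct accounts (many users, one origin)."""
    by_src = defaultdict(set)
    for e in events:
        if e["id"] == 4625:
            by_src[e["src_ip"]].add(e["account"])
    return {ip: sorted(accts) for ip, accts in by_src.items()
            if len(accts) >= min_accounts}


def detect_ticket_harvesting(events, min_services=5):
    """Return {account: [SPNs]} for accounts whose RC4 (0x17) 4769 requests
    span at least min_services distinct services in the window."""
    by_acct = defaultdict(set)
    for e in events:
        if e["id"] == 4769 and e.get("enc") == "0x17":
            by_acct[e["account"]].add(e["service"])
    return {acct: sorted(spns) for acct, spns in by_acct.items()
            if len(spns) >= min_services}


if __name__ == "__main__":
    print("password spray:", detect_password_spray(SAMPLE_EVENTS))
    print("ticket harvesting:", detect_ticket_harvesting(SAMPLE_EVENTS))
```

In production the window (for example, 10 minutes) and thresholds are tuned per environment, and the same grouping applies to 4768 pre-authentication failures.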
Phase 3 – Data Exfiltration. Modern ransomware groups exfiltrate before encrypting to enable double extortion. DLP controls on outbound channels and dark web monitoring can detect early exfiltration signals.
Phase 4 – Encryption. If ransomware executes, your recovery posture becomes critical. Immutable, air-gapped backups tested monthly are non-negotiable. A tested incident response retainer means the clock starts immediately — not after procurement.
Measure your resilience with a ransomware-specific tabletop exercise at least annually.