Tools: Ransomware Prevention for Small Businesses: Practical Steps Without Enterprise Budgets (2026)

Small businesses are often the preferred targets for ransomware operators because they lack the dedicated security operations centers and multi-million-dollar budgets of enterprise corporations. However, effective defense does not require a massive investment in proprietary security suites. By focusing on fundamental technical controls, robust backup strategies, and a hardened network perimeter, you can reduce your attack surface to a point where most automated and opportunistic attacks will fail. This guide focuses on high-impact, low-cost technical configurations that any small business owner or IT lead can implement today.

Implement Immutable Backups and the 3-2-1 Rule

The only guaranteed recovery path from a ransomware infection is a clean backup. Modern ransomware specifically targets backup servers first to ensure the victim has no choice but to pay. To counter this, you must follow the 3-2-1 backup rule: three copies of your data, on two different media, with one copy off-site. For small businesses, this usually means a local NAS for speed and an encrypted cloud tier for disaster recovery.

If you are setting up a NAS for the first time, ensure that you use a filesystem like ZFS or BTRFS that supports snapshots. Snapshots should be set to 'read-only' and 'immutable' where possible. This prevents ransomware running on a compromised workstation from deleting the version history on the network share.

Use a tool like Rclone to sync encrypted backups to low-cost object storage like Backblaze B2 or AWS S3. You can set an 'Object Lock' policy on these buckets, which prevents any file from being deleted or modified for a set number of days, even if your admin credentials are stolen.

Hardening the Network Perimeter

Stop exposing RDP (Remote Desktop Protocol) directly to the internet. This is the single most common entry point for manual ransomware deployments. If your staff needs remote access, use a VPN. We recommend deploying WireGuard because it has a significantly smaller attack surface than legacy protocols like PPTP or L2TP.

Your edge firewall should be doing more than simple NAT. Transitioning to an open-source, enterprise-grade firewall can provide deep packet inspection and intrusion prevention without annual licensing fees. When comparing OPNsense vs pfSense, both offer robust plugins for geoblocking and IP reputation filtering. Use these to block traffic from countries where you do not do business.

Additionally, implement DNS filtering to block known malware domains at the gateway. You can use a Pi-hole setup or a cloud-based filter like Quad9 (9.9.9.9) to prevent systems from reaching out to ransomware command-and-control servers.

Endpoint Hardening and PowerShell Security

Windows workstations are the primary target for initial access. You do not need expensive EDR (Endpoint Detection and Response) tools to make a significant impact. Start with Windows 11 security hardening by enabling Attack Surface Reduction (ASR) rules. These are built into Windows Pro and Enterprise and can block common ransomware behaviors, such as Office apps creating child processes or unauthorized scripts running from USB drives.

One of the most effective moves is restricting PowerShell. Most ransomware uses PowerShell to download secondary payloads. You should enforce Constrained Language Mode and enable Script Block Logging. You can check your current PowerShell execution policy with this command:

```powershell
# Show the execution policy configured at every scope
Get-ExecutionPolicy -List

# To set a more secure policy for the local machine:
# AllSigned requires every script to carry a trusted digital signature
Set-ExecutionPolicy AllSigned -Force
```

By requiring scripts to be digitally signed, you prevent the execution of raw scripts downloaded from the web by an unsuspecting user.

Credential Hygiene and Identity Protection

Ransomware thrives on lateral movement. If an attacker compromises one machine, they will attempt to harvest credentials from memory to move to the next. The first step to stopping this is eliminating password reuse. Every employee should be setting up Bitwarden or a similar tool to generate and store unique, complex passwords.

The second step is mandatory Multi-Factor Authentication (MFA). However, not all MFA is equal. SMS-based codes are vulnerable to SIM swapping. Use TOTP apps or hardware keys. For a deeper dive into why this matters, refer to our two-factor authentication guide.

Finally, disable LLMNR and NetBIOS on your network to prevent attackers from spoofing network resources to steal hashes. You can do this via Group Policy or by running this command on individual critical machines:

```powershell
# Disable LLMNR via Registry
# (this covers LLMNR only; NetBIOS over TCP/IP is configured separately per network adapter)
$key = "HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient"
# Create the policy key only if it is missing, so existing values under it are kept
if (-not (Test-Path $key)) { New-Item $key -Force | Out-Null }
# -Force overwrites an existing EnableMulticast value instead of raising an error
New-ItemProperty $key -Name "EnableMulticast" -Value 0 -PropertyType DWORD -Force
```
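To confirm that the PowerShell and name-resolution settings described above actually took effect on a workstation, the following added example (not code from the original article) reads them back without changing anything. The function names are hypothetical, the Script Block Logging policy key and the per-adapter NetBIOS check do not appear on this page, and the set of execution policies counted as passing is an assumption.

```powershell
# Added example: read-only audit of the PowerShell and name-resolution settings
# this guide recommends. Run in an elevated PowerShell session on the machine to check.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns 'not set' when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { 'not set' }
}

function Test-HardeningBaseline {   # hypothetical helper name, not a built-in cmdlet
    $policy = "$(Get-ExecutionPolicy)"                          # effective policy
    $mode   = "$($ExecutionContext.SessionState.LanguageMode)"  # this session only
    $sbl    = Get-RegValue 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' 'EnableScriptBlockLogging'
    $llmnr  = Get-RegValue 'HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'

    # TcpipNetbiosOptions: 0 = follow DHCP, 1 = enabled, 2 = disabled.
    $nb = @(Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { $_.TcpipNetbiosOptions -ne 2 } |
        ForEach-Object { $_.Description })
    $nbFound = if ($nb.Count -eq 0) { 'disabled on all IP-enabled adapters' } else { $nb -join '; ' }

    # Assumption: any policy that stops unsigned downloaded scripts counts as a pass.
    $policyOk = $policy -in @('AllSigned', 'RemoteSigned', 'Restricted')

    # One row per control; Pass is $true only when the hardened value is present.
    [pscustomobject]@{ Check = 'Execution policy blocks unsigned downloaded scripts'
                       Pass = $policyOk; Found = $policy }
    [pscustomobject]@{ Check = 'Constrained Language Mode (current session)'
                       Pass = ($mode -eq 'ConstrainedLanguage'); Found = $mode }
    [pscustomobject]@{ Check = 'Script Block Logging enabled by policy'
                       Pass = ($sbl -eq 1); Found = "$sbl" }
    [pscustomobject]@{ Check = 'LLMNR disabled (EnableMulticast = 0)'
                       Pass = ($llmnr -eq 0); Found = "$llmnr" }
    [pscustomobject]@{ Check = 'NetBIOS over TCP/IP disabled on every adapter'
                       Pass = ($nb.Count -eq 0); Found = $nbFound }
}

Test-HardeningBaseline | Format-Table -AutoSize -Wrap
```

A row with `Pass` set to `False` for NetBIOS lists the adapters that still have it enabled, which the LLMNR registry command above does not change.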